From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Arnaldo Carvalho de Melo" <acme@kernel.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"David Drysdale" <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"James Morris" <james.l.morris@oracle.com>,
"Jann Horn" <jann@thejh.net>, "Jonathan Corbet" <corbet@lwn.net>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Kees Cook" <keescook@chromium.org>,
"Paul Moore" <paul@paul-moore.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Shuah Khan" <shuah@kernel.org>, "Tejun Heo" <tj@kernel.org>,
"Thomas Graf" <tgraf@suug.ch>, "Tycho Andersen" <tycho@tycho.ws>,
"Will Drewry" <wad@chromium.org>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH bpf-next v8 11/11] landlock: Add user and kernel documentation for Landlock
Date: Tue, 27 Feb 2018 01:41:21 +0100 [thread overview]
Message-ID: <20180227004121.3633-12-mic@digikod.net> (raw)
In-Reply-To: <20180227004121.3633-1-mic@digikod.net>
This documentation can be built with the Sphinx framework.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: David S. Miller <davem@davemloft.net>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
---
Changes since v7:
* update documentation according to the Landlock revamp
Changes since v6:
* add a check for ctx->event
* rename BPF_PROG_TYPE_LANDLOCK to BPF_PROG_TYPE_LANDLOCK_RULE
* rename Landlock version to ABI to better reflect its purpose and add a
dedicated changelog section
* update tables
* relax no_new_privs recommendations
* remove ABILITY_WRITE related functions
* reword rule "appending" to "prepending" and explain it
* cosmetic fixes
Changes since v5:
* update the rule hierarchy inheritance explanation
* briefly explain ctx->arg2
* add ptrace restrictions
* explain EPERM
* update example (subtype)
* use ":manpage:"
---
Documentation/security/index.rst | 1 +
Documentation/security/landlock/index.rst | 19 +++
Documentation/security/landlock/kernel.rst | 100 ++++++++++++++
Documentation/security/landlock/user.rst | 206 +++++++++++++++++++++++++++++
4 files changed, 326 insertions(+)
create mode 100644 Documentation/security/landlock/index.rst
create mode 100644 Documentation/security/landlock/kernel.rst
create mode 100644 Documentation/security/landlock/user.rst
diff --git a/Documentation/security/index.rst b/Documentation/security/index.rst
index 298a94a33f05..1db294025d0f 100644
--- a/Documentation/security/index.rst
+++ b/Documentation/security/index.rst
@@ -11,3 +11,4 @@ Security Documentation
LSM
self-protection
tpm/index
+ landlock/index
diff --git a/Documentation/security/landlock/index.rst b/Documentation/security/landlock/index.rst
new file mode 100644
index 000000000000..8afde6a5805c
--- /dev/null
+++ b/Documentation/security/landlock/index.rst
@@ -0,0 +1,19 @@
+=========================================
+Landlock LSM: programmatic access control
+=========================================
+
+Landlock is a stackable Linux Security Module (LSM) that makes it possible to
+create security sandboxes. This kind of sandbox is expected to help mitigate
+the security impact of bugs or unexpected/malicious behaviors in user-space
+applications. The current version allows only a process with the global
+CAP_SYS_ADMIN capability to create such sandboxes but the ultimate goal of
+Landlock is to empower any process, including unprivileged ones, to securely
+restrict themselves. Landlock is inspired by seccomp-bpf but instead of
+filtering syscalls and their raw arguments, a Landlock rule can inspect the use
+of kernel objects like files and hence make a decision according to the kernel
+semantic.
+
+.. toctree::
+
+ user
+ kernel
diff --git a/Documentation/security/landlock/kernel.rst b/Documentation/security/landlock/kernel.rst
new file mode 100644
index 000000000000..0a52915e346c
--- /dev/null
+++ b/Documentation/security/landlock/kernel.rst
@@ -0,0 +1,100 @@
+==============================
+Landlock: kernel documentation
+==============================
+
+eBPF properties
+===============
+
+To get an expressive language while still being safe and small, Landlock is
+based on eBPF. Landlock should be usable by untrusted processes and must
+therefore expose a minimal attack surface. The eBPF bytecode is minimal,
+powerful, widely used and designed to be used by untrusted applications. Thus,
+reusing the eBPF support in the kernel enables a generic approach while
+minimizing new code.
+
+An eBPF program has access to an eBPF context containing some fields used to
+inspect the current object. These arguments can be used directly (e.g. cookie)
+or passed to helper functions according to their types (e.g. inode pointer). It
+is then possible to do complex access checks without race conditions or
+inconsistent evaluation (i.e. `incorrect mirroring of the OS code and state
+<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_).
+
+A Landlock hook describes a particular access type. For now, there is three
+hooks dedicated to filesystem related operations: LANDLOCK_HOOK_FS_PICK,
+LANDLOCK_HOOK_FS_WALK and LANDLOCK_HOOK_FS_GET. A Landlock program is tied to
+one hook. This makes it possible to statically check context accesses,
+potentially performed by such program, and hence prevents kernel address leaks
+and ensure the right use of hook arguments with eBPF functions. Any user can
+add multiple Landlock programs per Landlock hook. They are stacked and
+evaluated one after the other, starting from the most recent program, as
+seccomp-bpf does with its filters. Underneath, a hook is an abstraction over a
+set of LSM hooks.
+
+
+Guiding principles
+==================
+
+Unprivileged use
+----------------
+
+* Landlock helpers and context should be usable by any unprivileged and
+ untrusted program while following the system security policy enforced by
+ other access control mechanisms (e.g. DAC, LSM).
+
+
+Landlock hook and context
+-------------------------
+
+* A Landlock hook shall be focused on access control on kernel objects instead
+ of syscall filtering (i.e. syscall arguments), which is the purpose of
+ seccomp-bpf.
+* A Landlock context provided by a hook shall express the minimal and more
+ generic interface to control an access for a kernel object.
+* A hook shall guaranty that all the BPF function calls from a program are
+ safe. Thus, the related Landlock context arguments shall always be of the
+ same type for a particular hook. For example, a network hook could share
+ helpers with a file hook because of UNIX socket. However, the same helpers
+ may not be compatible for a FS handle and a net handle.
+* Multiple hooks may use the same context interface.
+
+
+Landlock helpers
+----------------
+
+* Landlock helpers shall be as generic as possible while at the same time being
+ as simple as possible and following the syscall creation principles (cf.
+ *Documentation/adding-syscalls.txt*).
+* The only behavior change allowed on a helper is to fix a (logical) bug to
+ match the initial semantic.
+* Helpers shall be reentrant, i.e. only take inputs from arguments (e.g. from
+ the BPF context), to enable a hook to use a cache. Future program options
+ might change this cache behavior.
+* It is quite easy to add new helpers to extend Landlock. The main concern
+ should be about the possibility to leak information from the kernel that may
+ not be accessible otherwise (i.e. side-channel attack).
+
+
+Questions and answers
+=====================
+
+Why not create a custom hook for each kind of action?
+-----------------------------------------------------
+
+Landlock programs can handle these checks. Adding more exceptions to the
+kernel code would lead to more code complexity. A decision to ignore a kind of
+action can and should be done at the beginning of a Landlock program.
+
+
+Why a program does not return an errno or a kill code?
+------------------------------------------------------
+
+seccomp filters can return multiple kind of code, including an errno value or a
+kill signal, which may be convenient for access control. Those return codes
+are hardwired in the userland ABI. Instead, Landlock's approach is to return a
+boolean to allow or deny an action, which is much simpler and more generic.
+Moreover, we do not really have a choice because, unlike to seccomp, Landlock
+programs are not enforced at the syscall entry point but may be executed at any
+point in the kernel (through LSM hooks) where an errno return code may not make
+sense. However, with this simple ABI and with the ability to call helpers,
+Landlock may gain features similar to seccomp-bpf in the future while being
+compatible with previous programs.
diff --git a/Documentation/security/landlock/user.rst b/Documentation/security/landlock/user.rst
new file mode 100644
index 000000000000..3130063c9087
--- /dev/null
+++ b/Documentation/security/landlock/user.rst
@@ -0,0 +1,206 @@
+================================
+Landlock: userland documentation
+================================
+
+Landlock programs
+=================
+
+eBPF programs are used to create security programs. They are contained and can
+call only a whitelist of dedicated functions. Moreover, they cannot loop, which
+protects from denial of service. More information on BPF can be found in
+*Documentation/networking/filter.txt*.
+
+
+Writing a program
+-----------------
+
+To enforce a security policy, a thread first needs to create a Landlock program.
+The easiest way to write an eBPF program depicting a security program is to write
+it in the C language. As described in *samples/bpf/README.rst*, LLVM can
+compile such programs. Files *samples/bpf/landlock1_kern.c* and those in
+*tools/testing/selftests/landlock/* can be used as examples.
+
+Once the eBPF program is created, the next step is to create the metadata
+describing the Landlock program. This metadata includes a subtype which
+contains the hook type to which the program is tied and some options.
+
+.. code-block:: c
+
+ union bpf_prog_subtype subtype = {
+ .landlock_hook = {
+ .type = LANDLOCK_HOOK_FS_PICK,
+ .triggers = LANDLOCK_TRIGGER_FS_PICK_OPEN,
+ }
+ };
+
+A Landlock hook describes the kind of kernel object for which a program will be
+triggered to allow or deny an action. For example, the hook
+LANDLOCK_HOOK_FS_PICK can be triggered every time a landlocked thread performs
+a set of action related to the filesystem (e.g. open, read, write, mount...).
+This actions are identified by the `triggers` bitfield.
+
+The next step is to fill a :c:type:`union bpf_attr <bpf_attr>` with
+BPF_PROG_TYPE_LANDLOCK_HOOK, the previously created subtype and other BPF
+program metadata. This bpf_attr must then be passed to the :manpage:`bpf(2)`
+syscall alongside the BPF_PROG_LOAD command. If everything is deemed correct
+by the kernel, the thread gets a file descriptor referring to this program.
+
+In the following code, the *insn* variable is an array of BPF instructions
+which can be extracted from an ELF file as is done in bpf_load_file() from
+*samples/bpf/bpf_load.c*.
+
+.. code-block:: c
+
+ union bpf_attr attr = {
+ .prog_type = BPF_PROG_TYPE_LANDLOCK_HOOK,
+ .insn_cnt = sizeof(insn) / sizeof(struct bpf_insn),
+ .insns = (__u64) (unsigned long) insn,
+ .license = (__u64) (unsigned long) "GPL",
+ .prog_subtype = &subtype,
+ .prog_subtype_size = sizeof(subtype),
+ };
+ int fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
+ if (fd == -1)
+ exit(1);
+
+
+Enforcing a program
+-------------------
+
+Once the Landlock program has been created or received (e.g. through a UNIX
+socket), the thread willing to sandbox itself (and its future children) should
+perform the following two steps.
+
+The thread should first request to never be allowed to get new privileges with a
+call to :manpage:`prctl(2)` and the PR_SET_NO_NEW_PRIVS option. More
+information can be found in *Documentation/prctl/no_new_privs.txt*.
+
+.. code-block:: c
+
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0))
+ exit(1);
+
+A thread can apply a program to itself by using the :manpage:`seccomp(2)` syscall.
+The operation is SECCOMP_PREPEND_LANDLOCK_PROG, the flags must be empty and the
+*args* argument must point to a valid Landlock program file descriptor.
+
+.. code-block:: c
+
+ if (seccomp(SECCOMP_PREPEND_LANDLOCK_PROG, 0, &fd))
+ exit(1);
+
+If the syscall succeeds, the program is now enforced on the calling thread and
+will be enforced on all its subsequently created children of the thread as
+well. Once a thread is landlocked, there is no way to remove this security
+policy, only stacking more restrictions is allowed. The program evaluation is
+performed from the newest to the oldest.
+
+When a syscall ask for an action on a kernel object, if this action is denied,
+then an EACCES errno code is returned through the syscall.
+
+
+.. _inherited_programs:
+
+Inherited programs
+------------------
+
+Every new thread resulting from a :manpage:`clone(2)` inherits Landlock program
+restrictions from its parent. This is similar to the seccomp inheritance as
+described in *Documentation/prctl/seccomp_filter.txt*.
+
+
+Ptrace restrictions
+-------------------
+
+A landlocked process has less privileges than a non-landlocked process and must
+then be subject to additional restrictions when manipulating another process.
+To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target
+process, a landlocked process must have a subset of the target process programs.
+
+
+Chained programs
+================
+
+Landlock programs can be chained according to the hook they are tied to. This
+enable to keep a state between multiple program evaluation for an object access
+check (e.g. walking through a file path). The *cookie* field from the context
+can be used as a temporary storage shared between a chain of programs.
+
+The following graph is an example of the chain of programs used in
+*samples/bpf/landlock1_kern.c*. The fs_walk program evaluate if a file is
+beneath a set of file hierarchy. The first fs_pick program may be called when
+there is a read-like action (i.e. trigger for open, chdir, getattr...). The
+second fs_pick program may be called for write-like actions. And finally, the
+fs_get program is called to tag a file when it is open, receive or when the
+current task changes directory. This tagging is needed to be able to keep the
+state of this file evaluation for a next one involving the same opened file.
+
+::
+
+ .---------.
+ | fs_walk |
+ '---------'
+ |
+ v
+ .---------.
+ | fs_pick | open, chdir, getattr...
+ '---------'
+ |
+ v
+ .---------.
+ | fs_pick | create, write, link...
+ '---------'
+ |
+ v
+ .--------.
+ | fs_get |
+ '--------'
+
+
+Landlock structures and constants
+=================================
+
+Hook types
+----------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_hook_type
+
+
+Contexts
+--------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_ctx_fs_pick landlock_ctx_fs_walk landlock_ctx_fs_get
+
+
+Triggers for fs_pick
+--------------------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_triggers
+
+
+Helper functions
+----------------
+
+::
+
+ u64 bpf_inode_get_tag(inode, chain)
+ @inode: pointer to struct inode
+ @chain: pointer to struct landlock_chain
+ Return: tag tied to this inode and chain, or zero if none
+
+ int bpf_landlock_set_tag(tag_obj, chain, value)
+ @tag_obj: pointer pointing to a taggable object (e.g. inode)
+ @chain: pointer to struct landlock_chain
+ @value: value of the tag
+ Return: 0 on success or negative error code
+
+See *include/uapi/linux/bpf.h* for other functions documentation.
+
+
+Additional documentation
+========================
+
+See https://landlock.io
--
2.16.2
WARNING: multiple messages have this Message-ID (diff)
From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Arnaldo Carvalho de Melo" <acme@kernel.org>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"David Drysdale" <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"James Morris" <james.l.morris@oracle.com>,
"Jann Horn" <jann@thejh.net>, "Jonathan Corbet" <corbet@lwn.net>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Kees Cook" <keescook@chromium.org>,
"Paul Moore" <paul@paul-moore.com>,
"Sargun Dhillon" <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Shuah Khan" <shuah@kernel.org>, "Tejun Heo" <tj@kernel.org>,
"Thomas Graf" <tgraf@suug.ch>
Subject: [PATCH bpf-next v8 11/11] landlock: Add user and kernel documentation for Landlock
Date: Tue, 27 Feb 2018 01:41:21 +0100 [thread overview]
Message-ID: <20180227004121.3633-12-mic@digikod.net> (raw)
In-Reply-To: <20180227004121.3633-1-mic@digikod.net>
This documentation can be built with the Sphinx framework.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: David S. Miller <davem@davemloft.net>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
---
Changes since v7:
* update documentation according to the Landlock revamp
Changes since v6:
* add a check for ctx->event
* rename BPF_PROG_TYPE_LANDLOCK to BPF_PROG_TYPE_LANDLOCK_RULE
* rename Landlock version to ABI to better reflect its purpose and add a
dedicated changelog section
* update tables
* relax no_new_privs recommendations
* remove ABILITY_WRITE related functions
* reword rule "appending" to "prepending" and explain it
* cosmetic fixes
Changes since v5:
* update the rule hierarchy inheritance explanation
* briefly explain ctx->arg2
* add ptrace restrictions
* explain EPERM
* update example (subtype)
* use ":manpage:"
---
Documentation/security/index.rst | 1 +
Documentation/security/landlock/index.rst | 19 +++
Documentation/security/landlock/kernel.rst | 100 ++++++++++++++
Documentation/security/landlock/user.rst | 206 +++++++++++++++++++++++++++++
4 files changed, 326 insertions(+)
create mode 100644 Documentation/security/landlock/index.rst
create mode 100644 Documentation/security/landlock/kernel.rst
create mode 100644 Documentation/security/landlock/user.rst
diff --git a/Documentation/security/index.rst b/Documentation/security/index.rst
index 298a94a33f05..1db294025d0f 100644
--- a/Documentation/security/index.rst
+++ b/Documentation/security/index.rst
@@ -11,3 +11,4 @@ Security Documentation
LSM
self-protection
tpm/index
+ landlock/index
diff --git a/Documentation/security/landlock/index.rst b/Documentation/security/landlock/index.rst
new file mode 100644
index 000000000000..8afde6a5805c
--- /dev/null
+++ b/Documentation/security/landlock/index.rst
@@ -0,0 +1,19 @@
+=========================================
+Landlock LSM: programmatic access control
+=========================================
+
+Landlock is a stackable Linux Security Module (LSM) that makes it possible to
+create security sandboxes. This kind of sandbox is expected to help mitigate
+the security impact of bugs or unexpected/malicious behaviors in user-space
+applications. The current version allows only a process with the global
+CAP_SYS_ADMIN capability to create such sandboxes but the ultimate goal of
+Landlock is to empower any process, including unprivileged ones, to securely
+restrict themselves. Landlock is inspired by seccomp-bpf but instead of
+filtering syscalls and their raw arguments, a Landlock rule can inspect the use
+of kernel objects like files and hence make a decision according to the kernel
+semantic.
+
+.. toctree::
+
+ user
+ kernel
diff --git a/Documentation/security/landlock/kernel.rst b/Documentation/security/landlock/kernel.rst
new file mode 100644
index 000000000000..0a52915e346c
--- /dev/null
+++ b/Documentation/security/landlock/kernel.rst
@@ -0,0 +1,100 @@
+==============================
+Landlock: kernel documentation
+==============================
+
+eBPF properties
+===============
+
+To get an expressive language while still being safe and small, Landlock is
+based on eBPF. Landlock should be usable by untrusted processes and must
+therefore expose a minimal attack surface. The eBPF bytecode is minimal,
+powerful, widely used and designed to be used by untrusted applications. Thus,
+reusing the eBPF support in the kernel enables a generic approach while
+minimizing new code.
+
+An eBPF program has access to an eBPF context containing some fields used to
+inspect the current object. These arguments can be used directly (e.g. cookie)
+or passed to helper functions according to their types (e.g. inode pointer). It
+is then possible to do complex access checks without race conditions or
+inconsistent evaluation (i.e. `incorrect mirroring of the OS code and state
+<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_).
+
+A Landlock hook describes a particular access type. For now, there is three
+hooks dedicated to filesystem related operations: LANDLOCK_HOOK_FS_PICK,
+LANDLOCK_HOOK_FS_WALK and LANDLOCK_HOOK_FS_GET. A Landlock program is tied to
+one hook. This makes it possible to statically check context accesses,
+potentially performed by such program, and hence prevents kernel address leaks
+and ensure the right use of hook arguments with eBPF functions. Any user can
+add multiple Landlock programs per Landlock hook. They are stacked and
+evaluated one after the other, starting from the most recent program, as
+seccomp-bpf does with its filters. Underneath, a hook is an abstraction over a
+set of LSM hooks.
+
+
+Guiding principles
+==================
+
+Unprivileged use
+----------------
+
+* Landlock helpers and context should be usable by any unprivileged and
+ untrusted program while following the system security policy enforced by
+ other access control mechanisms (e.g. DAC, LSM).
+
+
+Landlock hook and context
+-------------------------
+
+* A Landlock hook shall be focused on access control on kernel objects instead
+ of syscall filtering (i.e. syscall arguments), which is the purpose of
+ seccomp-bpf.
+* A Landlock context provided by a hook shall express the minimal and more
+ generic interface to control an access for a kernel object.
+* A hook shall guaranty that all the BPF function calls from a program are
+ safe. Thus, the related Landlock context arguments shall always be of the
+ same type for a particular hook. For example, a network hook could share
+ helpers with a file hook because of UNIX socket. However, the same helpers
+ may not be compatible for a FS handle and a net handle.
+* Multiple hooks may use the same context interface.
+
+
+Landlock helpers
+----------------
+
+* Landlock helpers shall be as generic as possible while at the same time being
+ as simple as possible and following the syscall creation principles (cf.
+ *Documentation/adding-syscalls.txt*).
+* The only behavior change allowed on a helper is to fix a (logical) bug to
+ match the initial semantic.
+* Helpers shall be reentrant, i.e. only take inputs from arguments (e.g. from
+ the BPF context), to enable a hook to use a cache. Future program options
+ might change this cache behavior.
+* It is quite easy to add new helpers to extend Landlock. The main concern
+ should be about the possibility to leak information from the kernel that may
+ not be accessible otherwise (i.e. side-channel attack).
+
+
+Questions and answers
+=====================
+
+Why not create a custom hook for each kind of action?
+-----------------------------------------------------
+
+Landlock programs can handle these checks. Adding more exceptions to the
+kernel code would lead to more code complexity. A decision to ignore a kind of
+action can and should be done at the beginning of a Landlock program.
+
+
+Why a program does not return an errno or a kill code?
+------------------------------------------------------
+
+seccomp filters can return multiple kind of code, including an errno value or a
+kill signal, which may be convenient for access control. Those return codes
+are hardwired in the userland ABI. Instead, Landlock's approach is to return a
+boolean to allow or deny an action, which is much simpler and more generic.
+Moreover, we do not really have a choice because, unlike to seccomp, Landlock
+programs are not enforced at the syscall entry point but may be executed at any
+point in the kernel (through LSM hooks) where an errno return code may not make
+sense. However, with this simple ABI and with the ability to call helpers,
+Landlock may gain features similar to seccomp-bpf in the future while being
+compatible with previous programs.
diff --git a/Documentation/security/landlock/user.rst b/Documentation/security/landlock/user.rst
new file mode 100644
index 000000000000..3130063c9087
--- /dev/null
+++ b/Documentation/security/landlock/user.rst
@@ -0,0 +1,206 @@
+================================
+Landlock: userland documentation
+================================
+
+Landlock programs
+=================
+
+eBPF programs are used to create security programs. They are contained and can
+call only a whitelist of dedicated functions. Moreover, they cannot loop, which
+protects from denial of service. More information on BPF can be found in
+*Documentation/networking/filter.txt*.
+
+
+Writing a program
+-----------------
+
+To enforce a security policy, a thread first needs to create a Landlock program.
+The easiest way to write an eBPF program depicting a security program is to write
+it in the C language. As described in *samples/bpf/README.rst*, LLVM can
+compile such programs. Files *samples/bpf/landlock1_kern.c* and those in
+*tools/testing/selftests/landlock/* can be used as examples.
+
+Once the eBPF program is created, the next step is to create the metadata
+describing the Landlock program. This metadata includes a subtype which
+contains the hook type to which the program is tied and some options.
+
+.. code-block:: c
+
+ union bpf_prog_subtype subtype = {
+ .landlock_hook = {
+ .type = LANDLOCK_HOOK_FS_PICK,
+ .triggers = LANDLOCK_TRIGGER_FS_PICK_OPEN,
+ }
+ };
+
+A Landlock hook describes the kind of kernel object for which a program will be
+triggered to allow or deny an action. For example, the hook
+LANDLOCK_HOOK_FS_PICK can be triggered every time a landlocked thread performs
+a set of action related to the filesystem (e.g. open, read, write, mount...).
+This actions are identified by the `triggers` bitfield.
+
+The next step is to fill a :c:type:`union bpf_attr <bpf_attr>` with
+BPF_PROG_TYPE_LANDLOCK_HOOK, the previously created subtype and other BPF
+program metadata. This bpf_attr must then be passed to the :manpage:`bpf(2)`
+syscall alongside the BPF_PROG_LOAD command. If everything is deemed correct
+by the kernel, the thread gets a file descriptor referring to this program.
+
+In the following code, the *insn* variable is an array of BPF instructions
+which can be extracted from an ELF file as is done in bpf_load_file() from
+*samples/bpf/bpf_load.c*.
+
+.. code-block:: c
+
+ union bpf_attr attr = {
+ .prog_type = BPF_PROG_TYPE_LANDLOCK_HOOK,
+ .insn_cnt = sizeof(insn) / sizeof(struct bpf_insn),
+ .insns = (__u64) (unsigned long) insn,
+ .license = (__u64) (unsigned long) "GPL",
+ .prog_subtype = &subtype,
+ .prog_subtype_size = sizeof(subtype),
+ };
+ int fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
+ if (fd == -1)
+ exit(1);
+
+
+Enforcing a program
+-------------------
+
+Once the Landlock program has been created or received (e.g. through a UNIX
+socket), the thread willing to sandbox itself (and its future children) should
+perform the following two steps.
+
+The thread should first request to never be allowed to get new privileges with a
+call to :manpage:`prctl(2)` and the PR_SET_NO_NEW_PRIVS option. More
+information can be found in *Documentation/prctl/no_new_privs.txt*.
+
+.. code-block:: c
+
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0))
+ exit(1);
+
+A thread can apply a program to itself by using the :manpage:`seccomp(2)` syscall.
+The operation is SECCOMP_PREPEND_LANDLOCK_PROG, the flags must be empty and the
+*args* argument must point to a valid Landlock program file descriptor.
+
+.. code-block:: c
+
+ if (seccomp(SECCOMP_PREPEND_LANDLOCK_PROG, 0, &fd))
+ exit(1);
+
+If the syscall succeeds, the program is now enforced on the calling thread and
+will be enforced on all its subsequently created children of the thread as
+well. Once a thread is landlocked, there is no way to remove this security
+policy, only stacking more restrictions is allowed. The program evaluation is
+performed from the newest to the oldest.
+
+When a syscall ask for an action on a kernel object, if this action is denied,
+then an EACCES errno code is returned through the syscall.
+
+
+.. _inherited_programs:
+
+Inherited programs
+------------------
+
+Every new thread resulting from a :manpage:`clone(2)` inherits Landlock program
+restrictions from its parent. This is similar to the seccomp inheritance as
+described in *Documentation/prctl/seccomp_filter.txt*.
+
+
+Ptrace restrictions
+-------------------
+
+A landlocked process has less privileges than a non-landlocked process and must
+then be subject to additional restrictions when manipulating another process.
+To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target
+process, a landlocked process must have a subset of the target process programs.
+
+
+Chained programs
+================
+
+Landlock programs can be chained according to the hook they are tied to. This
+enable to keep a state between multiple program evaluation for an object access
+check (e.g. walking through a file path). The *cookie* field from the context
+can be used as a temporary storage shared between a chain of programs.
+
+The following graph is an example of the chain of programs used in
+*samples/bpf/landlock1_kern.c*. The fs_walk program evaluate if a file is
+beneath a set of file hierarchy. The first fs_pick program may be called when
+there is a read-like action (i.e. trigger for open, chdir, getattr...). The
+second fs_pick program may be called for write-like actions. And finally, the
+fs_get program is called to tag a file when it is open, receive or when the
+current task changes directory. This tagging is needed to be able to keep the
+state of this file evaluation for a next one involving the same opened file.
+
+::
+
+ .---------.
+ | fs_walk |
+ '---------'
+ |
+ v
+ .---------.
+ | fs_pick | open, chdir, getattr...
+ '---------'
+ |
+ v
+ .---------.
+ | fs_pick | create, write, link...
+ '---------'
+ |
+ v
+ .--------.
+ | fs_get |
+ '--------'
+
+
+Landlock structures and constants
+=================================
+
+Hook types
+----------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_hook_type
+
+
+Contexts
+--------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_ctx_fs_pick landlock_ctx_fs_walk landlock_ctx_fs_get
+
+
+Triggers for fs_pick
+--------------------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_triggers
+
+
+Helper functions
+----------------
+
+::
+
+ u64 bpf_inode_get_tag(inode, chain)
+ @inode: pointer to struct inode
+ @chain: pointer to struct landlock_chain
+ Return: tag tied to this inode and chain, or zero if none
+
+ int bpf_landlock_set_tag(tag_obj, chain, value)
+ @tag_obj: pointer pointing to a taggable object (e.g. inode)
+ @chain: pointer to struct landlock_chain
+ @value: value of the tag
+ Return: 0 on success or negative error code
+
+See *include/uapi/linux/bpf.h* for other functions documentation.
+
+
+Additional documentation
+========================
+
+See https://landlock.io
--
2.16.2
WARNING: multiple messages have this Message-ID (diff)
From: mic@digikod.net (Mickaël Salaün)
To: linux-security-module@vger.kernel.org
Subject: [PATCH bpf-next v8 11/11] landlock: Add user and kernel documentation for Landlock
Date: Tue, 27 Feb 2018 01:41:21 +0100 [thread overview]
Message-ID: <20180227004121.3633-12-mic@digikod.net> (raw)
In-Reply-To: <20180227004121.3633-1-mic@digikod.net>
This documentation can be built with the Sphinx framework.
Signed-off-by: Micka?l Sala?n <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: David S. Miller <davem@davemloft.net>
Cc: James Morris <james.l.morris@oracle.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
---
Changes since v7:
* update documentation according to the Landlock revamp
Changes since v6:
* add a check for ctx->event
* rename BPF_PROG_TYPE_LANDLOCK to BPF_PROG_TYPE_LANDLOCK_RULE
* rename Landlock version to ABI to better reflect its purpose and add a
dedicated changelog section
* update tables
* relax no_new_privs recommendations
* remove ABILITY_WRITE related functions
* reword rule "appending" to "prepending" and explain it
* cosmetic fixes
Changes since v5:
* update the rule hierarchy inheritance explanation
* briefly explain ctx->arg2
* add ptrace restrictions
* explain EPERM
* update example (subtype)
* use ":manpage:"
---
Documentation/security/index.rst | 1 +
Documentation/security/landlock/index.rst | 19 +++
Documentation/security/landlock/kernel.rst | 100 ++++++++++++++
Documentation/security/landlock/user.rst | 206 +++++++++++++++++++++++++++++
4 files changed, 326 insertions(+)
create mode 100644 Documentation/security/landlock/index.rst
create mode 100644 Documentation/security/landlock/kernel.rst
create mode 100644 Documentation/security/landlock/user.rst
diff --git a/Documentation/security/index.rst b/Documentation/security/index.rst
index 298a94a33f05..1db294025d0f 100644
--- a/Documentation/security/index.rst
+++ b/Documentation/security/index.rst
@@ -11,3 +11,4 @@ Security Documentation
LSM
self-protection
tpm/index
+ landlock/index
diff --git a/Documentation/security/landlock/index.rst b/Documentation/security/landlock/index.rst
new file mode 100644
index 000000000000..8afde6a5805c
--- /dev/null
+++ b/Documentation/security/landlock/index.rst
@@ -0,0 +1,19 @@
+=========================================
+Landlock LSM: programmatic access control
+=========================================
+
+Landlock is a stackable Linux Security Module (LSM) that makes it possible to
+create security sandboxes. This kind of sandbox is expected to help mitigate
+the security impact of bugs or unexpected/malicious behaviors in user-space
+applications. The current version allows only a process with the global
+CAP_SYS_ADMIN capability to create such sandboxes but the ultimate goal of
+Landlock is to empower any process, including unprivileged ones, to securely
+restrict themselves. Landlock is inspired by seccomp-bpf but instead of
+filtering syscalls and their raw arguments, a Landlock rule can inspect the use
+of kernel objects like files and hence make a decision according to the kernel
+semantic.
+
+.. toctree::
+
+ user
+ kernel
diff --git a/Documentation/security/landlock/kernel.rst b/Documentation/security/landlock/kernel.rst
new file mode 100644
index 000000000000..0a52915e346c
--- /dev/null
+++ b/Documentation/security/landlock/kernel.rst
@@ -0,0 +1,100 @@
+==============================
+Landlock: kernel documentation
+==============================
+
+eBPF properties
+===============
+
+To get an expressive language while still being safe and small, Landlock is
+based on eBPF. Landlock should be usable by untrusted processes and must
+therefore expose a minimal attack surface. The eBPF bytecode is minimal,
+powerful, widely used and designed to be used by untrusted applications. Thus,
+reusing the eBPF support in the kernel enables a generic approach while
+minimizing new code.
+
+An eBPF program has access to an eBPF context containing some fields used to
+inspect the current object. These arguments can be used directly (e.g. cookie)
+or passed to helper functions according to their types (e.g. inode pointer). It
+is then possible to do complex access checks without race conditions or
+inconsistent evaluation (i.e. `incorrect mirroring of the OS code and state
+<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_).
+
+A Landlock hook describes a particular access type. For now, there is three
+hooks dedicated to filesystem related operations: LANDLOCK_HOOK_FS_PICK,
+LANDLOCK_HOOK_FS_WALK and LANDLOCK_HOOK_FS_GET. A Landlock program is tied to
+one hook. This makes it possible to statically check context accesses,
+potentially performed by such program, and hence prevents kernel address leaks
+and ensure the right use of hook arguments with eBPF functions. Any user can
+add multiple Landlock programs per Landlock hook. They are stacked and
+evaluated one after the other, starting from the most recent program, as
+seccomp-bpf does with its filters. Underneath, a hook is an abstraction over a
+set of LSM hooks.
+
+
+Guiding principles
+==================
+
+Unprivileged use
+----------------
+
+* Landlock helpers and context should be usable by any unprivileged and
+ untrusted program while following the system security policy enforced by
+ other access control mechanisms (e.g. DAC, LSM).
+
+
+Landlock hook and context
+-------------------------
+
+* A Landlock hook shall be focused on access control on kernel objects instead
+ of syscall filtering (i.e. syscall arguments), which is the purpose of
+ seccomp-bpf.
+* A Landlock context provided by a hook shall express the minimal and more
+ generic interface to control an access for a kernel object.
+* A hook shall guaranty that all the BPF function calls from a program are
+ safe. Thus, the related Landlock context arguments shall always be of the
+ same type for a particular hook. For example, a network hook could share
+ helpers with a file hook because of UNIX socket. However, the same helpers
+ may not be compatible for a FS handle and a net handle.
+* Multiple hooks may use the same context interface.
+
+
+Landlock helpers
+----------------
+
+* Landlock helpers shall be as generic as possible while at the same time being
+ as simple as possible and following the syscall creation principles (cf.
+ *Documentation/adding-syscalls.txt*).
+* The only behavior change allowed on a helper is to fix a (logical) bug to
+ match the initial semantic.
+* Helpers shall be reentrant, i.e. only take inputs from arguments (e.g. from
+ the BPF context), to enable a hook to use a cache. Future program options
+ might change this cache behavior.
+* It is quite easy to add new helpers to extend Landlock. The main concern
+ should be about the possibility to leak information from the kernel that may
+ not be accessible otherwise (i.e. side-channel attack).
+
+
+Questions and answers
+=====================
+
+Why not create a custom hook for each kind of action?
+-----------------------------------------------------
+
+Landlock programs can handle these checks. Adding more exceptions to the
+kernel code would lead to more code complexity. A decision to ignore a kind of
+action can and should be done at the beginning of a Landlock program.
+
+
+Why a program does not return an errno or a kill code?
+------------------------------------------------------
+
+seccomp filters can return multiple kind of code, including an errno value or a
+kill signal, which may be convenient for access control. Those return codes
+are hardwired in the userland ABI. Instead, Landlock's approach is to return a
+boolean to allow or deny an action, which is much simpler and more generic.
+Moreover, we do not really have a choice because, unlike to seccomp, Landlock
+programs are not enforced at the syscall entry point but may be executed at any
+point in the kernel (through LSM hooks) where an errno return code may not make
+sense. However, with this simple ABI and with the ability to call helpers,
+Landlock may gain features similar to seccomp-bpf in the future while being
+compatible with previous programs.
diff --git a/Documentation/security/landlock/user.rst b/Documentation/security/landlock/user.rst
new file mode 100644
index 000000000000..3130063c9087
--- /dev/null
+++ b/Documentation/security/landlock/user.rst
@@ -0,0 +1,206 @@
+================================
+Landlock: userland documentation
+================================
+
+Landlock programs
+=================
+
+eBPF programs are used to create security programs. They are contained and can
+call only a whitelist of dedicated functions. Moreover, they cannot loop, which
+protects from denial of service. More information on BPF can be found in
+*Documentation/networking/filter.txt*.
+
+
+Writing a program
+-----------------
+
+To enforce a security policy, a thread first needs to create a Landlock program.
+The easiest way to write an eBPF program depicting a security program is to write
+it in the C language. As described in *samples/bpf/README.rst*, LLVM can
+compile such programs. Files *samples/bpf/landlock1_kern.c* and those in
+*tools/testing/selftests/landlock/* can be used as examples.
+
+Once the eBPF program is created, the next step is to create the metadata
+describing the Landlock program. This metadata includes a subtype which
+contains the hook type to which the program is tied and some options.
+
+.. code-block:: c
+
+ union bpf_prog_subtype subtype = {
+ .landlock_hook = {
+ .type = LANDLOCK_HOOK_FS_PICK,
+ .triggers = LANDLOCK_TRIGGER_FS_PICK_OPEN,
+ }
+ };
+
+A Landlock hook describes the kind of kernel object for which a program will be
+triggered to allow or deny an action. For example, the hook
+LANDLOCK_HOOK_FS_PICK can be triggered every time a landlocked thread performs
+a set of action related to the filesystem (e.g. open, read, write, mount...).
+This actions are identified by the `triggers` bitfield.
+
+The next step is to fill a :c:type:`union bpf_attr <bpf_attr>` with
+BPF_PROG_TYPE_LANDLOCK_HOOK, the previously created subtype and other BPF
+program metadata. This bpf_attr must then be passed to the :manpage:`bpf(2)`
+syscall alongside the BPF_PROG_LOAD command. If everything is deemed correct
+by the kernel, the thread gets a file descriptor referring to this program.
+
+In the following code, the *insn* variable is an array of BPF instructions
+which can be extracted from an ELF file as is done in bpf_load_file() from
+*samples/bpf/bpf_load.c*.
+
+.. code-block:: c
+
+ union bpf_attr attr = {
+ .prog_type = BPF_PROG_TYPE_LANDLOCK_HOOK,
+ .insn_cnt = sizeof(insn) / sizeof(struct bpf_insn),
+ .insns = (__u64) (unsigned long) insn,
+ .license = (__u64) (unsigned long) "GPL",
+ .prog_subtype = &subtype,
+ .prog_subtype_size = sizeof(subtype),
+ };
+ int fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
+ if (fd == -1)
+ exit(1);
+
+
+Enforcing a program
+-------------------
+
+Once the Landlock program has been created or received (e.g. through a UNIX
+socket), the thread willing to sandbox itself (and its future children) should
+perform the following two steps.
+
+The thread should first request to never be allowed to get new privileges with a
+call to :manpage:`prctl(2)` and the PR_SET_NO_NEW_PRIVS option. More
+information can be found in *Documentation/prctl/no_new_privs.txt*.
+
+.. code-block:: c
+
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, NULL, 0, 0))
+ exit(1);
+
+A thread can apply a program to itself by using the :manpage:`seccomp(2)` syscall.
+The operation is SECCOMP_PREPEND_LANDLOCK_PROG, the flags must be empty and the
+*args* argument must point to a valid Landlock program file descriptor.
+
+.. code-block:: c
+
+ if (seccomp(SECCOMP_PREPEND_LANDLOCK_PROG, 0, &fd))
+ exit(1);
+
+If the syscall succeeds, the program is now enforced on the calling thread and
+will be enforced on all its subsequently created children of the thread as
+well. Once a thread is landlocked, there is no way to remove this security
+policy, only stacking more restrictions is allowed. The program evaluation is
+performed from the newest to the oldest.
+
+When a syscall ask for an action on a kernel object, if this action is denied,
+then an EACCES errno code is returned through the syscall.
+
+
+.. _inherited_programs:
+
+Inherited programs
+------------------
+
+Every new thread resulting from a :manpage:`clone(2)` inherits Landlock program
+restrictions from its parent. This is similar to the seccomp inheritance as
+described in *Documentation/prctl/seccomp_filter.txt*.
+
+
+Ptrace restrictions
+-------------------
+
+A landlocked process has less privileges than a non-landlocked process and must
+then be subject to additional restrictions when manipulating another process.
+To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target
+process, a landlocked process must have a subset of the target process programs.
+
+
+Chained programs
+================
+
+Landlock programs can be chained according to the hook they are tied to. This
+enable to keep a state between multiple program evaluation for an object access
+check (e.g. walking through a file path). The *cookie* field from the context
+can be used as a temporary storage shared between a chain of programs.
+
+The following graph is an example of the chain of programs used in
+*samples/bpf/landlock1_kern.c*. The fs_walk program evaluate if a file is
+beneath a set of file hierarchy. The first fs_pick program may be called when
+there is a read-like action (i.e. trigger for open, chdir, getattr...). The
+second fs_pick program may be called for write-like actions. And finally, the
+fs_get program is called to tag a file when it is open, receive or when the
+current task changes directory. This tagging is needed to be able to keep the
+state of this file evaluation for a next one involving the same opened file.
+
+::
+
+ .---------.
+ | fs_walk |
+ '---------'
+ |
+ v
+ .---------.
+ | fs_pick | open, chdir, getattr...
+ '---------'
+ |
+ v
+ .---------.
+ | fs_pick | create, write, link...
+ '---------'
+ |
+ v
+ .--------.
+ | fs_get |
+ '--------'
+
+
+Landlock structures and constants
+=================================
+
+Hook types
+----------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_hook_type
+
+
+Contexts
+--------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_ctx_fs_pick landlock_ctx_fs_walk landlock_ctx_fs_get
+
+
+Triggers for fs_pick
+--------------------
+
+.. kernel-doc:: include/uapi/linux/landlock.h
+ :functions: landlock_triggers
+
+
+Helper functions
+----------------
+
+::
+
+ u64 bpf_inode_get_tag(inode, chain)
+ @inode: pointer to struct inode
+ @chain: pointer to struct landlock_chain
+ Return: tag tied to this inode and chain, or zero if none
+
+ int bpf_landlock_set_tag(tag_obj, chain, value)
+ @tag_obj: pointer pointing to a taggable object (e.g. inode)
+ @chain: pointer to struct landlock_chain
+ @value: value of the tag
+ Return: 0 on success or negative error code
+
+See *include/uapi/linux/bpf.h* for other functions documentation.
+
+
+Additional documentation
+========================
+
+See https://landlock.io
--
2.16.2
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-02-27 0:48 UTC|newest]
Thread overview: 191+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-27 0:41 [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 01/11] fs,security: Add a security blob to nameidata Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 01/11] fs, security: " Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 01/11] fs,security: " Mickaël Salaün
2018-02-27 0:57 ` Al Viro
2018-02-27 0:57 ` Al Viro
2018-02-27 0:57 ` Al Viro
2018-02-27 0:57 ` Al Viro
2018-02-27 0:57 ` Al Viro
2018-02-27 1:23 ` Al Viro
2018-02-27 1:23 ` Al Viro
2018-02-27 1:23 ` Al Viro
2018-02-27 1:23 ` Al Viro
2018-02-27 1:23 ` Al Viro
2018-03-11 20:14 ` Mickaël Salaün
2018-03-11 20:14 ` Mickaël Salaün
2018-03-11 20:14 ` Mickaël Salaün
2018-02-28 16:27 ` kbuild test robot
2018-02-28 16:27 ` kbuild test robot
2018-02-28 16:27 ` kbuild test robot
2018-02-28 16:27 ` kbuild test robot
2018-02-28 16:27 ` kbuild test robot
2018-02-28 16:27 ` kbuild test robot
2018-02-28 16:58 ` kbuild test robot
2018-02-28 16:58 ` kbuild test robot
2018-02-28 16:58 ` kbuild test robot
2018-02-28 16:58 ` kbuild test robot
2018-02-28 16:58 ` kbuild test robot
2018-02-28 16:58 ` kbuild test robot
2018-02-27 0:41 ` [PATCH bpf-next v8 02/11] fs,security: Add a new file access type: MAY_CHROOT Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 02/11] fs, security: " Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 02/11] fs,security: " Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 03/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 04/11] bpf,landlock: Define an eBPF program type for Landlock hooks Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 04/11] bpf, landlock: " Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 04/11] bpf,landlock: " Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 05/11] seccomp, landlock: " Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 05/11] seccomp,landlock: " Mickaël Salaün
2018-02-27 2:08 ` Alexei Starovoitov
2018-02-27 2:08 ` Alexei Starovoitov
2018-02-27 2:08 ` Alexei Starovoitov
2018-02-27 2:08 ` Alexei Starovoitov
2018-02-27 4:40 ` Andy Lutomirski
2018-02-27 4:40 ` Andy Lutomirski
2018-02-27 4:40 ` Andy Lutomirski
2018-02-27 4:54 ` Alexei Starovoitov
2018-02-27 4:54 ` Alexei Starovoitov
2018-02-27 4:54 ` Alexei Starovoitov
2018-02-27 5:20 ` Andy Lutomirski
2018-02-27 5:20 ` Andy Lutomirski
2018-02-27 5:20 ` Andy Lutomirski
2018-02-27 5:32 ` Alexei Starovoitov
2018-02-27 5:32 ` Alexei Starovoitov
2018-02-27 5:32 ` Alexei Starovoitov
2018-02-27 16:39 ` Andy Lutomirski
2018-02-27 16:39 ` Andy Lutomirski
2018-02-27 16:39 ` Andy Lutomirski
2018-02-27 17:30 ` Casey Schaufler
2018-02-27 17:30 ` Casey Schaufler
2018-02-27 17:30 ` Casey Schaufler
2018-02-27 17:36 ` Andy Lutomirski
2018-02-27 17:36 ` Andy Lutomirski
2018-02-27 17:36 ` Andy Lutomirski
2018-02-27 18:03 ` Casey Schaufler
2018-02-27 18:03 ` Casey Schaufler
2018-02-27 18:03 ` Casey Schaufler
2018-02-27 21:48 ` Mickaël Salaün
2018-02-27 21:48 ` Mickaël Salaün
2018-02-27 21:48 ` Mickaël Salaün
2018-04-08 13:13 ` Mickaël Salaün
2018-04-08 13:13 ` Mickaël Salaün
2018-04-08 13:13 ` Mickaël Salaün
2018-04-08 21:06 ` Andy Lutomirski
2018-04-08 21:06 ` Andy Lutomirski
2018-04-08 21:06 ` Andy Lutomirski
2018-04-08 21:06 ` Andy Lutomirski
2018-04-08 22:01 ` Mickaël Salaün
2018-04-08 22:01 ` Mickaël Salaün
2018-04-08 22:01 ` Mickaël Salaün
2018-04-10 4:48 ` Alexei Starovoitov
2018-04-10 4:48 ` Alexei Starovoitov
2018-04-10 4:48 ` Alexei Starovoitov
2018-04-10 4:48 ` Alexei Starovoitov
2018-04-10 4:48 ` Alexei Starovoitov
2018-04-11 22:18 ` Mickaël Salaün
2018-04-11 22:18 ` Mickaël Salaün
2018-04-11 22:18 ` Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 06/11] bpf,landlock: Add a new map type: inode Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-28 17:35 ` kbuild test robot
2018-02-28 17:35 ` kbuild test robot
2018-02-28 17:35 ` [PATCH bpf-next v8 06/11] bpf, landlock: " kbuild test robot
2018-02-28 17:35 ` [PATCH bpf-next v8 06/11] bpf,landlock: " kbuild test robot
2018-02-28 17:35 ` kbuild test robot
2018-02-27 0:41 ` [PATCH bpf-next v8 07/11] landlock: Handle filesystem access control Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 08/11] landlock: Add ptrace restrictions Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 4:17 ` Andy Lutomirski
2018-02-27 4:17 ` Andy Lutomirski
2018-02-27 4:17 ` Andy Lutomirski
2018-02-27 4:17 ` Andy Lutomirski
2018-02-27 5:01 ` Andy Lutomirski
2018-02-27 5:01 ` Andy Lutomirski
2018-02-27 5:01 ` Andy Lutomirski
2018-02-27 5:01 ` Andy Lutomirski
2018-02-27 22:14 ` Mickaël Salaün
2018-02-27 22:14 ` Mickaël Salaün
2018-02-27 22:14 ` Mickaël Salaün
2018-02-27 23:02 ` Andy Lutomirski
2018-02-27 23:02 ` Andy Lutomirski
2018-02-27 23:02 ` Andy Lutomirski
2018-02-27 23:02 ` Andy Lutomirski
2018-02-27 23:23 ` Andy Lutomirski
2018-02-27 23:23 ` Andy Lutomirski
2018-02-27 23:23 ` Andy Lutomirski
2018-02-28 0:00 ` Mickaël Salaün
2018-02-28 0:00 ` Mickaël Salaün
2018-02-28 0:00 ` Mickaël Salaün
2018-02-28 0:09 ` Andy Lutomirski
2018-02-28 0:09 ` Andy Lutomirski
2018-02-28 0:09 ` Andy Lutomirski
2018-02-28 0:09 ` Andy Lutomirski
2018-03-06 22:28 ` Mickaël Salaün
2018-03-06 22:28 ` Mickaël Salaün
2018-03-06 22:28 ` Mickaël Salaün
2018-04-01 22:48 ` Mickaël Salaün
2018-04-01 22:48 ` Mickaël Salaün
2018-04-01 22:48 ` Mickaël Salaün
2018-02-27 22:18 ` Mickaël Salaün
2018-02-27 22:18 ` Mickaël Salaün
2018-02-27 22:18 ` Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 09/11] bpf: Add a Landlock sandbox example Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 10/11] bpf,landlock: Add tests for Landlock Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün [this message]
2018-02-27 0:41 ` [PATCH bpf-next v8 11/11] landlock: Add user and kernel documentation " Mickaël Salaün
2018-02-27 0:41 ` Mickaël Salaün
2018-02-27 4:36 ` [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing Andy Lutomirski
2018-02-27 4:36 ` Andy Lutomirski
2018-02-27 4:36 ` Andy Lutomirski
2018-02-27 4:36 ` Andy Lutomirski
2018-02-27 22:03 ` Mickaël Salaün
2018-02-27 22:03 ` Mickaël Salaün
2018-02-27 22:03 ` Mickaël Salaün
2018-02-27 23:09 ` Andy Lutomirski
2018-02-27 23:09 ` Andy Lutomirski
2018-02-27 23:09 ` Andy Lutomirski
2018-02-27 23:09 ` Andy Lutomirski
2018-03-06 22:25 ` Mickaël Salaün
2018-03-06 22:25 ` Mickaël Salaün
2018-03-06 22:25 ` Mickaël Salaün
2018-03-06 22:33 ` Andy Lutomirski
2018-03-06 22:33 ` Andy Lutomirski
2018-03-06 22:33 ` Andy Lutomirski
2018-03-06 22:33 ` Andy Lutomirski
2018-03-06 22:46 ` Tycho Andersen
2018-03-06 22:46 ` Tycho Andersen
2018-03-06 22:46 ` Tycho Andersen
2018-03-06 23:06 ` Mickaël Salaün
2018-03-06 23:06 ` Mickaël Salaün
2018-03-06 23:06 ` Mickaël Salaün
2018-03-07 1:21 ` Andy Lutomirski
2018-03-07 1:21 ` Andy Lutomirski
2018-03-07 1:21 ` Andy Lutomirski
2018-03-07 1:21 ` Andy Lutomirski
2018-03-08 23:51 ` Mickaël Salaün
2018-03-08 23:51 ` Mickaël Salaün
2018-03-08 23:51 ` Mickaël Salaün
2018-03-08 23:53 ` Andy Lutomirski
2018-03-08 23:53 ` Andy Lutomirski
2018-03-08 23:53 ` Andy Lutomirski
2018-03-08 23:53 ` Andy Lutomirski
2018-04-01 22:04 ` Mickaël Salaün
2018-04-01 22:04 ` Mickaël Salaün
2018-04-01 22:04 ` Mickaël Salaün
2018-04-02 0:39 ` Tycho Andersen
2018-04-02 0:39 ` Tycho Andersen
2018-04-02 0:39 ` Tycho Andersen
2018-04-02 0:39 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180227004121.3633-12-mic@digikod.net \
--to=mic@digikod.net \
--cc=acme@kernel.org \
--cc=ast@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=drysdale@google.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sargun@sargun.me \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=tgraf@suug.ch \
--cc=tj@kernel.org \
--cc=tycho@tycho.ws \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.