From: Jeff Xu <jeffxu@google.com>
To: "Günther Noack" <gnoack3000@gmail.com>,
	"Jorge Lucangeli Obes" <jorgelo@chromium.org>,
	"Allen Webb" <allenwebb@google.com>,
	"Jeff Xu" <jeffxu@chromium.org>,
	"Dmitry Torokhov" <dtor@google.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	linux-security-module@vger.kernel.org,
	"Paul Moore" <paul@paul-moore.com>,
	"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
	Linux-Fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [RFC 0/4] Landlock: ioctl support
Date: Wed, 24 May 2023 14:43:18 -0700
Message-ID: <CALmYWFv4f=YsRFHvj4LTog4GY9NmfSOE6hZnJNOpCzPM-5G06g@mail.gmail.com>
In-Reply-To: <20230510.c667268d844f@gnoack.org>

Sorry for the late reply.
>
> (Looking in the direction of Jeff Xu, who has inquired about Landlock
> for Chromium in the past -- do you happen to know in which ways you'd
> want to restrict ioctls, if you have that need? :))
>

Regarding this patch, here is some feedback from ChromeOS:
- In the short term: we are looking to integrate Landlock into our
sandboxer, so the ability to restrict to a specific device is huge.
- Fundamentally though, in the effort of bringing process expected
behaviour closest to allowed behaviour, the ability to speak of
ioctl() path access in Landlock would be huge -- at least we can
continue to enumerate in policy what processes are allowed to do, even
if we still lack the ability to restrict individual ioctl commands for
a specific device node.

Regarding the medium term:
My thoughts are, from a software architecture point of view, it would be
nice to think in planes: i.e. Data Plane / Control Plane / Signaling
Plane / Normal User Plane / Privileged User Plane. Let the application
define its planes, and assign operations to them. Landlock provides
the data structure and syscall to construct the planes.

However, one thing I'm not sure about is the third arg of ioctl:

    int ioctl(int fd, unsigned long request, ...);

Is it possible for the driver to use the same request id, then put
whatever into the third arg? How to deal with that effectively?

For real-world use cases, Dmitry Torokhov (added to list) can help.

PS: There is also an LWN article about the SELinux implementation of ioctl: [1]
[1] https://lwn.net/Articles/428140/

Thanks!
-Jeff Xu
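
Added example, not part of the original message or of the Landlock patches: it shows what the request number passed to ioctl() encodes (direction, driver type byte, command number, declared argument size) and that a filter keyed on the request number alone treats two calls with different third-argument contents identically. The demo_msg structure, DEMO_IOC_CALL and the DEMO_SUB_* values are hypothetical; 0x5401 is the asm-generic value of TCGETS, used as a sample of a request number that predates the _IOC() encoding.

```c
/* Added example, not from the thread: what a filter keyed on the ioctl
 * request number can and cannot see. demo_* / DEMO_* names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <linux/ioctl.h> /* _IOW, _IOC_DIR, _IOC_TYPE, _IOC_NR, _IOC_SIZE */

struct ioc_fields { unsigned dir, type, nr, size; };

/* Split a request number into the fields the _IOC() encoding packs into it. */
static struct ioc_fields ioc_decode(unsigned long req)
{
    struct ioc_fields f = { _IOC_DIR(req), _IOC_TYPE(req),
                            _IOC_NR(req), _IOC_SIZE(req) };
    return f;
}

/* Hypothetical driver that multiplexes sub-commands inside the payload. */
struct demo_msg { unsigned int subcmd; unsigned char data[60]; };
enum { DEMO_SUB_QUERY = 1, DEMO_SUB_RESET = 2 };
#define DEMO_IOC_CALL _IOW('x', 1, struct demo_msg)

/* Allowlist on the request number only; the payload is never inspected. */
static int filter_call(const unsigned long *allow, size_t n,
                       unsigned long req, const void *arg)
{
    (void)arg;
    for (size_t i = 0; i < n; i++)
        if (allow[i] == req)
            return 1;
    return 0;
}

int main(void)
{
    const unsigned long allow[] = { DEMO_IOC_CALL };
    struct demo_msg query = { .subcmd = DEMO_SUB_QUERY };
    struct demo_msg reset = { .subcmd = DEMO_SUB_RESET };
    struct ioc_fields f = ioc_decode(DEMO_IOC_CALL);

    printf("DEMO_IOC_CALL: dir=%u type=%#x nr=%u size=%u\n",
           f.dir, f.type, f.nr, f.size);
    /* Same request number, different sub-command: both pass the filter. */
    printf("query allowed=%d, reset allowed=%d\n",
           filter_call(allow, 1, DEMO_IOC_CALL, &query),
           filter_call(allow, 1, DEMO_IOC_CALL, &reset));
    /* 0x5401 (TCGETS in asm-generic) predates _IOC(): no dir, no size. */
    f = ioc_decode(0x5401UL);
    printf("0x5401: dir=%u type=%#x nr=%u size=%u\n",
           f.dir, f.type, f.nr, f.size);
    return 0;
}
```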
