From: Mickaël Salaün
To: Djalal Harouni
Cc: linux-kernel, Alexei Starovoitov, Andy Lutomirski, Arnaldo Carvalho de Melo, Casey Schaufler, Daniel Borkmann, David Drysdale, "David S. Miller", "Eric W. Biederman", James Morris, Jann Horn, Jonathan Corbet, Matthew Garrett, Michael Kerrisk, Kees Cook, Paul Moore, Sargun Dhillon, "Serge E. Hallyn", Shuah Khan, Tejun Heo, Thomas Graf, Will Drewry, kernel-hardening@lists.openwall.com, Linux API, LSM List, netdev@vger.kernel.org, Andrew Morton, Tetsuo Handa
Subject: Re: [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy
Date: Fri, 31 Mar 2017 23:15:37 +0200
References: <20170328234650.19695-1-mic@digikod.net> <20170328234650.19695-7-mic@digikod.net>
List-Id: linux-api@vger.kernel.org

On 29/03/2017 12:35, Djalal Harouni wrote:
> On Wed, Mar 29, 2017 at 1:46 AM, Mickaël Salaün wrote:
>> @@ -25,6 +30,9 @@ struct seccomp_filter;
>>  struct seccomp {
>>  	int mode;
>>  	struct seccomp_filter *filter;
>> +#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_SECURITY_LANDLOCK)
>> +	struct landlock_events *landlock_events;
>> +#endif /* CONFIG_SECCOMP_FILTER && CONFIG_SECURITY_LANDLOCK */
>>  };
>
> Sorry if this was discussed before, but since this is meant to be a
> stackable LSM, I'm wondering if later you could move the events from
> seccomp, and go with a security_task_alloc() model [1] ?
>
> Thanks!
>
> [1] http://kernsec.org/pipermail/linux-security-module-archive/2017-March/000184.html
>

Landlock uses the seccomp syscall to attach a rule to a process, and using struct seccomp to store this rule makes sense. There is currently no way to store multiple task->security, which is needed for a stackable LSM like Landlock, but we could move the events there if needed in the future.

Mickaël
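Review bot: the new `landlock_events` pointer in `struct seccomp` carries no comment on its ownership or lifetime, and since this is the patch that handles events per process hierarchy, a reader of the struct will want to know right here whether a child shares the parent's events or gets its own copy, and who releases them on exit; add a short comment above the field saying so. On the guard, `#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_SECURITY_LANDLOCK)` (repeated in the `#endif` comment) only earns its keep if CONFIG_SECURITY_LANDLOCK can be enabled without CONFIG_SECCOMP_FILTER; if Kconfig already makes Landlock depend on seccomp filtering, collapse it to `#ifdef CONFIG_SECURITY_LANDLOCK` so the dependency is expressed in one place.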
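Since the reply rests on the fact that a Landlock rule is attached through the seccomp syscall and then follows the process hierarchy, here is an added example (mine, not code from the Landlock series or from anyone in this thread) showing that attach-and-inherit behaviour with a plain cBPF seccomp filter: a child installs a filter that denies getpgid(2), forks, and the grandchild, which never called seccomp(2) itself, is still denied. The v6 Landlock seccomp operation is not shown because the page does not include it; `filter_verdict`, `seccomp_inherit_demo` and the choice of getpgid as the denied syscall are my own assumptions.

```c
/* Added example, not code from the Landlock series or this thread: a
 * seccomp(2) filter installed in a child and inherited by a grandchild, the
 * attach-and-inherit path the reply says Landlock rules ride on. Only the
 * classic SECCOMP_SET_MODE_FILTER operation is shown. Linux, glibc, x86-64
 * or aarch64. Function names and the denied syscall are my own choice. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* The denied syscall: getpgid(2), picked because nothing else here uses it. */
#define DENIED_NR SYS_getpgid
#define DENY_VERDICT (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Constructed filter: kill on a foreign ABI, EPERM for DENIED_NR, allow the rest. */
static struct sock_filter filter_code[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DENIED_NR, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY_VERDICT),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(filter_code) / sizeof(filter_code[0]))

/* Userspace evaluator for the three cBPF opcodes the filter uses: checks the
 * decision table without installing anything. */
unsigned int filter_verdict(unsigned int arch, int nr)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &filter_code[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = in->k == offsetof(struct seccomp_data, nr) ? (unsigned int)nr : arch;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == in->k ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL; /* unknown opcode: fail closed */
    }
    return SECCOMP_RET_KILL;
}

static int install_filter(void)
{
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter_code };
    /* no_new_privs is mandatory for unprivileged callers and keeps an
     * inherited filter from confusing a setuid binary exec'd later. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
}

enum { GC_BLOCKED = 0, GC_NOT_BLOCKED = 1, GC_NO_FILTER = 2, GC_ERROR = 3 };

/* Child installs the filter, then forks a grandchild that probes the denied
 * syscall. Returns 1 on the expected EPERM, 0 if no filter could be installed
 * in this environment, -1 if the filter was installed but not inherited. */
int seccomp_inherit_demo(void)
{
    int st;
    pid_t child = fork();
    if (child < 0)
        return 0;
    if (child == 0) {
        if (install_filter() != 0)
            _exit(GC_NO_FILTER);
        pid_t gc = fork();
        if (gc == 0) {
            long r = syscall(DENIED_NR, 0);
            _exit(r == -1 && errno == EPERM ? GC_BLOCKED : GC_NOT_BLOCKED);
        }
        if (gc < 0 || waitpid(gc, &st, 0) < 0 || !WIFEXITED(st))
            _exit(GC_ERROR);
        _exit(WEXITSTATUS(st)); /* forward the grandchild's verdict */
    }
    if (waitpid(child, &st, 0) < 0 || !WIFEXITED(st))
        return 0;
    return WEXITSTATUS(st) == GC_BLOCKED ? 1 : WEXITSTATUS(st) == GC_NOT_BLOCKED ? -1 : 0;
}

int main(void)
{
    int r = seccomp_inherit_demo();
    puts(r == 1 ? "grandchild inherited the filter: getpgid() -> EPERM"
       : r == 0 ? "could not install a seccomp filter in this environment"
       : "filter installed but NOT inherited");
    return r < 0;
}
```

filter_verdict() re-implements only the three cBPF opcodes the filter uses, so the policy's decision table (foreign ABI kills, getpgid gets EPERM, everything else is allowed) can be checked in userspace before it is ever loaded; returning EPERM rather than killing is what lets the grandchild report back through its exit status. The filter is installed in a forked child, not in the calling process, so the caller keeps a clean seccomp state. This illustrates where the attached state lives from the process's point of view, which is the reply's argument for keeping it in struct seccomp; it says nothing about Landlock's own rule semantics.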