From: Randy Dunlap <rdunlap@infradead.org> To: "Mickaël Salaün" <mic@digikod.net>, linux-kernel@vger.kernel.org Cc: "Al Viro" <viro@zeniv.linux.org.uk>, "Andy Lutomirski" <luto@amacapital.net>, "Arnd Bergmann" <arnd@arndb.de>, "Casey Schaufler" <casey@schaufler-ca.com>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "James Morris" <jmorris@namei.org>, "Jann Horn" <jann@thejh.net>, "Jonathan Corbet" <corbet@lwn.net>, "Kees Cook" <keescook@chromium.org>, "Michael Kerrisk" <mtk.manpages@gmail.com>, "Mickaël Salaün" <mickael.salaun@ssi.gouv.fr>, "Serge E . Hallyn" <serge@hallyn.com>, "Shuah Khan" <shuah@kernel.org>, "Vincent Dagonneau" <vincent.dagonneau@ssi.gouv.fr>, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-security-module@vger.k Subject: Re: [RFC PATCH v14 10/10] landlock: Add user and kernel documentation Date: Sat, 29 Feb 2020 09:23:38 -0800 [thread overview] Message-ID: <cc8da381-d3dc-3c0a-5afd-96824362b636@infradead.org> (raw) In-Reply-To: <20200224160215.4136-11-mic@digikod.net> Hi, Here are a few corrections for you to consider. On 2/24/20 8:02 AM, Mickaël Salaün wrote: > This documentation can be built with the Sphinx framework. > > Another location might be more appropriate, though. > > Signed-off-by: Mickaël Salaün <mic@digikod.net> > Reviewed-by: Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr> > Cc: Andy Lutomirski <luto@amacapital.net> > Cc: James Morris <jmorris@namei.org> > Cc: Kees Cook <keescook@chromium.org> > Cc: Serge E. Hallyn <serge@hallyn.com> > --- > > Changes since v13: > * Rewrote the documentation according to the major revamp. > > Previous version: > https://lore.kernel.org/lkml/20191104172146.30797-8-mic@digikod.net/ > --- > Documentation/security/index.rst | 1 + > Documentation/security/landlock/index.rst | 18 ++ > Documentation/security/landlock/kernel.rst | 44 ++++ > Documentation/security/landlock/user.rst | 233 +++++++++++++++++++++ > 4 files changed, 296 insertions(+) > create mode 100644 Documentation/security/landlock/index.rst > create mode 100644 Documentation/security/landlock/kernel.rst > create mode 100644 Documentation/security/landlock/user.rst > > diff --git a/Documentation/security/landlock/index.rst b/Documentation/security/landlock/index.rst > new file mode 100644 > index 000000000000..dbd33b96ce60 > --- /dev/null > +++ b/Documentation/security/landlock/index.rst > @@ -0,0 +1,18 @@ > +========================================= > +Landlock LSM: unprivileged access control > +========================================= > + > +:Author: Mickaël Salaün > + > +The goal of Landlock is to enable to restrict ambient rights (e.g. global > +filesystem access) for a set of processes. Because Landlock is a stackable > +LSM, it makes possible to create safe security sandboxes as new security layers > +in addition to the existing system-wide access-controls. This kind of sandbox > +is expected to help mitigate the security impact of bugs or > +unexpected/malicious behaviors in user-space applications. Landlock empower any empowers > +process, including unprivileged ones, to securely restrict themselves. > + > +.. toctree:: > + > + user > + kernel > diff --git a/Documentation/security/landlock/kernel.rst b/Documentation/security/landlock/kernel.rst > new file mode 100644 > index 000000000000..b87769909029 > --- /dev/null > +++ b/Documentation/security/landlock/kernel.rst > @@ -0,0 +1,44 @@ > +============================== > +Landlock: kernel documentation > +============================== > + > +Landlock's goal is to create scoped access-control (i.e. sandboxing). To > +harden a whole system, this feature should be available to any process, > +including unprivileged ones. Because such process may be compromised or > +backdoored (i.e. untrusted), Landlock's features must be safe to use from the > +kernel and other processes point of view. Landlock's interface must therefore > +expose a minimal attack surface. > + > +Landlock is designed to be usable by unprivileged processes while following the > +system security policy enforced by other access control mechanisms (e.g. DAC, > +LSM). Indeed, a Landlock rule shall not interfere with other access-controls > +enforced on the system, only add more restrictions. > + > +Any user can enforce Landlock rulesets on their processes. They are merged and > +evaluated according to the inherited ones in a way that ensure that only more ensures > +constraints can be added. > + > + > +Guiding principles for safe access controls > +=========================================== > + > +* A Landlock rule shall be focused on access control on kernel objects instead > + of syscall filtering (i.e. syscall arguments), which is the purpose of > + seccomp-bpf. > +* To avoid multiple kind of side-channel attacks (e.g. leak of security kinds > + policies, CPU-based attacks), Landlock rules shall not be able to > + programmatically communicate with user space. > +* Kernel access check shall not slow down access request from unsandboxed > + processes. > +* Computation related to Landlock operations (e.g. enforce a ruleset) shall > + only impact the processes requesting them. > + > + > +Landlock rulesets and domains > +============================= > + > +A domain is a read-only ruleset tied to a set of subjects (i.e. tasks). A > +domain can transition to a new one which is the intersection of the constraints > +from the current and a new ruleset. The definition of a subject is implicit > +for a task sandboxing itself, which makes the reasoning much easier and helps > +avoid pitfalls. > diff --git a/Documentation/security/landlock/user.rst b/Documentation/security/landlock/user.rst > new file mode 100644 > index 000000000000..cbd7f61fca8c > --- /dev/null > +++ b/Documentation/security/landlock/user.rst > @@ -0,0 +1,233 @@ > +================================= > +Landlock: userspace documentation > +================================= > + > +Landlock rules > +============== > + > +A Landlock rule enables to describe an action on an object. An object is > +currently a file hierarchy, and the related filesystem actions are defined in > +`Access rights`_. A set of rules are aggregated in a ruleset, which can then is > +restricts the thread enforcing it, and its future children. restrict > + > + > +Defining and enforcing a security policy > +---------------------------------------- > + > +Before defining a security policy, an application should first probe for the > +features supported by the running kernel, which is important to be compatible > +with older kernels. This can be done thanks to the `landlock` syscall (cf. > +:ref:`syscall`). > + > +.. code-block:: c > + > + struct landlock_attr_features attr_features; > + > + if (landlock(LANDLOCK_CMD_GET_FEATURES, LANDLOCK_OPT_GET_FEATURES, > + sizeof(attr_features), &attr_features)) { > + perror("Failed to probe the Landlock supported features"); > + return 1; > + } > + > +Then, we need to create the ruleset that will contains our rules. For this contain > +example, the ruleset will contains rules which only allow read actions, but contain > +write actions will be denied. The ruleset then needs to handle both of these > +kind of actions. To have a backward compatibility, these actions should be > +ANDed with the supported ones. > + > +.. code-block:: c > + > + int ruleset_fd; > + struct landlock_attr_ruleset ruleset = { > + .handled_access_fs = > + LANDLOCK_ACCESS_FS_READ | > + LANDLOCK_ACCESS_FS_READDIR | > + LANDLOCK_ACCESS_FS_EXECUTE | > + LANDLOCK_ACCESS_FS_WRITE | > + LANDLOCK_ACCESS_FS_TRUNCATE | > + LANDLOCK_ACCESS_FS_CHMOD | > + LANDLOCK_ACCESS_FS_CHOWN | > + LANDLOCK_ACCESS_FS_CHGRP | > + LANDLOCK_ACCESS_FS_LINK_TO | > + LANDLOCK_ACCESS_FS_RENAME_FROM | > + LANDLOCK_ACCESS_FS_RENAME_TO | > + LANDLOCK_ACCESS_FS_RMDIR | > + LANDLOCK_ACCESS_FS_UNLINK | > + LANDLOCK_ACCESS_FS_MAKE_CHAR | > + LANDLOCK_ACCESS_FS_MAKE_DIR | > + LANDLOCK_ACCESS_FS_MAKE_REG | > + LANDLOCK_ACCESS_FS_MAKE_SOCK | > + LANDLOCK_ACCESS_FS_MAKE_FIFO | > + LANDLOCK_ACCESS_FS_MAKE_BLOCK | > + LANDLOCK_ACCESS_FS_MAKE_SYM, > + }; > + > + ruleset.handled_access_fs &= attr_features.access_fs; > + ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, > + LANDLOCK_OPT_CREATE_RULESET, sizeof(ruleset), &ruleset); > + if (ruleset_fd < 0) { > + perror("Failed to create a ruleset"); > + return 1; > + } > + > +We can now add a new rule to this ruleset thanks to the returned file > +descriptor referring to this ruleset. The rule will only enable to read the > +file hierarchy ``/usr``. Without other rule, write actions would then be Without other rules, or Without another rule, > +denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the > +``O_PATH`` flag and fill the &struct landlock_attr_path_beneath with this file > +descriptor. > + > +.. code-block:: c > + > + int err; > + struct landlock_attr_path_beneath path_beneath = { > + .ruleset_fd = ruleset_fd, > + .allowed_access = > + LANDLOCK_ACCESS_FS_READ | > + LANDLOCK_ACCESS_FS_READDIR | > + LANDLOCK_ACCESS_FS_EXECUTE, > + }; > + > + path_beneath.allowed_access &= attr_features.access_fs; > + path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); > + if (path_beneath.parent_fd < 0) { > + perror("Failed to open file"); > + close(ruleset_fd); > + return 1; > + } > + err = landlock(LANDLOCK_CMD_ADD_RULE, LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, > + sizeof(path_beneath), &path_beneath); > + close(path_beneath.parent_fd); > + if (err) { > + perror("Failed to update ruleset"); > + close(ruleset_fd); > + return 1; > + } > + > +We now have a ruleset with one rule allowing read access to ``/usr`` while > +denying all accesses featured in ``attr_features.access_fs`` to everything else > +on the filesystem. The next step is to restrict the current thread from > +gaining more privileges (e.g. thanks to a SUID binary). > + > +.. code-block:: c > + > + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { > + perror("Failed to restrict privileges"); > + close(ruleset_fd); > + return 1; > + } > + > +The current thread is now ready to sandbox itself with the ruleset. > + > +.. code-block:: c > + > + struct landlock_attr_enforce attr_enforce = { > + .ruleset_fd = ruleset_fd, > + }; > + > + if (landlock(LANDLOCK_CMD_ENFORCE_RULESET, LANDLOCK_OPT_ENFORCE_RULESET, > + sizeof(attr_enforce), &attr_enforce)) { > + perror("Failed to enforce ruleset"); > + close(ruleset_fd); > + return 1; > + } > + close(ruleset_fd); > + > +If this last system call succeeds, the current thread is now restricted and If this last landlock system call succeeds, [because close() is the last system call] > +this policy will be enforced on all its subsequently created children as well. > +Once a thread is landlocked, there is no way to remove its security policy, preferably: policy; > +only adding more restrictions is allowed. These threads are now in a new > +Landlock domain, merge of their parent one (if any) with the new ruleset. > + > +A full working code can be found in `samples/landlock/sandboxer.c`_. Full working code > + > + > +Inheritance > +----------- > + > +Every new thread resulting from a :manpage:`clone(2)` inherits Landlock program > +restrictions from its parent. This is similar to the seccomp inheritance (cf. > +:doc:`/userspace-api/seccomp_filter`) or any other LSM dealing with task's > +:manpage:`credentials(7)`. For instance, one process' thread may apply process's > +Landlock rules to itself, but they will not be automatically applied to other > +sibling threads (unlike POSIX thread credential changes, cf. > +:manpage:`nptl(7)`). [snip] thanks for the documentation. -- ~Randy
WARNING: multiple messages have this Message-ID (diff)
From: Randy Dunlap <rdunlap@infradead.org> To: "Mickaël Salaün" <mic@digikod.net>, linux-kernel@vger.kernel.org Cc: "Al Viro" <viro@zeniv.linux.org.uk>, "Andy Lutomirski" <luto@amacapital.net>, "Arnd Bergmann" <arnd@arndb.de>, "Casey Schaufler" <casey@schaufler-ca.com>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "James Morris" <jmorris@namei.org>, "Jann Horn" <jann@thejh.net>, "Jonathan Corbet" <corbet@lwn.net>, "Kees Cook" <keescook@chromium.org>, "Michael Kerrisk" <mtk.manpages@gmail.com>, "Mickaël Salaün" <mickael.salaun@ssi.gouv.fr>, "Serge E . Hallyn" <serge@hallyn.com>, "Shuah Khan" <shuah@kernel.org>, "Vincent Dagonneau" <vincent.dagonneau@ssi.gouv.fr>, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-security-module@vger.kernel.org, x86@kernel.org Subject: Re: [RFC PATCH v14 10/10] landlock: Add user and kernel documentation Date: Sat, 29 Feb 2020 09:23:38 -0800 [thread overview] Message-ID: <cc8da381-d3dc-3c0a-5afd-96824362b636@infradead.org> (raw) Message-ID: <20200229172338.arSHE5z5LAtIiX0DI2HF7RoYVP6SZ4tiZ3J4PjAZnkM@z> (raw) In-Reply-To: <20200224160215.4136-11-mic@digikod.net> Hi, Here are a few corrections for you to consider. On 2/24/20 8:02 AM, Mickaël Salaün wrote: > This documentation can be built with the Sphinx framework. > > Another location might be more appropriate, though. > > Signed-off-by: Mickaël Salaün <mic@digikod.net> > Reviewed-by: Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr> > Cc: Andy Lutomirski <luto@amacapital.net> > Cc: James Morris <jmorris@namei.org> > Cc: Kees Cook <keescook@chromium.org> > Cc: Serge E. Hallyn <serge@hallyn.com> > --- > > Changes since v13: > * Rewrote the documentation according to the major revamp. > > Previous version: > https://lore.kernel.org/lkml/20191104172146.30797-8-mic@digikod.net/ > --- > Documentation/security/index.rst | 1 + > Documentation/security/landlock/index.rst | 18 ++ > Documentation/security/landlock/kernel.rst | 44 ++++ > Documentation/security/landlock/user.rst | 233 +++++++++++++++++++++ > 4 files changed, 296 insertions(+) > create mode 100644 Documentation/security/landlock/index.rst > create mode 100644 Documentation/security/landlock/kernel.rst > create mode 100644 Documentation/security/landlock/user.rst > > diff --git a/Documentation/security/landlock/index.rst b/Documentation/security/landlock/index.rst > new file mode 100644 > index 000000000000..dbd33b96ce60 > --- /dev/null > +++ b/Documentation/security/landlock/index.rst > @@ -0,0 +1,18 @@ > +========================================= > +Landlock LSM: unprivileged access control > +========================================= > + > +:Author: Mickaël Salaün > + > +The goal of Landlock is to enable to restrict ambient rights (e.g. global > +filesystem access) for a set of processes. Because Landlock is a stackable > +LSM, it makes possible to create safe security sandboxes as new security layers > +in addition to the existing system-wide access-controls. This kind of sandbox > +is expected to help mitigate the security impact of bugs or > +unexpected/malicious behaviors in user-space applications. Landlock empower any empowers > +process, including unprivileged ones, to securely restrict themselves. > + > +.. toctree:: > + > + user > + kernel > diff --git a/Documentation/security/landlock/kernel.rst b/Documentation/security/landlock/kernel.rst > new file mode 100644 > index 000000000000..b87769909029 > --- /dev/null > +++ b/Documentation/security/landlock/kernel.rst > @@ -0,0 +1,44 @@ > +============================== > +Landlock: kernel documentation > +============================== > + > +Landlock's goal is to create scoped access-control (i.e. sandboxing). To > +harden a whole system, this feature should be available to any process, > +including unprivileged ones. Because such process may be compromised or > +backdoored (i.e. untrusted), Landlock's features must be safe to use from the > +kernel and other processes point of view. Landlock's interface must therefore > +expose a minimal attack surface. > + > +Landlock is designed to be usable by unprivileged processes while following the > +system security policy enforced by other access control mechanisms (e.g. DAC, > +LSM). Indeed, a Landlock rule shall not interfere with other access-controls > +enforced on the system, only add more restrictions. > + > +Any user can enforce Landlock rulesets on their processes. They are merged and > +evaluated according to the inherited ones in a way that ensure that only more ensures > +constraints can be added. > + > + > +Guiding principles for safe access controls > +=========================================== > + > +* A Landlock rule shall be focused on access control on kernel objects instead > + of syscall filtering (i.e. syscall arguments), which is the purpose of > + seccomp-bpf. > +* To avoid multiple kind of side-channel attacks (e.g. leak of security kinds > + policies, CPU-based attacks), Landlock rules shall not be able to > + programmatically communicate with user space. > +* Kernel access check shall not slow down access request from unsandboxed > + processes. > +* Computation related to Landlock operations (e.g. enforce a ruleset) shall > + only impact the processes requesting them. > + > + > +Landlock rulesets and domains > +============================= > + > +A domain is a read-only ruleset tied to a set of subjects (i.e. tasks). A > +domain can transition to a new one which is the intersection of the constraints > +from the current and a new ruleset. The definition of a subject is implicit > +for a task sandboxing itself, which makes the reasoning much easier and helps > +avoid pitfalls. > diff --git a/Documentation/security/landlock/user.rst b/Documentation/security/landlock/user.rst > new file mode 100644 > index 000000000000..cbd7f61fca8c > --- /dev/null > +++ b/Documentation/security/landlock/user.rst > @@ -0,0 +1,233 @@ > +================================= > +Landlock: userspace documentation > +================================= > + > +Landlock rules > +============== > + > +A Landlock rule enables to describe an action on an object. An object is > +currently a file hierarchy, and the related filesystem actions are defined in > +`Access rights`_. A set of rules are aggregated in a ruleset, which can then is > +restricts the thread enforcing it, and its future children. restrict > + > + > +Defining and enforcing a security policy > +---------------------------------------- > + > +Before defining a security policy, an application should first probe for the > +features supported by the running kernel, which is important to be compatible > +with older kernels. This can be done thanks to the `landlock` syscall (cf. > +:ref:`syscall`). > + > +.. code-block:: c > + > + struct landlock_attr_features attr_features; > + > + if (landlock(LANDLOCK_CMD_GET_FEATURES, LANDLOCK_OPT_GET_FEATURES, > + sizeof(attr_features), &attr_features)) { > + perror("Failed to probe the Landlock supported features"); > + return 1; > + } > + > +Then, we need to create the ruleset that will contains our rules. For this contain > +example, the ruleset will contains rules which only allow read actions, but contain > +write actions will be denied. The ruleset then needs to handle both of these > +kind of actions. To have a backward compatibility, these actions should be > +ANDed with the supported ones. > + > +.. code-block:: c > + > + int ruleset_fd; > + struct landlock_attr_ruleset ruleset = { > + .handled_access_fs = > + LANDLOCK_ACCESS_FS_READ | > + LANDLOCK_ACCESS_FS_READDIR | > + LANDLOCK_ACCESS_FS_EXECUTE | > + LANDLOCK_ACCESS_FS_WRITE | > + LANDLOCK_ACCESS_FS_TRUNCATE | > + LANDLOCK_ACCESS_FS_CHMOD | > + LANDLOCK_ACCESS_FS_CHOWN | > + LANDLOCK_ACCESS_FS_CHGRP | > + LANDLOCK_ACCESS_FS_LINK_TO | > + LANDLOCK_ACCESS_FS_RENAME_FROM | > + LANDLOCK_ACCESS_FS_RENAME_TO | > + LANDLOCK_ACCESS_FS_RMDIR | > + LANDLOCK_ACCESS_FS_UNLINK | > + LANDLOCK_ACCESS_FS_MAKE_CHAR | > + LANDLOCK_ACCESS_FS_MAKE_DIR | > + LANDLOCK_ACCESS_FS_MAKE_REG | > + LANDLOCK_ACCESS_FS_MAKE_SOCK | > + LANDLOCK_ACCESS_FS_MAKE_FIFO | > + LANDLOCK_ACCESS_FS_MAKE_BLOCK | > + LANDLOCK_ACCESS_FS_MAKE_SYM, > + }; > + > + ruleset.handled_access_fs &= attr_features.access_fs; > + ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, > + LANDLOCK_OPT_CREATE_RULESET, sizeof(ruleset), &ruleset); > + if (ruleset_fd < 0) { > + perror("Failed to create a ruleset"); > + return 1; > + } > + > +We can now add a new rule to this ruleset thanks to the returned file > +descriptor referring to this ruleset. The rule will only enable to read the > +file hierarchy ``/usr``. Without other rule, write actions would then be Without other rules, or Without another rule, > +denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the > +``O_PATH`` flag and fill the &struct landlock_attr_path_beneath with this file > +descriptor. > + > +.. code-block:: c > + > + int err; > + struct landlock_attr_path_beneath path_beneath = { > + .ruleset_fd = ruleset_fd, > + .allowed_access = > + LANDLOCK_ACCESS_FS_READ | > + LANDLOCK_ACCESS_FS_READDIR | > + LANDLOCK_ACCESS_FS_EXECUTE, > + }; > + > + path_beneath.allowed_access &= attr_features.access_fs; > + path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); > + if (path_beneath.parent_fd < 0) { > + perror("Failed to open file"); > + close(ruleset_fd); > + return 1; > + } > + err = landlock(LANDLOCK_CMD_ADD_RULE, LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, > + sizeof(path_beneath), &path_beneath); > + close(path_beneath.parent_fd); > + if (err) { > + perror("Failed to update ruleset"); > + close(ruleset_fd); > + return 1; > + } > + > +We now have a ruleset with one rule allowing read access to ``/usr`` while > +denying all accesses featured in ``attr_features.access_fs`` to everything else > +on the filesystem. The next step is to restrict the current thread from > +gaining more privileges (e.g. thanks to a SUID binary). > + > +.. code-block:: c > + > + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { > + perror("Failed to restrict privileges"); > + close(ruleset_fd); > + return 1; > + } > + > +The current thread is now ready to sandbox itself with the ruleset. > + > +.. code-block:: c > + > + struct landlock_attr_enforce attr_enforce = { > + .ruleset_fd = ruleset_fd, > + }; > + > + if (landlock(LANDLOCK_CMD_ENFORCE_RULESET, LANDLOCK_OPT_ENFORCE_RULESET, > + sizeof(attr_enforce), &attr_enforce)) { > + perror("Failed to enforce ruleset"); > + close(ruleset_fd); > + return 1; > + } > + close(ruleset_fd); > + > +If this last system call succeeds, the current thread is now restricted and If this last landlock system call succeeds, [because close() is the last system call] > +this policy will be enforced on all its subsequently created children as well. > +Once a thread is landlocked, there is no way to remove its security policy, preferably: policy; > +only adding more restrictions is allowed. These threads are now in a new > +Landlock domain, merge of their parent one (if any) with the new ruleset. > + > +A full working code can be found in `samples/landlock/sandboxer.c`_. Full working code > + > + > +Inheritance > +----------- > + > +Every new thread resulting from a :manpage:`clone(2)` inherits Landlock program > +restrictions from its parent. This is similar to the seccomp inheritance (cf. > +:doc:`/userspace-api/seccomp_filter`) or any other LSM dealing with task's > +:manpage:`credentials(7)`. For instance, one process' thread may apply process's > +Landlock rules to itself, but they will not be automatically applied to other > +sibling threads (unlike POSIX thread credential changes, cf. > +:manpage:`nptl(7)`). [snip] thanks for the documentation. -- ~Randy
next prev parent reply other threads:[~2020-02-29 17:23 UTC|newest] Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-02-24 16:02 [RFC PATCH v14 00/10] Landlock LSM Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 01/10] landlock: Add object and rule management Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-25 20:49 ` Jann Horn 2020-02-25 20:49 ` Jann Horn 2020-02-26 15:31 ` Mickaël Salaün 2020-02-26 15:31 ` Mickaël Salaün 2020-02-26 20:24 ` Jann Horn 2020-02-26 20:24 ` Jann Horn 2020-02-27 16:46 ` Mickaël Salaün 2020-02-27 16:46 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 02/10] landlock: Add ruleset and domain management Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 03/10] landlock: Set up the security framework and manage credentials Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 04/10] landlock: Add ptrace restrictions Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 05/10] fs,landlock: Support filesystem access-control Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-26 20:29 ` Jann Horn 2020-02-26 20:29 ` Jann Horn 2020-02-27 16:50 ` Mickaël Salaün 2020-02-27 16:50 ` Mickaël Salaün 2020-02-27 16:51 ` Jann Horn 2020-02-27 16:51 ` Jann Horn 2020-02-24 16:02 ` [RFC PATCH v14 06/10] landlock: Add syscall implementation Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün [not found] ` <20200224160215.4136-7-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org> 2020-03-17 16:47 ` Al Viro 2020-03-17 16:47 ` Al Viro 2020-03-17 17:51 ` Mickaël Salaün 2020-03-17 17:51 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 07/10] arch: Wire up landlock() syscall Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 08/10] selftests/landlock: Add initial tests Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 09/10] samples/landlock: Add a sandbox manager example Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-24 16:02 ` [RFC PATCH v14 10/10] landlock: Add user and kernel documentation Mickaël Salaün 2020-02-24 16:02 ` Mickaël Salaün 2020-02-29 17:23 ` Randy Dunlap [this message] 2020-02-29 17:23 ` Randy Dunlap [not found] ` <cc8da381-d3dc-3c0a-5afd-96824362b636-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> 2020-03-02 10:03 ` Mickaël Salaün 2020-03-02 10:03 ` Mickaël Salaün [not found] ` <20200224160215.4136-1-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org> 2020-02-25 18:49 ` [RFC PATCH v14 00/10] Landlock LSM J Freyensee 2020-02-25 18:49 ` J Freyensee 2020-02-26 15:34 ` Mickaël Salaün 2020-02-26 15:34 ` Mickaël Salaün 2020-02-27 4:20 ` [RFC PATCH v14 01/10] landlock: Add object and rule management Hillf Danton [not found] ` <20200227042002.3032-1-hdanton-k+cT0dCbe1g@public.gmane.org> 2020-02-27 17:01 ` Mickaël Salaün 2020-02-27 17:01 ` Mickaël Salaün 2020-03-09 23:44 ` [RFC PATCH v14 00/10] Landlock LSM Jann Horn 2020-03-09 23:44 ` Jann Horn 2020-03-11 23:38 ` Mickaël Salaün 2020-03-11 23:38 ` Mickaël Salaün 2020-03-17 16:19 ` Jann Horn 2020-03-17 16:19 ` Jann Horn 2020-03-17 17:50 ` Mickaël Salaün 2020-03-17 17:50 ` Mickaël Salaün 2020-03-17 19:45 ` Jann Horn 2020-03-17 19:45 ` Jann Horn 2020-03-18 12:06 ` Mickaël Salaün 2020-03-18 12:06 ` Mickaël Salaün 2020-03-18 23:33 ` Jann Horn 2020-03-18 23:33 ` Jann Horn 2020-03-19 16:58 ` Mickaël Salaün 2020-03-19 16:58 ` Mickaël Salaün 2020-03-19 21:17 ` Jann Horn 2020-03-19 21:17 ` Jann Horn 2020-03-30 18:26 ` Mickaël Salaün 2020-03-30 18:26 ` Mickaël Salaün
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=cc8da381-d3dc-3c0a-5afd-96824362b636@infradead.org \ --to=rdunlap@infradead.org \ --cc=arnd@arndb.de \ --cc=casey@schaufler-ca.com \ --cc=corbet@lwn.net \ --cc=gregkh@linuxfoundation.org \ --cc=jann@thejh.net \ --cc=jmorris@namei.org \ --cc=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-api@vger.kernel.org \ --cc=linux-arch@vger.kernel.org \ --cc=linux-doc@vger.kernel.org \ --cc=linux-fsdevel@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-kselftest@vger.kernel.org \ --cc=linux-security-module@vger.k \ --cc=luto@amacapital.net \ --cc=mic@digikod.net \ --cc=mickael.salaun@ssi.gouv.fr \ --cc=mtk.manpages@gmail.com \ --cc=serge@hallyn.com \ --cc=shuah@kernel.org \ --cc=vincent.dagonneau@ssi.gouv.fr \ --cc=viro@zeniv.linux.org.uk \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).