Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
From: James Morris <jmorris@namei.org>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-kernel@vger.kernel.org, "Al Viro" <viro@zeniv.linux.org.uk>,
	"Andy Lutomirski" <luto@amacapital.net>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Casey Schaufler" <casey@schaufler-ca.com>,
	"Jann Horn" <jannh@google.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Kees Cook" <keescook@chromium.org>,
	"Michael Kerrisk" <mtk.manpages@gmail.com>,
	"Mickaël Salaün" <mickael.salaun@ssi.gouv.fr>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	"Shuah Khan" <shuah@kernel.org>,
	"Vincent Dagonneau" <vincent.dagonneau@ssi.gouv.fr>,
	kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
	linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	linux-security-module@vger.kernel.org, x86@kernel.org
Subject: Re: [PATCH v17 02/10] landlock: Add ruleset and domain management
Date: Thu, 14 May 2020 13:09:32 +1000 (AEST)
Message-ID: <alpine.LRH.2.21.2005141302330.30052@namei.org> (raw)
In-Reply-To: <20200511192156.1618284-3-mic@digikod.net>


[-- Attachment #1: Type: text/plain, Size: 950 bytes --]

On Mon, 11 May 2020, Mickaël Salaün wrote:

> + * .. warning::
> + *
> + *   It is currently not possible to restrict some file-related actions
> + *   accessible through these syscall families: :manpage:`chdir(2)`,
> + *   :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
> + *   :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
> + *   :manpage:`ioctl(2)`, :manpage:`fcntl(2)`.
> + *   Future Landlock evolutions will enable to restrict them.

I have to wonder how useful Landlock will be without more coverage per 
the above.

It would be helpful if you could outline a threat model for this initial 
version, so people can get an idea of what kind of useful protection may
be gained from it.

Are there any distros or other major users who are planning on enabling or 
at least investigating Landlock?

Do you have any examples of a practical application of this scheme?



-- 
James Morris
<jmorris@namei.org>

  reply index

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-11 19:21 [PATCH v17 00/10] Landlock LSM Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 01/10] landlock: Add object management Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 02/10] landlock: Add ruleset and domain management Mickaël Salaün
2020-05-14  3:09   ` James Morris [this message]
2020-05-14 10:27     ` Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 03/10] landlock: Set up the security framework and manage credentials Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 04/10] landlock: Add ptrace restrictions Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 05/10] fs,landlock: Support filesystem access-control Mickaël Salaün
2020-05-14  3:37   ` James Morris
2020-05-14 10:39     ` Mickaël Salaün
2020-05-14 15:58       ` Casey Schaufler
2020-05-14 18:46         ` Mickaël Salaün
2020-05-14 17:31       ` James Morris
2020-05-14 18:49         ` Mickaël Salaün
2020-05-14 19:37           ` James Morris
2020-05-11 19:21 ` [PATCH v17 06/10] landlock: Add syscall implementation Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 07/10] arch: Wire up landlock() syscall Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 08/10] selftests/landlock: Add initial tests Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 09/10] samples/landlock: Add a sandbox manager example Mickaël Salaün
2020-05-11 19:21 ` [PATCH v17 10/10] landlock: Add user and kernel documentation Mickaël Salaün
2020-05-11 21:54 ` [PATCH v17 00/10] Landlock LSM Mickaël Salaün

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.LRH.2.21.2005141302330.30052@namei.org \
    --to=jmorris@namei.org \
    --cc=arnd@arndb.de \
    --cc=casey@schaufler-ca.com \
    --cc=corbet@lwn.net \
    --cc=jannh@google.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mic@digikod.net \
    --cc=mickael.salaun@ssi.gouv.fr \
    --cc=mtk.manpages@gmail.com \
    --cc=serge@hallyn.com \
    --cc=shuah@kernel.org \
    --cc=vincent.dagonneau@ssi.gouv.fr \
    --cc=viro@zeniv.linux.org.uk \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git