linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Mickaël Salaün" <mic@digikod.net>
To: Kees Cook <keescook@chromium.org>,
	Casey Schaufler <casey@schaufler-ca.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	David Drysdale <drysdale@google.com>,
	"David S . Miller" <davem@davemloft.net>,
	"Eric W . Biederman" <ebiederm@xmission.com>,
	James Morris <james.l.morris@oracle.com>,
	Jann Horn <jann@thejh.net>, Jonathan Corbet <corbet@lwn.net>,
	Matthew Garrett <mjg59@srcf.ucam.org>,
	Michael Kerrisk <mtk.manpages@gmail.com>,
	Paul Moore <paul@paul-moore.com>,
	Sargun Dhillon <sargun@sargun.me>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	Shuah Khan <shuah@kernel.org>, Tejun Heo <tj@kernel.org>,
	Thomas Graf <tgraf@suug.ch>, Will Drewry <wad@chromium.org>,
	"kernel-hardening@lists.openwall.com" 
	<kernel-hardening@lists.openwall.com>,
	Linux API <linux-api@vger.kernel.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>
Subject: Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem
Date: Thu, 20 Apr 2017 00:03:16 +0200	[thread overview]
Message-ID: <35272f2b-ec5f-d032-ae2e-9fc0b4c0e2e3@digikod.net> (raw)
In-Reply-To: <CAGXu5jKCr1qPqJ8YWAjK1Lj-fThAhMnrxFW8twFcj6C9ODBpsA@mail.gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 2384 bytes --]


On 19/04/2017 01:40, Kees Cook wrote:
> On Tue, Apr 18, 2017 at 4:16 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 4/18/2017 3:44 PM, Mickaël Salaün wrote:
>>> On 19/04/2017 00:17, Kees Cook wrote:
>>>> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün <mic@digikod.net> wrote:
>>>>> +void __init landlock_add_hooks(void)
>>>>> +{
>>>>> +       pr_info("landlock: Version %u", LANDLOCK_VERSION);
>>>>> +       landlock_add_hooks_fs();
>>>>> +       security_add_hooks(NULL, 0, "landlock");
>>>>> +       bpf_register_prog_type(&bpf_landlock_type);
>>>> I'm confused by the separation of hook registration here. The call to
>>>> security_add_hooks is with count=0 is especially weird. Why isn't this
>>>> just a single call with security_add_hooks(landlock_hooks,
>>>> ARRAY_SIZE(landlock_hooks), "landlock")?
>>> Yes, this is ugly with the new security_add_hooks() with three arguments
>>> but I wanted to split the hooks definition in multiple files.
>>
>> Why? I'll buy a good argument, but there are dangers in
>> allowing multiple calls to security_add_hooks().

I prefer to have one file per hook "family" (e.g. filesystem, network,
ptrace…). This reduce the mess with all the included files (needed for
LSM hook argument types) and make the files easier to read, understand
and maintain.

>>
>>>
>>> The current security_add_hooks() use lsm_append(lsm, &lsm_names) which
>>> is not exported. Unfortunately, calling multiple security_add_hooks()
>>> with the same LSM name would register multiple names for the same LSM…
>>> Is it OK if I modify this function to not add duplicated entries?
>>
>> It may seem absurd, but it's conceivable that a module might
>> have two hooks it wants called. My example is a module that
>> counts the number of times SELinux denies a process access to
>> things (which needs to be called before and after SELinux in
>> order to detect denials) and takes "appropriate action" if
>> too many denials occur. It would be weird, wonky and hackish,
>> but that never stopped anybody before.

Right, but now, with the new lsm_append(), module names are concatenated
("%s,%s") in the lsm_names variable. It would be nice to not pollute
this string with multiple time the same module name.

> 
> If ends up being sane and clear, I'm fine with allowing multiple calls.
> 
> -Kees
> 


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

  reply	other threads:[~2017-04-19 22:05 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-28 23:46 [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 01/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier Mickaël Salaün
2017-03-29 13:48   ` kbuild test robot
2017-04-18 21:48   ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 02/11] bpf,landlock: Define an eBPF program type for Landlock Mickaël Salaün
2017-04-16 21:57   ` Mickaël Salaün
2017-04-18 21:58   ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 03/11] bpf: Define handle_fs and add a new helper bpf_handle_fs_get_mode() Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem Mickaël Salaün
2017-03-29 15:18   ` kbuild test robot
2017-04-18 22:17   ` Kees Cook
2017-04-18 22:44     ` Mickaël Salaün
2017-04-18 23:16       ` Casey Schaufler
2017-04-18 23:40         ` Kees Cook
2017-04-19 22:03           ` Mickaël Salaün [this message]
2017-04-19 23:58             ` [kernel-hardening] " Casey Schaufler
2017-04-20  1:48             ` Kees Cook
2017-04-18 23:39       ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 05/11] seccomp: Split put_seccomp_filter() with put_seccomp() Mickaël Salaün
2017-04-18 22:23   ` Kees Cook
2017-04-18 22:47     ` Mickaël Salaün
2017-04-19 22:18       ` Mickaël Salaün
2017-04-20  1:54         ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 06/11] seccomp,landlock: Handle Landlock events per process hierarchy Mickaël Salaün
2017-03-29 10:35   ` [kernel-hardening] " Djalal Harouni
2017-03-31 21:15     ` Mickaël Salaün
2017-04-18 22:54       ` Kees Cook
2017-04-18 22:53   ` Kees Cook
2017-04-18 23:24     ` Mickaël Salaün
2017-04-18 23:48       ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 07/11] landlock: Add ptrace restrictions Mickaël Salaün
2017-04-10  6:48   ` [kernel-hardening] " Djalal Harouni
2017-04-11  7:19     ` Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 08/11] bpf: Add a Landlock sandbox example Mickaël Salaün
2017-04-18 23:06   ` Kees Cook
2017-04-18 23:35     ` Mickaël Salaün
2017-03-28 23:46 ` [PATCH net-next v6 09/11] seccomp: Enhance test_harness with an assert step mechanism Mickaël Salaün
2017-04-19  0:02   ` Kees Cook
2017-04-19 21:51     ` Mickaël Salaün
2017-04-19 22:02       ` Kees Cook
2017-04-19 22:05         ` Mickaël Salaün
2017-04-20  1:50           ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 10/11] bpf,landlock: Add tests for Landlock Mickaël Salaün
2017-04-18 23:16   ` Kees Cook
2017-04-18 23:53     ` Mickaël Salaün
2017-04-18 23:59       ` Kees Cook
2017-03-28 23:46 ` [PATCH net-next v6 11/11] landlock: Add user and kernel documentation " Mickaël Salaün
2017-03-29 15:58   ` kbuild test robot
2017-04-18 23:26 ` [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing Kees Cook
2017-04-19  0:12   ` Mickaël Salaün

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=35272f2b-ec5f-d032-ae2e-9fc0b4c0e2e3@digikod.net \
    --to=mic@digikod.net \
    --cc=acme@kernel.org \
    --cc=ast@kernel.org \
    --cc=casey@schaufler-ca.com \
    --cc=corbet@lwn.net \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=drysdale@google.com \
    --cc=ebiederm@xmission.com \
    --cc=james.l.morris@oracle.com \
    --cc=jann@thejh.net \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mjg59@srcf.ucam.org \
    --cc=mtk.manpages@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=sargun@sargun.me \
    --cc=serge@hallyn.com \
    --cc=shuah@kernel.org \
    --cc=tgraf@suug.ch \
    --cc=tj@kernel.org \
    --cc=wad@chromium.org \
    --subject='Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).