LKML Archive on
From: Alexei Starovoitov <>
To: "Mickaël Salaün" <>
Cc: "" <>,
	Alexei Starovoitov <>,
	Andy Lutomirski <>,
	Daniel Borkmann <>,
	Daniel Mack <>,
	David Drysdale <>,
	"David S . Miller" <>,
	"Eric W . Biederman" <>,
	James Morris <>,
	Jann Horn <>, Kees Cook <>,
	Paul Moore <>, Sargun Dhillon <>,
	"Serge E . Hallyn" <>, Tejun Heo <>,
	Thomas Graf <>, Will Drewry <>,
	Linux API <>,
	LSM List <>,
	"" <>,
	"open list:CONTROL GROUP (CGROUP)" <>
Subject: Re: [RFC v4 00/18] Landlock LSM: Unprivileged sandboxing
Date: Sun, 13 Nov 2016 09:38:11 -0800
Message-ID: <>

On Sun, Nov 13, 2016 at 6:23 AM, Mickaël Salaün <> wrote:
> Hi,
> After the BoF at LPC last week, we came to a multi-step roadmap to
> upstream Landlock.
> A first patch series containing the basic properties needed for a
> "minimum viable product", which means being able to test it, without
> full features. The idea is to set in place the main components which
> include the LSM part (some hooks with the manager logic) and the new
> eBPF type. To have a minimum amount of code, the first userland entry
> point will be the seccomp syscall. This doesn't imply non-upstream
> patches and should be simpler. For the sake of simplicity and to
> ease the review, this first series will only be dedicated to privileged
> processes (i.e. with CAP_SYS_ADMIN). We may want to only allow one level
> of rules at first, instead of dealing with more complex rule inheritance
> (like seccomp-bpf can do).
> The second series will focus on the cgroup manager. It will follow the
> same rules of inheritance as Daniel Mack's patches do.
> The third series will try to bring a BPF map of handles for Landlock and
> the dedicated BPF helpers.
> Finally, the fourth series will bring back the unprivileged mode (with
> no_new_privs), at least for process hierarchies (via seccomp). This also
> implies handling multiple levels of rules.
> Right now, an important point of attention is the userland ABI. We don't
> want LSM hooks to be exposed "as is" to userland. This may have some
> future implications if their semantics and/or enforcement point(s)
> change. In the next series, I will propose a new abstraction over the
> currently used LSM hooks. I'll also propose a new way to deal with
> resource accountability. Finally, I plan to create a minimal (kernel)
> developer documentation and a test suite.

Thanks for the summary.
That's exactly what we discussed and agreed upon.
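
The roadmap quoted above rests on two properties of the seccomp path it picks as the first entry point: an unprivileged process may install a filter only after setting no_new_privs, and an installed filter is inherited by the whole process hierarchy forked afterwards. The program below is an illustration added here, not Landlock code and not part of any patch in this thread; it uses plain seccomp-bpf (syscall-number rules, not Landlock's object rules) to show both properties. The helper names, the choice of getppid(2) as the denied syscall and the arch table are my own.

```c
/*
 * Added illustration of seccomp-bpf with no_new_privs and fork inheritance.
 * Not Landlock code; helper names are made up for this example.
 * Build: cc -Wall -o seccomp_inherit seccomp_inherit.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define DENY_ONE_LEN 7 /* instructions emitted by build_deny_one() */

/*
 * Classic-BPF seccomp program: kill on an unexpected arch (syscall numbers
 * differ between ABIs, so this check must come first), return EPERM for
 * denied_nr, allow everything else.  Returns the number of instructions
 * written to out, or 0 if cap is too small.
 */
size_t build_deny_one(struct sock_filter *out, size_t cap, unsigned int denied_nr)
{
	const struct sock_filter prog[DENY_ONE_LEN] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied_nr, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};

	if (cap < DENY_ONE_LEN)
		return 0;
	memcpy(out, prog, sizeof(prog));
	return DENY_ONE_LEN;
}

/*
 * Install the filter in the caller.  PR_SET_NO_NEW_PRIVS is what makes this
 * legal without CAP_SYS_ADMIN; it also stops a later execve() of a setuid
 * binary from running under a filter chosen by an unprivileged parent.
 */
int sandbox_deny_syscall(unsigned int denied_nr)
{
	struct sock_filter insns[DENY_ONE_LEN];
	struct sock_fprog fprog = {
		.len = (unsigned short)build_deny_one(insns, DENY_ONE_LEN, denied_nr),
		.filter = insns,
	};

	if (fprog.len == 0)
		return -1;
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
		return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Probe: 0 if getppid(2) still works, 1 if a filter returned EPERM, -1 otherwise. */
int getppid_denied(void)
{
	errno = 0;
	if (syscall(SYS_getppid) != -1)
		return 0;
	return errno == EPERM ? 1 : -1;
}

int main(void)
{
	pid_t child = fork();
	if (child < 0) {
		perror("fork");
		return 1;
	}
	if (child == 0) {
		/* Sandboxed subtree: deny getppid(2), then fork again to show inheritance. */
		if (sandbox_deny_syscall(SYS_getppid) != 0) {
			perror("seccomp install");
			_exit(2);
		}
		printf("child: no_new_privs=%ld, getppid denied=%d\n",
		       (long)prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0), getppid_denied());
		pid_t gc = fork();
		if (gc == 0) {
			int denied = getppid_denied(); /* inherited, no install of its own */
			printf("grandchild: getppid denied=%d\n", denied);
			_exit(denied == 1 ? 0 : 3);
		}
		int st = 0;
		waitpid(gc, &st, 0);
		_exit(WIFEXITED(st) ? WEXITSTATUS(st) : 4);
	}
	int status = 0;
	waitpid(child, &status, 0);
	printf("parent: untouched, getppid denied=%d\n", getppid_denied());
	return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The parent never installs anything and keeps calling getppid(2) normally, which is the one-directional property the roadmap relies on: rules attach to a subtree and cannot be removed by it. The arch check is the part people most often leave out; without it a sandboxed process that execs a binary of another ABI would be filtered by syscall numbers that mean something else there.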


Thread overview: 8+ messages
2016-11-13 17:38 Alexei Starovoitov [this message]
  -- strict thread matches above, loose matches on Subject: below --
2016-10-26  6:56 Mickaël Salaün
2016-10-26 14:52 ` Jann Horn
2016-10-26 16:56   ` Mickaël Salaün
2016-10-26 17:24     ` Mickaël Salaün
2016-11-13 14:23 ` Mickaël Salaün
2016-11-14 10:35   ` Sargun Dhillon
2016-11-14 20:51     ` Mickaël Salaün
