From: Kees Cook
Date: Tue, 18 Apr 2017 16:26:05 -0700
Subject: Re: [PATCH net-next v6 00/11] Landlock LSM: Toward unprivileged sandboxing
To: Mickaël Salaün
Cc: LKML, Alexei Starovoitov, Andy Lutomirski, Arnaldo Carvalho de Melo,
    Casey Schaufler, Daniel Borkmann, David Drysdale, David S. Miller,
    Eric W. Biederman, James Morris, Jann Horn, Jonathan Corbet,
    Matthew Garrett, Michael Kerrisk, Paul Moore, Sargun Dhillon,
    Serge E. Hallyn, Shuah Khan, Tejun Heo, Thomas Graf, Will Drewry,
    kernel-hardening@lists.openwall.com, Linux API,
    linux-security-module, Network Development
In-Reply-To: <20170328234650.19695-1-mic@digikod.net>
References: <20170328234650.19695-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
> This sixth series adds some changes to the previous one [1], including a simpler
> rule inheritance hierarchy (similar to seccomp-bpf), a ptrace scope protection,
> some file renaming (better feature identification per file), a future-proof
> eBPF subtype and miscellaneous cosmetic fixes.

Sorry for the delay in review! I finally had a chunk of time I could
devote to this. I really like how it's heading.
I still wonder about its overlap with seccomp (it's really only using
the syscall now...), but that's just a detail. Getting the abstraction
away from direct LSM hooks looks good.

> There is as yet no way to allow a process to access only a subset of the
> filesystem where the subset is specified via a path or a file descriptor. This
> feature is intentionally left out so as to minimize the amount of code of this
> patch series but will come in a following series. However, it is possible to
> check the file type, as done in the following example.

I understand why you've taken a progressive approach here, but I think
there are two fundamental areas where people will use Landlock: path
evaluation and network address evaluation. I think it's worth expanding
this series to include those two confinement examples, since that can
help people understand what the "general" case will look like.

As I mentioned in one of the patch review emails, I think there needs to
be a clearer explanation of how usage counting works vs the "events"
(which I think of as "rule tables" not events -- maybe it needs a new
name?) and "rule" lists. I think I understand it, but I spent a lot of
time trying to get there. More comments would help.

Finally, another thing I'm curious about is how to deal with the
thread-sync issue. Seccomp uses its TSYNC thing, and I'd expect we'd
want something similar for landlock... but that looks really hairy as
far as locking goes. Perhaps it's already solved by using the same
locking seccomp uses, in which case I'm less inclined to kick landlock
out of seccomp.c. :)

Looks like it's coming along nicely! Thanks for continuing to work on this!

-Kees

-- 
Kees Cook
Pixel Security
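The reply above compares Landlock's rule inheritance to seccomp-bpf and asks whether Landlock will need an equivalent of seccomp's TSYNC. The following is an added example, not code from the Landlock series or from this thread: it builds a seccomp-bpf filter, shows what SECCOMP_FILTER_FLAG_TSYNC does (the filter installed by one thread applies to every thread already running), and includes a small userspace evaluator, eval_filter, so the filter's verdict can be checked before it is installed. Assumptions: Linux on x86-64 with a 3.17 or newer kernel; getpriority(2) is an arbitrary, harmless syscall picked as the denied one; eval_filter is a hypothetical helper that mirrors the kernel's cBPF interpreter only for the three opcodes used here; link with -pthread on glibc older than 2.34.

```c
/* Added example (not from the Landlock series): a seccomp-bpf filter
 * installed with SECCOMP_FILTER_FLAG_TSYNC so it covers every thread.
 * Assumes Linux x86-64; link with -pthread on glibc older than 2.34. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>
#define FILTER_LEN 7

/* Deny one syscall number with EPERM and allow everything else; an
 * unexpected architecture is killed, since a 32-bit ABI reuses numbers. */
static void build_filter(struct sock_filter *out, int blocked_nr)
{
    struct sock_filter prog[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)blocked_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(out, prog, sizeof prog);
}

/* Hypothetical userspace evaluator for the three cBPF opcodes used above, so
 * a filter's verdict can be tested before it is installed (the kernel runs
 * its own interpreter; this only mirrors it for those opcodes). */
static unsigned int eval_filter(const struct sock_filter *f, size_t n,
                                const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *ins = &f[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:   /* acc = 32-bit word at offset k */
            memcpy(&acc, (const char *)d + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  /* skip jt or jf instructions */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:            /* verdict */
            return ins->k;
        default:                         /* unsupported opcode: fail closed */
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;             /* ran off the end: fail closed */
}

/* Install on all threads at once. seccomp(2) with TSYNC needs no_new_privs
 * (or CAP_SYS_ADMIN); on failure it returns the TID of the first thread it
 * could not synchronize, or -1 with errno set. */
static long install_tsync(struct sock_filter *f, unsigned short n)
{
    struct sock_fprog prog = { .len = n, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
                   SECCOMP_FILTER_FLAG_TSYNC, &prog);
}

static long probe(const char *who)
{
    errno = 0;  /* getpriority(2): arbitrary harmless syscall chosen as denied */
    long r = syscall(__NR_getpriority, PRIO_PROCESS, 0);
    printf("%s: getpriority -> %ld, errno=%d\n", who, r, errno);
    return r;
}
static void *worker(void *arg)
{
    (void)arg;
    usleep(200 * 1000);  /* stay alive while main installs the filter */
    probe("worker");     /* expect -1/EPERM: TSYNC reached this thread too */
    return NULL;
}

int main(void)
{
    struct sock_filter f[FILTER_LEN];
    pthread_t t;
    build_filter(f, __NR_getpriority);
    if (pthread_create(&t, NULL, worker, NULL) != 0)
        return 1;
    usleep(50 * 1000);   /* make sure the worker exists before installing */
    if (install_tsync(f, FILTER_LEN) != 0) {
        perror("seccomp(SECCOMP_FILTER_FLAG_TSYNC)");
        return 1;
    }
    probe("main");
    pthread_join(t, NULL);
    return 0;
}
```

Without the TSYNC flag the filter would bind only to the calling thread and the worker's probe would still succeed; that is the gap the reply is worried about for Landlock, and the reason seccomp has to take locks across every thread of the process when it synchronizes. Note the asymmetric return value of seccomp(2) with TSYNC: a positive result is the TID of a thread whose existing filters conflict, so checking only for -1 would miss that failure.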