From: "Mickaël Salaün" <mic@digikod.net>
To: Andy Lutomirski <luto@amacapital.net>
Cc: LKML <linux-kernel@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Daniel Borkmann <daniel@iogearbox.net>,
David Drysdale <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
"Eric W . Biederman" <ebiederm@xmission.com>,
James Morris <james.l.morris@oracle.com>,
Jann Horn <jann@thejh.net>, Jonathan Corbet <corbet@lwn.net>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Kees Cook <keescook@chromium.org>,
Paul Moore <paul@paul-moore.com>,
Sargun Dhillon <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>,
Shuah Khan <shuah@kernel.org>, Tejun Heo <tj@kernel.org>,
Thomas Graf <tgraf@suug.ch>, Tycho Andersen <tycho@tycho.ws>,
Will Drewry <wad@chromium.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
Linux API <linux-api@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>
Subject: Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing
Date: Tue, 6 Mar 2018 23:25:31 +0100 [thread overview]
Message-ID: <a70b41ee-78cb-52cc-152c-ac5e43b7e45c@digikod.net> (raw)
In-Reply-To: <CALCETrWnJ7WkkfiymyahQd7YqO0KXP4mG1pRMq7fp8LG8Bwtcw@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 3784 bytes --]
On 28/02/2018 00:09, Andy Lutomirski wrote:
> On Tue, Feb 27, 2018 at 10:03 PM, Mickaël Salaün <mic@digikod.net> wrote:
>>
>> On 27/02/2018 05:36, Andy Lutomirski wrote:
>>> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>>> Hi,
>>>>
>
>>>>
>>>> ## Why use the seccomp(2) syscall?
>>>>
>>>> Landlock use the same semantic as seccomp to apply access rule
>>>> restrictions. It add a new layer of security for the current process
>>>> which is inherited by its children. It makes sense to use an unique
>>>> access-restricting syscall (that should be allowed by seccomp filters)
>>>> which can only drop privileges. Moreover, a Landlock rule could come
>>>> from outside a process (e.g. passed through a UNIX socket). It is then
>>>> useful to differentiate the creation/load of Landlock eBPF programs via
>>>> bpf(2), from rule enforcement via seccomp(2).
>>>
>>> This seems like a weak argument to me. Sure, this is a bit different
>>> from seccomp(), and maybe shoving it into the seccomp() multiplexer is
>>> awkward, but surely the bpf() multiplexer is even less applicable.
>>
>> I think using the seccomp syscall is fine, and everyone agreed on it.
>>
>
> Ah, sorry, I completely misread what you wrote. My apologies. You
> can disregard most of my email.
>
>>
>>>
>>> Also, looking forward, I think you're going to want a bunch of the
>>> stuff that's under consideration as new seccomp features. Tycho is
>>> working on a "user notifier" feature for seccomp where, in addition to
>>> accepting, rejecting, or kicking to ptrace, you can send a message to
>>> the creator of the filter and wait for a reply. I think that Landlock
>>> will want exactly the same feature.
>>
>> I don't think why this may be useful at all her. Landlock does not
>> filter at the syscall level but handles kernel object and actions as
>> does an LSM. That is the whole purpose of Landlock.
>
> Suppose I'm writing a container manager. I want to run "mount" in the
> container, but I don't want to allow moun() in general and I want to
> emulate certain mount() actions. I can write a filter that catches
> mount using seccomp and calls out to the container manager for help.
> This isn't theoretical -- Tycho wants *exactly* this use case to be
> supported.
Well, I think this use case should be handled with something like
LD_PRELOAD and a helper library. FYI, I did something like this:
https://github.com/stemjail/stemshim
Otherwise, we should think about enabling a process to (dynamically)
extend/patch the vDSO (similar to LD_PRELOAD but at the syscall level
and works with static binaries) for a subset of processes (the same way
seccomp filters are inherited). It may be more powerful and flexible
than extending the kernel/seccomp to patch (buggy?) userland.
>
> But using seccomp for this is indeed annoying. It would be nice to
> use Landlock's ability to filter based on the filesystem type, for
> example. So Tycho could write a Landlock rule like:
>
> bool filter_mount(...)
> {
> if (path needs emulation)
> call_user_notifier();
> }
>
> And it should work.
>
> This means that, if both seccomp user notifiers and Landlock make it
> upstream, then there should probably be a way to have a user notifier
> bound to a seccomp filter and a set of landlock filters.
>
Using seccomp filters and Landlock programs may be powerful. However,
for this use case, I think a *post-syscall* vDSO-like (which could get
some data returned by a Landlock program) may be much more flexible
(with less kernel code). What is needed here is a way to know the kernel
semantic (Landlock) and a way to patch userland without patching its
code (vDSO-like).
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2018-03-06 22:26 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-27 0:41 [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 01/11] fs,security: Add a security blob to nameidata Mickaël Salaün
2018-02-27 0:57 ` Al Viro
2018-02-27 1:23 ` Al Viro
2018-03-11 20:14 ` Mickaël Salaün
2018-02-28 16:27 ` kbuild test robot
2018-02-28 16:58 ` kbuild test robot
2018-02-27 0:41 ` [PATCH bpf-next v8 02/11] fs,security: Add a new file access type: MAY_CHROOT Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 03/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 04/11] bpf,landlock: Define an eBPF program type for Landlock hooks Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy Mickaël Salaün
2018-02-27 2:08 ` Alexei Starovoitov
2018-02-27 4:40 ` Andy Lutomirski
2018-02-27 4:54 ` Alexei Starovoitov
2018-02-27 5:20 ` Andy Lutomirski
2018-02-27 5:32 ` Alexei Starovoitov
2018-02-27 16:39 ` Andy Lutomirski
2018-02-27 17:30 ` Casey Schaufler
2018-02-27 17:36 ` Andy Lutomirski
2018-02-27 18:03 ` Casey Schaufler
2018-02-27 21:48 ` Mickaël Salaün
2018-04-08 13:13 ` Mickaël Salaün
2018-04-08 21:06 ` Andy Lutomirski
2018-04-08 22:01 ` Mickaël Salaün
2018-04-10 4:48 ` Alexei Starovoitov
2018-04-11 22:18 ` Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 06/11] bpf,landlock: Add a new map type: inode Mickaël Salaün
2018-02-28 17:35 ` kbuild test robot
2018-02-27 0:41 ` [PATCH bpf-next v8 07/11] landlock: Handle filesystem access control Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 08/11] landlock: Add ptrace restrictions Mickaël Salaün
2018-02-27 4:17 ` Andy Lutomirski
2018-02-27 5:01 ` Andy Lutomirski
2018-02-27 22:14 ` Mickaël Salaün
2018-02-27 23:02 ` Andy Lutomirski
2018-02-27 23:23 ` Andy Lutomirski
2018-02-28 0:00 ` Mickaël Salaün
2018-02-28 0:09 ` Andy Lutomirski
2018-03-06 22:28 ` Mickaël Salaün
2018-04-01 22:48 ` Mickaël Salaün
2018-02-27 22:18 ` Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 09/11] bpf: Add a Landlock sandbox example Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 10/11] bpf,landlock: Add tests for Landlock Mickaël Salaün
2018-02-27 0:41 ` [PATCH bpf-next v8 11/11] landlock: Add user and kernel documentation " Mickaël Salaün
2018-02-27 4:36 ` [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing Andy Lutomirski
2018-02-27 22:03 ` Mickaël Salaün
2018-02-27 23:09 ` Andy Lutomirski
2018-03-06 22:25 ` Mickaël Salaün [this message]
2018-03-06 22:33 ` Andy Lutomirski
2018-03-06 22:46 ` Tycho Andersen
2018-03-06 23:06 ` Mickaël Salaün
2018-03-07 1:21 ` Andy Lutomirski
2018-03-08 23:51 ` Mickaël Salaün
2018-03-08 23:53 ` Andy Lutomirski
2018-04-01 22:04 ` Mickaël Salaün
2018-04-02 0:39 ` Tycho Andersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a70b41ee-78cb-52cc-152c-ac5e43b7e45c@digikod.net \
--to=mic@digikod.net \
--cc=acme@kernel.org \
--cc=ast@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=drysdale@google.com \
--cc=ebiederm@xmission.com \
--cc=james.l.morris@oracle.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=sargun@sargun.me \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=tgraf@suug.ch \
--cc=tj@kernel.org \
--cc=tycho@tycho.ws \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).