lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 May 2020 13:09:32 +1000 (AEST) From: James Morris <jmorris@...ei.org> To: Mickaël Salaün <mic@...ikod.net> cc: linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...capital.net>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Michael Kerrisk <mtk.manpages@...il.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, "Serge E . Hallyn" <serge@...lyn.com>, Shuah Khan <shuah@...nel.org>, Vincent Dagonneau <vincent.dagonneau@....gouv.fr>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-arch@...r.kernel.org, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kselftest@...r.kernel.org, linux-security-module@...r.kernel.org, x86@...nel.org Subject: Re: [PATCH v17 02/10] landlock: Add ruleset and domain management On Mon, 11 May 2020, Mickaël Salaün wrote: > + * .. warning:: > + * > + * It is currently not possible to restrict some file-related actions > + * accessible through these syscall families: :manpage:`chdir(2)`, > + * :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`, > + * :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`, > + * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`. > + * Future Landlock evolutions will enable to restrict them. I have to wonder how useful Landlock will be without more coverage per the above. It would be helpful if you could outline a threat model for this initial version, so people can get an idea of what kind of useful protection may be gained from it. Are there any distros or other major users who are planning on enabling or at least investigating Landlock? Do you have any examples of a practical application of this scheme? -- James Morris <jmorris@...ei.org>
Powered by blists - more mailing lists