[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <57E16D07.4050301@digikod.net>
Date: Tue, 20 Sep 2016 19:08:23 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Pavel Machek <pavel@....cz>
Cc: linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
Andy Lutomirski <luto@...capital.net>,
Arnd Bergmann <arnd@...db.de>,
Casey Schaufler <casey@...aufler-ca.com>,
Daniel Borkmann <daniel@...earbox.net>,
Daniel Mack <daniel@...que.org>,
David Drysdale <drysdale@...gle.com>,
"David S . Miller" <davem@...emloft.net>,
Elena Reshetova <elena.reshetova@...el.com>,
James Morris <james.l.morris@...cle.com>,
Kees Cook <keescook@...omium.org>,
Paul Moore <pmoore@...hat.com>,
Sargun Dhillon <sargun@...gun.me>,
"Serge E . Hallyn" <serge@...lyn.com>,
Will Drewry <wad@...omium.org>,
kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
linux-security-module@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [RFC v2 00/10] Landlock LSM: Unprivileged sandboxing
On 15/09/2016 11:19, Pavel Machek wrote:
> Hi!
>
>> This series is a proof of concept to fill some missing part of seccomp as the
>> ability to check syscall argument pointers or creating more dynamic security
>> policies. The goal of this new stackable Linux Security Module (LSM) called
>> Landlock is to allow any process, including unprivileged ones, to create
>> powerful security sandboxes comparable to the Seatbelt/XNU Sandbox or the
>> OpenBSD Pledge. This kind of sandbox help to mitigate the security impact of
>> bugs or unexpected/malicious behaviors in userland applications.
>>
>> The first RFC [1] was focused on extending seccomp while staying at the syscall
>> level. This brought a working PoC but with some (mitigated) ToCToU race
>> conditions due to the seccomp ptrace hole (now fixed) and the non-atomic
>> syscall argument evaluation (hence the LSM hooks).
>
> Long and nice description follows. Should it go to Documentation/
> somewhere?
>
> Because some documentation would be useful...
> Pavel
Right, but I was looking for feedback before investing in documentation. :)
>
>> include/linux/bpf.h | 41 +++++
>> include/linux/lsm_hooks.h | 5 +
>> include/linux/seccomp.h | 54 ++++++-
>> include/uapi/asm-generic/errno-base.h | 1 +
>> include/uapi/linux/bpf.h | 103 ++++++++++++
>> include/uapi/linux/seccomp.h | 2 +
>> kernel/bpf/arraymap.c | 222 +++++++++++++++++++++++++
>> kernel/bpf/syscall.c | 18 ++-
>> kernel/bpf/verifier.c | 32 +++-
>> kernel/fork.c | 41 ++++-
>> kernel/seccomp.c | 211 +++++++++++++++++++++++-
>> samples/Makefile | 2 +-
>> samples/landlock/.gitignore | 1 +
>> samples/landlock/Makefile | 16 ++
>> samples/landlock/sandbox.c | 295 ++++++++++++++++++++++++++++++++++
>> security/Kconfig | 1 +
>> security/Makefile | 2 +
>> security/landlock/Kconfig | 19 +++
>> security/landlock/Makefile | 3 +
>> security/landlock/checker_cgroup.c | 96 +++++++++++
>> security/landlock/checker_cgroup.h | 18 +++
>> security/landlock/checker_fs.c | 183 +++++++++++++++++++++
>> security/landlock/checker_fs.h | 20 +++
>> security/landlock/lsm.c | 228 ++++++++++++++++++++++++++
>> security/security.c | 1 +
>> 25 files changed, 1592 insertions(+), 23 deletions(-)
>> create mode 100644 samples/landlock/.gitignore
>> create mode 100644 samples/landlock/Makefile
>> create mode 100644 samples/landlock/sandbox.c
>> create mode 100644 security/landlock/Kconfig
>> create mode 100644 security/landlock/Makefile
>> create mode 100644 security/landlock/checker_cgroup.c
>> create mode 100644 security/landlock/checker_cgroup.h
>> create mode 100644 security/landlock/checker_fs.c
>> create mode 100644 security/landlock/checker_fs.h
>> create mode 100644 security/landlock/lsm.c
>>
>
Download attachment "signature.asc" of type "application/pgp-signature" (456 bytes)
Powered by blists - more mailing lists