Message-ID: <CAMOXUJ=kiZDEpuBfys0Me4o8wqSymCz+Eu_qdQdOH5+Czzfj8g@mail.gmail.com>
Date: Mon, 28 Aug 2017 17:47:19 -0700
From: Chenbo Feng <fengc@...gle.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: Daniel Borkmann <daniel@...earbox.net>,
Jeffrey Vander Stoep <jeffv@...gle.com>,
Stephen Smalley <sds@...ho.nsa.gov>, netdev@...r.kernel.org,
SELinux <Selinux@...ho.nsa.gov>,
Mickaël Salaün <mic@...ikod.net>
Subject: Re: Permissions for eBPF objects
On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov
<alexei.starovoitov@...il.com> wrote:
> On Fri, Aug 25, 2017 at 10:07:27PM +0200, Daniel Borkmann wrote:
>> On 08/25/2017 09:52 PM, Chenbo Feng wrote:
>> > On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep <jeffv@...gle.com> wrote:
>> > > On Fri, Aug 25, 2017 at 12:26 PM, Stephen Smalley <sds@...ho.nsa.gov> wrote:
>> > > > On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep via Selinux
>> > > > wrote:
>> > > > > I’d like to get your thoughts on adding LSM permission checks on BPF
>> > > > > objects.
>
> before reinventing the wheel please take a look at landlock work.
> Everything that was discussed in this thread is covered by it.
> The patches have been in development for more than a year and most of the early
> issues have been resolved.
> It will be presented again during security summit in LA in September.
>
I am not very familiar with the landlock LSM; doesn't this module also
depend on the LSM hooks to do the landlock check? If so, then adding
LSM hooks for eBPF objects does not seem to conflict with the work in
progress.