From: "Mickaël Salaün" <mic@digikod.net>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: linux-kernel@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Arnd Bergmann <arnd@arndb.de>,
Casey Schaufler <casey@schaufler-ca.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Daniel Mack <daniel@zonque.org>,
David Drysdale <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
Elena Reshetova <elena.reshetova@intel.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
James Morris <james.l.morris@oracle.com>,
Kees Cook <keescook@chromium.org>, Paul Moore <pmoore@redhat.com>,
Sargun Dhillon <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>, Tejun Heo <tj@kernel.org>,
Will Drewry <wad@chromium.org>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-security-module@vger.kernel.org, netdev@vger.ker
Subject: Re: [RFC v3 07/22] landlock: Handle file comparisons
Date: Thu, 15 Sep 2016 01:02:22 +0200 [thread overview]
Message-ID: <57D9D6FE.4090708@digikod.net> (raw)
In-Reply-To: <20160914210649.GA57174@ast-mbp.thefacebook.com>
[-- Attachment #1.1: Type: text/plain, Size: 4653 bytes --]
On 14/09/2016 23:06, Alexei Starovoitov wrote:
> On Wed, Sep 14, 2016 at 09:24:00AM +0200, Mickaël Salaün wrote:
>> Add eBPF functions to compare file system access with a Landlock file
>> system handle:
>> * bpf_landlock_cmp_fs_prop_with_struct_file(prop, map, map_op, file)
>> This function allows to compare the dentry, inode, device or mount
>> point of the currently accessed file, with a reference handle.
>> * bpf_landlock_cmp_fs_beneath_with_struct_file(opt, map, map_op, file)
>> This function allows an eBPF program to check if the current accessed
>> file is the same or in the hierarchy of a reference handle.
>>
>> The goal of file system handle is to abstract kernel objects such as a
>> struct file or a struct inode. Userland can create this kind of handle
>> thanks to the BPF_MAP_UPDATE_ELEM command. The element is a struct
>> landlock_handle containing the handle type (e.g.
>> BPF_MAP_HANDLE_TYPE_LANDLOCK_FS_FD) and a file descriptor. This could
>> also be any descriptions able to match a struct file or a struct inode
>> (e.g. path or glob string).
>>
>> Changes since v2:
>> * add MNT_INTERNAL check to only add file handle from user-visible FS
>> (e.g. no anonymous inode)
>> * replace struct file* with struct path* in map_landlock_handle
>> * add BPF protos
>> * fix bpf_landlock_cmp_fs_prop_with_struct_file()
>>
>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>> Cc: Alexei Starovoitov <ast@kernel.org>
>> Cc: Andy Lutomirski <luto@amacapital.net>
>> Cc: Daniel Borkmann <daniel@iogearbox.net>
>> Cc: David S. Miller <davem@davemloft.net>
>> Cc: James Morris <james.l.morris@oracle.com>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Serge E. Hallyn <serge@hallyn.com>
>> Link: https://lkml.kernel.org/r/CALCETrWwTiz3kZTkEgOW24-DvhQq6LftwEXh77FD2G5o71yD7g@mail.gmail.com
>
> thanks for keeping the links to the previous discussion.
> Long term it should help, though I worry we already at the point
> where there are too many outstanding issues to resolve before we
> can proceed with reasonable code review.
>
>> +/*
>> + * bpf_landlock_cmp_fs_prop_with_struct_file
>> + *
>> + * Cf. include/uapi/linux/bpf.h
>> + */
>> +static inline u64 bpf_landlock_cmp_fs_prop_with_struct_file(u64 r1_property,
>> + u64 r2_map, u64 r3_map_op, u64 r4_file, u64 r5)
>> +{
>> + u8 property = (u8) r1_property;
>> + struct bpf_map *map = (struct bpf_map *) (unsigned long) r2_map;
>> + enum bpf_map_array_op map_op = r3_map_op;
>> + struct file *file = (struct file *) (unsigned long) r4_file;
>
> please use just added BPF_CALL_ macros. They will help readability of the above.
>
>> + struct bpf_array *array = container_of(map, struct bpf_array, map);
>> + struct path *p1, *p2;
>> + struct map_landlock_handle *handle;
>> + int i;
>> +
>> + /* ARG_CONST_PTR_TO_LANDLOCK_HANDLE_FS is an arraymap */
>> + if (unlikely(!map)) {
>> + WARN_ON(1);
>> + return -EFAULT;
>> + }
>> + if (unlikely(!file))
>> + return -ENOENT;
>> + if (unlikely((property | _LANDLOCK_FLAG_FS_MASK) != _LANDLOCK_FLAG_FS_MASK))
>> + return -EINVAL;
>> +
>> + /* for now, only handle OP_OR */
>> + switch (map_op) {
>> + case BPF_MAP_ARRAY_OP_OR:
>> + break;
>> + case BPF_MAP_ARRAY_OP_UNSPEC:
>> + case BPF_MAP_ARRAY_OP_AND:
>> + case BPF_MAP_ARRAY_OP_XOR:
>> + default:
>> + return -EINVAL;
>> + }
>> + p2 = &file->f_path;
>> +
>> + synchronize_rcu();
>
> that is completely broken.
> bpf programs are executing under rcu_lock.
> please enable CONFIG_PROVE_RCU and retest everything.
Thanks for the tip. I will fix this.
>
> I would suggest for the next RFC to do minimal 7 patches up to this point
> with simple example that demonstrates the use case.
> I would avoid all unpriv stuff and all of seccomp for the next RFC as well,
> otherwise I don't think we can realistically make forward progress, since
> there are too many issues raised in the subsequent patches.
I hope we will find a common agreement about seccomp vs cgroup… I think
both approaches have their advantages, can be complementary and nicely
combined.
Unprivileged sandboxing is the main goal of Landlock. This should not be
a problem, even for privileged features, thanks to the new subtype/access.
>
> The common part that is mergeable is prog's subtype extension to
> the verifier that can be used for better tracing and is the common
> piece of infra needed for both landlock and checmate LSMs
> (which must be one LSM anyway)
Agreed. With this RFC, the Checmate features (i.e. network helpers)
should be able to sit on top of Landlock.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: "Mickaël Salaün" <mic@digikod.net>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: linux-kernel@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Arnd Bergmann <arnd@arndb.de>,
Casey Schaufler <casey@schaufler-ca.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Daniel Mack <daniel@zonque.org>,
David Drysdale <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
Elena Reshetova <elena.reshetova@intel.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
James Morris <james.l.morris@oracle.com>,
Kees Cook <keescook@chromium.org>, Paul Moore <pmoore@redhat.com>,
Sargun Dhillon <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>, Tejun Heo <tj@kernel.org>,
Will Drewry <wad@chromium.org>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
cgroups@vger.kernel.org
Subject: [kernel-hardening] Re: [RFC v3 07/22] landlock: Handle file comparisons
Date: Thu, 15 Sep 2016 01:02:22 +0200 [thread overview]
Message-ID: <57D9D6FE.4090708@digikod.net> (raw)
In-Reply-To: <20160914210649.GA57174@ast-mbp.thefacebook.com>
[-- Attachment #1.1: Type: text/plain, Size: 4653 bytes --]
On 14/09/2016 23:06, Alexei Starovoitov wrote:
> On Wed, Sep 14, 2016 at 09:24:00AM +0200, Mickaël Salaün wrote:
>> Add eBPF functions to compare file system access with a Landlock file
>> system handle:
>> * bpf_landlock_cmp_fs_prop_with_struct_file(prop, map, map_op, file)
>> This function allows to compare the dentry, inode, device or mount
>> point of the currently accessed file, with a reference handle.
>> * bpf_landlock_cmp_fs_beneath_with_struct_file(opt, map, map_op, file)
>> This function allows an eBPF program to check if the current accessed
>> file is the same or in the hierarchy of a reference handle.
>>
>> The goal of file system handle is to abstract kernel objects such as a
>> struct file or a struct inode. Userland can create this kind of handle
>> thanks to the BPF_MAP_UPDATE_ELEM command. The element is a struct
>> landlock_handle containing the handle type (e.g.
>> BPF_MAP_HANDLE_TYPE_LANDLOCK_FS_FD) and a file descriptor. This could
>> also be any descriptions able to match a struct file or a struct inode
>> (e.g. path or glob string).
>>
>> Changes since v2:
>> * add MNT_INTERNAL check to only add file handle from user-visible FS
>> (e.g. no anonymous inode)
>> * replace struct file* with struct path* in map_landlock_handle
>> * add BPF protos
>> * fix bpf_landlock_cmp_fs_prop_with_struct_file()
>>
>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>> Cc: Alexei Starovoitov <ast@kernel.org>
>> Cc: Andy Lutomirski <luto@amacapital.net>
>> Cc: Daniel Borkmann <daniel@iogearbox.net>
>> Cc: David S. Miller <davem@davemloft.net>
>> Cc: James Morris <james.l.morris@oracle.com>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Serge E. Hallyn <serge@hallyn.com>
>> Link: https://lkml.kernel.org/r/CALCETrWwTiz3kZTkEgOW24-DvhQq6LftwEXh77FD2G5o71yD7g@mail.gmail.com
>
> thanks for keeping the links to the previous discussion.
> Long term it should help, though I worry we already at the point
> where there are too many outstanding issues to resolve before we
> can proceed with reasonable code review.
>
>> +/*
>> + * bpf_landlock_cmp_fs_prop_with_struct_file
>> + *
>> + * Cf. include/uapi/linux/bpf.h
>> + */
>> +static inline u64 bpf_landlock_cmp_fs_prop_with_struct_file(u64 r1_property,
>> + u64 r2_map, u64 r3_map_op, u64 r4_file, u64 r5)
>> +{
>> + u8 property = (u8) r1_property;
>> + struct bpf_map *map = (struct bpf_map *) (unsigned long) r2_map;
>> + enum bpf_map_array_op map_op = r3_map_op;
>> + struct file *file = (struct file *) (unsigned long) r4_file;
>
> please use just added BPF_CALL_ macros. They will help readability of the above.
>
>> + struct bpf_array *array = container_of(map, struct bpf_array, map);
>> + struct path *p1, *p2;
>> + struct map_landlock_handle *handle;
>> + int i;
>> +
>> + /* ARG_CONST_PTR_TO_LANDLOCK_HANDLE_FS is an arraymap */
>> + if (unlikely(!map)) {
>> + WARN_ON(1);
>> + return -EFAULT;
>> + }
>> + if (unlikely(!file))
>> + return -ENOENT;
>> + if (unlikely((property | _LANDLOCK_FLAG_FS_MASK) != _LANDLOCK_FLAG_FS_MASK))
>> + return -EINVAL;
>> +
>> + /* for now, only handle OP_OR */
>> + switch (map_op) {
>> + case BPF_MAP_ARRAY_OP_OR:
>> + break;
>> + case BPF_MAP_ARRAY_OP_UNSPEC:
>> + case BPF_MAP_ARRAY_OP_AND:
>> + case BPF_MAP_ARRAY_OP_XOR:
>> + default:
>> + return -EINVAL;
>> + }
>> + p2 = &file->f_path;
>> +
>> + synchronize_rcu();
>
> that is completely broken.
> bpf programs are executing under rcu_lock.
> please enable CONFIG_PROVE_RCU and retest everything.
Thanks for the tip. I will fix this.
>
> I would suggest for the next RFC to do minimal 7 patches up to this point
> with simple example that demonstrates the use case.
> I would avoid all unpriv stuff and all of seccomp for the next RFC as well,
> otherwise I don't think we can realistically make forward progress, since
> there are too many issues raised in the subsequent patches.
I hope we will find a common agreement about seccomp vs cgroup… I think
both approaches have their advantages, can be complementary and nicely
combined.
Unprivileged sandboxing is the main goal of Landlock. This should not be
a problem, even for privileged features, thanks to the new subtype/access.
>
> The common part that is mergeable is prog's subtype extension to
> the verifier that can be used for better tracing and is the common
> piece of infra needed for both landlock and checmate LSMs
> (which must be one LSM anyway)
Agreed. With this RFC, the Checmate features (i.e. network helpers)
should be able to sit on top of Landlock.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: "Mickaël Salaün" <mic@digikod.net>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: linux-kernel@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
Arnd Bergmann <arnd@arndb.de>,
Casey Schaufler <casey@schaufler-ca.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Daniel Mack <daniel@zonque.org>,
David Drysdale <drysdale@google.com>,
"David S . Miller" <davem@davemloft.net>,
Elena Reshetova <elena.reshetova@intel.com>,
"Eric W . Biederman" <ebiederm@xmission.com>,
James Morris <james.l.morris@oracle.com>,
Kees Cook <keescook@chromium.org>, Paul Moore <pmoore@redhat.com>,
Sargun Dhillon <sargun@sargun.me>,
"Serge E . Hallyn" <serge@hallyn.com>, Tejun Heo <tj@kernel.org>,
Will Drewry <wad@chromium.org>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
cgroups@vger.kernel.org
Subject: Re: [RFC v3 07/22] landlock: Handle file comparisons
Date: Thu, 15 Sep 2016 01:02:22 +0200 [thread overview]
Message-ID: <57D9D6FE.4090708@digikod.net> (raw)
In-Reply-To: <20160914210649.GA57174@ast-mbp.thefacebook.com>
[-- Attachment #1.1: Type: text/plain, Size: 4653 bytes --]
On 14/09/2016 23:06, Alexei Starovoitov wrote:
> On Wed, Sep 14, 2016 at 09:24:00AM +0200, Mickaël Salaün wrote:
>> Add eBPF functions to compare file system access with a Landlock file
>> system handle:
>> * bpf_landlock_cmp_fs_prop_with_struct_file(prop, map, map_op, file)
>> This function allows to compare the dentry, inode, device or mount
>> point of the currently accessed file, with a reference handle.
>> * bpf_landlock_cmp_fs_beneath_with_struct_file(opt, map, map_op, file)
>> This function allows an eBPF program to check if the current accessed
>> file is the same or in the hierarchy of a reference handle.
>>
>> The goal of file system handle is to abstract kernel objects such as a
>> struct file or a struct inode. Userland can create this kind of handle
>> thanks to the BPF_MAP_UPDATE_ELEM command. The element is a struct
>> landlock_handle containing the handle type (e.g.
>> BPF_MAP_HANDLE_TYPE_LANDLOCK_FS_FD) and a file descriptor. This could
>> also be any descriptions able to match a struct file or a struct inode
>> (e.g. path or glob string).
>>
>> Changes since v2:
>> * add MNT_INTERNAL check to only add file handle from user-visible FS
>> (e.g. no anonymous inode)
>> * replace struct file* with struct path* in map_landlock_handle
>> * add BPF protos
>> * fix bpf_landlock_cmp_fs_prop_with_struct_file()
>>
>> Signed-off-by: Mickaël Salaün <mic@digikod.net>
>> Cc: Alexei Starovoitov <ast@kernel.org>
>> Cc: Andy Lutomirski <luto@amacapital.net>
>> Cc: Daniel Borkmann <daniel@iogearbox.net>
>> Cc: David S. Miller <davem@davemloft.net>
>> Cc: James Morris <james.l.morris@oracle.com>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Serge E. Hallyn <serge@hallyn.com>
>> Link: https://lkml.kernel.org/r/CALCETrWwTiz3kZTkEgOW24-DvhQq6LftwEXh77FD2G5o71yD7g@mail.gmail.com
>
> thanks for keeping the links to the previous discussion.
> Long term it should help, though I worry we already at the point
> where there are too many outstanding issues to resolve before we
> can proceed with reasonable code review.
>
>> +/*
>> + * bpf_landlock_cmp_fs_prop_with_struct_file
>> + *
>> + * Cf. include/uapi/linux/bpf.h
>> + */
>> +static inline u64 bpf_landlock_cmp_fs_prop_with_struct_file(u64 r1_property,
>> + u64 r2_map, u64 r3_map_op, u64 r4_file, u64 r5)
>> +{
>> + u8 property = (u8) r1_property;
>> + struct bpf_map *map = (struct bpf_map *) (unsigned long) r2_map;
>> + enum bpf_map_array_op map_op = r3_map_op;
>> + struct file *file = (struct file *) (unsigned long) r4_file;
>
> please use just added BPF_CALL_ macros. They will help readability of the above.
>
>> + struct bpf_array *array = container_of(map, struct bpf_array, map);
>> + struct path *p1, *p2;
>> + struct map_landlock_handle *handle;
>> + int i;
>> +
>> + /* ARG_CONST_PTR_TO_LANDLOCK_HANDLE_FS is an arraymap */
>> + if (unlikely(!map)) {
>> + WARN_ON(1);
>> + return -EFAULT;
>> + }
>> + if (unlikely(!file))
>> + return -ENOENT;
>> + if (unlikely((property | _LANDLOCK_FLAG_FS_MASK) != _LANDLOCK_FLAG_FS_MASK))
>> + return -EINVAL;
>> +
>> + /* for now, only handle OP_OR */
>> + switch (map_op) {
>> + case BPF_MAP_ARRAY_OP_OR:
>> + break;
>> + case BPF_MAP_ARRAY_OP_UNSPEC:
>> + case BPF_MAP_ARRAY_OP_AND:
>> + case BPF_MAP_ARRAY_OP_XOR:
>> + default:
>> + return -EINVAL;
>> + }
>> + p2 = &file->f_path;
>> +
>> + synchronize_rcu();
>
> that is completely broken.
> bpf programs are executing under rcu_lock.
> please enable CONFIG_PROVE_RCU and retest everything.
Thanks for the tip. I will fix this.
>
> I would suggest for the next RFC to do minimal 7 patches up to this point
> with simple example that demonstrates the use case.
> I would avoid all unpriv stuff and all of seccomp for the next RFC as well,
> otherwise I don't think we can realistically make forward progress, since
> there are too many issues raised in the subsequent patches.
I hope we will find a common agreement about seccomp vs cgroup… I think
both approaches have their advantages, can be complementary and nicely
combined.
Unprivileged sandboxing is the main goal of Landlock. This should not be
a problem, even for privileged features, thanks to the new subtype/access.
>
> The common part that is mergeable is prog's subtype extension to
> the verifier that can be used for better tracing and is the common
> piece of infra needed for both landlock and checmate LSMs
> (which must be one LSM anyway)
Agreed. With this RFC, the Checmate features (i.e. network helpers)
should be able to sit on top of Landlock.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
next prev parent reply other threads:[~2016-09-14 23:02 UTC|newest]
Thread overview: 260+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-14 7:23 [RFC v3 00/22] Landlock LSM: Unprivileged sandboxing Mickaël Salaün
2016-09-14 7:23 ` Mickaël Salaün
2016-09-14 7:23 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <20160914072415.26021-1-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-09-14 7:23 ` [RFC v3 01/22] landlock: Add Kconfig Mickaël Salaün
2016-09-14 7:23 ` Mickaël Salaün
2016-09-14 7:23 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 09/22] seccomp: Move struct seccomp_filter in seccomp.h Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:23 ` [RFC v3 02/22] bpf: Move u64_to_ptr() to BPF headers and inline it Mickaël Salaün
2016-09-14 7:23 ` Mickaël Salaün
2016-09-14 7:23 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:23 ` [RFC v3 03/22] bpf,landlock: Add a new arraymap type to deal with (Landlock) handles Mickaël Salaün
2016-09-14 7:23 ` Mickaël Salaün
2016-09-14 7:23 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 18:51 ` Alexei Starovoitov
2016-09-14 18:51 ` Alexei Starovoitov
2016-09-14 18:51 ` Alexei Starovoitov
2016-09-14 18:51 ` [kernel-hardening] " Alexei Starovoitov
2016-09-14 23:22 ` Mickaël Salaün
2016-09-14 23:22 ` Mickaël Salaün
2016-09-14 23:22 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 23:28 ` Alexei Starovoitov
2016-09-14 23:28 ` Alexei Starovoitov
2016-09-14 23:28 ` Alexei Starovoitov
2016-09-14 23:28 ` [kernel-hardening] " Alexei Starovoitov
2016-09-15 21:51 ` Mickaël Salaün
2016-09-15 21:51 ` Mickaël Salaün
2016-09-15 21:51 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <20160914072415.26021-4-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-10-03 23:53 ` Kees Cook
2016-10-03 23:53 ` Kees Cook
2016-10-03 23:53 ` [kernel-hardening] " Kees Cook
2016-10-05 22:02 ` Mickaël Salaün
2016-10-05 22:02 ` Mickaël Salaün
2016-10-05 22:02 ` Mickaël Salaün
2016-10-05 22:02 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:23 ` [RFC v3 04/22] bpf: Set register type according to is_valid_access() Mickaël Salaün
2016-09-14 7:23 ` Mickaël Salaün
2016-09-14 7:23 ` [kernel-hardening] " Mickaël Salaün
2016-10-19 14:54 ` Thomas Graf
2016-10-19 14:54 ` Thomas Graf
2016-10-19 14:54 ` [kernel-hardening] " Thomas Graf
2016-10-19 15:10 ` Daniel Borkmann
2016-10-19 15:10 ` Daniel Borkmann
2016-10-19 15:10 ` Daniel Borkmann
2016-10-19 15:10 ` [kernel-hardening] " Daniel Borkmann
2016-09-14 7:23 ` [RFC v3 05/22] bpf,landlock: Add eBPF program subtype and is_valid_subtype() verifier Mickaël Salaün
2016-09-14 7:23 ` Mickaël Salaün
2016-09-14 7:23 ` [kernel-hardening] " Mickaël Salaün
2016-10-19 15:01 ` Thomas Graf
2016-10-19 15:01 ` Thomas Graf
2016-10-19 15:01 ` [kernel-hardening] " Thomas Graf
2016-09-14 7:23 ` [RFC v3 06/22] landlock: Add LSM hooks Mickaël Salaün
2016-09-14 7:23 ` Mickaël Salaün
2016-09-14 7:23 ` [kernel-hardening] " Mickaël Salaün
2016-10-19 15:19 ` Thomas Graf
2016-10-19 15:19 ` [kernel-hardening] " Thomas Graf
2016-10-19 22:42 ` Mickaël Salaün
2016-10-19 22:42 ` Mickaël Salaün
2016-10-19 22:42 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 07/22] landlock: Handle file comparisons Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 19:07 ` Jann Horn
2016-09-14 19:07 ` Jann Horn
2016-09-14 19:07 ` [kernel-hardening] " Jann Horn
2016-09-14 22:39 ` Mickaël Salaün
2016-09-14 22:39 ` Mickaël Salaün
2016-09-14 22:39 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <20160914072415.26021-8-mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-09-14 21:06 ` Alexei Starovoitov
2016-09-14 21:06 ` Alexei Starovoitov
2016-09-14 21:06 ` [kernel-hardening] " Alexei Starovoitov
2016-09-14 23:02 ` Mickaël Salaün [this message]
2016-09-14 23:02 ` Mickaël Salaün
2016-09-14 23:02 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 23:24 ` Alexei Starovoitov
2016-09-14 23:24 ` Alexei Starovoitov
2016-09-14 23:24 ` [kernel-hardening] " Alexei Starovoitov
2016-09-15 21:25 ` Mickaël Salaün
2016-09-15 21:25 ` Mickaël Salaün
2016-09-15 21:25 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <57DB11B6.7090500-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-09-20 0:12 ` lsm naming dilemma. " Alexei Starovoitov
2016-09-20 0:12 ` Alexei Starovoitov
2016-09-20 0:12 ` [kernel-hardening] " Alexei Starovoitov
2016-09-20 1:10 ` Sargun Dhillon
2016-09-20 1:10 ` Sargun Dhillon
2016-09-20 1:10 ` [kernel-hardening] " Sargun Dhillon
2016-09-20 16:58 ` Mickaël Salaün
2016-09-20 16:58 ` Mickaël Salaün
2016-09-20 16:58 ` [kernel-hardening] " Mickaël Salaün
2016-10-03 23:30 ` Kees Cook
2016-10-03 23:30 ` Kees Cook
2016-10-03 23:30 ` [kernel-hardening] " Kees Cook
2016-09-14 7:24 ` [RFC v3 08/22] seccomp: Fix documentation for struct seccomp_filter Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 10/22] seccomp: Split put_seccomp_filter() with put_seccomp() Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 11/22] seccomp,landlock: Handle Landlock hooks per process hierarchy Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 18:43 ` Andy Lutomirski
2016-09-14 18:43 ` Andy Lutomirski
2016-09-14 18:43 ` Andy Lutomirski
2016-09-14 18:43 ` Andy Lutomirski
2016-09-14 18:43 ` [kernel-hardening] " Andy Lutomirski
2016-09-14 22:34 ` Mickaël Salaün
2016-09-14 22:34 ` Mickaël Salaün
2016-09-14 22:34 ` Mickaël Salaün
2016-09-14 22:34 ` [kernel-hardening] " Mickaël Salaün
2016-10-03 23:52 ` Kees Cook
2016-10-03 23:52 ` Kees Cook
2016-10-03 23:52 ` Kees Cook
2016-10-03 23:52 ` Kees Cook
2016-10-03 23:52 ` [kernel-hardening] " Kees Cook
2016-10-05 21:05 ` Mickaël Salaün
2016-10-05 21:05 ` Mickaël Salaün
2016-10-05 21:05 ` Mickaël Salaün
2016-10-05 21:05 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 12/22] bpf: Cosmetic change for bpf_prog_attach() Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 13/22] bpf/cgroup: Replace struct bpf_prog with union bpf_object Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 14/22] bpf/cgroup: Make cgroup_bpf_update() return an error code Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 21:16 ` Alexei Starovoitov
2016-09-14 21:16 ` Alexei Starovoitov
2016-09-14 21:16 ` [kernel-hardening] " Alexei Starovoitov
2016-09-14 7:24 ` [RFC v3 15/22] bpf/cgroup: Move capability check Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 16/22] bpf/cgroup,landlock: Handle Landlock hooks per cgroup Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-10-03 23:43 ` Kees Cook
2016-10-03 23:43 ` Kees Cook
2016-10-03 23:43 ` [kernel-hardening] " Kees Cook
2016-10-05 20:58 ` Mickaël Salaün
2016-10-05 20:58 ` Mickaël Salaün
2016-10-05 20:58 ` Mickaël Salaün
2016-10-05 20:58 ` [kernel-hardening] " Mickaël Salaün
2016-10-05 21:25 ` Kees Cook
2016-10-05 21:25 ` Kees Cook
2016-10-05 21:25 ` [kernel-hardening] " Kees Cook
2016-09-14 7:24 ` [RFC v3 17/22] cgroup: Add access check for cgroup_get_from_fd() Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 22:06 ` Mickaël Salaün
2016-09-14 22:06 ` Mickaël Salaün
2016-09-14 22:06 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 18/22] cgroup,landlock: Add CGRP_NO_NEW_PRIVS to handle unprivileged hooks Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 18:27 ` Andy Lutomirski
2016-09-14 18:27 ` Andy Lutomirski
2016-09-14 18:27 ` Andy Lutomirski
2016-09-14 18:27 ` Andy Lutomirski
2016-09-14 18:27 ` [kernel-hardening] " Andy Lutomirski
2016-09-14 22:11 ` Mickaël Salaün
2016-09-14 22:11 ` Mickaël Salaün
2016-09-14 22:11 ` Mickaël Salaün
2016-09-14 22:11 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <57D9CB25.1010103-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-09-15 1:25 ` Andy Lutomirski
2016-09-15 1:25 ` Andy Lutomirski
2016-09-15 1:25 ` Andy Lutomirski
2016-09-15 1:25 ` Andy Lutomirski
2016-09-15 1:25 ` [kernel-hardening] " Andy Lutomirski
2016-09-15 2:19 ` Alexei Starovoitov
2016-09-15 2:19 ` Alexei Starovoitov
2016-09-15 2:19 ` [kernel-hardening] " Alexei Starovoitov
2016-09-15 2:27 ` Andy Lutomirski
2016-09-15 2:27 ` Andy Lutomirski
2016-09-15 2:27 ` Andy Lutomirski
2016-09-15 2:27 ` [kernel-hardening] " Andy Lutomirski
2016-09-15 4:00 ` Alexei Starovoitov
2016-09-15 4:00 ` Alexei Starovoitov
2016-09-15 4:00 ` Alexei Starovoitov
2016-09-15 4:00 ` [kernel-hardening] " Alexei Starovoitov
[not found] ` <20160915040054.GA65308-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-09-15 4:08 ` Andy Lutomirski
2016-09-15 4:08 ` Andy Lutomirski
2016-09-15 4:08 ` Andy Lutomirski
2016-09-15 4:08 ` [kernel-hardening] " Andy Lutomirski
[not found] ` <CALCETrXTS8R1E2b9mmWzpOO6QOW5nWYW_RQRJYU1CGRsbNy+Yw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-09-15 4:31 ` Alexei Starovoitov
2016-09-15 4:31 ` Alexei Starovoitov
2016-09-15 4:31 ` Alexei Starovoitov
2016-09-15 4:31 ` [kernel-hardening] " Alexei Starovoitov
[not found] ` <20160915043120.GA65819-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-09-15 4:38 ` Andy Lutomirski
2016-09-15 4:38 ` Andy Lutomirski
2016-09-15 4:38 ` Andy Lutomirski
2016-09-15 4:38 ` [kernel-hardening] " Andy Lutomirski
2016-09-15 4:48 ` Alexei Starovoitov
2016-09-15 4:48 ` Alexei Starovoitov
2016-09-15 4:48 ` Alexei Starovoitov
2016-09-15 4:48 ` [kernel-hardening] " Alexei Starovoitov
2016-09-15 19:41 ` Mickaël Salaün
2016-09-15 19:41 ` Mickaël Salaün
2016-09-15 19:41 ` Mickaël Salaün
2016-09-15 19:41 ` [kernel-hardening] " Mickaël Salaün
2016-09-20 4:37 ` Sargun Dhillon
2016-09-20 4:37 ` Sargun Dhillon
2016-09-20 4:37 ` [kernel-hardening] " Sargun Dhillon
2016-09-20 17:02 ` Mickaël Salaün
2016-09-20 17:02 ` Mickaël Salaün
2016-09-20 17:02 ` Mickaël Salaün
2016-09-20 17:02 ` [kernel-hardening] " Mickaël Salaün
2016-09-15 19:35 ` Mickaël Salaün
2016-09-15 19:35 ` Mickaël Salaün
2016-09-15 19:35 ` Mickaël Salaün
2016-09-15 19:35 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 19/22] landlock: Add interrupted origin Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 18:29 ` Andy Lutomirski
2016-09-14 18:29 ` Andy Lutomirski
2016-09-14 18:29 ` Andy Lutomirski
2016-09-14 18:29 ` Andy Lutomirski
2016-09-14 18:29 ` [kernel-hardening] " Andy Lutomirski
2016-09-14 22:14 ` Mickaël Salaün
2016-09-14 22:14 ` Mickaël Salaün
2016-09-14 22:14 ` Mickaël Salaün
2016-09-14 22:14 ` [kernel-hardening] " Mickaël Salaün
[not found] ` <57D9CBD3.7030100-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-09-15 1:19 ` Andy Lutomirski
2016-09-15 1:19 ` Andy Lutomirski
2016-09-15 1:19 ` Andy Lutomirski
2016-09-15 1:19 ` Andy Lutomirski
2016-09-15 1:19 ` [kernel-hardening] " Andy Lutomirski
2016-10-03 23:46 ` Kees Cook
2016-10-03 23:46 ` Kees Cook
2016-10-03 23:46 ` [kernel-hardening] " Kees Cook
2016-10-05 21:01 ` Mickaël Salaün
2016-10-05 21:01 ` Mickaël Salaün
2016-10-05 21:01 ` Mickaël Salaün
2016-10-05 21:01 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 20/22] landlock: Add update and debug access flags Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 21/22] bpf,landlock: Add optional skb pointer in the Landlock context Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 21:20 ` Alexei Starovoitov
2016-09-14 21:20 ` Alexei Starovoitov
2016-09-14 21:20 ` [kernel-hardening] " Alexei Starovoitov
2016-09-14 22:46 ` Mickaël Salaün
2016-09-14 22:46 ` Mickaël Salaün
2016-09-14 22:46 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 7:24 ` [RFC v3 22/22] samples/landlock: Add sandbox example Mickaël Salaün
2016-09-14 7:24 ` Mickaël Salaün
2016-09-14 7:24 ` [kernel-hardening] " Mickaël Salaün
2016-09-14 21:24 ` Alexei Starovoitov
2016-09-14 21:24 ` Alexei Starovoitov
2016-09-14 21:24 ` [kernel-hardening] " Alexei Starovoitov
2016-09-14 14:36 ` [RFC v3 00/22] Landlock LSM: Unprivileged sandboxing David Laight
2016-09-14 14:36 ` David Laight
2016-09-14 14:36 ` David Laight
2016-09-14 14:36 ` David Laight
2016-09-14 14:36 ` [kernel-hardening] " David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57D9D6FE.4090708@digikod.net \
--to=mic@digikod.net \
--cc=alexei.starovoitov@gmail.com \
--cc=arnd@arndb.de \
--cc=ast@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=daniel@iogearbox.net \
--cc=daniel@zonque.org \
--cc=davem@davemloft.net \
--cc=drysdale@google.com \
--cc=ebiederm@xmission.com \
--cc=elena.reshetova@intel.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.ker \
--cc=pmoore@redhat.com \
--cc=sargun@sargun.me \
--cc=serge@hallyn.com \
--cc=tj@kernel.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.