From: enlightened@chromium.org
To: mic@digikod.net
Cc: linux-security-module@vger.kernel.org, jorgelo@chromium.org,
keescook@chromium.org, groeck@chromium.org, jeffxu@chromium.org,
allenwebb@chromium.org, Shervin Oloumi <enlightened@chromium.org>
Subject: [PATCH 0/1] process attribute support for Landlock
Date: Thu, 2 Mar 2023 10:52:56 -0800
Message-ID: <20230302185257.850681-1-enlightened@chromium.org>
From: Shervin Oloumi <enlightened@chromium.org>
Hi Mickaël,
I'm looking into adding a simple process attribute getter to Landlock so
we can determine the sandboxing state of each process based on
/proc/[PID]/attr/current. As ChromeOS is expanding Landlock support,
this would help us paint a clear picture of Landlock coverage in the
fleet. I prepared a patch as a starting point, and would love to get
your feedback.
One area I am not very sure of is the case where more than one LSM is in
use. In such cases each LSM could have its own process attribute
getters and setters. What I learned is that when this is the case, the
kernel only calls the hook function for the LSM that is loaded first in
the CONFIG_LSM option. For example, if landlock comes first
(CONFIG_LSM=landlock,...), then the kernel only calls the hook function
for Landlock when userspace interacts with process attribute files.
This is not a blocker for us, as we currently only care about reading
the Landlock related attributes, and my understanding is that this is
working as intended, but I wanted to get your input.
Shervin Oloumi (1):
lsm: adds process attribute getter for Landlock
fs/proc/base.c | 11 +++++++++++
security/landlock/fs.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
base-commit: e2ca6ba6ba0152361aa4fcbf6067db71b2c7a770
--
2.39.2.722.g9855ee24e9-goog
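The coverage survey the cover letter describes, as an added example that is not part of the patch or of any ChromeOS tooling: it walks a /proc tree, reads each process's attr/current, and tallies the distinct values. The output format of the Landlock getter is not given on this page, so the values are tallied as opaque strings, and a read failure (EINVAL when no LSM serves the file, EACCES for processes the caller may not inspect) is counted as its own bucket. The proc root is a parameter so the function can be exercised against a constructed tree.

```shell
#!/bin/sh
# attr_current_tally [PROC_ROOT]
# Tally the values of /proc/[PID]/attr/current across all PIDs under
# PROC_ROOT (default /proc). Prints "count value" lines, most common first.
attr_current_tally() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        attr="$dir/attr/current"
        # Attribute values may carry a trailing NUL (SELinux does this), so
        # strip NULs before capturing. A failed open or read (EINVAL when no
        # LSM handles the file, EACCES for a foreign process) lands in the
        # <unreadable> bucket instead of aborting the survey.
        if value=$(tr -d '\000' < "$attr" 2>/dev/null); then
            value=$(printf '%s' "$value" | tr -d '\n')
            [ -n "$value" ] || value="<empty>"
        else
            value="<unreadable>"
        fi
        printf '%s\n' "$value"
    done | sort | uniq -c | sort -rn
}
```

Run as `attr_current_tally` on a live host to see the distribution, or point it at a copied or synthetic tree when testing.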