From: "Mickaël Salaün" <mic@digikod.net>
To: Shervin Oloumi <enlightened@chromium.org>
Cc: viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, gnoack@google.com,
shuah@kernel.org, jorgelo@chromium.org, allenwebb@chromium.org
Subject: Re: [PATCH v3 2/2] landlock: add support for private bind mount
Date: Thu, 23 Jan 2025 22:08:28 +0100
Message-ID: <20250123.eSh0aipetesh@digikod.net>
In-Reply-To: <20250123.Eevilae6oolo@digikod.net>
On Thu, Jan 23, 2025 at 09:34:50PM +0100, Mickaël Salaün wrote:
> On Thu, Jan 09, 2025 at 06:10:08PM -0800, Shervin Oloumi wrote:
> > Finally, any existing mounts or bind mounts before the process enters a
> > LandLock domain remain as they are. Such mounts can be of the shared
> > propagation type, and they would continue to share updates with the rest
> > of their peer group. While this is an existing behavior, after this
> > patch
>
> > such mounts can also be remounted as private,
>
> OK
>
> > or be unmounted after the process enters the sandbox.
>
> As Christian pointed out, being able to unmount pre-sandbox mount points
> could give access to previously-hidden files. For unmounts, we should
> have a dedicated LANDLOCK_ACCESS_FS_UNMOUNT right and highlight in the
> documentation the risk of unveiling hidden files.
Instead of a new access right, a better approach would be to require the
LANDLOCK_ACCESS_FS_MOUNT and that the mount point was created by the
task trying to unmount it (or one with less privileges). This could be
done by recording the mount task's credential in struct
landlock_superblock_security and then checking that the task requesting
the unmount can ptrace this (mount) credential.
>
> > Existing mounts are outside the
> > scope of LandLock and should be considered before entering the sandbox.
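The check sketched above (record the mounter's credential on the superblock, then let a task unmount only if it holds the mount right and could ptrace that recorded credential) as an added user-space model; this is not kernel code and none of the struct or function names are Landlock's, they are placeholders standing in for struct landlock_superblock_security, LANDLOCK_ACCESS_FS_MOUNT and the domain nesting rule Landlock applies to ptrace:

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model; the names are placeholders, not Landlock's. */
#define ACCESS_FS_MOUNT (1u << 0)       /* stands in for LANDLOCK_ACCESS_FS_MOUNT */

struct domain {                         /* nested rulesets; child -> parent */
    const struct domain *parent;
    unsigned int allowed;               /* access rights the domain grants */
};
struct cred {                           /* task credential; NULL domain = unsandboxed */
    const struct domain *domain;
};
struct sb_security {                    /* per-superblock: who created the mount */
    const struct cred *mounter;         /* NULL until mounted */
};

/* Landlock's ptrace rule, modelled: a task may act on a target only if the
 * target's domain is the task's own domain or nested inside it. */
static bool domain_scope_le(const struct domain *tracer, const struct domain *target)
{
    if (!tracer)
        return true;                    /* unsandboxed task: no restriction */
    for (const struct domain *d = target; d; d = d->parent)
        if (d == tracer)
            return true;
    return false;
}

static bool domain_allows(const struct cred *c, unsigned int access)
{
    return !c->domain || (c->domain->allowed & access);
}

/* Mount: needs the mount right; the mounter's credential is recorded. */
static bool do_mount(struct sb_security *sb, const struct cred *task)
{
    if (!domain_allows(task, ACCESS_FS_MOUNT))
        return false;
    sb->mounter = task;
    return true;
}

/* Unmount: needs the mount right plus the ability to "ptrace" the mounter,
 * so a nested sandbox cannot remove a mount set up by a less confined task. */
static bool do_umount(const struct sb_security *sb, const struct cred *task)
{
    return domain_allows(task, ACCESS_FS_MOUNT) && sb->mounter &&
           domain_scope_le(task->domain, sb->mounter->domain);
}
```

A mount made by an outer domain therefore survives an unmount attempt from a domain nested inside it, while a mount made inside the nested domain can still be removed by the outer one.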