From: "Mickaël Salaün" <mic@digikod.net>
To: Paul Moore <paul@paul-moore.com>,
ast@kernel.org, daniel@iogearbox.net, kpsingh@kernel.org,
john.fastabend@gmail.com
Cc: Justin Suess <utilityemal77@gmail.com>,
andrii@kernel.org, viro@zeniv.linux.org.uk, brauner@kernel.org,
kees@kernel.org, gnoack@google.com, jack@suse.cz,
jmorris@namei.org, serge@hallyn.com, song@kernel.org,
yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org,
eddyz87@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org,
bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Frederick Lawler <fred@cloudflare.com>
Subject: Re: [RFC PATCH 06/20] bpf: lsm: Add Landlock kfuncs
Date: Wed, 1 Jul 2026 20:34:10 +0200
Message-ID: <20260701.jei4Paej3zen@digikod.net>
In-Reply-To: <CAHC9VhSjRcMr9+5dMkep_TPKduYdob-bZ73FLfXd_o2xiWwOSg@mail.gmail.com>
On Wed, Jul 01, 2026 at 09:28:22AM -0400, Paul Moore wrote:
> On Wed, Jul 1, 2026 at 8:52 AM Justin Suess <utilityemal77@gmail.com> wrote:
> > On Wed, Jul 01, 2026 at 08:12:34AM -0400, Paul Moore wrote:
> > > On Wed, Jul 1, 2026 at 6:59 AM Mickaël Salaün <mic@digikod.net> wrote:
> > > > On Tue, Apr 07, 2026 at 04:01:28PM -0400, Justin Suess wrote:
> > > > > Create 2 kfuncs exposing control over Landlock functionality to BPF
> > > > > callers. Export an opaque struct bpf_landlock_ruleset preventing callers
> > > > > from accessing unstable internal Landlock fields.
> > >
> > > Generally speaking we don't want to provide APIs, either in-kernel or
> > > at the userspace/kernel boundary, that are specific to a single LSM,
> > > see the LSM syscalls or the security_current_getlsmprop_subj()
> > > function as examples.
This patch series is not about the LSM framework, only about Landlock
and its specific model and use case. Landlock using some of the LSM API
is not relevant here.
> >
> > I would raise bpf_ima_file_hash, bpf_ima_inode_hash, as examples of
> > clear precedent for this. (BPF calling into specific LSM)
>
> The BPF IMA helpers were merged back in the v5.18 timeframe when IMA
> was still standalone; it wasn't until v6.9 that IMA and EVM became
> proper LSMs.
>
> > Kfuncs are explicitly marked as not being an ABI, and are more
> > flexible for later changes / deprecation etc. [1]
>
> The issue isn't so much the kfunc itself, it is what the kfunc
> *calls*. From what I saw in the proposed patch, the kfunc calls
> directly into Landlock instead of passing through the LSM framework,
> e.g. a function wrapper in security/security.c.
Yes, and I'm OK for this kfunc to call directly into a new public
Landlock function. There is no need to create a new class of LSM
wrapper.
LSM hooks make sense because they are designed for a specific subsystem
(the caller) and their goal is to return an access decision or to keep
up-to-date related states, which means that their API is designed for
the caller, with its own types and specificities, not the other way
around. This case is different: the kfunc is strongly typed and tied to
the Landlock (subsystem) semantics, with an API defined by and for
Landlock. I don't think a multiplexer would be a good idea.
However, I agree with your layering concern, and it would make more
sense to move the Landlock-related kfuncs to security/landlock/bpf.c,
which is also the idiomatic way for subsystems to own their API.
Alexei, KP, what do you think?
>
> > LSM framework API can mean a lot of things. I assume you are meaning
> > like a pseudo-filesystem mounted interface that controls LSM?
> > Correct me if I'm wrong.
>
> My apologies, I should have been more clear. When I speak about the
> "LSM framework", I'm talking about the abstraction layer that provides
> the interface that the kernel and userspace use to talk to individual
> LSMs. The LSM framework is analogous to the VFS layer/framework in
> that it provides a single API for a variety of underlying subsystems.
> While not 100% correct, you can think of the LSM framework as being
> the functions/hooks defined in security/security.c.
This abstraction layer is useful and makes sense for access control hooks,
but it is not needed in this case, and it would only make the kfunc
interface more complex for no reason. If any other kernel subsystem
wants to add a kfunc, I think it should be reviewed with its purpose in
mind and a well-defined use case.
>
> Does that help?
I think Justin is right, and with some minor changes this kfunc should
be good.