Linux Security Modules development
From: "Mickaël Salaün" <mic@digikod.net>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Paul Moore <paul@paul-moore.com>,
	 Justin Suess <utilityemal77@gmail.com>,
	ast@kernel.org, daniel@iogearbox.net, kpsingh@kernel.org,
	 john.fastabend@gmail.com, andrii@kernel.org,
	viro@zeniv.linux.org.uk, brauner@kernel.org,  kees@kernel.org,
	gnoack@google.com, jack@suse.cz, jmorris@namei.org,
	 serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev,
	martin.lau@linux.dev,  m@maowtm.org, eddyz87@gmail.com,
	sdf@fomichev.me, skhan@linuxfoundation.org,  bpf@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	 linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	 Frederick Lawler <fred@cloudflare.com>
Subject: Re: [RFC PATCH 06/20] bpf: lsm: Add Landlock kfuncs
Date: Thu, 2 Jul 2026 11:51:54 +0200
Message-ID: <20260702.wiegh2vahb3O@digikod.net>
In-Reply-To: <c9abd9ab-3379-47ab-ad41-79cec8f465c2@schaufler-ca.com>

On Wed, Jul 01, 2026 at 02:41:49PM -0700, Casey Schaufler wrote:
> On 7/1/2026 1:02 PM, Paul Moore wrote:
> > ...
> >
> >> Each LSM calls this once to register its sets. Because registration goes
> >> through the framework, the framework gets to decide whether to actually
> >> register them so you could, for example, run an LSM while explicitly
> >> opting its BPF kfuncs out. (something that should be done at the LSM
> >> framework level).
> > I'm not opposed to the LSM supporting a set of kfuncs, see my comments
> > in other threads, but we should treat these kfuncs just as we treat
> > other LSM hooks today because that is what they are: LSM hooks that
> > happened to be called from within a BPF program.
> 
> As someone who has been working to get the SELinux specific assumptions
> out of the LSM framework for the past 15 years the notion of adding
> Landlock specific interfaces makes me want to cry. Is it really that
> difficult to understand that 5 or 10 years from now something is going
> to come along that makes any LSM specific interface a nightmare?

From my point of view, your work has been, and continues to be, very
valuable and helped improve Linux security tremendously.  Everyone agrees
that no LSM should implement their own security hook.  But that's not
the topic here.  See
https://lore.kernel.org/all/20260701.aeghohNoe3ek@digikod.net/

> What
> if there's an LSM that does what Landlock does, but does it better?

Then the eBPF programs will use another kfunc, specific to the *new*
semantic of the other LSM.

> What if the Landlock sponsors decide to quit funding it? Or the maintainers
> get bored?

It is the same for any (kernel) interface: going through a multiplexer
would not help at all.  Your argument is sound for security hooks, but
not here.  Security (or access control) hooks make sense because they
identify a set of specific enforcement points in the kernel, and any LSM
can implement such a hook to allow or deny the related operation.  Other
hooks are useful to keep track of the kernel state.  Again, see
https://lore.kernel.org/all/20260701.aeghohNoe3ek@digikod.net/

> 
> I agree with Paul completely. Make the hooks available to any and all
> LSMs, or don't make them at all.

We don't need a security hook but a function call to one specific part
of the kernel with a very clear semantic that only makes sense for one
subsystem (i.e. Landlock in this case).  It's the same for other kfuncs,
nothing special.  The same way it would be a waste of time to implement
an in-kernel multiplexer for a set of unrelated operations, I really
don't see the value of adding a generic kfunc that might perform an
action according to an operation argument (i.e. multiplexer).  Why
implement an ioctl-like interface in the kernel?  I'm open to
suggestions (and concrete proposals/examples) but so far I only heard
authoritative arguments that ignored most of my comments.

