Message-ID: <20160915091902.GA13132@amd>
Date: Thu, 15 Sep 2016 11:19:02 +0200
From: Pavel Machek <pavel@....cz>
To: Mickaël Salaün <mic@...ikod.net>
Cc: linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>, Andy Lutomirski <luto@...capital.net>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, Daniel Borkmann <daniel@...earbox.net>, Daniel Mack <daniel@...que.org>, David Drysdale <drysdale@...gle.com>, "David S . Miller" <davem@...emloft.net>, Elena Reshetova <elena.reshetova@...el.com>, James Morris <james.l.morris@...cle.com>, Kees Cook <keescook@...omium.org>, Paul Moore <pmoore@...hat.com>, Sargun Dhillon <sargun@...gun.me>, "Serge E . Hallyn" <serge@...lyn.com>, Will Drewry <wad@...omium.org>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-security-module@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [RFC v2 00/10] Landlock LSM: Unprivileged sandboxing

Hi!

> This series is a proof of concept to fill some missing parts of seccomp, such as
> the ability to check syscall argument pointers or to create more dynamic security
> policies. The goal of this new stackable Linux Security Module (LSM) called
> Landlock is to allow any process, including unprivileged ones, to create
> powerful security sandboxes comparable to the Seatbelt/XNU Sandbox or the
> OpenBSD Pledge. This kind of sandbox helps to mitigate the security impact of
> bugs or unexpected/malicious behaviors in userland applications.
>
> The first RFC [1] was focused on extending seccomp while staying at the syscall
> level. This brought a working PoC but with some (mitigated) ToCToU race
> conditions due to the seccomp ptrace hole (now fixed) and the non-atomic
> syscall argument evaluation (hence the LSM hooks).

Long and nice description follows. Should it go to Documentation/ somewhere? Because some documentation would be useful...
Pavel

>  include/linux/bpf.h                   |  41 +++++
>  include/linux/lsm_hooks.h             |   5 +
>  include/linux/seccomp.h               |  54 ++++++-
>  include/uapi/asm-generic/errno-base.h |   1 +
>  include/uapi/linux/bpf.h              | 103 ++++++++++++
>  include/uapi/linux/seccomp.h          |   2 +
>  kernel/bpf/arraymap.c                 | 222 +++++++++++++++++++++++++
>  kernel/bpf/syscall.c                  |  18 ++-
>  kernel/bpf/verifier.c                 |  32 +++-
>  kernel/fork.c                         |  41 ++++-
>  kernel/seccomp.c                      | 211 +++++++++++++++++++++++-
>  samples/Makefile                      |   2 +-
>  samples/landlock/.gitignore           |   1 +
>  samples/landlock/Makefile             |  16 ++
>  samples/landlock/sandbox.c            | 295 ++++++++++++++++++++++++++++++++++
>  security/Kconfig                      |   1 +
>  security/Makefile                     |   2 +
>  security/landlock/Kconfig             |  19 +++
>  security/landlock/Makefile            |   3 +
>  security/landlock/checker_cgroup.c    |  96 +++++++++++
>  security/landlock/checker_cgroup.h    |  18 +++
>  security/landlock/checker_fs.c        | 183 +++++++++++++++++++++
>  security/landlock/checker_fs.h        |  20 +++
>  security/landlock/lsm.c               | 228 ++++++++++++++++++++++++++
>  security/security.c                   |   1 +
>  25 files changed, 1592 insertions(+), 23 deletions(-)
>  create mode 100644 samples/landlock/.gitignore
>  create mode 100644 samples/landlock/Makefile
>  create mode 100644 samples/landlock/sandbox.c
>  create mode 100644 security/landlock/Kconfig
>  create mode 100644 security/landlock/Makefile
>  create mode 100644 security/landlock/checker_cgroup.c
>  create mode 100644 security/landlock/checker_cgroup.h
>  create mode 100644 security/landlock/checker_fs.c
>  create mode 100644 security/landlock/checker_fs.h
>  create mode 100644 security/landlock/lsm.c

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html