On 9/17/2018 4:47 PM, Mickaël Salaün wrote:
> On 9/18/18 01:30, Casey Schaufler wrote:
>> On 9/17/2018 4:20 PM, Kees Cook wrote:
>>> On Mon, Sep 17, 2018 at 4:10 PM, Mickaël Salaün <m...@digikod.net> wrote:
>>>> Landlock, because it targets unprivileged users, should only be called
>>>> after all other major (access-control) LSMs. The admin or distro must
>>>> not be able to change that order in any way. This constraint doesn't
>>>> apply to current LSMs, though.
>> What harm would it cause for Landlock to get called before SELinux?
>> I certainly see why it seems like it ought to get called after, but
>> would it really make a difference?
> If an unprivileged process is able to infer some properties of a file
> being requested (thanks to one of its eBPF programs doing checks on this
> process's accesses), whereas this file access would be denied by a
> privileged LSM, then there is a side channel attack allowing this
> process to indirectly get information otherwise inaccessible.
>
> In other words, an unprivileged process should not be allowed to sneak
> itself (via an eBPF program) before SELinux for instance. SELinux should
> be able to block such information gathering the same way it can block a
> fstat(2) requested by a process.
The argument would feel a bit stronger if LSM checks happened before the DAC checks. The opportunity to sneak a check in already exists, but not with the tools you get with eBPF. For now at least I'll grant that there's good reason for Landlock to go last.
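The ordering argument above, as a toy model added here for illustration (this is not code from the thread, from Landlock or from SELinux): two hook functions stand in for SELinux and for an unprivileged Landlock eBPF program, and a call_int_hook-style loop runs them in order and stops at the first denial. The inode, its label "secret_t" and its size are constructed values; the point is only that whatever hook runs before the denying LSM gets to look at the object.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an inode; the size is the "property" an
 * unprivileged program must not be able to learn about a denied file. */
struct toy_inode {
    const char *name;
    long size;
    const char *selinux_type; /* hypothetical label such as "secret_t" */
};

/* What an unprivileged Landlock eBPF program could record when it runs. */
struct observer {
    int saw_inode;
    long observed_size;
};

typedef int (*inode_hook_t)(const struct toy_inode *ino, struct observer *obs);

/* Stand-in for SELinux: deny every access to inodes labelled secret_t. */
static int selinux_inode_permission(const struct toy_inode *ino, struct observer *obs)
{
    (void)obs;
    return strcmp(ino->selinux_type, "secret_t") == 0 ? -EACCES : 0;
}

/* Stand-in for an unprivileged Landlock program: it allows the access but
 * notes everything it was handed about the inode. */
static int landlock_inode_permission(const struct toy_inode *ino, struct observer *obs)
{
    obs->saw_inode = 1;
    obs->observed_size = ino->size;
    return 0;
}

/* Same shape as the kernel's call_int_hook(): hooks run in registration
 * order and the chain stops at the first non-zero (denying) return, so a
 * hook placed after a denier never sees the object. */
static int call_int_hook(const inode_hook_t *chain, int nhooks,
                         const struct toy_inode *ino, struct observer *obs)
{
    for (int i = 0; i < nhooks; i++) {
        int rc = chain[i](ino, obs);
        if (rc)
            return rc;
    }
    return 0;
}

/* Returns 1 when the access is denied yet the unprivileged program still
 * observed the inode, i.e. the side channel exists. */
static int run_order(const inode_hook_t *chain, int nhooks)
{
    const struct toy_inode secret = { "/path/to/secret", 1234, "secret_t" };
    struct observer obs = { 0, 0 };
    int rc = call_int_hook(chain, nhooks, &secret, &obs);

    return rc == -EACCES && obs.saw_inode;
}

int leaks_when_landlock_first(void)
{
    const inode_hook_t chain[] = { landlock_inode_permission, selinux_inode_permission };
    return run_order(chain, 2);
}

int leaks_when_landlock_last(void)
{
    const inode_hook_t chain[] = { selinux_inode_permission, landlock_inode_permission };
    return run_order(chain, 2);
}

int main(void)
{
    printf("Landlock before SELinux: leak=%d\n", leaks_when_landlock_first());
    printf("Landlock after SELinux:  leak=%d\n", leaks_when_landlock_last());
    return 0;
}
```

With Landlock first, the chain returns -EACCES but the observer has already captured the size; with Landlock last, SELinux's denial short-circuits the chain and the eBPF stand-in never runs. The model ignores DAC, which in the real path runs before any LSM hook, so it shows only the LSM-vs-LSM ordering the thread is about.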