On Mon, Aug 28, 2017 at 05:47:19PM -0700, Chenbo Feng wrote: > On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov > <alexei.starovoi...@gmail.com> wrote: > > On Fri, Aug 25, 2017 at 10:07:27PM +0200, Daniel Borkmann wrote: > >> On 08/25/2017 09:52 PM, Chenbo Feng wrote: > >> > On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep > >> > <je...@google.com> wrote: > >> > > On Fri, Aug 25, 2017 at 12:26 PM, Stephen Smalley <s...@tycho.nsa.gov> > >> > > wrote: > >> > > > On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep via Selinux > >> > > > wrote: > >> > > > > I’d like to get your thoughts on adding LSM permission checks on > >> > > > > BPF > >> > > > > objects. > > > > before reinventing the wheel please take a look at landlock work. > > Everything that was discussed in this thread is covered by it. > > The patches have been in development for more than a year and most of the > > early > > issues have been resolved. > > It will be presented again during security summit in LA in September. > > > I am not very familiar with landlock lsm, isn't this module also > depend on the lsm hooks to do > the landlock check? If so then adding lsm hooks for eBPF object seems > not conflict with the > work on progress.
I see. I got it the other way around. What lsm checks are you proposing? and why unprivileged_bpf_disabled is not enough? you want to allow unpriv only for specific user(s) ?
