On 10/09/2020 20:08, Mimi Zohar wrote:
> On Thu, 2020-09-10 at 19:21 +0200, Mickaël Salaün wrote:
>> On 10/09/2020 19:04, Matthew Wilcox wrote:
>>> On Thu, Sep 10, 2020 at 06:46:09PM +0200, Mickaël Salaün wrote:
>>>> This ninth patch series reworks the previou
On 10/09/2020 19:21, Mickaël Salaün wrote:
>
> On 10/09/2020 19:04, Matthew Wilcox wrote:
>> On Thu, Sep 10, 2020 at 06:46:09PM +0200, Mickaël Salaün wrote:
>>> This ninth patch series reworks the previous AT_INTERPRETED and O_MAYEXEC
>>> series with a new syscall:
On 10/09/2020 19:04, Matthew Wilcox wrote:
> On Thu, Sep 10, 2020 at 06:46:09PM +0200, Mickaël Salaün wrote:
>> This ninth patch series reworks the previous AT_INTERPRETED and O_MAYEXEC
>> series with a new syscall: introspect_access(2). Access checks are now
>> on
alcetrvez0euffxwfhtag_j+advbzewe0m3wjxmwveo7pj+...@mail.gmail.com/
[5]
https://lore.kernel.org/lkml/20200406221439.1469862-12-deven.de...@linux.microsoft.com/
[6] https://www.python.org/dev/peps/pep-0578/
[7]
https://lore.kernel.org/lkml/0c70debd-e79e-d514-06c6-4cd1e021f...@python.org/
Regards,
Mickaë
On 09/09/2020 19:13, Al Viro wrote:
> On Wed, Sep 09, 2020 at 09:19:11AM +0200, Mickaël Salaün wrote:
>>
>> On 08/09/2020 20:50, Al Viro wrote:
>>> On Tue, Sep 08, 2020 at 09:59:53AM +0200, Mickaël Salaün wrote:
>>>> Hi,
>>>>
>>>> This
On 09/09/2020 19:08, Matthew Wilcox wrote:
> On Wed, Sep 09, 2020 at 09:19:11AM +0200, Mickaël Salaün wrote:
>>
>> On 08/09/2020 20:50, Al Viro wrote:
>>> On Tue, Sep 08, 2020 at 09:59:53AM +0200, Mickaël Salaün wrote:
>>>> Hi,
>>>>
>>>
On 08/09/2020 20:50, Al Viro wrote:
> On Tue, Sep 08, 2020 at 09:59:53AM +0200, Mickaël Salaün wrote:
>> Hi,
>>
>> This eighth patch series reworks the previous O_MAYEXEC series by not
>> adding a new flag to openat2(2) but to faccessat2(2) instead. As
>> sugge
On 08/09/2020 14:28, Mimi Zohar wrote:
> Hi Mickael,
>
> On Tue, 2020-09-08 at 09:59 +0200, Mickaël Salaün wrote:
>> diff --git a/fs/open.c b/fs/open.c
>> index 9af548fb841b..879bdfbdc6fa 100644
>> --- a/fs/open.c
>> +++ b/fs/open.c
>> @@ -405,9 +405
On 08/09/2020 17:24, Mimi Zohar wrote:
> On Tue, 2020-09-08 at 14:43 +0200, Mickaël Salaün wrote:
>> On 08/09/2020 14:28, Mimi Zohar wrote:
>>> Hi Mickael,
>>>
>>> On Tue, 2020-09-08 at 09:59 +0200, Mickaël Salaün wrote:
>>>> diff --git
On 08/09/2020 18:44, Mimi Zohar wrote:
> On Tue, 2020-09-08 at 17:44 +0200, Mickaël Salaün wrote:
>> On 08/09/2020 17:24, Mimi Zohar wrote:
>>> On Tue, 2020-09-08 at 14:43 +0200, Mickaël Salaün wrote:
>>>> On 08/09/2020 14:28, Mimi Zohar wrote:
>>>>>
On 08/09/2020 15:42, Stephen Smalley wrote:
> On Tue, Sep 8, 2020 at 9:29 AM Mimi Zohar wrote:
>>
>> On Tue, 2020-09-08 at 08:52 -0400, Stephen Smalley wrote:
>>> On Tue, Sep 8, 2020 at 8:50 AM Stephen Smalley
>>> wrote:
>>>>
>>>
From: Mickaël Salaün
Test that checks performed by faccessat2(2) with AT_INTERPRETED on file
path and file descriptors are consistent with noexec mount points and
file execute permissions, according to the policy configured with the
fs.interpreted_access sysctl.
Signed-off-by: Mickaël Salaün
From: Mickaël Salaün
The AT_INTERPRETED flag combined with the X_OK mode enables trusted user
space tasks to check that files are allowed to be executed by user
space. The security policy is consistently managed by the kernel
through a sysctl or implemented by an LSM thanks to the
From: Mickaël Salaün
This enables configuring a policy for executable scripts which can be
queried with faccessat2(2) and the AT_INTERPRETED flag. This may allow
script interpreters to check execution permission before reading
commands from a file, or dynamic linkers to allow shared object
7e5fb76ae4cb38bc83f5.ca...@linux.ibm.com/
Regards,
Mickaël Salaün (3):
fs: Introduce AT_INTERPRETED flag for faccessat2(2)
fs,doc: Enable to configure exec checks for AT_INTERPRETED
selftest/interpreter: Add tests for AT_INTERPRETED enforcing
Documentation/admin-guide/sysctl/fs.rst
On 12/08/2020 12:06, Mark Rutland wrote:
> On Thu, Aug 06, 2020 at 12:26:02PM -0500, Madhavan T. Venkataraman wrote:
>> Thanks for the lively discussion. I have tried to answer some of the
>> comments below.
>>
>> On 8/4/20 9:30 AM, Mark Rutland wrote:
>>>
So, the context is - if security se
Arnd and Michael, what do you think about these new syscalls?
On 02/08/2020 23:58, Mickaël Salaün wrote:
> These 4 system calls are designed to be used by unprivileged processes
> to sandbox themselves:
> * landlock_get_features(2): Gets the supported features (required for
>
Kees Cook wrote this patch, which is in Andrew Morton's tree, but I
think you're talking about O_MAYEXEC, not this patch specifically.
On 11/08/2020 21:36, Eric W. Biederman wrote:
> Mickaël Salaün writes:
>
>> From: Kees Cook
>>
>> The path_noexec() check
On 11/08/2020 21:58, Eric W. Biederman wrote:
> Mickaël Salaün writes:
>
>> Allow for the enforcement of the O_MAYEXEC openat2(2) flag. Thanks to
>> the noexec option from the underlying VFS mount, or to the file execute
>> permission, userspace can enforce these e
On 11/08/2020 21:51, Eric W. Biederman wrote:
> Mickaël Salaün writes:
>
>> When the O_MAYEXEC flag is passed, openat2(2) may be subject to
>> additional restrictions depending on a security policy managed by the
>> kernel through a sysctl or implemented
On 12/08/2020 21:16, Stephen Smalley wrote:
> On 8/2/20 5:58 PM, Mickaël Salaün wrote:
>> From: Casey Schaufler
>>
>> Move management of the superblock->sb_security blob out
>> of the individual security modules and into the security
>> infrastructure.
On 11/08/2020 10:09, David Laight wrote:
>> On 11/08/2020 00:28, Al Viro wrote:
>>> On Mon, Aug 10, 2020 at 10:09:09PM +, David Laight wrote:
>>>>> On Mon, Aug 10, 2020 at 10:11:53PM +0200, Mickaël Salaün wrote:
>>>>>> It seems that there is
On 11/08/2020 01:05, Al Viro wrote:
> On Tue, Aug 11, 2020 at 12:43:52AM +0200, Mickaël Salaün wrote:
>
>> Hooking on open is a simple design that enables processes to check files
>> they intend to open, before they open them.
>
> Which is a good thing, because...?
&g
On 11/08/2020 01:03, Jann Horn wrote:
> On Tue, Aug 11, 2020 at 12:43 AM Mickaël Salaün wrote:
>> On 10/08/2020 22:21, Al Viro wrote:
>>> On Mon, Aug 10, 2020 at 10:11:53PM +0200, Mickaël Salaün wrote:
>>>> It seems that there are no more complaints or question
On 11/08/2020 00:28, Al Viro wrote:
> On Mon, Aug 10, 2020 at 10:09:09PM +, David Laight wrote:
>>> On Mon, Aug 10, 2020 at 10:11:53PM +0200, Mickaël Salaün wrote:
>>>> It seems that there are no more complaints or questions. Do you want me
>>>> to send an
On 10/08/2020 22:21, Al Viro wrote:
> On Mon, Aug 10, 2020 at 10:11:53PM +0200, Mickaël Salaün wrote:
>> It seems that there are no more complaints or questions. Do you want me
>> to send another series to fix the order of the S-o-b in patch 7?
>
> There is a major quest
> in patch 1-3), can you pick the rest of this series too?
>
> Thanks!
>
> -Kees
>
> On Thu, Jul 23, 2020 at 07:12:20PM +0200, Mickaël Salaün wrote:
>> Hi,
>>
>> This seventh patch series does not set __FMODE_EXEC for the sake of
>> simplicity.
process must have a subset of the target
process' rules (i.e. the tracee must be in a sub-domain of the tracer).
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v14:
* Constify variables.
Changes since v13:
* Make the p
seccomp policy.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v17:
* Constify returned domain pointers from landlock_get_current_domain()
and landlock_get_task_domain() helpers.
Changes since v15:
* Optimize landlocked() for
other fields
can have __u64 type for flags and bitfields, and __s32 type for file
descriptors.
See the user and kernel documentation for more details (provided by a
following commit): Documentation/security/landlock/
Signed-off-by: Mickaël Salaün
Cc: Arnd Bergmann
Cc: James Morris
Cc: Jann Hor
Add a basic sandbox tool to launch a command which can only access a
whitelist of file hierarchies in a read-only or read-write way.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v19:
* Update with the new Landlock syscalls
re of Landlock
described in the next commit.
Signed-off-by: Mickaël Salaün
Cc: Alexander Viro
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v17:
* Initial patch to replace the direct call to landlock_release_inodes()
(requested by James Morris).
ruleset provided by
the current process. This modification only impacts the current process.
This means that a process can only gain more constraints (i.e. lose
accesses) over time.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since
This documentation can be built with the Sphinx framework.
Signed-off-by: Mickaël Salaün
Reviewed-by: Vincent Dagonneau
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v19:
* Update examples and documentation with the new syscalls.
Changes since v15
Test landlock syscall, ptrace hooks semantic and filesystem
access-control.
Test coverage for security/landlock/ is 93.6% of lines. The code not
covered only deals with internal kernel errors (e.g. memory allocation)
and race conditions.
Signed-off-by: Mickaël Salaün
Reviewed-by: Vincent
Wire up the following system calls for all architectures:
* landlock_get_features(2)
* landlock_create_ruleset(2)
* landlock_add_rule(2)
* landlock_enforce_ruleset(2)
Signed-off-by: Mickaël Salaün
Cc: Arnd Bergmann
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
is allocated there.
Signed-off-by: Casey Schaufler
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Reviewed-by: Stephen Smalley
Reviewed-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20190829232935.7099-2-ca...@schaufler-ca.com
---
Changes since v17:
* Rebase the original LSM stacking patch f
xtending this access-control
without breaking user space will not be a problem. Moreover, seccomp
filters can be used to restrict the use of syscall families which may
not be currently handled by Landlock.
Signed-off-by: Mickaël Salaün
Cc: Alexander Viro
Cc: Anton Ivanov
Cc: James Morris
Cc: Jann
of a
rule according to the lifetime of its object. To avoid a global lock,
this implementation makes use of RCU and counters to safely reference
objects.
A following commit uses this generic object management for inodes.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
(1):
LSM: Infrastructure management of the superblock
Mickaël Salaün (11):
landlock: Add object management
landlock: Add ruleset and domain management
landlock: Set up the security framework and manage credentials
landlock: Add ptrace restrictions
fs,security: Add sb_delete hook
On 27/07/2020 07:27, Florian Weimer wrote:
> * Al Viro:
>
>> On Thu, Jul 23, 2020 at 07:12:24PM +0200, Mickaël Salaün wrote:
>>> When the O_MAYEXEC flag is passed, openat2(2) may be subject to
>>> additional restrictions depending on a security policy managed by the
>>> kernel through a sysctl
ib.2.html#ERRORS
[3] http://man7.org/linux/man-pages/man2/open.2.html#ERRORS
[4] http://man7.org/linux/man-pages/man2/mmap.2.html#ERRORS
Signed-off-by: Mickaël Salaün
Signed-off-by: Kees Cook
Acked-by: Christian Brauner
Link: https://lore.kernel.org/r/20200605160013.3954297-2-keesc...@chromi
noexec() test */
Signed-off-by: Mickaël Salaün
Signed-off-by: Kees Cook
Link: https://lore.kernel.org/r/20200605160013.3954297-4-keesc...@chromium.org
---
fs/exec.c | 12
fs/namei.c | 4
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
open()
[1] https://lore.kernel.org/lkml/202006041910.9EF0C602@keescook/
Signed-off-by: Mickaël Salaün
Signed-off-by: Kees Cook
Link: https://lore.kernel.org/r/20200605160013.3954297-3-keesc...@chromium.org
---
fs/exec.c | 14 --
fs/namei.c | 6 --
fs/open.c | 6 --
3 fi
. This is a best-effort approach from the
application developer point of view:
https://lore.kernel.org/lkml/1477d3d7-4b36-afad-7077-a38f42322...@digikod.net/
Signed-off-by: Mickaël Salaün
Reviewed-by: Thibaut Sautereau
Cc: Aleksa Sarai
Cc: Al Viro
Cc: Jonathan Corbet
Cc: Kees Cook
Cc: Randy
Test propagation of noexec mount points or file executability through
files open with or without O_MAYEXEC, thanks to the
fs.open_mayexec_enforce sysctl.
Signed-off-by: Mickaël Salaün
Reviewed-by: Thibaut Sautereau
Cc: Aleksa Sarai
Cc: Al Viro
Cc: Kees Cook
Cc: Shuah Khan
---
Changes since
ibaut Sautereau
Signed-off-by: Mickaël Salaün
Cc: Aleksa Sarai
Cc: Al Viro
Cc: Deven Bowers
Cc: Kees Cook
---
Changes since v6:
* Do not set __FMODE_EXEC for now because of inconsistent behavior:
https://lore.kernel.org/lkml/202007160822.CCDB5478@keescook/
* Returns EISDIR when opening a dire
flag.
Example:
measure func=FILE_CHECK mask=^MAY_OPENEXEC
appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC
Signed-off-by: Mickaël Salaün
Signed-off-by: Mimi Zohar
Reviewed-by: Lakshmi Ramasubramanian
Link:
https://lore.kernel.org/r/1588167523-7866-3-git-send-email-zo
.org/lkml/0c70debd-e79e-d514-06c6-4cd1e021f...@python.org/
Regards,
Kees Cook (3):
exec: Change uselib(2) IS_SREG() failure to EACCES
exec: Move S_ISREG() check earlier
exec: Move path_noexec() check earlier
Mickaël Salaün (3):
fs: Introduce O_MAYEXEC flag for openat2(2)
fs,doc: Enable to e
On 22/07/2020 18:16, Thibaut Sautereau wrote:
> On Thu, Jul 16, 2020 at 04:39:14PM +0200, Mickaël Salaün wrote:
>>
>> On 15/07/2020 22:37, Kees Cook wrote:
>>> On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote:
>>>> @@ -2849,7 +2855,7 @@ static
On 16/07/2020 16:59, Randy Dunlap wrote:
> On 7/16/20 7:40 AM, Mickaël Salaün wrote:
>>
>> On 15/07/2020 22:40, Kees Cook wrote:
>>> On Tue, Jul 14, 2020 at 08:16:38PM +0200, Mickaël Salaün wrote:
>>>> From: Mimi Zohar
>>>>
>>>> The ke
On 14/07/2020 20:40, Randy Dunlap wrote:
> Hi,
>
> On 7/14/20 11:16 AM, Mickaël Salaün wrote:
>
>> ---
>> Documentation/admin-guide/sysctl/fs.rst | 45 +
>> fs/namei.c | 29 +---
>> include/
On 15/07/2020 22:40, Kees Cook wrote:
> On Tue, Jul 14, 2020 at 08:16:38PM +0200, Mickaël Salaün wrote:
>> From: Mimi Zohar
>>
>> The kernel has no way of differentiating between a file containing data
>> or code being opened by an interpreter. The proposed O_MAYEXEC
On 15/07/2020 22:37, Kees Cook wrote:
> On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote:
>> @@ -2849,7 +2855,7 @@ static int may_open(const struct path *path, int
>> acc_mode, int flag)
>> case S_IFLNK:
>> return -ELOOP;
>>
On 15/07/2020 22:06, Kees Cook wrote:
> On Tue, Jul 14, 2020 at 08:16:35PM +0200, Mickaël Salaün wrote:
>> When the O_MAYEXEC flag is passed, openat2(2) may be subject to
>> additional restrictions depending on a security policy managed by the
>> kernel through a sysctl or
flag.
Example:
measure func=FILE_CHECK mask=^MAY_OPENEXEC
appraise func=FILE_CHECK appraise_type=imasig mask=^MAY_OPENEXEC
Signed-off-by: Mimi Zohar
Reviewed-by: Lakshmi Ramasubramanian
Acked-by: Mickaël Salaün
Link:
https://lore.kernel.org/r/1588167523-7866-3-git-send-email-zo...@linux.ibm.com
Test propagation of noexec mount points or file executability through
files open with or without O_MAYEXEC, thanks to the
fs.open_mayexec_enforce sysctl.
Signed-off-by: Mickaël Salaün
Reviewed-by: Thibaut Sautereau
Cc: Aleksa Sarai
Cc: Al Viro
Cc: Kees Cook
Cc: Shuah Khan
---
Changes since
noexec() test */
Signed-off-by: Kees Cook
Acked-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20200605160013.3954297-4-keesc...@chromium.org
---
fs/exec.c | 12
fs/namei.c | 4
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
ib.2.html#ERRORS
[3] http://man7.org/linux/man-pages/man2/open.2.html#ERRORS
[4] http://man7.org/linux/man-pages/man2/mmap.2.html#ERRORS
Signed-off-by: Kees Cook
Acked-by: Christian Brauner
Acked-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20200605160013.3954297-2-keesc...@chromium.org
ibaut Sautereau
Signed-off-by: Thibaut Sautereau
Signed-off-by: Mickaël Salaün
Reviewed-by: Deven Bowers
Reviewed-by: Kees Cook
Cc: Aleksa Sarai
Cc: Al Viro
---
Changes since v5:
* Update commit message.
Changes since v3:
* Switch back to O_MAYEXEC, but only handle it with openat2(2) which
c
. This is a best-effort approach from the
application developer point of view:
https://lore.kernel.org/lkml/1477d3d7-4b36-afad-7077-a38f42322...@digikod.net/
Signed-off-by: Mickaël Salaün
Reviewed-by: Thibaut Sautereau
Cc: Aleksa Sarai
Cc: Al Viro
Cc: Jonathan Corbet
Cc: Kees Cook
ore.kernel.org/lkml/0c70debd-e79e-d514-06c6-4cd1e021f...@python.org/
Regards,
Kees Cook (3):
exec: Change uselib(2) IS_SREG() failure to EACCES
exec: Move S_ISREG() check earlier
exec: Move path_noexec() check earlier
Mickaël Salaün (3):
fs: Introduce O_MAYEXEC flag for openat2(2)
fs,doc: E
open()
[1] https://lore.kernel.org/lkml/202006041910.9EF0C602@keescook/
Signed-off-by: Kees Cook
Acked-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20200605160013.3954297-3-keesc...@chromium.org
---
fs/exec.c | 14 --
fs/namei.c | 6 --
fs/open.c | 6 --
3 files cha
On 09/07/2020 19:47, Christian Brauner wrote:
> On Thu, Jul 09, 2020 at 07:26:18PM +0200, Arnd Bergmann wrote:
>> On Wed, Jul 8, 2020 at 7:50 PM Mickaël Salaün wrote:
>>> On 08/07/2020 15:49, Arnd Bergmann wrote:
>>>> On Wed, Jul 8, 2020 at 3:04 PM Mickaël Salaün
On 08/07/2020 15:49, Arnd Bergmann wrote:
> On Wed, Jul 8, 2020 at 3:04 PM Mickaël Salaün wrote:
>> On 08/07/2020 10:57, Arnd Bergmann wrote:
>>> On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün wrote:
>>>
>>> It looks like all you need here today is a single
On 08/07/2020 10:57, Arnd Bergmann wrote:
> On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün wrote:
>>
>> This system call, inspired from seccomp(2) and bpf(2), is designed to be
>> used by unprivileged processes to sandbox themselves. It has the same
>> usage rest
On 08/07/2020 09:47, Arnd Bergmann wrote:
> On Wed, Jul 8, 2020 at 9:31 AM Mickaël Salaün wrote:
>> On 08/07/2020 09:22, Arnd Bergmann wrote:
>>> On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün wrote:
>>>
>>>> index f4a01305d9a6..a63a411a74d5 100644
>&
On 08/07/2020 09:22, Arnd Bergmann wrote:
> On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün wrote:
>
>> index f4a01305d9a6..a63a411a74d5 100644
>> --- a/include/uapi/asm-generic/unistd.h
>> +++ b/include/uapi/asm-generic/unistd.h
>> @@ -857,9 +857,11 @@ __SYS
On 07/07/2020 22:11, Randy Dunlap wrote:
> Hi--
>
> On 7/7/20 11:09 AM, Mickaël Salaün wrote:
>> ---
>> arch/Kconfig | 7 +
>> arch/um/Kconfig | 1 +
>> include/uapi/linux/landlock.h | 78 +
>> security/landlock/Kco
Test landlock syscall, ptrace hooks semantic and filesystem
access-control.
Test coverage for security/landlock/ is 93.6% of lines. The code not
covered only deals with internal kernel errors (e.g. memory allocation)
and race conditions.
Signed-off-by: Mickaël Salaün
Reviewed-by: Vincent
Add a basic sandbox tool to launch a command which can only access a
whitelist of file hierarchies in a read-only or read-write way.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v16:
* Switch syscall attribute pointer and
is allocated there.
Signed-off-by: Casey Schaufler
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Reviewed-by: Stephen Smalley
Reviewed-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20190829232935.7099-2-ca...@schaufler-ca.com
---
Changes since v17:
* Rebase the original LSM stacking patch f
xtending this access-control
without breaking user space will not be a problem. Moreover, seccomp
filters can be used to restrict the use of syscall families which may
not be currently handled by Landlock.
Signed-off-by: Mickaël Salaün
Cc: Alexander Viro
Cc: Anton Ivanov
Cc: James Morris
Cc: Jann
d-off-by: Mickaël Salaün
Cc: Arnd Bergmann
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v18:
* Remove useless include.
* Remove LLATTR_SIZE() which was only used to shorten lines. Cf. commit
bdc48fa11e46 ("checkpatch/coding-style: deprecate 80-colu
Wire up the landlock() system call for all architectures.
Signed-off-by: Mickaël Salaün
Cc: Arnd Bergmann
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v18:
* Increase the syscall number because of the new faccessat2(2).
Changes since v14:
* Add all
This documentation can be built with the Sphinx framework.
Signed-off-by: Mickaël Salaün
Reviewed-by: Vincent Dagonneau
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v15:
* Add current limitations.
Changes since v14:
* Fix spelling (contributed by
ruleset provided by
the current process. This modification only impacts the current process.
This means that a process can only gain more constraints (i.e. lose
accesses) over time.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since
process must have a subset of the target
process' rules (i.e. the tracee must be in a sub-domain of the tracer).
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v14:
* Constify variables.
Changes since v13:
* Make the p
seccomp policy.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v17:
* Constify returned domain pointers from landlock_get_current_domain()
and landlock_get_task_domain() helpers.
Changes since v15:
* Optimize landlocked() for
of a
rule according to the lifetime of its object. To avoid a global lock,
this implementation makes use of RCU and counters to safely reference
objects.
A following commit uses this generic object management for inodes.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
/lkml/20200526205322.23465-1-...@digikod.net/
[1]
https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b...@schaufler-ca.com/
[2]
https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad046...@digikod.net/
Casey Schaufler (1):
LSM: Infrastructure management of the superblock
Mickaël
re of Landlock
described in the next commit.
Signed-off-by: Mickaël Salaün
Cc: Alexander Viro
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v17:
* Initial patch to replace the direct call to landlock_release_inodes()
(requested by James Morris).
On 27/05/2020 05:07, Amir Goldstein wrote:
> On Wed, May 27, 2020 at 3:36 AM Mickaël Salaün wrote:
>>
>> Thanks to the Landlock objects and ruleset, it is possible to identify
>> inodes according to a process's domain. To enable an unprivileged
>> process to ex
Hi Jaskaran,
On 17/05/2020 00:14, Jaskaran Singh Khurana wrote:
>
> Hello Mickael,
>
> On Thu, 14 May 2020, Mickaël Salaün wrote:
>
>>
>> On 12/05/2020 22:46, Deven Bowers wrote:
>>>
>>>
>>> On 5/11/2020 11:03 AM, Deven Bowers wrote:
>
seccomp policy.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v17:
* Constify returned domain pointers from landlock_get_current_domain()
and landlock_get_task_domain() helpers.
Changes since v15:
* Optimize landlocked() for
of a
rule according to the lifetime of its object. To avoid a global lock,
this implementation makes use of RCU and counters to safely reference
objects.
A following commit uses this generic object management for inodes.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Test landlock syscall, ptrace hooks semantic and filesystem
access-control.
Test coverage for security/landlock/ is 93.6% of lines. The code not
covered only deals with internal kernel errors (e.g. memory allocation)
and race conditions.
Signed-off-by: Mickaël Salaün
Reviewed-by: Vincent
This documentation can be built with the Sphinx framework.
Signed-off-by: Mickaël Salaün
Reviewed-by: Vincent Dagonneau
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v15:
* Add current limitations.
Changes since v14:
* Fix spelling (contributed by
Wire up the landlock() system call for all architectures.
Signed-off-by: Mickaël Salaün
Cc: Arnd Bergmann
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v14:
* Add all architectures.
Changes since v13:
* New implementation.
---
arch/alpha/kernel
re of Landlock
described in the next commit.
Signed-off-by: Mickaël Salaün
Cc: Alexander Viro
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v17:
* Initial patch to replace the direct call to landlock_release_inodes()
(requested by James Morris).
Add a basic sandbox tool to launch a command which can only access a
whitelist of file hierarchies in a read-only or read-write way.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v16:
* Switch syscall attribute pointer and
process must have a subset of the target
process' rules (i.e. the tracee must be in a sub-domain of the tracer).
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v14:
* Constify variables.
Changes since v13:
* Make the p
is allocated there.
Signed-off-by: Casey Schaufler
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Reviewed-by: Stephen Smalley
Reviewed-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20190829232935.7099-2-ca...@schaufler-ca.com
---
Changes since v17:
* Rebase the original LSM stacking patch f
xtending this access-control
without breaking user space will not be a problem. Moreover, seccomp
filters can be used to restrict the use of syscall families which may
not be currently handled by Landlock.
Signed-off-by: Mickaël Salaün
Cc: Alexander Viro
Cc: Anton Ivanov
Cc: James Morris
Cc: Jann
d-off-by: Mickaël Salaün
Cc: Arnd Bergmann
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v17:
* Synchronize syscall declaration.
* Fix comment.
Changes since v16:
* Add a size_attr_features field to struct landlock_attr_features for
self-introspection
ruleset provided by
the current process. This modification only impacts the current process.
This means that a process can only gain more constraints (i.e. lose
accesses) over time.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since
3167f952...@digikod.net/
[2]
https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b...@schaufler-ca.com/
Casey Schaufler (1):
LSM: Infrastructure management of the superblock
Mickaël Salaün (11):
landlock: Add object management
landlock: Add ruleset and domain management
landlock
On 19/05/2020 04:23, Aleksa Sarai wrote:
> On 2020-05-15, Kees Cook wrote:
>> On Fri, May 15, 2020 at 04:43:37PM +0200, Florian Weimer wrote:
>>> * Kees Cook:
>>>
On Fri, May 15, 2020 at 10:43:34AM +0200, Florian Weimer wrote:
> * Kees Cook:
>
>> Maybe I've missed some earlier d
On 15/05/2020 17:46, Kees Cook wrote:
> On Fri, May 15, 2020 at 01:04:08PM +0200, Mickaël Salaün wrote:
>>
>> On 15/05/2020 10:01, Kees Cook wrote:
>>> On Thu, May 14, 2020 at 09:16:13PM +0200, Mickaël Salaün wrote:
>>>> On 14/05/2020 18:10, Stephen Smalley
On 15/05/2020 10:01, Kees Cook wrote:
> On Thu, May 14, 2020 at 09:16:13PM +0200, Mickaël Salaün wrote:
>> On 14/05/2020 18:10, Stephen Smalley wrote:
>>> On Thu, May 14, 2020 at 11:45 AM Kees Cook wrote:
>>>> So, it looks like adding FMODE_EXEC into f_f