Re: [RFC v2 00/10] Landlock LSM: Unprivileged sandboxing

From: MickaÃl SalaÃn
Date: Wed Oct 05 2016 - 16:31:16 EST

On 04/10/2016 00:56, Kees Cook wrote:
> On Tue, Sep 20, 2016 at 10:08 AM, MickaÃl SalaÃn <mic@xxxxxxxxxxx> wrote:
>> On 15/09/2016 11:19, Pavel Machek wrote:
>>> Hi!
>>>> This series is a proof of concept to fill some missing part of seccomp as the
>>>> ability to check syscall argument pointers or creating more dynamic security
>>>> policies. The goal of this new stackable Linux Security Module (LSM) called
>>>> Landlock is to allow any process, including unprivileged ones, to create
>>>> powerful security sandboxes comparable to the Seatbelt/XNU Sandbox or the
>>>> OpenBSD Pledge. This kind of sandbox help to mitigate the security impact of
>>>> bugs or unexpected/malicious behaviors in userland applications.
>>>> The first RFC [1] was focused on extending seccomp while staying at the syscall
>>>> level. This brought a working PoC but with some (mitigated) ToCToU race
>>>> conditions due to the seccomp ptrace hole (now fixed) and the non-atomic
>>>> syscall argument evaluation (hence the LSM hooks).
>>> Long and nice description follows. Should it go to Documentation/
>>> somewhere?
>>> Because some documentation would be useful...
>>> Pavel
>> Right, but I was looking for feedback before investing in documentation. :)
> Heh, understood. There are a number of grammar issues that slow me
> down when reading this, so when it does move into Documentation/, I'll
> have some English nit-picks. :)
> While reading I found myself wanting an explicit list of "guiding
> principles" for anyone implementing new hooks. It is touched on in
> several places (don't expose things, don't allow for privilege
> changes, etc). Having that spelled out somewhere would be nice.

Right, I'm going to try to create a more consistent documentation with
the "guiding principles".


Attachment: signature.asc
Description: OpenPGP digital signature