Re: [PATCH v5 07/10] bpf: Add a Landlock sandbox example

From: MickaÃl SalaÃn
Date: Thu Feb 23 2017 - 17:14:55 EST

Next message: Bjorn Helgaas: "Re: [PATCH v2 0/4] New Microsemi PCI Switch Management Driver"
Previous message: Andy Shevchenko: "Re: [PATCH] checkpatch: don't complain on module_param(foo, bar, 0)"
In reply to: MickaÃl SalaÃn: "[PATCH v5 07/10] bpf: Add a Landlock sandbox example"
Next in thread: MickaÃl SalaÃn: "[PATCH v5 10/10] landlock: Add user and kernel documentation for Landlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 22/02/2017 02:26, MickaÃl SalaÃn wrote:
> Add a basic sandbox tool to create a process isolated from some part of
> the system. This sandbox create a read-only environment. It is only
> allowed to write to a character device such as a TTY:
>
> # :> X
> # echo $?
> 0
> # ./samples/bpf/landlock1 /bin/sh -i
> Launching a new sandboxed process.
> # :> Y
> cannot create Y: Operation not permitted
>
> Changes since v4:
> * write Landlock rule in C and compiled it with LLVM
> * remove cgroup handling
> * remove path handling: only handle a read-only environment
> * remove errno return codes
>
> Changes since v3:
> * remove seccomp and origin field: completely free from seccomp programs
> * handle more FS-related hooks
> * handle inode hooks and directory traversal
> * add faked but consistent view thanks to ENOENT
> * add /lib64 in the example
> * fix spelling
> * rename some types and definitions (e.g. SECCOMP_ADD_LANDLOCK_RULE)
>
> Changes since v2:
> * use BPF_PROG_ATTACH for cgroup handling
>
> Signed-off-by: MickaÃl SalaÃn <mic@xxxxxxxxxxx>
> Cc: Alexei Starovoitov <ast@xxxxxxxxxx>
> Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Cc: David S. Miller <davem@xxxxxxxxxxxxx>
> Cc: James Morris <james.l.morris@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Serge E. Hallyn <serge@xxxxxxxxxx>
> ---
> samples/bpf/.gitignore | 32 ++++++++++++++
> samples/bpf/Makefile | 4 ++
> samples/bpf/bpf_load.c | 26 +++++++++--
> samples/bpf/landlock1_kern.c | 46 +++++++++++++++++++
> samples/bpf/landlock1_user.c | 102 +++++++++++++++++++++++++++++++++++++++++++
> 5 files changed, 206 insertions(+), 4 deletions(-)
> create mode 100644 samples/bpf/.gitignore
> create mode 100644 samples/bpf/landlock1_kern.c
> create mode 100644 samples/bpf/landlock1_user.c
>
> diff --git a/samples/bpf/.gitignore b/samples/bpf/.gitignore
> new file mode 100644
> index 000000000000..a7562a5ef4c2
> --- /dev/null
> +++ b/samples/bpf/.gitignore
> @@ -0,0 +1,32 @@
> +fds_example
> +lathist
> +lwt_len_hist
> +map_perf_test
> +offwaketime
> +sampleip
> +sockex1
> +sockex2
> +sockex3
> +sock_example
> +spintest
> +tc_l2_redirect
> +test_cgrp2_array_pin
> +test_cgrp2_attach
> +test_cgrp2_attach2
> +test_cgrp2_sock
> +test_cgrp2_sock2
> +test_current_task_under_cgroup
> +test_lru_dist
> +test_overhead
> +test_probe_write_user
> +trace_event
> +trace_output
> +tracex1
> +tracex2
> +tracex3
> +tracex4
> +tracex5
> +tracex6
> +xdp1
> +xdp2
> +xdp_tx_iptunnel

Please ignore this hunk, it was part of another patch seriesâ

Attachment: signature.asc
Description: OpenPGP digital signature

Next message: Bjorn Helgaas: "Re: [PATCH v2 0/4] New Microsemi PCI Switch Management Driver"
Previous message: Andy Shevchenko: "Re: [PATCH] checkpatch: don't complain on module_param(foo, bar, 0)"
In reply to: MickaÃl SalaÃn: "[PATCH v5 07/10] bpf: Add a Landlock sandbox example"
Next in thread: MickaÃl SalaÃn: "[PATCH v5 10/10] landlock: Add user and kernel documentation for Landlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]