Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

From: Tycho Andersen
Date: Tue Mar 06 2018 - 17:46:47 EST


On Tue, Mar 06, 2018 at 10:33:17PM +0000, Andy Lutomirski wrote:
> >> Suppose I'm writing a container manager. I want to run "mount" in the
> >> container, but I don't want to allow mount() in general and I want to
> >> emulate certain mount() actions. I can write a filter that catches
> >> mount using seccomp and calls out to the container manager for help.
> >> This isn't theoretical -- Tycho wants *exactly* this use case to be
> >> supported.
> >
> > Well, I think this use case should be handled with something like
> > LD_PRELOAD and a helper library. FYI, I did something like this:
> > https://github.com/stemjail/stemshim
>
> I doubt that will work for containers. Containers that use user
> namespaces and, for example, setuid programs aren't going to honor
> LD_PRELOAD.

Or anything that calls syscalls directly, like go programs.

Tycho