> On Wed, Dec 15, 2021, at 1:45 PM, Luca Boccassi wrote: > > Hmm. Some interesting stuff going on there but I would have started with a > new SELinux > access vector. That'd allow fine-grained constraints, e.g. disallowing > `init_t` but > allowing `unconfined_service_t`. Possibly also landlock should be able to > hook into this. > IOW it's not clear to me that a new LSM is the best thing for the ecosystem > here. > > But bigger picture I'd agree that fs-verity is significantly stronger when > coupled > with such a policy - strong enough to block exploits like the runc one: > https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-c...
We use this in production, and those kind of constraints are just not enough, because there's too many obvious ways around them. What we needed is for the kernel to enforce that only signed code shall run, and thus IPE was born, so that when coupled with dm-verity/fs-verity it allows to enforce a policy like that. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
