On Mon, Apr 29, 2024 at 05:16:57PM +0800, Ubisectech Sirius wrote:
> > Hello,
>
> > Thanks for the report. Could you please provide a reproducer?
>
> > Regards,
> > Mickaël
>
> Hi.
> The PoC file has been sent to you as an attachment.
Indeed, but could you please trim down the file. There are 650
Hello,
Thanks for the report. Could you please provide a reproducer?
Regards,
Mickaël
On Sun, Apr 28, 2024 at 10:47:02AM +0800, Ubisectech Sirius wrote:
> Hello.
> We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec.
> Recently, our team has discovered an issue in Linux
On Mon, Sep 11, 2023 at 09:29:07AM -0400, Mimi Zohar wrote:
> Hi Eric,
>
> On Fri, 2023-09-08 at 17:34 -0400, Eric Snowberg wrote:
> > Currently root can dynamically update the blacklist keyring if the hash
> > being added is signed and vouched for by the builtin trusted keyring.
> > Currently
Hi,
There were no new reviews, probably because the FS maintainers were busy,
and I was focused on Landlock (which is now in -next), but I plan to
send a new patch series for trusted_for(2) soon.
Thanks for letting me know about your interest,
Mickaël
On 09/04/2021 18:26, bauen1 wrote:
> Hello,
>
> As
Looks good, thanks Stephen!
On 09/04/2021 06:39, Stephen Rothwell wrote:
> Hi all,
>
> On Fri, 19 Mar 2021 13:05:51 +1100 Stephen Rothwell
> wrote:
>>
>> Today's linux-next merge of the security tree got conflicts in:
>>
>> arch/alpha/kernel/syscalls/syscall.tbl
>>
Hi David and Jarkko,
What is the status of this patchset? Could someone take it to -next?
Regards,
Mickaël
On 12/03/2021 18:12, Mickaël Salaün wrote:
> This new patch series is a rebase on David Howells's and Eric Snowberg's
> keys-cve-2020-26541-v3.
>
> I successfully teste
From: Mickaël Salaün
Test all Landlock system calls, ptrace hooks semantic and filesystem
access-control with multiple layouts.
Test coverage for security/landlock/ is 93.6% of lines. The code not
covered only deals with internal kernel errors (e.g. memory allocation)
and race conditions.
Cc
From: Mickaël Salaün
Add a first document describing userspace API: how to define and enforce
a Landlock security policy. This is explained with a simple example.
The Landlock system calls are described with their expected behavior and
current limitations.
Another document is dedicated
From: Mickaël Salaün
These 3 system calls are designed to be used by unprivileged processes
to sandbox themselves:
* landlock_create_ruleset(2): Creates a ruleset and returns its file
descriptor.
* landlock_add_rule(2): Adds a rule (e.g. file hierarchy access) to a
ruleset, identified
From: Mickaël Salaün
Add a basic sandbox tool to launch a command which can only access a
list of file hierarchies in a read-only or read-write way.
Cc: James Morris
Cc: Serge E. Hallyn
Signed-off-by: Mickaël Salaün
Reviewed-by: Jann Horn
Reviewed-by: Kees Cook
Link: https
From: Mickaël Salaün
Wire up the following system calls for all architectures:
* landlock_create_ruleset(2)
* landlock_add_rule(2)
* landlock_restrict_self(2)
Cc: Arnd Bergmann
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
Signed-off-by: Mickaël Salaün
Link: https
From: Mickaël Salaün
The sb_delete security hook is called when shutting down a superblock,
which may be useful to release kernel objects tied to the superblock's
lifetime (e.g. inodes).
This new hook is needed by Landlock to release (ephemerally) tagged
struct inodes. This comes from
From: Mickaël Salaün
Using Landlock objects and ruleset, it is possible to tag inodes
according to a process's domain. To enable an unprivileged process to
express a file hierarchy, it first needs to open a directory (or a file)
and pass this file descriptor to the kernel through
From: Mickaël Salaün
Using ptrace(2) and related debug features on a target process can lead
to a privilege escalation. Indeed, ptrace(2) can be used by an attacker
to impersonate another task and to remain undetected while performing
malicious activities. Thanks to ptrace_may_access
ace is
allocated there.
Cc: John Johansen
Signed-off-by: Casey Schaufler
Signed-off-by: Mickaël Salaün
Reviewed-by: Stephen Smalley
Acked-by: Serge Hallyn
Reviewed-by: Kees Cook
Link: https://lore.kernel.org/r/20210407160726.542794-6-...@digikod.net
---
Changes since v30:
* Add Reviewed-by Kees C
From: Mickaël Salaün
A Landlock ruleset is mainly a red-black tree with Landlock rules as
nodes. This enables quick update and lookup to match a requested
access, e.g. to a file. A ruleset is usable through a dedicated file
descriptor (cf. following commit implementing syscalls) which enables
From: Mickaël Salaün
A process's credentials point to a Landlock domain, which is underneath
implemented with a ruleset. In the following commits, this domain is
used to check and enforce the ptrace and filesystem security policies.
A domain is inherited from a parent to its child the same way
From: Mickaël Salaün
A Landlock object makes it possible to identify a kernel object (e.g. an inode).
A Landlock rule is a set of access rights allowed on an object. Rules
are grouped in rulesets that may be tied to a set of processes (i.e.
subjects) to enforce a scoped access-control (i.e. a domain
(1):
LSM: Infrastructure management of the superblock
Mickaël Salaün (11):
landlock: Add object management
landlock: Add ruleset and domain management
landlock: Set up the security framework and manage credentials
landlock: Add ptrace restrictions
fs,security: Add sb_delete hook
landloc
ace is
allocated there.
Cc: John Johansen
Signed-off-by: Casey Schaufler
Signed-off-by: Mickaël Salaün
Reviewed-by: Stephen Smalley
Acked-by: Serge Hallyn
Reviewed-by: Kees Cook
Link: https://lore.kernel.org/r/20210401205208.2756565-6-...@digikod.net
---
Changes since v30:
* Add Reviewed-by Kees C
08-16277-1-git-send-email-...@digikod.net/
Casey Schaufler (1):
LSM: Infrastructure management of the superblock
Mickaël Salaün (11):
landlock: Add object management
landlock: Add ruleset and domain management
landlock: Set up the security framework and manage credentials
landlock:
On 01/04/2021 04:14, Al Viro wrote:
> On Wed, Mar 31, 2021 at 07:33:50PM +0200, Mickaël Salaün wrote:
>
>>> +static inline u64 unmask_layers(
>>> + const struct landlock_ruleset *const domain,
>>> + const struct path *const path, const u32 ac
Jann, Kees, are you OK with this patch and the next one?
On 24/03/2021 20:15, Mickaël Salaün wrote:
> From: Mickaël Salaün
>
> Using Landlock objects and ruleset, it is possible to tag inodes
> according to a process's domain. To enable an unprivileged process to
> express a
On 30/03/2021 20:40, Casey Schaufler wrote:
> On 3/30/2021 11:11 AM, Mickaël Salaün wrote:
>> On 30/03/2021 19:19, Casey Schaufler wrote:
>>> On 3/30/2021 10:01 AM, Mickaël Salaün wrote:
>>>> Hi,
>>>>
>>>> Are there new comments on this
On 30/03/2021 19:19, Casey Schaufler wrote:
> On 3/30/2021 10:01 AM, Mickaël Salaün wrote:
>> Hi,
>>
>> Are there new comments on this patch? Could we move forward?
>
> I don't see that new comments are necessary when I don't see
> that you've provided compelling co
Hi,
Are there new comments on this patch? Could we move forward?
Regards,
Mickaël
On 16/03/2021 21:36, Mickaël Salaün wrote:
> From: Mickaël Salaün
>
> Being able to easily change root directories enables to ease some
> development workflow and can be used as a tool t
On 29/03/2021 18:49, Mickaël Salaün wrote:
> From: Mickaël Salaün
>
> Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in
> ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a
> metacopy error, which leads to dentry leaks when sh
From: Mickaël Salaün
Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in
ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a
metacopy error, which leads to dentry leaks when shutting down the
related superblock:
overlayfs: refusing to follow metac
On 27/03/2021 00:12, Askar Safin wrote:
> Hi. Unprivileged users already can do chroot. He should simply create userns
> and then call "chroot" inside. As an LWN commenter noted, you can simply run
> "unshare -r /usr/sbin/chroot some-dir". (I recommend reading all comments:
>
e)
> | ^~~
> kernel/sys_ni.c:39:1: note: in expansion of macro 'COND_SYSCALL'
>39 | COND_SYSCALL(io_setup);
> | ^~~~
> ...
>
> __SYS_STUB0() and __SYS_STUBx() defined a few lines above have forward
> declarations. Let
Hi David,
What is the status of this patchset? Could you please push it to -next?
Regards,
Mickaël
On 12/03/2021 18:12, Mickaël Salaün wrote:
> This new patch series is a rebase on David Howells's and Eric Snowberg's
> keys-cve-2020-26541-v3.
>
> I successfully tested this
On 24/03/2021 21:31, James Morris wrote:
> On Fri, 19 Mar 2021, Mickaël Salaün wrote:
>
>>
>>>> Cc: Kees Cook
>>>> Signed-off-by: Mickaël Salaün
>>>> Acked-by: Serge Hallyn
>>>> Link: https://lore.kernel.org/r/20210316204252.42
On 24/03/2021 20:15, Mickaël Salaün wrote:
[...]
> diff --git a/security/landlock/object.h b/security/landlock/object.h
> new file mode 100644
> index ..3e5d5b6941c3
> --- /dev/null
> +++ b/security/landlock/object.h
> @@ -0,0 +1,91 @@
> +/* SPDX-License-Ide
management of the superblock
Mickaël Salaün (11):
landlock: Add object management
landlock: Add ruleset and domain management
landlock: Set up the security framework and manage credentials
landlock: Add ptrace restrictions
fs,security: Add sb_delete hook
landlock: Support filesystem acce
ace is
allocated there.
Cc: John Johansen
Signed-off-by: Casey Schaufler
Signed-off-by: Mickaël Salaün
Reviewed-by: Stephen Smalley
Acked-by: Serge Hallyn
Reviewed-by: Kees Cook
Link: https://lore.kernel.org/r/20210324191520.125779-6-...@digikod.net
---
Changes since v30:
* Add Reviewed-by Kees C
On 19/03/2021 19:54, Mickaël Salaün wrote:
>
> On 19/03/2021 19:03, Kees Cook wrote:
>> On Tue, Mar 16, 2021 at 09:42:52PM +0100, Mickaël Salaün wrote:
>>> From: Mickaël Salaün
[...]
>>
>>> [...]
>>> +Special filesystems
>>> +
On 19/03/2021 22:53, Mickaël Salaün wrote:
>
> On 19/03/2021 20:06, Kees Cook wrote:
>> On Tue, Mar 16, 2021 at 09:42:48PM +0100, Mickaël Salaün wrote:
>>> From: Mickaël Salaün
[...]
>>> +/**
>>> + * sys_landlock_create_ruleset - Create a new
On 19/03/2021 20:19, Mickaël Salaün wrote:
>
> On 19/03/2021 19:57, Kees Cook wrote:
>> On Tue, Mar 16, 2021 at 09:42:47PM +0100, Mickaël Salaün wrote:
>>> From: Mickaël Salaün
>>>
>>> Using Landlock objects and ruleset, it is possible to tag ino
On 19/03/2021 19:54, Mickaël Salaün wrote:
>
> On 19/03/2021 19:03, Kees Cook wrote:
>> On Tue, Mar 16, 2021 at 09:42:52PM +0100, Mickaël Salaün wrote:
>>> From: Mickaël Salaün
>>>
>>> This documentation can be built with the Sphinx framework.
On 23/03/2021 18:49, Jann Horn wrote:
> On Tue, Mar 23, 2021 at 4:54 PM Mickaël Salaün wrote:
>> On 23/03/2021 01:13, Jann Horn wrote:
>>> On Tue, Mar 16, 2021 at 9:43 PM Mickaël Salaün wrote:
>>>> Using Landlock objects and ruleset, it is possible to tag inodes
On 23/03/2021 01:13, Jann Horn wrote:
> On Tue, Mar 16, 2021 at 9:43 PM Mickaël Salaün wrote:
>> Using Landlock objects and ruleset, it is possible to tag inodes
>> according to a process's domain.
> [...]
>> +static void release_inode(struct landl
On 19/03/2021 20:11, Kees Cook wrote:
> On Fri, Mar 19, 2021 at 07:41:00PM +0100, Mickaël Salaün wrote:
>>
>> On 19/03/2021 18:56, Kees Cook wrote:
>>> On Tue, Mar 16, 2021 at 09:42:50PM +0100, Mickaël Salaün wrote:
>>>> From: Mickaël Salaün
>>>
On 19/03/2021 20:06, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 09:42:48PM +0100, Mickaël Salaün wrote:
>> From: Mickaël Salaün
>>
>> These 3 system calls are designed to be used by unprivileged processes
>> to sandbox themselves:
>> * landlock_create_ruleset(
On 19/03/2021 19:57, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 09:42:47PM +0100, Mickaël Salaün wrote:
>> From: Mickaël Salaün
>>
>> Using Landlock objects and ruleset, it is possible to tag inodes
>> according to a process's domain. To enable an unprivileged p
On 19/03/2021 19:45, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 09:42:43PM +0100, Mickaël Salaün wrote:
>> config LSM
>> string "Ordered list of enabled LSMs"
>> -default
>> "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,a
On 19/03/2021 19:40, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 09:42:42PM +0100, Mickaël Salaün wrote:
>> From: Mickaël Salaün
>>
>> A Landlock ruleset is mainly a red-black tree with Landlock rules as
>> nodes. This enables quick update and lookup to match
On 19/03/2021 19:13, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 09:42:41PM +0100, Mickaël Salaün wrote:
>> From: Mickaël Salaün
>>
>> A Landlock object enables to identify a kernel object (e.g. an inode).
>> A Landlock rule is a set of access rights allowed on an ob
On 19/03/2021 19:03, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 09:42:52PM +0100, Mickaël Salaün wrote:
>> From: Mickaël Salaün
>>
>> This documentation can be built with the Sphinx framework.
>
> Well, yes. :) Maybe describe what the documentation covers instead h
On 19/03/2021 18:56, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 09:42:50PM +0100, Mickaël Salaün wrote:
>> From: Mickaël Salaün
>>
>> Test all Landlock system calls, ptrace hooks semantic and filesystem
>> access-control with multiple layouts.
>>
>> Test
On 19/03/2021 00:26, James Morris wrote:
> I've queued this patchset here:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
> landlock_lsm
>
> and pulled it into next-testing, which will get it coverage in linux-next.
>
> All going well, I'll aim to push this to
On 17/03/2021 15:48, Eric Snowberg wrote:
>
>> On Mar 15, 2021, at 12:01 PM, Mickaël Salaün wrote:
>>
>>
>> On 15/03/2021 17:59, Eric Snowberg wrote:
>>>
>>>> On Mar 12, 2021, at 10:12 AM, Mickaël Salaün wrote:
>>>&
From: Mickaël Salaün
Add a basic sandbox tool to launch a command which can only access a
list of file hierarchies in a read-only or read-write way.
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
Signed-off-by: Mickaël Salaün
Reviewed-by: Jann Horn
Link: https://lore.kernel.org/r
From: Mickaël Salaün
This documentation can be built with the Sphinx framework.
Cc: James Morris
Cc: Jann Horn
Cc: Kees Cook
Cc: Serge E. Hallyn
Signed-off-by: Mickaël Salaün
Reviewed-by: Vincent Dagonneau
Link: https://lore.kernel.org/r/20210316204252.427806-13-...@digikod.net
ace is
allocated there.
Cc: Kees Cook
Cc: John Johansen
Signed-off-by: Casey Schaufler
Signed-off-by: Mickaël Salaün
Reviewed-by: Stephen Smalley
Acked-by: Serge Hallyn
Link: https://lore.kernel.org/r/20210316204252.427806-6-...@digikod.net
---
Changes since v28:
* Add Acked-by Serge Hallyn.
Chan
15.26021-1-...@digikod.net/
v2:
https://lore.kernel.org/lkml/1472121165-29071-1-git-send-email-...@digikod.net/
v1:
https://lore.kernel.org/kernel-hardening/1458784008-16277-1-git-send-email-...@digikod.net/
Casey Schaufler (1):
LSM: Infrastructure management of the superblock
Mickaël
.org/r/20210310181857.401675-1-...@digikod.net
v1: https://lore.kernel.org/r/20210310161000.382796-1-...@digikod.net
Regards,
Mickaël Salaün (1):
fs: Allow no_new_privs tasks to call chroot(2)
fs/open.c | 23 +--
1 file changed, 21 insertions(+), 2 deletions(-)
base-
From: Mickaël Salaün
Being able to easily change root directories eases some development
workflows and can be used as a tool to strengthen
unprivileged security sandboxes. chroot(2) is not an access-control
mechanism per se, but it can be used to limit the absolute view
On 16/03/2021 20:31, Jann Horn wrote:
> On Tue, Mar 16, 2021 at 8:26 PM Mickaël Salaün wrote:
>> On 16/03/2021 20:04, Jann Horn wrote:
>>> On Tue, Mar 16, 2021 at 6:02 PM Mickaël Salaün wrote:
>>>> One could argue that chroot(2) is useless without a properly popu
On 16/03/2021 20:04, Jann Horn wrote:
> On Tue, Mar 16, 2021 at 6:02 PM Mickaël Salaün wrote:
>> One could argue that chroot(2) is useless without a properly populated
>> root hierarchy (i.e. without /dev and /proc). However, there are
>> multiple use cases that don't
On 16/03/2021 20:24, Kees Cook wrote:
> On Tue, Mar 16, 2021 at 08:04:09PM +0100, Jann Horn wrote:
>> On Tue, Mar 16, 2021 at 6:02 PM Mickaël Salaün wrote:
>>> One could argue that chroot(2) is useless without a properly populated
>>> root hierarchy (i.e. withou
-...@digikod.net
v1: https://lore.kernel.org/r/20210310161000.382796-1-...@digikod.net
Regards,
Mickaël Salaün (1):
fs: Allow no_new_privs tasks to call chroot(2)
fs/open.c | 23 +--
1 file changed, 21 insertions(+), 2 deletions(-)
base-commit
On 15/03/2021 22:17, Kees Cook wrote:
> On Thu, Mar 11, 2021 at 11:52:42AM +0100, Mickaël Salaün wrote:
>> [...]
>> This change may not impact systems relying on other permission models
>> than POSIX capabilities (e.g. Tomoyo). Being able to use chroot(2) on
>&g
On 15/03/2021 17:59, Eric Snowberg wrote:
>
>> On Mar 12, 2021, at 10:12 AM, Mickaël Salaün wrote:
>>
>> From: Mickaël Salaün
>>
>> Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
>> to dynamically add new keys to the blacklist
From: Mickaël Salaün
Before exposing this new key type to user space, make sure that only
meaningful blacklisted hashes are accepted. This is also checked for
builtin blacklisted hashes, but a following commit makes sure that the
user will notice (at build time) and will fix the configuration
From: Mickaël Salaün
Factor out the blacklist hash creation with the get_raw_hash() helper.
This also centralizes the "tbs" and "bin" prefixes and makes them private,
which helps to manage them consistently.
Cc: David Howells
Cc: David S. Miller
Cc: David Woodhouse
C
From: Mickaël Salaün
Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
to dynamically add new keys to the blacklist keyring. This makes it possible to
invalidate new certificates, either from being loaded in a keyring, or
from being trusted in a PKCS#7 certificate chain. This also
From: Mickaël Salaün
Add and use a check-blacklist-hashes.awk script to make sure that the
builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will
effectively be taken into account as blacklisted hashes. This is useful
to debug invalid hash formats, and it makes sure
p of David Howells's keys-cve-2020-26541-branch:
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-cve-2020-26541-branch
Previous patch series:
https://lore.kernel.org/lkml/20210210120410.471693-1-...@digikod.net/
Regards,
Mickaël Salaün (5):
tools/certs: Add prin