[PATCH v24 11/12] samples/landlock: Add a sandbox manager example

2020-11-12 Thread Mickaël Salaün
From: Mickaël Salaün Add a basic sandbox tool to launch a command which can only access a whitelist of file hierarchies in a read-only or read-write way. Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- Changes since v23: * Re-add hints

[PATCH v24 05/12] LSM: Infrastructure management of the superblock

2020-11-12 Thread Mickaël Salaün
ace is allocated there. Cc: Kees Cook Cc: John Johansen Signed-off-by: Casey Schaufler Signed-off-by: Mickaël Salaün Reviewed-by: Stephen Smalley --- Changes since v20: * Remove all Reviewed-by except Stephen Smalley: https://lore.kernel.org/lkml/CAEjxPJ7ARJO57MBW66=xsBzMMRb=9ulgqock5eskhcai

[PATCH v24 04/12] landlock: Add ptrace restrictions

2020-11-12 Thread Mickaël Salaün
From: Mickaël Salaün Using ptrace(2) and related debug features on a target process can lead to a privilege escalation. Indeed, ptrace(2) can be used by an attacker to impersonate another task and to remain undetected while performing malicious activities. Thanks to ptrace_may_access

[PATCH v24 01/12] landlock: Add object management

2020-11-12 Thread Mickaël Salaün
From: Mickaël Salaün A Landlock object makes it possible to identify a kernel object (e.g. an inode). A Landlock rule is a set of access rights allowed on an object. Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain

[PATCH v24 10/12] selftests/landlock: Add user space tests

2020-11-12 Thread Mickaël Salaün
From: Mickaël Salaün Test all Landlock system calls, ptrace hook semantics and filesystem access-control. Test coverage for security/landlock/ is 94.8% of lines. The code not covered only deals with internal kernel errors (e.g. memory allocation) and race conditions. Cc: James Morris Cc

[PATCH v24 00/12] Landlock LSM

2020-11-12 Thread Mickaël Salaün
astructure management of the superblock Mickaël Salaün (11): landlock: Add object management landlock: Add ruleset and domain management landlock: Set up the security framework and manage credentials landlock: Add ptrace restrictions fs,security: Add sb_delete hook landlock: Support filesys

[PATCH v1 5/9] landlock: Add extra checks when inserting a rule

2020-11-11 Thread Mickaël Salaün
Cc: Jann Horn Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- security/landlock/ruleset.c | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index 7654a66cea43..1fb85daeb750 100644 --- a/security

[PATCH v1 2/9] landlock: Cosmetic fixes for filesystem management

2020-11-11 Thread Mickaël Salaün
Improve comments and make get_inode_object() more readable. The kfree() call is correct but we should minimize as much as possible lock windows. Cc: James Morris Cc: Jann Horn Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- security/landlock/fs.c | 24 1 file

[PATCH v1 4/9] landlock: Always intersect access rights

2020-11-11 Thread Mickaël Salaün
and layout1.inherit_subset tests accordingly. Cc: James Morris Cc: Jann Horn Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- security/landlock/ruleset.c| 17 - tools/testing/selftests/landlock/fs_test.c | 41 +++--- 2 files changed, 34 insertions

[PATCH v1 7/9] landlock: Clean up get_ruleset_from_fd()

2020-11-11 Thread Mickaël Salaün
-...@intel.com/ Reported-by: kernel test robot Signed-off-by: Mickaël Salaün --- security/landlock/syscall.c | 22 -- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/security/landlock/syscall.c b/security/landlock/syscall.c index 486136d4f46e..543ae36cd339 100644

[PATCH v1 3/9] landlock: Enforce deterministic interleaved path rules

2020-11-11 Thread Mickaël Salaün
corner-case layered rule combinations. Cc: James Morris Cc: Jann Horn Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- security/landlock/fs.c | 38 + tools/testing/selftests/landlock/fs_test.c | 95 ++ 2 files changed, 115 insertions(+), 18

[PATCH v1 6/9] selftests/landlock: Extend layout1.inherit_superset

2020-11-11 Thread Mickaël Salaün
These additional checks test that layers are handled as expected in the superset use case, which completes the inherit_subset checks. Cc: James Morris Cc: Jann Horn Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- tools/testing/selftests/landlock/fs_test.c | 8 1 file changed, 8

[PATCH v1 1/9] landlock: Fix memory allocation error handling

2020-11-11 Thread Mickaël Salaün
Handle memory allocation errors in landlock_create_object() call. This prevents inadvertently holding an inode. Also, make get_inode_object() more readable. Cc: James Morris Cc: Jann Horn Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- security/landlock/fs.c | 5 + security

[PATCH v1 0/9] Landlock fixes

2020-11-11 Thread Mickaël Salaün
of https://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git/log/?h=landlock_lsm Regards, Mickaël Salaün (9): landlock: Fix memory allocation error handling landlock: Cosmetic fixes for filesystem management landlock: Enforce deterministic interleaved path rules landlock

[PATCH v1 8/9] landlock: Add help to enable Landlock as a stacked LSM

2020-11-11 Thread Mickaël Salaün
. Cc: James Morris Cc: Jann Horn Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- samples/landlock/sandboxer.c | 21 +++-- security/landlock/Kconfig| 4 +++- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock

[PATCH v1 9/9] landlock: Extend documentation about limitations

2020-11-11 Thread Mickaël Salaün
Explain limitations for the maximum number of stacked rulesets, and the memory usage restrictions. Cc: James Morris Cc: Jann Horn Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- Documentation/userspace-api/landlock.rst | 17 + security/landlock/syscall.c

Re: [PATCH v23 00/12] Landlock LSM

2020-11-10 Thread Mickaël Salaün
On 10/11/2020 07:47, James Morris wrote: > On Tue, 3 Nov 2020, Mickaël Salaün wrote: > >> Hi, >> >> Can you please consider to merge this into the tree? >> > > I've added this to my tree: > git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-secur

[PATCH v23 07/12] landlock: Support filesystem access-control

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün Thanks to the Landlock objects and ruleset, it is possible to identify inodes according to a process's domain. To enable an unprivileged process to express a file hierarchy, it first needs to open a directory (or a file) and pass this file descriptor to the kernel through

[PATCH v23 04/12] landlock: Add ptrace restrictions

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün Using ptrace(2) and related debug features on a target process can lead to a privilege escalation. Indeed, ptrace(2) can be used by an attacker to impersonate another task and to remain undetected while performing malicious activities. Thanks to ptrace_may_access

[PATCH v23 06/12] fs,security: Add sb_delete hook

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün The sb_delete security hook is called when shutting down a superblock, which may be useful to release kernel objects tied to the superblock's lifetime (e.g. inodes). This new hook is needed by Landlock to release (ephemerally) tagged struct inodes. This comes from

[PATCH v23 02/12] landlock: Add ruleset and domain management

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün A Landlock ruleset is mainly a red-black tree with Landlock rules as nodes. This enables quick update and lookup to match a requested access, e.g. to a file. A ruleset is usable through a dedicated file descriptor (cf. following commit implementing syscalls) which enables

[PATCH v23 10/12] selftests/landlock: Add user space tests

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün Test all Landlock system calls, ptrace hook semantics and filesystem access-control. Test coverage for security/landlock/ is 95.5% of lines. The code not covered only deals with internal kernel errors (e.g. memory allocation) and race conditions. Cc: James Morris Cc

[PATCH v23 08/12] landlock: Add syscall implementations

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün These 3 system calls are designed to be used by unprivileged processes to sandbox themselves: * landlock_create_ruleset(2): Creates a ruleset and returns its file descriptor. * landlock_add_rule(2): Adds a rule (e.g. file hierarchy access) to a ruleset, identified

[PATCH v23 09/12] arch: Wire up Landlock syscalls

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün Wire up the following system calls for all architectures: * landlock_create_ruleset(2) * landlock_add_rule(2) * landlock_enforce_ruleset_current(2) Cc: Arnd Bergmann Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün

[PATCH v23 12/12] landlock: Add user and kernel documentation

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün This documentation can be built with the Sphinx framework. Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün Reviewed-by: Vincent Dagonneau --- Changes since v22: * Fix spelling and remove obsolete sentence (spotted

[PATCH v23 00/12] Landlock LSM

2020-11-03 Thread Mickaël Salaün
: Infrastructure management of the superblock Mickaël Salaün (11): landlock: Add object management landlock: Add ruleset and domain management landlock: Set up the security framework and manage credentials landlock: Add ptrace restrictions fs,security: Add sb_delete hook landlock: Support filesystem

[PATCH v23 05/12] LSM: Infrastructure management of the superblock

2020-11-03 Thread Mickaël Salaün
ace is allocated there. Cc: Kees Cook Cc: John Johansen Signed-off-by: Casey Schaufler Signed-off-by: Mickaël Salaün Reviewed-by: Stephen Smalley --- Changes since v20: * Remove all Reviewed-by except Stephen Smalley: https://lore.kernel.org/lkml/CAEjxPJ7ARJO57MBW66=xsBzMMRb=9ulgqock5eskhcai

[PATCH v23 11/12] samples/landlock: Add a sandbox manager example

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün Add a basic sandbox tool to launch a command which can only access a whitelist of file hierarchies in a read-only or read-write way. Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- Changes since v21: * Remove

[PATCH v23 03/12] landlock: Set up the security framework and manage credentials

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün Process's credentials point to a Landlock domain, which is underneath implemented with a ruleset. In the following commits, this domain is used to check and enforce the ptrace and filesystem security policies. A domain is inherited from a parent to its child the same way

[PATCH v23 01/12] landlock: Add object management

2020-11-03 Thread Mickaël Salaün
From: Mickaël Salaün A Landlock object makes it possible to identify a kernel object (e.g. an inode). A Landlock rule is a set of access rights allowed on an object. Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain

Re: [PATCH v22 07/12] landlock: Support filesystem access-control

2020-11-03 Thread Mickaël Salaün
On 29/10/2020 02:06, Jann Horn wrote: > (On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >> diff --git a/security/landlock/fs.c b/security/landlock/fs.c > [...] >> +static inline u32 get_file_access(const struct file *const file) >> +{ >> + u32 access

Re: [PATCH v1 1/2] ptrace: Set PF_SUPERPRIV when checking capability

2020-10-30 Thread Mickaël Salaün
On 30/10/2020 16:47, Jann Horn wrote: > On Fri, Oct 30, 2020 at 1:39 PM Mickaël Salaün wrote: >> Commit 69f594a38967 ("ptrace: do not audit capability check when outputing >> /proc/pid/stat") replaced the use of ns_capable() with >> has_ns_capability{,_noaudit}()

Re: [PATCH v22 08/12] landlock: Add syscall implementations

2020-10-30 Thread Mickaël Salaün
On 30/10/2020 04:07, Jann Horn wrote: > On Thu, Oct 29, 2020 at 12:30 PM Mickaël Salaün wrote: >> On 29/10/2020 02:06, Jann Horn wrote: >>> On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >>>> These 3 system calls are designed to be used by unprivil

[PATCH v1 1/2] ptrace: Set PF_SUPERPRIV when checking capability

2020-10-30 Thread Mickaël Salaün
From: Mickaël Salaün Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") replaced the use of ns_capable() with has_ns_capability{,_noaudit}() which doesn't set PF_SUPERPRIV. Commit 6b3ad6649a4c ("ptrace: reintroduce usage of subject

[PATCH v1 2/2] seccomp: Set PF_SUPERPRIV when checking capability

2020-10-30 Thread Mickaël Salaün
From: Mickaël Salaün Replace the use of security_capable(current_cred(), ...) with ns_capable_noaudit() which sets PF_SUPERPRIV. Since commit 98f368e9e263 ("kernel: Add noaudit variant of ns_capable()"), a new ns_capable_noaudit() helper is available. Let's use it! Cc: Jann Horn Cc:

[PATCH v1 0/2] Fix misuse of security_capable()

2020-10-30 Thread Mickaël Salaün
This series replaces all uses of security_capable(current_cred(), ...) with ns_capable{,_noaudit}() which sets PF_SUPERPRIV. This initially comes from a review of Landlock by Jann Horn: https://lore.kernel.org/lkml/cag48ez1fqvkt78129wozbwfbvhapyar9ojahfhabbnxebr9...@mail.gmail.com/ Mickaël

[PATCH] selftests/seccomp: Update kernel config

2020-10-30 Thread Mickaël Salaün
seccomp_bpf.c uses unshare(CLONE_NEWPID), which requires CONFIG_PID_NS to be set. Cc: Kees Cook Cc: Shuah Khan Cc: Tycho Andersen Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Signed-off-by: Mickaël Salaün --- tools/testing/selftests/seccomp/config | 1

Re: [PATCH v22 00/12] Landlock LSM

2020-10-29 Thread Mickaël Salaün
On 29/10/2020 02:05, Jann Horn wrote: > On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >> This new patch series improves documentation, cleans up comments, >> renames ARCH_EPHEMERAL_STATES to ARCH_EPHEMERAL_INODES and removes >> LANDLOCK_ACCESS_FS_CHROOT. >

Re: [PATCH v22 12/12] landlock: Add user and kernel documentation

2020-10-29 Thread Mickaël Salaün
On 29/10/2020 02:07, Jann Horn wrote: > On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >> This documentation can be built with the Sphinx framework. >> >> Cc: James Morris >> Cc: Jann Horn >> Cc: Kees Cook >> Cc: Serge E. Hallyn >&g

Re: [PATCH v22 08/12] landlock: Add syscall implementations

2020-10-29 Thread Mickaël Salaün
On 29/10/2020 02:06, Jann Horn wrote: > On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >> These 3 system calls are designed to be used by unprivileged processes >> to sandbox themselves: >> * landlock_create_ruleset(2): Creates a ruleset and returns its

Re: [PATCH v22 07/12] landlock: Support filesystem access-control

2020-10-29 Thread Mickaël Salaün
On 29/10/2020 02:06, Jann Horn wrote: > (On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >> Thanks to the Landlock objects and ruleset, it is possible to identify >> inodes according to a process's domain. To enable an unprivileged >> process to express a file hier

Re: [PATCH v22 02/12] landlock: Add ruleset and domain management

2020-10-29 Thread Mickaël Salaün
On 29/10/2020 02:05, Jann Horn wrote: > On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >> A Landlock ruleset is mainly a red-black tree with Landlock rules as >> nodes. This enables quick update and lookup to match a requested access >> e.g., to a file. A rule

Re: [PATCH v22 01/12] landlock: Add object management

2020-10-29 Thread Mickaël Salaün
On 29/10/2020 02:05, Jann Horn wrote: > On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >> A Landlock object enables to identify a kernel object (e.g. an inode). >> A Landlock rule is a set of access rights allowed on an object. Rules >> are grouped in rulesets that

[PATCH v22 12/12] landlock: Add user and kernel documentation

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün This documentation can be built with the Sphinx framework. Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün Reviewed-by: Vincent Dagonneau --- Changes since v21: * Move the user space documentation to userspace-api

[PATCH v22 01/12] landlock: Add object management

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün A Landlock object makes it possible to identify a kernel object (e.g. an inode). A Landlock rule is a set of access rights allowed on an object. Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain

[PATCH v22 09/12] arch: Wire up Landlock syscalls

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün Wire up the following system calls for all architectures: * landlock_create_ruleset(2) * landlock_add_rule(2) * landlock_enforce_ruleset_current(2) Cc: Arnd Bergmann Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün

[PATCH v22 05/12] LSM: Infrastructure management of the superblock

2020-10-27 Thread Mickaël Salaün
ace is allocated there. Cc: Kees Cook Cc: John Johansen Signed-off-by: Casey Schaufler Signed-off-by: Mickaël Salaün Reviewed-by: Stephen Smalley --- Changes since v20: * Remove all Reviewed-by except Stephen Smalley: https://lore.kernel.org/lkml/CAEjxPJ7ARJO57MBW66=xsBzMMRb=9ulgqock5eskhcai

[PATCH v22 11/12] samples/landlock: Add a sandbox manager example

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün Add a basic sandbox tool to launch a command which can only access a whitelist of file hierarchies in a read-only or read-write way. Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- Changes since v21: * Remove

[PATCH v22 03/12] landlock: Set up the security framework and manage credentials

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün Process's credentials point to a Landlock domain, which is underneath implemented with a ruleset. In the following commits, this domain is used to check and enforce the ptrace and filesystem security policies. A domain is inherited from a parent to its child the same way

[PATCH v22 10/12] selftests/landlock: Add user space tests

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün Test all Landlock system calls, ptrace hook semantics and filesystem access-control. Test coverage for security/landlock/ is 95.2% of lines. The code not covered only deals with internal kernel errors (e.g. memory allocation) and race conditions. Cc: James Morris Cc

[PATCH v22 07/12] landlock: Support filesystem access-control

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün Thanks to the Landlock objects and ruleset, it is possible to identify inodes according to a process's domain. To enable an unprivileged process to express a file hierarchy, it first needs to open a directory (or a file) and pass this file descriptor to the kernel through

[PATCH v22 08/12] landlock: Add syscall implementations

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün These 3 system calls are designed to be used by unprivileged processes to sandbox themselves: * landlock_create_ruleset(2): Creates a ruleset and returns its file descriptor. * landlock_add_rule(2): Adds a rule (e.g. file hierarchy access) to a ruleset, identified

[PATCH v22 06/12] fs,security: Add sb_delete hook

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün The sb_delete security hook is called when shutting down a superblock, which may be useful to release kernel objects tied to the superblock's lifetime (e.g. inodes). This new hook is needed by Landlock to release (ephemerally) tagged struct inodes. This comes from

[PATCH v22 04/12] landlock: Add ptrace restrictions

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün Using ptrace(2) and related debug features on a target process can lead to a privilege escalation. Indeed, ptrace(2) can be used by an attacker to impersonate another task and to remain undetected while performing malicious activities. Thanks to ptrace_may_access

[PATCH v22 02/12] landlock: Add ruleset and domain management

2020-10-27 Thread Mickaël Salaün
From: Mickaël Salaün A Landlock ruleset is mainly a red-black tree with Landlock rules as nodes. This enables quick update and lookup to match a requested access e.g., to a file. A ruleset is usable through a dedicated file descriptor (cf. following commit implementing syscalls) which enables

[PATCH v22 00/12] Landlock LSM

2020-10-27 Thread Mickaël Salaün
Schaufler (1): LSM: Infrastructure management of the superblock Mickaël Salaün (11): landlock: Add object management landlock: Add ruleset and domain management landlock: Set up the security framework and manage credentials landlock: Add ptrace restrictions fs,security: Add sb_delete hook

Re: [RESEND PATCH v11 0/3] Add trusted_for(2) (was O_MAYEXEC)

2020-10-27 Thread Mickaël Salaün
Andrew, could you please merge this into your tree? On 19/10/2020 18:49, Mickaël Salaün wrote: > Hi, > > Can you please consider to merge this into the tree? > > > Overview > > > The final goal of this patch series is to enable the kernel to be a > globa

[PATCH v3] dm verity: Add support for signature verification with 2nd keyring

2020-10-23 Thread Mickaël Salaün
From: Mickaël Salaün Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING to enable dm-verity signatures to be verified against the secondary trusted keyring. Instead of relying on the builtin trusted keyring (with hard-coded certificates), the second trusted keyring can

Re: [PATCH v2] dm verity: Add support for signature verification with 2nd keyring

2020-10-23 Thread Mickaël Salaün
It seems that there are no more questions. Mike, Alasdair, could you please consider merging this into the tree? On 16/10/2020 14:19, Mickaël Salaün wrote: > > On 16/10/2020 13:08, Milan Broz wrote: >> On 16/10/2020 10:49, Mickaël Salaün wrote: >>> On 16/10/2020 10:29,

[RESEND PATCH v11 3/3] selftest/interpreter: Add tests for trusted_for(2) policies

2020-10-19 Thread Mickaël Salaün
From: Mickaël Salaün Test that checks performed by trusted_for(2) on file descriptors are consistent with noexec mount points and file execute permissions, according to the policy configured with the fs.trust_policy sysctl. Signed-off-by: Mickaël Salaün Reviewed-by: Thibaut Sautereau Cc: Al

[RESEND PATCH v11 0/3] Add trusted_for(2) (was O_MAYEXEC)

2020-10-19 Thread Mickaël Salaün
ml/0c70debd-e79e-d514-06c6-4cd1e021f...@python.org/ Regards, Mickaël Salaün (3): fs: Add trusted_for(2) syscall implementation and related sysctl arch: Wire up trusted_for(2) selftest/interpreter: Add tests for trusted_for(2) policies Documentation/admin-guide/sysctl/fs.rst

[RESEND PATCH v11 1/3] fs: Add trusted_for(2) syscall implementation and related sysctl

2020-10-19 Thread Mickaël Salaün
From: Mickaël Salaün The trusted_for() syscall enables user space tasks to check that files are trusted to be executed or interpreted by user space. This may allow script interpreters to check execution permission before reading commands from a file, or dynamic linkers to allow shared object

[RESEND PATCH v11 2/3] arch: Wire up trusted_for(2)

2020-10-19 Thread Mickaël Salaün
From: Mickaël Salaün Wire up trusted_for(2) for all architectures. Signed-off-by: Mickaël Salaün Reviewed-by: Thibaut Sautereau Cc: Al Viro Cc: Andrew Morton Cc: Arnd Bergmann Cc: Kees Cook Cc: Vincent Strubel --- Changes since v9: * Rename introspect_access(2) to trusted_for(2

Re: [PATCH v2] dm verity: Add support for signature verification with 2nd keyring

2020-10-16 Thread Mickaël Salaün
On 16/10/2020 13:08, Milan Broz wrote: > On 16/10/2020 10:49, Mickaël Salaün wrote: >> On 16/10/2020 10:29, Mickaël Salaün wrote: >>> >>> On 15/10/2020 18:52, Mike Snitzer wrote: >>>> Can you please explain why you've decided to make this a Kconfig CONF

Re: [PATCH v2] dm verity: Add support for signature verification with 2nd keyring

2020-10-16 Thread Mickaël Salaün
On 16/10/2020 10:29, Mickaël Salaün wrote: > > On 15/10/2020 18:52, Mike Snitzer wrote: >> On Thu, Oct 15 2020 at 11:05am -0400, >> Mickaël Salaün wrote: >> >>> From: Mickaël Salaün >>> >>> Add a new configuration DM_VERITY_VERIFY_ROO

Re: [PATCH v2] dm verity: Add support for signature verification with 2nd keyring

2020-10-16 Thread Mickaël Salaün
On 15/10/2020 18:52, Mike Snitzer wrote: > On Thu, Oct 15 2020 at 11:05am -0400, > Mickaël Salaün wrote: > >> From: Mickaël Salaün >> >> Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING >> to enable dm-verity signatures to be verified

[PATCH v2] dm verity: Add support for signature verification with 2nd keyring

2020-10-15 Thread Mickaël Salaün
From: Mickaël Salaün Add a new configuration DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING to enable dm-verity signatures to be verified against the secondary trusted keyring. Instead of relying on the builtin trusted keyring (with hard-coded certificates), the second trusted keyring can

Re: [PATCH v21 12/12] landlock: Add user and kernel documentation

2020-10-15 Thread Mickaël Salaün
On 08/10/2020 17:31, Mickaël Salaün wrote: > From: Mickaël Salaün > > This documentation can be built with the Sphinx framework. > > Cc: James Morris > Cc: Jann Horn > Cc: Kees Cook > Cc: Serge E. Hallyn > Signed-off-by: Mickaël Salaün > Reviewed-by: Vincent

Re: [PATCH v21 07/12] landlock: Support filesystem access-control

2020-10-14 Thread Mickaël Salaün
On 14/10/2020 20:52, Mickaël Salaün wrote: > > On 14/10/2020 20:07, James Morris wrote: >> On Thu, 8 Oct 2020, Mickaël Salaün wrote: >> >>> +config ARCH_EPHEMERAL_STATES >>> + def_bool n >>> + help >>> + An arch should select t

Re: [PATCH v21 07/12] landlock: Support filesystem access-control

2020-10-14 Thread Mickaël Salaün
On 14/10/2020 20:07, James Morris wrote: > On Thu, 8 Oct 2020, Mickaël Salaün wrote: > >> +config ARCH_EPHEMERAL_STATES >> +def_bool n >> +help >> + An arch should select this symbol if it does not keep an internal >> kernel >> +

Re: [PATCH v1] dm verity: Add support for signature verification with 2nd keyring

2020-10-13 Thread Mickaël Salaün
On 13/10/2020 01:55, Jarkko Sakkinen wrote: > On Fri, Oct 09, 2020 at 11:50:03AM +0200, Mickaël Salaün wrote: >> Hi, >> >> What do you think about this patch? >> >> Regards, >> Mickaël >> >> On 02/10/2020 09:18, Mickaël Salaün

Re: [PATCH v1] dm verity: Add support for signature verification with 2nd keyring

2020-10-09 Thread Mickaël Salaün
Hi, What do you think about this patch? Regards, Mickaël On 02/10/2020 09:18, Mickaël Salaün wrote: > From: Mickaël Salaün > > Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration > to enable dm-verity signatures to be verified against the secondary >

[PATCH v21 06/12] fs,security: Add sb_delete hook

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün The sb_delete security hook is called when shutting down a superblock, which may be useful to release kernel objects tied to the superblock's lifetime (e.g. inodes). This new hook is needed by Landlock to release (ephemerally) tagged struct inodes. This comes from

[PATCH v21 02/12] landlock: Add ruleset and domain management

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün A Landlock ruleset is mainly a red-black tree with Landlock rules as nodes. This enables quick update and lookup to match a requested access e.g., to a file. A ruleset is usable through a dedicated file descriptor (cf. following commit implementing the syscall) which

[PATCH v21 03/12] landlock: Set up the security framework and manage credentials

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün A process's credentials point to a Landlock domain, which is underneath implemented with a ruleset. In the following commits, this domain is used to check and enforce the ptrace and filesystem security policies. A domain is inherited from a parent to its child the same way

[PATCH v21 11/12] samples/landlock: Add a sandbox manager example

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün Add a basic sandbox tool to launch a command which can only access a whitelist of file hierarchies in a read-only or read-write way. Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün --- Changes since v20: * Update with new

[PATCH v21 09/12] arch: Wire up Landlock syscalls

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün Wire up the following system calls for all architectures: * landlock_create_ruleset(2) * landlock_add_rule(2) * landlock_enforce_ruleset_current(2) Cc: Arnd Bergmann Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün

[PATCH v21 08/12] landlock: Add syscall implementations

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün These 3 system calls are designed to be used by unprivileged processes to sandbox themselves: * landlock_create_ruleset(2): Creates a ruleset and returns its file descriptor. * landlock_add_rule(2): Adds a rule (e.g. file hierarchy access) to a ruleset, identified

[PATCH v21 04/12] landlock: Add ptrace restrictions

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün Using ptrace(2) and related debug features on a target process can lead to a privilege escalation. Indeed, ptrace(2) can be used by an attacker to impersonate another task and to remain undetected while performing malicious activities. Thanks to ptrace_may_access

[PATCH v21 07/12] landlock: Support filesystem access-control

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün Thanks to the Landlock objects and ruleset, it is possible to identify inodes according to a process's domain. To enable an unprivileged process to express a file hierarchy, it first needs to open a directory (or a file) and pass this file descriptor to the kernel through

[PATCH v21 05/12] LSM: Infrastructure management of the superblock

2020-10-08 Thread Mickaël Salaün
ace is allocated there. Cc: Kees Cook Cc: John Johansen Signed-off-by: Casey Schaufler Signed-off-by: Mickaël Salaün Reviewed-by: Stephen Smalley --- Changes since v20: * Remove all Reviewed-by except Stephen Smalley: https://lore.kernel.org/lkml/CAEjxPJ7ARJO57MBW66=xsBzMMRb=9ulgqock5eskhcai

[PATCH v21 12/12] landlock: Add user and kernel documentation

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün This documentation can be built with the Sphinx framework. Cc: James Morris Cc: Jann Horn Cc: Kees Cook Cc: Serge E. Hallyn Signed-off-by: Mickaël Salaün Reviewed-by: Vincent Dagonneau --- Changes since v20: * Update examples and documentation with the new syscalls

[PATCH v21 10/12] selftests/landlock: Add initial tests

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün Test all Landlock system calls, ptrace hook semantics and filesystem access-control. Test coverage for security/landlock/ is 95.4% of lines. The code not covered only deals with internal kernel errors (e.g. memory allocation) and race conditions. Cc: James Morris Cc

[PATCH v21 00/12] Landlock LSM

2020-10-08 Thread Mickaël Salaün
://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b...@schaufler-ca.com/ [2] https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad046...@digikod.net/ Casey Schaufler (1): LSM: Infrastructure management of the superblock Mickaël Salaün (11): landlock: Add object management landlock: Add

[PATCH v21 01/12] landlock: Add object management

2020-10-08 Thread Mickaël Salaün
From: Mickaël Salaün A Landlock object makes it possible to identify a kernel object (e.g. an inode). A Landlock rule is a set of access rights allowed on an object. Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain

[PATCH v1] dm verity: Add support for signature verification with 2nd keyring

2020-10-02 Thread Mickaël Salaün
From: Mickaël Salaün Add a new DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING configuration to enable dm-verity signatures to be verified against the secondary trusted keyring. This allows certificate updates without kernel update and reboot, aligning with module and kernel (kexec) signature

Re: [PATCH v11 2/3] arch: Wire up trusted_for(2)

2020-10-01 Thread Mickaël Salaün
On 01/10/2020 21:33, Tycho Andersen wrote: > On Thu, Oct 01, 2020 at 07:02:31PM +0200, Mickaël Salaün wrote: >> --- a/include/uapi/asm-generic/unistd.h >> +++ b/include/uapi/asm-generic/unistd.h >> @@ -859,9 +859,11 @@ __SYSCALL(__NR_openat2, sys_openat2) >>

[PATCH v11 3/3] selftest/interpreter: Add tests for trusted_for(2) policies

2020-10-01 Thread Mickaël Salaün
From: Mickaël Salaün Test that checks performed by trusted_for(2) on file descriptors are consistent with noexec mount points and file execute permissions, according to the policy configured with the fs.trust_policy sysctl. Signed-off-by: Mickaël Salaün Reviewed-by: Thibaut Sautereau Cc: Al

[PATCH v11 0/3] Add trusted_for(2) (was O_MAYEXEC)

2020-10-01 Thread Mickaël Salaün
kernel.org/lkml/20200406221439.1469862-12-deven.de...@linux.microsoft.com/ [6] https://lore.kernel.org/lkml/20200922215326.4603-1-madve...@linux.microsoft.com/ [7] https://www.python.org/dev/peps/pep-0578/ [8] https://lore.kernel.org/lkml/0c70debd-e79e-d514-06c6-4cd1e021f...@python.org/ Regards, Mickaël Salaün (3

[PATCH v11 1/3] fs: Add trusted_for(2) syscall implementation and related sysctl

2020-10-01 Thread Mickaël Salaün
From: Mickaël Salaün The trusted_for() syscall enables user space tasks to check that files are trusted to be executed or interpreted by user space. This may allow script interpreters to check execution permission before reading commands from a file, or dynamic linkers to allow shared object

[PATCH v11 2/3] arch: Wire up trusted_for(2)

2020-10-01 Thread Mickaël Salaün
From: Mickaël Salaün Wire up trusted_for(2) for all architectures. Signed-off-by: Mickaël Salaün Reviewed-by: Thibaut Sautereau Cc: Al Viro Cc: Andrew Morton Cc: Arnd Bergmann Cc: Kees Cook Cc: Vincent Strubel --- Changes since v9: * Rename introspect_access(2) to trusted_for(2

Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor

2020-09-25 Thread Mickaël Salaün
On 25/09/2020 00:05, Pavel Machek wrote: > Hi! > > I believe you should simply delete confusing "introduction" and > provide details of super-secure system where your patches would be > useful, instead. This RFC talks about converting dynamic code (which cannot be

Re: [PATCH v2 0/4] [RFC] Implement Trampoline File Descriptor

2020-09-24 Thread Mickaël Salaün
On 23/09/2020 22:51, Pavel Machek wrote: > Hi! > Scenario 2 -- We know what code we need in advance. User trampolines are a good example of this. It is possible to define such code statically with some help from the kernel. This RFC

[PATCH v10 3/3] selftest/interpreter: Add tests for trusted_for(2) policies

2020-09-24 Thread Mickaël Salaün
From: Mickaël Salaün Test that checks performed by trusted_for(2) on file descriptors are consistent with noexec mount points and file execute permissions, according to the policy configured with the fs.trust_policy sysctl. Signed-off-by: Mickaël Salaün Reviewed-by: Thibaut Sautereau Cc: Al

[PATCH v10 1/3] fs: Add trusted_for(2) syscall implementation and related sysctl

2020-09-24 Thread Mickaël Salaün
From: Mickaël Salaün The trusted_for() syscall enables user space tasks to check that files are trusted to be executed or interpreted by user space. This may allow script interpreters to check execution permission before reading commands from a file, or dynamic linkers to allow shared object

[PATCH v10 2/3] arch: Wire up trusted_for(2)

2020-09-24 Thread Mickaël Salaün
From: Mickaël Salaün Wire up trusted_for(2) for all architectures. Signed-off-by: Mickaël Salaün Reviewed-by: Thibaut Sautereau Cc: Al Viro Cc: Andrew Morton Cc: Arnd Bergmann Cc: Kees Cook Cc: Vincent Strubel --- Changes since v9: * Rename introspect_access(2) to trusted_for(2

[PATCH v10 0/3] Add trusted_for(2) (was O_MAYEXEC)

2020-09-24 Thread Mickaël Salaün
0922215326.4603-1-madve...@linux.microsoft.com/ [7] https://www.python.org/dev/peps/pep-0578/ [8] https://lore.kernel.org/lkml/0c70debd-e79e-d514-06c6-4cd1e021f...@python.org/ Regards, Mickaël Salaün (3): fs: Add trusted_for(2) syscall implementation and related sysctl arch: Wire u

Re: [PATCH v20 05/12] LSM: Infrastructure management of the superblock

2020-09-16 Thread Mickaël Salaün
On 04/09/2020 16:06, Stephen Smalley wrote: > On Thu, Aug 13, 2020 at 2:39 PM Stephen Smalley > wrote: >> >> On Thu, Aug 13, 2020 at 10:17 AM Mickaël Salaün wrote: >>> >>> >>> On 12/08/2020 21:16, Stephen Smalley wrote: >>>> On 8/2/20 5

Re: [RFC PATCH v9 0/3] Add introspect_access(2) (was O_MAYEXEC)

2020-09-14 Thread Mickaël Salaün
Arnd and Michael, What do you think of "should_faccessat" or "entrusted_faccessat" for this new system call? On 12/09/2020 02:28, James Morris wrote: > On Thu, 10 Sep 2020, Matthew Wilcox wrote: > >> On Thu, Sep 10, 2020 at 08:38:21PM +0200, Mickaël Salaün wrote

Re: [RFC PATCH v9 0/3] Add introspect_access(2) (was O_MAYEXEC)

2020-09-11 Thread Mickaël Salaün
On 10/09/2020 22:05, Matthew Wilcox wrote: > On Thu, Sep 10, 2020 at 09:00:10PM +0100, Al Viro wrote: >> On Thu, Sep 10, 2020 at 07:40:33PM +0100, Matthew Wilcox wrote: >>> On Thu, Sep 10, 2020 at 08:38:21PM +0200, Mickaël Salaün wrote: >>>> There is also the use
