55/papers/traps.pdf
[3]
https://lkml.kernel.org/r/1477390454-12553-1-git-send-email-dan...@zonque.org
[4]
https://lkml.kernel.org/r/20160829114542.GA20836@ircssh.c.rugged-nimbus-611.internal
Regards,
Mickaël Salaün (18):
landlock: Add Kconfig
bpf: Move u64_to_ptr() to BPF headers and inline it
bpf,landl
Initial Landlock Kconfig needed to split the Landlock eBPF and seccomp
parts to ease the review.
Changes from v2:
* add seccomp filter or cgroups (with eBPF programs attached support)
dependencies
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
e the understanding
* fix some ifdef
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
Cc: Andrew Morton
Link:
https://lkml.kernel.org/r/cagxu5j+qowiyquhifobtupfpxp6xevdgf08bw4yzkvdtcha...@mail.gmail.com
---
include/linux/landlock.h | 5 +
include/linux/secc
On 19/10/2016 17:19, Thomas Graf wrote:
> On 09/14/16 at 09:23am, Mickaël Salaün wrote:
>> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
>> index 9aa01d9d3d80..36c3e482239c 100644
>> --- a/include/linux/bpf.h
>> +++ b/include/linux/bpf.h
>> @@
Could someone push this please?
On 20/09/2016 19:39, Mickaël Salaün wrote:
> Fix struct seccomp_filter and seccomp_run_filters() signatures.
>
> Signed-off-by: Mickaël Salaün
> Cc: Andy Lutomirski
> Cc: James Morris
> Cc: Kees Cook
> Cc: Will Drewry
> ---
On 04/10/2016 01:53, Kees Cook wrote:
> On Wed, Sep 14, 2016 at 12:23 AM, Mickaël Salaün wrote:
>> This new arraymap looks like a set and brings new properties:
>> * strong typing of entries: the eBPF functions get the array type of
>> elements instead of
On 04/10/2016 01:52, Kees Cook wrote:
> On Wed, Sep 14, 2016 at 3:34 PM, Mickaël Salaün wrote:
>>
>> On 14/09/2016 20:43, Andy Lutomirski wrote:
>>> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote:
>>>> A Landlock program will be triggered according
On 04/10/2016 01:46, Kees Cook wrote:
> On Wed, Sep 14, 2016 at 6:19 PM, Andy Lutomirski wrote:
>> On Wed, Sep 14, 2016 at 3:14 PM, Mickaël Salaün wrote:
>>>
>>> On 14/09/2016 20:29, Andy Lutomirski wrote:
>>>> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Sa
On 04/10/2016 01:43, Kees Cook wrote:
> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote:
>> This allows adding new eBPF programs to Landlock hooks dedicated to a
>> cgroup thanks to the BPF_PROG_ATTACH command. Like for socket eBPF
>> programs, the Landlock hooks att
On 04/10/2016 00:56, Kees Cook wrote:
> On Tue, Sep 20, 2016 at 10:08 AM, Mickaël Salaün wrote:
>>
>> On 15/09/2016 11:19, Pavel Machek wrote:
>>> Hi!
>>>
>>>> This series is a proof of concept to fill some missing part of seccomp as
>>>&g
allowed is for
socket filtering and all the types from its context are UNKNOWN_VALUE.
However, this fix is important for future unprivileged eBPF programs
which could use pointers in their context.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
kernel/bpf
unprivileged eBPF program types which could use pointers in their
context.
Signed-off-by: Mickaël Salaün
Fixes: 969bf05eb3ce ("bpf: direct packet access")
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: Kees Cook
Acked-by: Sargun Dhillon
---
kernel/bpf/verifier.c | 5 ++-
On 22/09/2016 21:41, Daniel Borkmann wrote:
> On 09/22/2016 08:35 PM, Mickaël Salaün wrote:
>> This fixes a pointer leak when an unprivileged eBPF program reads a pointer
>> value from the context. Even if is_valid_access() returns a pointer
>> type, the eBPF verifier replace
unprivileged eBPF program types which could use pointers in their
context.
Signed-off-by: Mickaël Salaün
Fixes: 969bf05eb3ce ("bpf: direct packet access")
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: Kees Cook
Acked-by: Sargun Dhillon
---
kernel/bpf/verifier.c | 6 ++--
Fix struct seccomp_filter and seccomp_run_filters() signatures.
Signed-off-by: Mickaël Salaün
Cc: Andy Lutomirski
Cc: James Morris
Cc: Kees Cook
Cc: Will Drewry
---
kernel/seccomp.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/kernel/seccomp.c b/kernel
On 15/09/2016 11:19, Pavel Machek wrote:
> Hi!
>
>> This series is a proof of concept to fill some missing parts of seccomp such as the
>> ability to check syscall argument pointers or to create more dynamic security
>> policies. The goal of this new stackable Linux Security Module (LSM) called
>> Landl
On 20/09/2016 06:37, Sargun Dhillon wrote:
> On Thu, Sep 15, 2016 at 09:41:33PM +0200, Mickaël Salaün wrote:
>>
>> On 15/09/2016 06:48, Alexei Starovoitov wrote:
>>> On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote:
>>>> On Wed, Sep 14,
forward for your review.
>
> On Mon, Sep 19, 2016 at 5:12 PM, Alexei Starovoitov
> wrote:
>> On Thu, Sep 15, 2016 at 11:25:10PM +0200, Mickaël Salaün wrote:
>>>>> Agreed. With this RFC, the Checmate features (i.e. network helpers)
>>>>> should be able t
On 20/09/2016 02:30, Alexei Starovoitov wrote:
> On Tue, Sep 20, 2016 at 12:49:13AM +0200, Mickaël Salaün wrote:
>> Add security access check for cgroup backed FD. The "cgroup.procs" file
>> of the corresponding cgroup should be readable to identify the cgroup,
>>
ck done by
cgroup_procs_write_permission().
Fixes: 4ed8ec521ed5 ("cgroup: bpf: Add BPF_MAP_TYPE_CGROUP_ARRAY")
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: Daniel Mack
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Martin KaFai Lau
Cc: Tej
On 15/09/2016 01:28, Alexei Starovoitov wrote:
> On Thu, Sep 15, 2016 at 01:22:49AM +0200, Mickaël Salaün wrote:
>>
>> On 14/09/2016 20:51, Alexei Starovoitov wrote:
>>> On Wed, Sep 14, 2016 at 09:23:56AM +0200, Mickaël Salaün wrote:
>>>> This new arra
On 15/09/2016 01:24, Alexei Starovoitov wrote:
> On Thu, Sep 15, 2016 at 01:02:22AM +0200, Mickaël Salaün wrote:
>>>
>>> I would suggest for the next RFC to do minimal 7 patches up to this point
>>> with simple example that demonstrates the use case.
>>> I
On 15/09/2016 06:48, Alexei Starovoitov wrote:
> On Wed, Sep 14, 2016 at 09:38:16PM -0700, Andy Lutomirski wrote:
>> On Wed, Sep 14, 2016 at 9:31 PM, Alexei Starovoitov
>> wrote:
>>> On Wed, Sep 14, 2016 at 09:08:57PM -0700, Andy Lutomirski wrote:
On Wed, Sep 14, 2016 at 9:00 PM, Alexei Star
On 15/09/2016 03:25, Andy Lutomirski wrote:
> On Wed, Sep 14, 2016 at 3:11 PM, Mickaël Salaün wrote:
>>
>> On 14/09/2016 20:27, Andy Lutomirski wrote:
>>> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote:
>>>> Add a new flag CGRP_NO_NEW_PRIVS for
On 14/09/2016 20:51, Alexei Starovoitov wrote:
> On Wed, Sep 14, 2016 at 09:23:56AM +0200, Mickaël Salaün wrote:
>> This new arraymap looks like a set and brings new properties:
>> * strong typing of entries: the eBPF functions get the array type of
>> elements instead of
On 14/09/2016 23:06, Alexei Starovoitov wrote:
> On Wed, Sep 14, 2016 at 09:24:00AM +0200, Mickaël Salaün wrote:
>> Add eBPF functions to compare file system access with a Landlock file
>> system handle:
>> * bpf_landlock_cmp_fs_prop_with_struct_file(prop, map, map_op, fil
On 14/09/2016 23:20, Alexei Starovoitov wrote:
> On Wed, Sep 14, 2016 at 09:24:14AM +0200, Mickaël Salaün wrote:
>> This is a proof of concept to expose optional values that could depend
>> on the process access rights.
>>
>> There are two dedicated flags: LANDLO
On 14/09/2016 21:07, Jann Horn wrote:
> On Wed, Sep 14, 2016 at 09:24:00AM +0200, Mickaël Salaün wrote:
>> Add eBPF functions to compare file system access with a Landlock file
>> system handle:
>> * bpf_landlock_cmp_fs_prop_with_struct_file(prop, map, map_op, file)
>>
On 14/09/2016 20:43, Andy Lutomirski wrote:
> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote:
>> A Landlock program will be triggered according to its subtype/origin
>> bitfield. The LANDLOCK_FLAG_ORIGIN_SECCOMP value will trigger the
>> Landlock program when a secco
On 14/09/2016 20:29, Andy Lutomirski wrote:
> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote:
>> This third origin of hook call should cover all possible trigger paths
>> (e.g. page fault). Landlock eBPF programs can then take decisions
>> accordingly.
>>
>&
On 14/09/2016 20:27, Andy Lutomirski wrote:
> On Wed, Sep 14, 2016 at 12:24 AM, Mickaël Salaün wrote:
>> Add a new flag CGRP_NO_NEW_PRIVS for each cgroup. This flag is initially
>> set for all cgroups except the root. The flag is cleared when a new process
>> without the
On 14/09/2016 09:24, Mickaël Salaün wrote:
> Add security access check for cgroup backed FD. The "cgroup.procs" file
> of the corresponding cgroup must be readable to identify the cgroup, and
> writable to prove that the current process can manage this cgroup (e.g.
> throug
This will be useful to support Landlock for the next commits.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Daniel Mack
Cc: David S. Miller
Cc: Tejun Heo
---
include/linux/bpf-cgroup.h | 4 ++--
kernel/bpf/cgroup.c| 3 ++-
kernel/bpf/syscall.c
(optional) program subtype is
valid.
For now, only Landlock eBPF programs are using a program subtype but
this could be used by other program types in the future.
Cf. the next commit to see how the subtype is used by Landlock LSM.
Signed-off-by: Mickaël Salaün
Link: https://lkml.kernel.org/r
This allows CONFIG_CGROUP_BPF to manage different types of pointers
instead of only eBPF programs. This will be useful for the next commits
to support Landlock with cgroups.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Daniel Mack
Cc: David S. Miller
Cc: Tejun
Landlock programs for each of their
legitimate seccomp filter
* properly clean up all seccomp results
* cosmetic changes to ease the understanding
* fix some ifdef
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
Cc: Andrew Morton
---
include/linux/landlock.h
The semantics are unchanged. This will be useful for the Landlock
integration with seccomp (next commit).
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
---
include/linux/seccomp.h | 5 +++--
kernel/fork.c | 2 +-
kernel/seccomp.c| 18
Initial Landlock Kconfig needed to split the Landlock eBPF and seccomp
parts to ease the review.
Changes from v2:
* add seccomp filter or cgroups (with eBPF programs attached support)
dependencies
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: Kees Cook
Cc: Sargun Dhillon
---
include/linux/bpf.h | 2 ++
include/uapi/linux/bpf.h | 7 ++-
kernel/bpf/verifier.c| 6 ++
security/landlock/lsm.c | 26
ck LSM.
[1] https://lkml.kernel.org/r/1472121165-29071-1-git-send-email-...@digikod.net
[2] https://crypto.stanford.edu/cs155/papers/traps.pdf
[3]
https://lkml.kernel.org/r/1473696735-11269-1-git-send-email-dan...@zonque.org
Regards,
Mickaël Salaün (22):
landlock: Add Kconfig
bpf: Move u64_to
y/landlock/checker_fs.c b/security/landlock/checker_fs.c
new file mode 100644
index ..39eb85dc7d18
--- /dev/null
+++ b/security/landlock/checker_fs.c
@@ -0,0 +1,179 @@
+/*
+ * Landlock LSM - File System Checkers
+ *
+ * Copyright (C) 2016 Mickaël Salaün
+ *
+ * This program is free so
Move code outside a switch/case to ease code factoring (cf. next
commit).
This applies on top of Daniel Mack's "Add eBPF hooks for cgroups":
https://lkml.kernel.org/r/1473696735-11269-1-git-send-email-dan...@zonque.org
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkm
This will be useful to be able to add more BPF attach types with
different capability checks.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Daniel Mack
---
kernel/bpf/syscall.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a
This third origin of hook call should cover all possible trigger paths
(e.g. page fault). Landlock eBPF programs can then take decisions
accordingly.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: Kees Cook
---
include/uapi/linux/bpf.h | 3
This helper will be useful for arraymap (next commit).
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: David S. Miller
Cc: Daniel Borkmann
---
include/linux/bpf.h | 6 ++
kernel/bpf/syscall.c | 6 --
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/include
ed by Daniel Borkmann)
* new BPF context
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Will Drewry
Link: https://lkml.kernel.org/r/20160827205559.ga43...@ast-mbp.theface
(suggested by Andy Lutomirski)
* remove useless checks
Changes since v1:
* arraymap of handles replace custom checker groups
* simpler userland API
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: Kees Cook
Link:
https
$$PWD clean
diff --git a/samples/landlock/sandbox.c b/samples/landlock/sandbox.c
new file mode 100644
index ..9d6ac00cdd23
--- /dev/null
+++ b/samples/landlock/sandbox.c
@@ -0,0 +1,307 @@
+/*
+ * Landlock LSM - Sandbox example
+ *
+ * Copyright (C) 2016 Mickaël Salaün
+ *
+ * This pro
hooks attached to a cgroup
in more complicated ways (e.g. continuous inheritance), but care should
be taken to properly handle error cases (e.g. memory allocation errors).
Changes since v2:
* new design based on BPF_PROG_ATTACH (suggested by Alexei Starovoitov)
Signed-off-by: Mickaël Salaün
Cc
ck done by
cgroup_procs_write_permission().
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: Daniel Mack
Cc: David S. Miller
Cc: Kees Cook
Cc: Tejun Heo
---
include/linux/cgroup.h | 2 +-
kernel/bpf/arraymap.c | 2 +-
kernel/bpf/syscall.c | 6 +++---
kerne
process without no_new_privs to this cgroup will
be denied.
This allows safely managing Landlock rules with cgroup delegation as
with seccomp.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: Daniel Mack
Cc: David S. Miller
Cc: Kees Cook
Cc
* bpf_get_prandom_u32
* bpf_get_current_pid_tgid
* bpf_get_current_uid_gid
* bpf_get_current_comm
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: Kees Cook
Cc: Sargun Dhillon
---
include/uapi/linux/bpf.h | 4 +++-
security/landlock
unprivileged eBPF programs to use functions with (legitimate)
pointer arguments.
This bug was not a problem until now because the only unprivileged eBPF
program allowed is of type BPF_PROG_TYPE_SOCKET_FILTER and all the types
from its context are UNKNOWN_VALUE.
Signed-off-by: Mickaël Salaün
Fixes
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
---
kernel/seccomp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 0db7c8a2afe2..dccfc05cb3ec 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
Set struct seccomp_filter public because of the next use of
the new field thread_prev added for Landlock LSM.
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
---
include/linux/seccomp.h | 27 ++-
kernel/seccomp.c| 26
09/08/2016 02:35, James Morris wrote:
> On Mon, 1 Aug 2016, Mickaël Salaün wrote:
>
>> Hi,
>>
>> This series fixes the recent seccomp update for the User-mode Linux
>> architecture
>> (32-bit and 64-bit) since commit 26703c636c1f ("um/ptrace: run seccomp after
On 30/08/2016 22:23, Andy Lutomirski wrote:
> On Tue, Aug 30, 2016 at 1:20 PM, Mickaël Salaün wrote:
>>
>> On 30/08/2016 20:55, Andy Lutomirski wrote:
>>> On Sun, Aug 28, 2016 at 2:42 AM, Mickaël Salaün wrote:
>>>>
>>>>
>>>> On 28/08
On 30/08/2016 22:18, Andy Lutomirski wrote:
> On Tue, Aug 30, 2016 at 1:10 PM, Mickaël Salaün wrote:
>>
>> On 30/08/2016 20:56, Andy Lutomirski wrote:
>>> On Aug 25, 2016 12:34 PM, "Mickaël Salaün" wrote:
>>>>
>>>> Add LSM
On 30/08/2016 20:55, Andy Lutomirski wrote:
> On Sun, Aug 28, 2016 at 2:42 AM, Mickaël Salaün wrote:
>>
>>
>> On 28/08/2016 10:13, Andy Lutomirski wrote:
>>> On Aug 27, 2016 11:14 PM, "Mickaël Salaün" wrote:
>>>>
>>>>
>>
On 30/08/2016 20:56, Andy Lutomirski wrote:
> On Aug 25, 2016 12:34 PM, "Mickaël Salaün" wrote:
>>
>> Add LSM hooks which can be used by userland through Landlock (eBPF)
>> programs. These programs are limited to a whitelist of functions (cf.
>> next commit).
On 30/08/2016 18:06, Andy Lutomirski wrote:
> On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote:
>> Hi,
>>
>> This series is a proof of concept to fill some missing parts of seccomp such as the
>> ability to check syscall argument pointers or to create more dynamic securi
On 28/08/2016 10:13, Andy Lutomirski wrote:
> On Aug 27, 2016 11:14 PM, "Mickaël Salaün" wrote:
>>
>>
>> On 27/08/2016 22:43, Alexei Starovoitov wrote:
>>> On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote:
>>>> On 27/08/2016 2
On 27/08/2016 22:56, Alexei Starovoitov wrote:
> On Sat, Aug 27, 2016 at 09:55:01PM +0200, Mickaël Salaün wrote:
>>
>> On 27/08/2016 20:19, Alexei Starovoitov wrote:
>>> On Sat, Aug 27, 2016 at 04:34:55PM +0200, Mickaël Salaün wrote:
>>>>
>>>&g
On 27/08/2016 22:43, Alexei Starovoitov wrote:
> On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote:
>> On 27/08/2016 20:06, Alexei Starovoitov wrote:
>>> On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote:
>>>> As said above, Landlock will
On 27/08/2016 20:19, Alexei Starovoitov wrote:
> On Sat, Aug 27, 2016 at 04:34:55PM +0200, Mickaël Salaün wrote:
>>
>> On 27/08/2016 01:05, Alexei Starovoitov wrote:
>>> On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote:
>>>
>>>>> As f
On 27/08/2016 20:06, Alexei Starovoitov wrote:
> On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote:
>>
>> On 27/08/2016 01:05, Alexei Starovoitov wrote:
>>> On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote:
>>>>
>>>>>
&
Cc Tejun and the cgroups ML.
On 27/08/2016 17:10, Mickaël Salaün wrote:
> On 27/08/2016 09:40, Andy Lutomirski wrote:
>> On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote:
>>>
>>> # Sandbox example with conditional access control depending on cgroup
>>>
&g
On 27/08/2016 09:40, Andy Lutomirski wrote:
> On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote:
>> Hi,
>>
>> This series is a proof of concept to fill some missing parts of seccomp such as the
>> ability to check syscall argument pointers or to create more dynamic securi
On 27/08/2016 01:05, Alexei Starovoitov wrote:
> On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote:
>
>>> As far as safety and type checking that bpf programs has to do,
>>> I like the approach of patch 06/10:
>>> +LANDLOCK_HOOK2(file_open, FILE_OPE
On 27/08/2016 01:05, Alexei Starovoitov wrote:
> On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote:
>> To sum up, there are four related patchsets:
>> * "Landlock LSM: Unprivileged sandboxing" (this series)
>> * "Add Checmate, BPF-driven minor LS
On 27/08/2016 01:05, Alexei Starovoitov wrote:
> On Fri, Aug 26, 2016 at 05:10:40PM +0200, Mickaël Salaün wrote:
>>
>>>
>>> - I don't think such 'for' loop can scale. The solution needs to work
>>> with thousands of containers and thousands of
On 26/08/2016 16:57, Andy Lutomirski wrote:
> On Thu, Aug 25, 2016 at 7:10 AM, Mickaël Salaün wrote:
>>
>> On 25/08/2016 13:12, Andy Lutomirski wrote:
>>> On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote:
>>>> Add eBPF functions to compare fil
On 26/08/2016 04:14, Alexei Starovoitov wrote:
> On Thu, Aug 25, 2016 at 12:32:44PM +0200, Mickaël Salaün wrote:
>> Add an eBPF function bpf_landlock_cmp_cgroup_beneath(opt, map, map_op)
>> to compare the current process cgroup with a cgroup handle. The handle
>> can match
On 25/08/2016 13:09, Andy Lutomirski wrote:
> On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote:
>> Add an eBPF function bpf_landlock_cmp_cgroup_beneath(opt, map, map_op)
>> to compare the current process cgroup with a cgroup handle. The handle
>> can match the curren
On 25/08/2016 13:12, Andy Lutomirski wrote:
> On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote:
>> Add eBPF functions to compare file system access with a Landlock file
>> system handle:
>> * bpf_landlock_cmp_fs_prop_with_struct_file(prop, map, map_op, file)
>>
On 25/08/2016 13:05, Andy Lutomirski wrote:
> On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote:
>> Hi,
>>
>> This series is a proof of concept to fill some missing parts of seccomp such as the
>> ability to check syscall argument pointers or to create more dynamic securi
Add a max errno value.
This is not strictly needed but should improve reliability.
Signed-off-by: Mickaël Salaün
Cc: Arnd Bergmann
Cc: Serge E. Hallyn
Cc: James Morris
Cc: Kees Cook
---
include/uapi/asm-generic/errno-base.h | 1 +
security/landlock/lsm.c | 6 +++---
2 files
This helper will be useful for arraymap (next commit).
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: David S. Miller
Cc: Daniel Borkmann
---
include/linux/bpf.h | 6 ++
kernel/bpf/syscall.c | 6 --
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/include
programs can be triggered by
one or more seccomp filters. This way, each RET_LANDLOCK (with specific
cookie) will trigger all the allowed Landlock programs once.
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
Cc: Andrew Morton
---
include/linux/seccomp.h | 49
The semantics are unchanged. This will be useful for the Landlock
integration with seccomp (next commit).
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
---
include/linux/seccomp.h | 5 +++--
kernel/fork.c | 2 +-
kernel/seccomp.c| 18
Initial Landlock Kconfig needed to split the Landlock eBPF and seccomp
parts to ease the review.
Signed-off-by: Mickaël Salaün
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
security/Kconfig | 1 +
security/landlock/Kconfig | 16
2 files changed, 17
listed in enum bpf_map_array_type
(e.g. BPF_MAP_ARRAY_TYPE_LANDLOCK_FS).
For now, this new arraymap is only used by Landlock LSM (cf. next
commits) but it could be useful for other needs.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: David S. Miller
Cc: Daniel Borkmann
Cc: James
to an eBPF function according to their types (e.g. the
bpf_landlock_cmp_fs_beneath_with_struct_file function can use a struct
file pointer).
For now, there are three hooks for file system access control:
* file_open;
* file_permission;
* mmap_file.
Signed-off-by: Mickaël Salaün
Cc: Alexei
. path or glob string).
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Alexei Starovoitov
Cc: James Morris
Cc: Serge E. Hallyn
Cc: David S. Miller
Cc: Daniel Borkmann
---
include/linux/bpf.h| 4 +-
include/uapi/linux/bpf.h | 52 +++-
kernel/bpf/arraymap.c
p:/proc/self/fd/0' \
./sandbox /bin/sh -i
$ ls /home
user1
$ echo $$ > /sys/fs/cgroup/sandboxed/cgroup.procs
$ ls /home
ls: cannot open directory '/home': Permission denied
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Alexei Starovoitov
Cc: James Morris
PS. I would really appreciate
constructive comments on the usability, architecture, code and userland API of
Landlock LSM.
Regards,
Mickaël Salaün (10):
landlock: Add Kconfig
bpf: Move u64_to_ptr() to BPF headers and inline it
bpf,landlock: Add a new arraymap type to deal with (Landlock) hand
manipulate cgroups thanks to
cgroup delegation.
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Alexei Starovoitov
Cc: James Morris
Cc: Serge E. Hallyn
Cc: David S. Miller
Cc: Daniel Borkmann
---
include/linux/bpf.h| 8
include/uapi/linux/bpf.h | 15 ++
kernel
On 15/08/2016 05:09, Sargun Dhillon wrote:
> On Mon, Aug 15, 2016 at 12:57:44AM +0200, Mickaël Salaün wrote:
>> Our approaches have some common points (i.e. use eBPF in an LSM, stacked
>> filters like seccomp) but I'm focused on a kind of unprivileged LSM (i.e. no
>&g
Hi,
I've been working on an extension to seccomp-bpf since last year and published
a first RFC about it [1]. I'm working on a second RFC/PoC which uses eBPF
instead of cBPF and is closer to a common LSM than the first RFC. I plan to
publish this second RFC by the end of the month.
Our appro
ormally instead of by signal
> (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_ptrace
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün
Acked-by: Kees Cook
Cc: Jeff Dike
Cc: Richard Weinberger
Cc: James Morris
Cc: user-mode-linux-de...@lists.sourceforge.net
nic - not syncing: BUG!
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün
Acked-by: Kees Cook
Cc: Jeff Dike
Cc: Richard Weinberger
Cc: James Morris
Cc: user-mode-linux-de...@lists.sourceforge.net
---
arch/um/kernel/skas/syscall.c | 5 +++--
typo [2/3]
* add Kees Cook's Acked-by
* rebased on commit 7616ac70d1bb ("apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT
parameter handling")
Available in the git repository at:
https://github.com/l0kod/linux heads/um-fix-seccomp-ptrace-v2
Regards,
Mickaël Salaün
Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
Signed-off-by: Mickaël Salaün
Acked-by: Kees Cook
Cc: Andy Lutomirski
Cc: James Morris
---
arch/Kconfig | 11 ---
1 file changed, 11 deletions(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index d794384a0404..96e434638
Hi,
I have been looking for this kind of feature for StemJail [1]. One of the main
ideas is to be able to create mount points inside a jail as an unprivileged
user while keeping, as much as possible, the same environment as outside the
jail. For now, I can only create a mapping for the current
Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: James Morris
---
arch/Kconfig | 11 ---
1 file changed, 11 deletions(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index d794384a0404..96e434638767 100644
ormally instead of by signal
> (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_ptrace
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Jeff Dike
Cc: Richard Weinberger
Cc: James Morris
Cc: user-mode-linux-de...@lists.sourceforge.net
---
arch
Hi,
This series fixes the recent seccomp update for the User-mode Linux architecture
(32-bit and 64-bit) since commit 26703c636c1f3272b39bd0f6d04d2e970984f1b6
(close the hole where ptrace can change a syscall out from under seccomp).
Regards,
Mickaël Salaün (3):
um/ptrace: Fix the
nic - not syncing: BUG!
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Jeff Dike
Cc: Richard Weinberger
Cc: James Morris
Cc: user-mode-linux-de...@lists.sourceforge.net
---
arch/um/kernel/skas/syscall.c | 5 +++--
1 file ch
Fixes: a1db74209483 ("module: replace copy_module_from_fd with kernel version")
Signed-off-by: Mickaël Salaün
Cc: Mimi Zohar
Cc: Kees Cook
Cc: Luis R. Rodriguez
Cc: Rusty Russell
Cc: Linus Torvalds
Cc: Greg Kroah-Hartman
---
include/linux/lsm_hooks.h | 1 -
include/linux/secur
On 20/02/2016 18:10, Al Viro wrote:
> On Sat, Feb 20, 2016 at 02:25:40PM +0100, Mickaël Salaün wrote:
>
>> I think the bug may be somewhere in the nd->depth handling (when its value
>> is 0) in fs/namei.c:get_link(): struct saved *last = nd->stack + nd->depth -
>