Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-04-01 Thread Tycho Andersen
Hi Mickaël, On Mon, Apr 02, 2018 at 12:04:36AM +0200, Mickaël Salaün wrote: > >> vDSO is a code mapped for all processes. As you said, these processes > >> may use it or not. What I was thinking about is to use the same concept, > >> i.e. map a "shim" code into each process pertaining to a

[PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-04-01 Thread Mickaël Salaün
On 03/09/2018 12:53 AM, Andy Lutomirski wrote: > On Thu, Mar 8, 2018 at 11:51 PM, Mickaël Salaün wrote: >> >> On 07/03/2018 02:21, Andy Lutomirski wrote: >>> On Tue, Mar 6, 2018 at 11:06 PM, Mickaël Salaün wrote: On 06/03/2018 23:46, Tycho Andersen wrote: > On Tue, Mar 06, 2018 at

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-03-08 Thread Andy Lutomirski
On Thu, Mar 8, 2018 at 11:51 PM, Mickaël Salaün wrote: > > On 07/03/2018 02:21, Andy Lutomirski wrote: >> On Tue, Mar 6, 2018 at 11:06 PM, Mickaël Salaün wrote: >>> >>> On 06/03/2018 23:46, Tycho Andersen wrote: On Tue, Mar 06, 2018 at 10:33:17PM +, Andy Lutomirski wrote: >>>

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-03-08 Thread Mickaël Salaün
On 07/03/2018 02:21, Andy Lutomirski wrote: > On Tue, Mar 6, 2018 at 11:06 PM, Mickaël Salaün wrote: >> >> On 06/03/2018 23:46, Tycho Andersen wrote: >>> On Tue, Mar 06, 2018 at 10:33:17PM +, Andy Lutomirski wrote: >> Suppose I'm writing a container manager. I want to run "mount" in the

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-03-06 Thread Andy Lutomirski
On Tue, Mar 6, 2018 at 11:06 PM, Mickaël Salaün wrote: > > On 06/03/2018 23:46, Tycho Andersen wrote: >> On Tue, Mar 06, 2018 at 10:33:17PM +, Andy Lutomirski wrote: > Suppose I'm writing a container manager. I want to run "mount" in the > container, but I don't want to allow mount()

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-03-06 Thread Mickaël Salaün
On 06/03/2018 23:46, Tycho Andersen wrote: > On Tue, Mar 06, 2018 at 10:33:17PM +, Andy Lutomirski wrote: Suppose I'm writing a container manager. I want to run "mount" in the container, but I don't want to allow mount() in general and I want to emulate certain mount() actions.

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-03-06 Thread Tycho Andersen
On Tue, Mar 06, 2018 at 10:33:17PM +, Andy Lutomirski wrote: > >> Suppose I'm writing a container manager. I want to run "mount" in the > >> container, but I don't want to allow mount() in general and I want to > >> emulate certain mount() actions. I can write a filter that catches > >> mount

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-03-06 Thread Andy Lutomirski
On Tue, Mar 6, 2018 at 10:25 PM, Mickaël Salaün wrote: > > > On 28/02/2018 00:09, Andy Lutomirski wrote: >> On Tue, Feb 27, 2018 at 10:03 PM, Mickaël Salaün wrote: >>> >>> On 27/02/2018 05:36, Andy Lutomirski wrote: On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote: > Hi, > >>

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-03-06 Thread Mickaël Salaün
On 28/02/2018 00:09, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 10:03 PM, Mickaël Salaün wrote: >> >> On 27/02/2018 05:36, Andy Lutomirski wrote: >>> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote: Hi, > ## Why use the seccomp(2) syscall? Landlock

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-02-27 Thread Andy Lutomirski
On Tue, Feb 27, 2018 at 10:03 PM, Mickaël Salaün wrote: > > On 27/02/2018 05:36, Andy Lutomirski wrote: >> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote: >>> Hi, >>> >>> >>> ## Why use the seccomp(2) syscall? >>> >>> Landlock uses the same semantics as seccomp to apply access rule >>>

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-02-27 Thread Mickaël Salaün
On 27/02/2018 05:36, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote: >> Hi, >> >> This eighth series is a major revamp of the Landlock design compared to >> the previous series [1]. This enables more flexibility and granularity >> of access control with file

Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-02-26 Thread Andy Lutomirski
On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote: > Hi, > > This eighth series is a major revamp of the Landlock design compared to > the previous series [1]. This enables more flexibility and granularity > of access control with file paths. It is now possible to enforce an > access control

[PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing

2018-02-26 Thread Mickaël Salaün
Hi, This eighth series is a major revamp of the Landlock design compared to the previous series [1]. This enables more flexibility and granularity of access control with file paths. It is now possible to enforce an access control according to a file hierarchy. Landlock uses the concept of inode
