Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-04-11 Thread Mickaël Salaün
On 04/10/2018 06:48 AM, Alexei Starovoitov wrote: > On Mon, Apr 09, 2018 at 12:01:59AM +0200, Mickaël Salaün wrote: >> >> On 04/08/2018 11:06 PM, Andy Lutomirski wrote: >>> On Sun, Apr 8, 2018 at 6:13 AM, Mickaël Salaün wrote: On 02/27/2018 10:48 PM, Mickaël Salaün wrote: > >

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-04-09 Thread Alexei Starovoitov
On Mon, Apr 09, 2018 at 12:01:59AM +0200, Mickaël Salaün wrote: > > On 04/08/2018 11:06 PM, Andy Lutomirski wrote: > > On Sun, Apr 8, 2018 at 6:13 AM, Mickaël Salaün wrote: > >> > >> On 02/27/2018 10:48 PM, Mickaël Salaün wrote: > >>> > >>> On 27/02/2018 17:39, Andy Lutomirski wrote: > On

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-04-08 Thread Mickaël Salaün
On 04/08/2018 11:06 PM, Andy Lutomirski wrote: > On Sun, Apr 8, 2018 at 6:13 AM, Mickaël Salaün wrote: >> >> On 02/27/2018 10:48 PM, Mickaël Salaün wrote: >>> >>> On 27/02/2018 17:39, Andy Lutomirski wrote: On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov wrote: > On Tue, Feb

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-04-08 Thread Andy Lutomirski
On Sun, Apr 8, 2018 at 6:13 AM, Mickaël Salaün wrote: > > On 02/27/2018 10:48 PM, Mickaël Salaün wrote: >> >> On 27/02/2018 17:39, Andy Lutomirski wrote: >>> On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov >>> wrote: On Tue, Feb 27, 2018 at 05:20:55AM +, Andy Lutomirski wrote: >

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-04-08 Thread Mickaël Salaün
On 02/27/2018 10:48 PM, Mickaël Salaün wrote: > > On 27/02/2018 17:39, Andy Lutomirski wrote: >> On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov >> wrote: >>> On Tue, Feb 27, 2018 at 05:20:55AM +, Andy Lutomirski wrote: On Tue, Feb 27, 2018 at 4:54 AM, Alexei Starovoitov

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-27 Thread Mickaël Salaün
On 27/02/2018 17:39, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov > wrote: >> On Tue, Feb 27, 2018 at 05:20:55AM +, Andy Lutomirski wrote: >>> On Tue, Feb 27, 2018 at 4:54 AM, Alexei Starovoitov >>> wrote: On Tue, Feb 27, 2018 at 04:40:34AM +, Andy

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-27 Thread Casey Schaufler
On 2/27/2018 9:36 AM, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 5:30 PM, Casey Schaufler > wrote: >> On 2/27/2018 8:39 AM, Andy Lutomirski wrote: >>> On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov >>> wrote: [ Snip ] >>> An earlier version of the patch set used the seccomp

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-27 Thread Andy Lutomirski
On Tue, Feb 27, 2018 at 5:30 PM, Casey Schaufler wrote: > On 2/27/2018 8:39 AM, Andy Lutomirski wrote: >> On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov >> wrote: >>> [ Snip ] >> An earlier version of the patch set used the seccomp filter chain. >> Mickaël, what exactly was wrong with that

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-27 Thread Casey Schaufler
On 2/27/2018 8:39 AM, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov > wrote: >> [ Snip ] > An earlier version of the patch set used the seccomp filter chain. > Mickaël, what exactly was wrong with that approach other than that the > seccomp() syscall was awkward for

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-27 Thread Andy Lutomirski
On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov wrote: > On Tue, Feb 27, 2018 at 05:20:55AM +, Andy Lutomirski wrote: >> On Tue, Feb 27, 2018 at 4:54 AM, Alexei Starovoitov >> wrote: >> > On Tue, Feb 27, 2018 at 04:40:34AM +, Andy Lutomirski wrote: >> >> On Tue, Feb 27, 2018 at 2:08

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-26 Thread Alexei Starovoitov
On Tue, Feb 27, 2018 at 05:20:55AM +, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 4:54 AM, Alexei Starovoitov > wrote: > > On Tue, Feb 27, 2018 at 04:40:34AM +, Andy Lutomirski wrote: > >> On Tue, Feb 27, 2018 at 2:08 AM, Alexei Starovoitov > >> wrote: > >> > On Tue, Feb 27, 2018 at

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-26 Thread Andy Lutomirski
On Tue, Feb 27, 2018 at 4:54 AM, Alexei Starovoitov wrote: > On Tue, Feb 27, 2018 at 04:40:34AM +, Andy Lutomirski wrote: >> On Tue, Feb 27, 2018 at 2:08 AM, Alexei Starovoitov >> wrote: >> > On Tue, Feb 27, 2018 at 01:41:15AM +0100, Mickaël Salaün wrote: >> >> The seccomp(2) syscall can be

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-26 Thread Alexei Starovoitov
On Tue, Feb 27, 2018 at 04:40:34AM +, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 2:08 AM, Alexei Starovoitov > wrote: > > On Tue, Feb 27, 2018 at 01:41:15AM +0100, Mickaël Salaün wrote: > >> The seccomp(2) syscall can be used by a task to apply a Landlock program > >> to itself. As a

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-26 Thread Andy Lutomirski
On Tue, Feb 27, 2018 at 2:08 AM, Alexei Starovoitov wrote: > On Tue, Feb 27, 2018 at 01:41:15AM +0100, Mickaël Salaün wrote: >> The seccomp(2) syscall can be used by a task to apply a Landlock program >> to itself. As a seccomp filter, a Landlock program is enforced for the >> current task and

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-26 Thread Alexei Starovoitov
On Tue, Feb 27, 2018 at 01:41:15AM +0100, Mickaël Salaün wrote: > The seccomp(2) syscall can be used by a task to apply a Landlock program > to itself. As a seccomp filter, a Landlock program is enforced for the > current task and all its future children. A program is immutable and a > task can