On 04/10/2018 06:48 AM, Alexei Starovoitov wrote:
> On Mon, Apr 09, 2018 at 12:01:59AM +0200, Mickaël Salaün wrote:
>>
>> On 04/08/2018 11:06 PM, Andy Lutomirski wrote:
>>> On Sun, Apr 8, 2018 at 6:13 AM, Mickaël Salaün wrote:
>>>>
>>>>
On 04/08/2018 11:06 PM, Andy Lutomirski wrote:
> On Sun, Apr 8, 2018 at 6:13 AM, Mickaël Salaün wrote:
>>
>> On 02/27/2018 10:48 PM, Mickaël Salaün wrote:
>>>
>>> On 27/02/2018 17:39, Andy Lutomirski wrote:
>>>> On Tue, Feb 27, 2018 at 5:32 AM, Alex
On 02/27/2018 10:48 PM, Mickaël Salaün wrote:
>
> On 27/02/2018 17:39, Andy Lutomirski wrote:
>> On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov
>> wrote:
>>> On Tue, Feb 27, 2018 at 05:20:55AM +, Andy Lutomirski wrote:
>>>> On Tue, Feb
On 03/06/2018 11:28 PM, Mickaël Salaün wrote:
>
> On 28/02/2018 01:09, Andy Lutomirski wrote:
>> On Wed, Feb 28, 2018 at 12:00 AM, Mickaël Salaün wrote:
>>>
>>> On 28/02/2018 00:23, Andy Lutomirski wrote:
>>>> On Tue, Feb 27, 2018 at 11:02 PM, Andy Lut
On 03/09/2018 12:53 AM, Andy Lutomirski wrote:
> On Thu, Mar 8, 2018 at 11:51 PM, Mickaël Salaün wrote:
>>
>> On 07/03/2018 02:21, Andy Lutomirski wrote:
>>> On Tue, Mar 6, 2018 at 11:06 PM, Mickaël Salaün wrote:
>>>>
>>>> On 06/03/2018 23:46, Tyc
On 02/27/2018 02:23 AM, Al Viro wrote:
> On Tue, Feb 27, 2018 at 12:57:21AM +, Al Viro wrote:
>> On Tue, Feb 27, 2018 at 01:41:11AM +0100, Mickaël Salaün wrote:
>>> The function current_nameidata_security(struct inode *) can be used to
>>> retrieve a blob's p
On 07/03/2018 02:21, Andy Lutomirski wrote:
> On Tue, Mar 6, 2018 at 11:06 PM, Mickaël Salaün wrote:
>>
>> On 06/03/2018 23:46, Tycho Andersen wrote:
>>> On Tue, Mar 06, 2018 at 10:33:17PM +, Andy Lutomirski wrote:
>>>>>> Suppose I'm writing a c
On 06/03/2018 23:46, Tycho Andersen wrote:
> On Tue, Mar 06, 2018 at 10:33:17PM +, Andy Lutomirski wrote:
Suppose I'm writing a container manager. I want to run "mount" in the
container, but I don't want to allow mount() in general and I want to
emulate certain mount() actions.
On 28/02/2018 01:09, Andy Lutomirski wrote:
> On Wed, Feb 28, 2018 at 12:00 AM, Mickaël Salaün wrote:
>>
>> On 28/02/2018 00:23, Andy Lutomirski wrote:
>>> On Tue, Feb 27, 2018 at 11:02 PM, Andy Lutomirski wrote:
>>>> On Tue, Feb 27, 2018 at 10:14 PM, Mick
On 28/02/2018 00:09, Andy Lutomirski wrote:
> On Tue, Feb 27, 2018 at 10:03 PM, Mickaël Salaün wrote:
>>
>> On 27/02/2018 05:36, Andy Lutomirski wrote:
>>> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote:
>>>> Hi,
>>>>
>
>>>
On 28/02/2018 00:23, Andy Lutomirski wrote:
> On Tue, Feb 27, 2018 at 11:02 PM, Andy Lutomirski wrote:
>> On Tue, Feb 27, 2018 at 10:14 PM, Mickaël Salaün wrote:
>>>
>>> On 27/02/2018 06:01, Andy Lutomirski wrote:
>>>>
>>>>
>>
On 27/02/2018 05:54, Andy Lutomirski wrote:
>
>
>> On Feb 26, 2018, at 8:38 PM, Kees Cook wrote:
>>
>> On Mon, Feb 26, 2018 at 8:19 PM, Andy Lutomirski wrote:
On Feb 26, 2018, at 3:20 PM, Kees Cook wrote:
On Mon, Feb 26, 2018 at 3:04 PM, Alexei Starovoitov
wrote:
>> O
On 27/02/2018 05:17, Andy Lutomirski wrote:
> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote:
>> A landlocked process has less privileges than a non-landlocked process
>> and must then be subject to additional restrictions when manipulating
>> processes. To be al
On 27/02/2018 06:01, Andy Lutomirski wrote:
>
>
>> On Feb 26, 2018, at 8:17 PM, Andy Lutomirski wrote:
>>
>>> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote:
>>> A landlocked process has less privileges than a non-landlocked process
>>
On 27/02/2018 05:36, Andy Lutomirski wrote:
> On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün wrote:
>> Hi,
>>
>> This eighth series is a major revamp of the Landlock design compared to
>> the previous series [1]. This enables more flexibility and granularity
>>
ue, Feb 27, 2018 at 04:40:34AM +, Andy Lutomirski wrote:
>>>>> On Tue, Feb 27, 2018 at 2:08 AM, Alexei Starovoitov
>>>>> wrote:
>>>>>> On Tue, Feb 27, 2018 at 01:41:15AM +0100, Mickaël Salaün wrote:
>>>>>>> The seccomp(2) sysca
to load hook filters as unprivileged users
* smaller and simpler:
* no more checker groups but dedicated arraymap of handles
* simpler userland structs thanks to eBPF functions
* distinctive name: Landlock
[1] https://lkml.kernel.org/r/20170821000933.13024-1-...@digikod.net
[2] https://lkml.ke
the same loaded fs_walk program with multiple
chains of fs_pick programs).
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andrew Morton
Cc: Andy Lutomirski
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Will Drewry
Link: https://lkml.kernel.org/r/c10a503d-5e35-7785-2f3d
-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: David S. Miller
Link: https://lkml.kernel.org/r/20160827205559.ga43...@ast-mbp.thefacebook.com
---
Changes since v7:
* rename LANDLOCK_SUBTYPE_* to LANDLOCK_*
* move subtype in bpf_prog_aux and use only one bit for has_subtype
For compatibility reasons, MAY_CHROOT is always set with MAY_CHDIR.
However, this new flag makes it possible to differentiate a chdir from a chroot.
This is needed for the Landlock LSM to be able to evaluate a new root
directory.
Signed-off-by: Mickaël Salaün
Cc: Alexander Viro
Cc: Casey Schaufler
Cc
ogram type will be registered with the Landlock LSM
initialization.
Add an initial Landlock Kconfig and update the MAINTAINERS file.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc:
being able to read the tags from the pointed inode.
Add dedicated BPF functions to handle this type of map:
* bpf_inode_map_update_elem()
* bpf_inode_map_lookup_elem()
* bpf_inode_map_delete_elem()
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc
file path.
The LSM hook nameidata_free_security(struct inode *) is called before
freeing the associated nameidata.
Signed-off-by: Mickaël Salaün
Cc: Alexander Viro
Cc: Casey Schaufler
Cc: James Morris
Cc: John Johansen
Cc: Kees Cook
Cc: Paul Moore
Cc: "Serge E. Hallyn"
Cc: Step
rules.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v6:
* factor out ptrace check
* constify pointers
* cleanup headers
* use the new security_add_
This documentation can be built with the Sphinx framework.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Jonathan Corbet
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v7:
* update documentation
Test basic context access, ptrace protection and filesystem hooks and
Landlock program chaining with multiple cases.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc
: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v7:
* major rewrite with clean Landlock hooks able to deal with file paths
Changes since v6:
* add 3 more sub-events: IOCTL
Add a basic sandbox tool to launch a command which is only allowed to
access in a read only or read-write way a whitelist of file hierarchies.
Add to the bpf_load library the ability to handle a BPF program subtype.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc
seccomp-bpf does not use cBPF but a subset of it. The reason is that it
is meant to reduce the attack surface of the kernel. By limiting the
number of instructions allowed by seccomp-bpf, it really reduces the
possibilities for an attacker to use seccomp-bpf as an entry point to
attack the kernel. M
On 26/01/2018 03:16, Alexei Starovoitov wrote:
> On Fri, Jan 26, 2018 at 01:39:30AM +0100, Mickaël Salaün wrote:
>> Do not build lib/bpf/bpf.o with this Makefile but use the one from the
>> library directory. This avoids making a buggy bpf.o file (e.g. missing
>> symbols).
>
-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
This is not a complete fix because the call to multi_depend with
$(host-cmulti) from scripts/Makefile.host forces the build of bpf.o
anyway. I'm not sure how to completely avoid this automatic build
though.
---
sample
Make the code more readable.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
---
kernel/bpf/syscall.c | 5 +
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 5bdb0cc84ad2..e24aa3241387 100644
--- a
On 12/10/2017 18:33, Casey Schaufler wrote:
> On 10/12/2017 7:14 AM, Richard Guy Briggs wrote:
>> Containers are a userspace concept. The kernel knows nothing of them.
>>
>> The Linux audit system needs a way to be able to track the container
>> provenance of events and actions. Audit needs the
On 01/09/2017 12:25, Alban Crequy wrote:
> Hi Mickaël,
>
> On 21 August 2017 at 02:09, Mickaël Salaün wrote:
>> Add a basic sandbox tool to create a process isolated from some part of
>> the system. This sandbox creates a read-only environment. It is only
>> allo
On 29/08/2017 03:44, Chenbo Feng wrote:
> On Mon, Aug 28, 2017 at 6:15 PM, Alexei Starovoitov
> wrote:
>> On Mon, Aug 28, 2017 at 05:47:19PM -0700, Chenbo Feng wrote:
>>> On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov
>>> wrote:
On Fri, Aug 25, 2017 at 10:07:27PM +0200, Daniel Borkmann
On 26/08/2017 03:16, Alexei Starovoitov wrote:
> On Fri, Aug 25, 2017 at 10:16:39AM +0200, Mickaël Salaün wrote:
>>>
>>>> +/* a directory inode contains only one dentry */
>>>> +HOOK_NEW_FS(inode_create, 3,
>>>> + struct inode *, dir,
>&g
On 24/08/2017 04:59, Alexei Starovoitov wrote:
> On Mon, Aug 21, 2017 at 02:09:31AM +0200, Mickaël Salaün wrote:
>> Add a basic sandbox tool to create a process isolated from some part of
>> the system. This sandbox creates a read-only environment. It is only
>> allowed to
On 24/08/2017 04:50, Alexei Starovoitov wrote:
> On Mon, Aug 21, 2017 at 02:09:28AM +0200, Mickaël Salaün wrote:
>> Handle 33 filesystem-related LSM hooks for the Landlock filesystem
>> event: LANDLOCK_SUBTYPE_EVENT_FS.
>>
>> A Landlock event wraps LSM hooks for simil
On 24/08/2017 04:28, Alexei Starovoitov wrote:
> On Mon, Aug 21, 2017 at 02:09:26AM +0200, Mickaël Salaün wrote:
>> Add a new type of eBPF program used by Landlock rules.
>>
>> This new BPF program type will be registered with the Landlock LSM
>> initialization.
>
On 24/08/2017 04:31, Alexei Starovoitov wrote:
> On Mon, Aug 21, 2017 at 02:09:24AM +0200, Mickaël Salaün wrote:
>> This step mechanism may be useful to return information about the
>> error without being able to write to TH_LOG_STREAM.
>>
>> Set _metadata->
On 23/08/2017 04:44, Alexei Starovoitov wrote:
> On Mon, Aug 21, 2017 at 02:09:25AM +0200, Mickaël Salaün wrote:
>> The goal of the program subtype is to be able to have different static
>> fine-grained verifications for a unique program type.
>>
>> The struct bpf_verif
On 21/08/2017 02:09, Mickaël Salaün wrote:
> Handle 33 filesystem-related LSM hooks for the Landlock filesystem
> event: LANDLOCK_SUBTYPE_EVENT_FS.
>
> A Landlock event wraps LSM hooks for similar kernel object types (e.g.
> struct file, struct path...). Multiple LSM hooks can t
nel.org/r/5828776a.1010...@digikod.net
[3]
https://lkml.kernel.org/r/1477390454-12553-1-git-send-email-dan...@zonque.org
[4]
https://lkml.kernel.org/r/20160829114542.GA20836@ircssh.c.rugged-nimbus-611.internal
[5] https://lkml.kernel.org/r/20161221231506.19800-1-...@digikod.net
[6] htt
rules.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v6:
* factor out ptrace check
* constify pointers
* cleanup headers
* use the new security_add_
Test basic context access, ptrace protection and filesystem event with
multiple cases.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Shuah Khan
Cc: Will Drewry
ess.
# :> Y
cannot create Y: Operation not permitted
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v6:
* check return value of load_and_attach()
* al
This documentation can be built with the Sphinx framework.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Jonathan Corbet
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v6:
* add a check for ctx
(optional) program subtype is
valid.
For now, only Landlock eBPF programs are using a program subtype (see
next commit) but this could be used by other program types in the future.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Arnaldo Carvalho de Melo
Cc: Daniel Borkmann
Cc: David S
This step mechanism may be useful to return information about the
error without being able to write to TH_LOG_STREAM.
Set _metadata->no_print to true to print this counter.
Signed-off-by: Mickaël Salaün
Cc: Andy Lutomirski
Cc: Arnaldo Carvalho de Melo
Cc: Kees Cook
Cc: Shuah Khan
Add a new type of eBPF program used by Landlock rules.
This new BPF program type will be registered with the Landlock LSM
initialization.
Add an initial Landlock Kconfig.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc
granted by
major (privileged) LSMs.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
Changes since v6:
* add 3 more sub-events: IOCTL, LOCK, FCNTL
https://lkml.kernel.org/r
Add an eBPF function bpf_handle_fs_get_mode(handle_fs) to get the mode
of an abstract object wrapping either a file, a dentry, a path, or an
inode.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees
value which can deny the action on
a kernel object with a non-zero value. If every rule of the chain
returns zero, then the action on the object is allowed.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andrew Morton
Cc: Andy Lutomirski
Cc: James Morris
Cc: Kees Cook
Cc: Serge E
should not be a security concern.
Signed-off-by: Mickaël Salaün
Acked-by: Daniel Borkmann
Cc: Alexei Starovoitov
Cc: David S. Miller
Cc: Kees Cook
Cc: Martin KaFai Lau
Link:
https://lkml.kernel.org/r/CAGXu5j+vRGFvJZmjtAcT8Hi8B+Wz0e1b6VKYZHfQP_=dxzc...@mail.gmail.com
---
kernel/bpf/syscall.c
The function check_uarg_tail_zero() may be useful for other parts of the
code in the syscall.c file. Move this function to the beginning of the
file.
Signed-off-by: Mickaël Salaün
Acked-by: Daniel Borkmann
Cc: Alexei Starovoitov
Cc: David S. Miller
Cc: Kees Cook
Cc: Martin KaFai Lau
The function check_uarg_tail_zero() may be useful for other parts of the
code in the syscall.c file. Move this function to the beginning of the
file.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: Kees Cook
Cc: Martin KaFai Lau
---
This is
should not be a security concern.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: Kees Cook
Cc: Martin KaFai Lau
Link:
https://lkml.kernel.org/r/CAGXu5j+vRGFvJZmjtAcT8Hi8B+Wz0e1b6VKYZHfQP_=dxzc...@mail.gmail.com
---
kernel/bpf/syscall.c | 26
On 13/02/2017 02:43, David Ahern wrote:
> On 2/12/17 2:23 PM, Mickaël Salaün wrote:
>> diff --git a/samples/bpf/.gitignore b/samples/bpf/.gitignore
>> new file mode 100644
>> index ..a7562a5ef4c2
>> --- /dev/null
>> +++ b/samples/bpf/.gitignore
&g
On 23/03/2017 01:27, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Returns the owner uid of the socket inside a sk_buff. This is useful to
> perform per-UID accounting of network traffic or per-UID packet
> filtering. The socket needs to be a fullsock otherwise overflowuid is
> returned.
>
> Signed
On 19/04/2017 00:47, Mickaël Salaün wrote:
>
> On 19/04/2017 00:23, Kees Cook wrote:
>> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>>> The semantic is unchanged. This will be useful for the Landlock
>>> integration with seccomp (next commit).
>>
On 20/04/2017 00:02, Kees Cook wrote:
> On Wed, Apr 19, 2017 at 2:51 PM, Mickaël Salaün wrote:
>>
>> On 19/04/2017 02:02, Kees Cook wrote:
>>> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>>>> This is useful to return information about the error
On 19/04/2017 01:40, Kees Cook wrote:
> On Tue, Apr 18, 2017 at 4:16 PM, Casey Schaufler
> wrote:
>> On 4/18/2017 3:44 PM, Mickaël Salaün wrote:
>>> On 19/04/2017 00:17, Kees Cook wrote:
>>>> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>>>
On 19/04/2017 02:02, Kees Cook wrote:
> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>> This is useful to return information about the error without being
>> able to write to TH_LOG_STREAM.
>>
>> Helpers from test_harness.h may be useful outside
On 19/04/2017 01:26, Kees Cook wrote:
> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>> This sixth series adds some changes to the previous one [1], including a
>> simpler
>> rule inheritance hierarchy (similar to seccomp-bpf), a ptrace scope
>> protec
On 19/04/2017 01:16, Kees Cook wrote:
> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>> Test basic context access, ptrace protection and filesystem event with
>> multiple cases.
>>
>> Changes since v5:
>> * add subtype test
>> * add ptrace tests
>
On 19/04/2017 01:06, Kees Cook wrote:
> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>> Add a basic sandbox tool to create a process isolated from some part of
>> the system. This sandbox creates a read-only environment. It is only
>> allowed to write to a character
On 19/04/2017 00:53, Kees Cook wrote:
> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>> The seccomp(2) syscall can be used by a task to apply a Landlock rule to
>> itself. As a seccomp filter, a Landlock rule is enforced for the current
>> task and all its futur
On 19/04/2017 00:23, Kees Cook wrote:
> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>> The semantic is unchanged. This will be useful for the Landlock
>> integration with seccomp (next commit).
>>
>> Signed-off-by: Mickaël Salaün
>> Cc: Kees Cook
>
On 19/04/2017 00:17, Kees Cook wrote:
> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote:
>> Handle 33 filesystem-related LSM hooks for the Landlock filesystem
>> event: LANDLOCK_SUBTYPE_EVENT_FS.
>>
>> A Landlock event wraps LSM hooks for similar kernel object
On 29/03/2017 01:46, Mickaël Salaün wrote:
> Add a new type of eBPF program used by Landlock rules.
>
> This new BPF program type will be registered with the Landlock LSM
> initialization.
>
> Add an initial Landlock Kconfig.
>
> Changes since v5:
> * rename fil
On 10/04/2017 08:48, Djalal Harouni wrote:
> On Wed, Mar 29, 2017 at 1:46 AM, Mickaël Salaün wrote:
>> A landlocked process has less privileges than a non-landlocked process
>> and must then be subject to additional restrictions when manipulating
>> processes. To be allowed
Julia Lawall
> Subject: Re: [PATCH net-next v6 01/11] bpf: Add eBPF program subtype and
> is_valid_subtype() verifier
>
> In-Reply-To: <20170328234650.19695-2-...@digikod.net>
> TO: "Mickaël Salaün"
>
> Hi Mickaël,
>
> [auto build test WARNIN
On 29/03/2017 12:35, Djalal Harouni wrote:
> On Wed, Mar 29, 2017 at 1:46 AM, Mickaël Salaün wrote:
>> @@ -25,6 +30,9 @@ struct seccomp_filter;
>> struct seccomp {
>> int mode;
>> struct seccomp_filter *filter;
>> +#if defined(
* with struct path* in map_landlock_handle
* add BPF protos
* fix bpf_landlock_cmp_fs_prop_with_struct_file()
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Jann Horn
.kernel.org/r/5828776a.1010...@digikod.net
[3]
https://lkml.kernel.org/r/1477390454-12553-1-git-send-email-dan...@zonque.org
[4]
https://lkml.kernel.org/r/20160829114542.GA20836@ircssh.c.rugged-nimbus-611.internal
[5] https://lkml.kernel.org/r/20161221231506.19800-1-...@digikod.net
Regards,
Mic
" field
* add an "option" field
* cleanup comments
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Arnaldo Carvalho de Melo
Cc: Daniel Borkmann
Cc: David S. Miller
Link: https://lkml.kernel.org/r/20160827205559.ga43...@ast-mbp.thefacebook.com
---
include/lin
Landlock programs for each of their
legitimate seccomp filter
* properly clean up all seccomp results
* cosmetic changes to ease the understanding
* fix some ifdef
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andrew Morton
Cc: Andy Lutomirski
Cc: James Morris
Cc: Kees Cook
Cc
This documentation can be built with the Sphinx framework.
Changes since v5:
* update the rule hierarchy inheritance explanation
* briefly explain ctx->arg2
* add ptrace restrictions
* explain EPERM
* update example (subtype)
* use ":manpage:"
Signed-off-by: Mickaël Salaü
-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
include/linux/landlock.h | 23
include/uapi/linux/bpf.h | 105 +++
security
Test basic context access, ptrace protection and filesystem event with
multiple cases.
Changes since v5:
* add subtype test
* add ptrace tests
* split and rename files
* cleanup and rebase
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David
This is useful to return information about the error without being
able to write to TH_LOG_STREAM.
Helpers from test_harness.h may be useful outside of the seccomp
directory.
Signed-off-by: Mickaël Salaün
Cc: Andy Lutomirski
Cc: Arnaldo Carvalho de Melo
Cc: Kees Cook
Cc: Shuah Khan
Cc
s (e.g. SECCOMP_ADD_LANDLOCK_RULE)
Changes since v2:
* use BPF_PROG_ATTACH for cgroup handling
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
samples/bpf/Makefile | 4 ++
sampl
The semantic is unchanged. This will be useful for the Landlock
integration with seccomp (next commit).
Signed-off-by: Mickaël Salaün
Cc: Kees Cook
Cc: Andy Lutomirski
Cc: Will Drewry
---
include/linux/seccomp.h | 4 ++--
kernel/fork.c | 2 +-
kernel/seccomp.c| 18
rules.
New in v6
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
security/landlock/Makefile | 2 +-
security/landlock/hooks_ptrace.c
(needed for programs
generated by LLVM)
Changes since v3:
* split commit
* add hooks dealing with struct inode and struct path pointers:
inode_permission and inode_getattr
* add abstraction over eBPF helper arguments thanks to wrapping structs
Signed-off-by: Mickaël Salaün
Cc: Alexei
On 02/03/2017 11:22, Djalal Harouni wrote:
> On Wed, Feb 22, 2017 at 2:26 AM, Mickaël Salaün wrote:
>> The seccomp(2) syscall can be used to apply a Landlock rule to the
>> current process. As with a seccomp filter, the Landlock rule is enforced
>> for all its future childr
On 03/03/2017 01:55, Andy Lutomirski wrote:
> On Thu, Mar 2, 2017 at 4:48 PM, Mickaël Salaün wrote:
>>
>> On 02/03/2017 17:36, Andy Lutomirski wrote:
>>> On Wed, Mar 1, 2017 at 3:28 PM, Mickaël Salaün wrote:
>>>>
>>>>
>>>> On 01/03/
On 02/03/2017 17:36, Andy Lutomirski wrote:
> On Wed, Mar 1, 2017 at 3:28 PM, Mickaël Salaün wrote:
>>
>>
>> On 01/03/2017 23:20, Andy Lutomirski wrote:
>>> On Wed, Mar 1, 2017 at 2:14 PM, Mickaël Salaün wrote:
>>>>
>>>> On 28/02/2017 21:01
On 01/03/2017 23:20, Andy Lutomirski wrote:
> On Wed, Mar 1, 2017 at 2:14 PM, Mickaël Salaün wrote:
>>
>> On 28/02/2017 21:01, Andy Lutomirski wrote:
>>> On Tue, Feb 21, 2017 at 5:26 PM, Mickaël Salaün wrote:
>>>> The seccomp(2) syscall can be used to apply
On 01/03/2017 10:32, James Morris wrote:
> On Wed, 22 Feb 2017, Mickaël Salaün wrote:
>
>> Add an eBPF function bpf_handle_fs_get_mode(handle_fs) to get the mode
>> of an abstract object wrapping either a file, a dentry, a path, or an
>> inode.
>>
>>
On 28/02/2017 21:01, Andy Lutomirski wrote:
> On Tue, Feb 21, 2017 at 5:26 PM, Mickaël Salaün wrote:
>> The seccomp(2) syscall can be used to apply a Landlock rule to the
>> current process. As with a seccomp filter, the Landlock rule is enforced
>> for all its future childr
On 22/02/2017 02:26, Mickaël Salaün wrote:
> Add a basic sandbox tool to create a process isolated from some part of
> the system. This sandbox creates a read-only environment. It is only
> allowed to write to a character device such as a TTY:
>
> # :> X
> # echo $?
>
On 22/02/2017 06:21, Andy Lutomirski wrote:
> On Tue, Feb 21, 2017 at 5:26 PM, Mickaël Salaün wrote:
>> This documentation can be built with the Sphinx framework.
>>
>> Signed-off-by: Mickaël Salaün
>> Cc: Alexei Starovoitov
>> Cc: Andy Lutomirski
>>
od.net
[2] https://lkml.kernel.org/r/5828776a.1010...@digikod.net
[3]
https://lkml.kernel.org/r/1477390454-12553-1-git-send-email-dan...@zonque.org
[4]
https://lkml.kernel.org/r/20160829114542.GA20836@ircssh.c.rugged-nimbus-611.internal
[5] https://lkml.kernel.org/r/20161221231506.19800-1-...@digikod.net
* revamp the landlock_context:
* add arch, syscall_nr and syscall_cmd (ioctl, fcntl…) to be able to
cross-check action with the event type
* replace args array with dedicated fields to ease the addition of new
fields
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
This is useful to return information about the error without being
able to write to TH_LOG_STREAM.
Helpers from test_harness.h may be useful outside of the seccomp
directory.
Signed-off-by: Mickaël Salaün
Cc: Andy Lutomirski
Cc: Arnaldo Carvalho de Melo
Cc: Kees Cook
Cc: Shuah Khan
Cc
"access" field with "ability" (less confusing)
Changes since v3:
* remove the "origin" field
* add an "option" field
* cleanup comments
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Arnaldo Carvalho de Melo
Cc: Daniel Borkmann
Cc: David S. Miller
* use BPF_PROG_ATTACH for cgroup handling
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
---
samples/bpf/.gitignore | 32 ++
samples/bpf/Makefile | 4 ++
s
Test basic context access and filesystem event with multiple cases.
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E. Hallyn
Cc: Shuah Khan
Cc: Will Drewry
---
tools/testing
and struct path pointers:
inode_permission and inode_getattr
* add abstraction over eBPF helper arguments thanks to wrapping structs
Signed-off-by: Mickaël Salaün
Cc: Alexei Starovoitov
Cc: Andy Lutomirski
Cc: Daniel Borkmann
Cc: David S. Miller
Cc: James Morris
Cc: Kees Cook
Cc: Serge E