Date: Tue, 27 Feb 2018 09:30:35 -0800 From: Casey Schaufler <casey@...aufler-ca.com> To: Andy Lutomirski <luto@...nel.org>, Alexei Starovoitov <alexei.starovoitov@...il.com> Cc: Mickaël Salaün <mic@...ikod.net>, LKML <linux-kernel@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, Arnaldo Carvalho de Melo <acme@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, David Drysdale <drysdale@...gle.com>, "David S . Miller" <davem@...emloft.net>, "Eric W . Biederman" <ebiederm@...ssion.com>, Jann Horn <jann@...jh.net>, Jonathan Corbet <corbet@....net>, Michael Kerrisk <mtk.manpages@...il.com>, Kees Cook <keescook@...omium.org>, Paul Moore <paul@...l-moore.com>, Sargun Dhillon <sargun@...gun.me>, "Serge E . Hallyn" <serge@...lyn.com>, Shuah Khan <shuah@...nel.org>, Tejun Heo <tj@...nel.org>, Thomas Graf <tgraf@...g.ch>, Tycho Andersen <tycho@...ho.ws>, Will Drewry <wad@...omium.org>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Linux API <linux-api@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, Network Development <netdev@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy On 2/27/2018 8:39 AM, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov > <alexei.starovoitov@...il.com> wrote: >> [ Snip ] > An earlier version of the patch set used the seccomp filter chain. > Mickaël, what exactly was wrong with that approach other than that the > seccomp() syscall was awkward for you to use? You could add a > seccomp_add_landlock_rule() syscall if you needed to. > > As a side comment, why is this an LSM at all, let alone a non-stacking > LSM? It would make a lot more sense to me to make Landlock depend on > having LSMs configured in but to call the landlock hooks directly from > the security_xyz() hooks. Please, no. It is my serious intention to have at least the infrastructure blob management in within a release or two, and I think that's all Landlock needs. The security_xyz() hooks are sufficiently hackish as it is without unnecessarily adding more special cases.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.