Date: Tue, 27 Feb 2018 17:36:34 +0000 From: Andy Lutomirski <luto@...nel.org> To: Casey Schaufler <casey@...aufler-ca.com> Cc: Andy Lutomirski <luto@...nel.org>, Alexei Starovoitov <alexei.starovoitov@...il.com>, Mickaël Salaün <mic@...ikod.net>, LKML <linux-kernel@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, Arnaldo Carvalho de Melo <acme@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, David Drysdale <drysdale@...gle.com>, "David S . Miller" <davem@...emloft.net>, "Eric W . Biederman" <ebiederm@...ssion.com>, Jann Horn <jann@...jh.net>, Jonathan Corbet <corbet@....net>, Michael Kerrisk <mtk.manpages@...il.com>, Kees Cook <keescook@...omium.org>, Paul Moore <paul@...l-moore.com>, Sargun Dhillon <sargun@...gun.me>, "Serge E . Hallyn" <serge@...lyn.com>, Shuah Khan <shuah@...nel.org>, Tejun Heo <tj@...nel.org>, Thomas Graf <tgraf@...g.ch>, Tycho Andersen <tycho@...ho.ws>, Will Drewry <wad@...omium.org>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Linux API <linux-api@...r.kernel.org>, LSM List <linux-security-module@...r.kernel.org>, Network Development <netdev@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy On Tue, Feb 27, 2018 at 5:30 PM, Casey Schaufler <casey@...aufler-ca.com> wrote: > On 2/27/2018 8:39 AM, Andy Lutomirski wrote: >> On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov >> <alexei.starovoitov@...il.com> wrote: >>> [ Snip ] >> An earlier version of the patch set used the seccomp filter chain. >> Mickaël, what exactly was wrong with that approach other than that the >> seccomp() syscall was awkward for you to use? You could add a >> seccomp_add_landlock_rule() syscall if you needed to. >> >> As a side comment, why is this an LSM at all, let alone a non-stacking >> LSM? It would make a lot more sense to me to make Landlock depend on >> having LSMs configured in but to call the landlock hooks directly from >> the security_xyz() hooks. > > Please, no. It is my serious intention to have at least the > infrastructure blob management in within a release or two, and > I think that's all Landlock needs. The security_xyz() hooks are > sufficiently hackish as it is without unnecessarily adding more > special cases. > > What do you mean by "infrastructure blob management"?
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.