Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 7 Mar 2018 00:06:55 +0100
From: MickaĆ«l SalaĆ¼n <>
To: Tycho Andersen <>, Andy Lutomirski <>
Cc: LKML <>, Alexei Starovoitov <>,
        Arnaldo Carvalho de Melo <>,
        Casey Schaufler <>,
        Daniel Borkmann <>,
        David Drysdale
        "David S . Miller" <>,
        "Eric W . Biederman" <>,
        James Morris <>, Jann Horn <>,
        Jonathan Corbet <>,
        Michael Kerrisk <>,
        Kees Cook <>, Paul Moore <>,
        Sargun Dhillon <>,
        "Serge E . Hallyn" <>, Shuah Khan <>,
        Tejun Heo <>, Thomas Graf <>,
        Will Drewry <>,
        Kernel Hardening <>,
        Linux API <>,
        LSM List <>,
        Network Development <>
Subject: Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged

On 06/03/2018 23:46, Tycho Andersen wrote:
> On Tue, Mar 06, 2018 at 10:33:17PM +0000, Andy Lutomirski wrote:
>>>> Suppose I'm writing a container manager.  I want to run "mount" in the
>>>> container, but I don't want to allow moun() in general and I want to
>>>> emulate certain mount() actions.  I can write a filter that catches
>>>> mount using seccomp and calls out to the container manager for help.
>>>> This isn't theoretical -- Tycho wants *exactly* this use case to be
>>>> supported.
>>> Well, I think this use case should be handled with something like
>>> LD_PRELOAD and a helper library. FYI, I did something like this:
>> I doubt that will work for containers.  Containers that use user
>> namespaces and, for example, setuid programs aren't going to honor
> Or anything that calls syscalls directly, like go programs.

That's why the vDSO-like approach. Enforcing an access control is not
the issue here, patching a buggy userland (without patching its code) is
the issue isn't it?

As far as I remember, the main problem is to handle file descriptors
while "emulating" the kernel behavior. This can be done with a "shim"
code mapped in every processes. Chrome used something like this (in a
previous sandbox mechanism) as a kind of emulation (with the current
seccomp-bpf ). I think it should be doable to replace the (userland)
emulation code with an IPC wrapper receiving file descriptors through
UNIX socket.

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.