On 30/12/2019 20:30, Kees Cook wrote:
> On Fri, Dec 20, 2019 at 11:46:47PM +0100, Mickaël Salaün wrote:
>> I'm working on a version of Landlock without eBPF, but still with the
>> initially sought properties: safe unprivileged composability, modularity, and
>> dynamic update. I'll send this version soon.
>>
>> I hope that the work and experience from Landlock to bring eBPF to LSM will
>> continue to be used through KRSI. Landlock will now focus on the
>> unprivileged sandboxing part, without eBPF. Stay tuned!
>
> Will it end up looking at all like pledge? I'm still struggling to come
> up with a sensible pledge-like design on top of seccomp, especially
> given the need to have it very closely tied to the running libc...
>

Yes, it's similar to Pledge/Unveil but with fine-grained control (and a more
flexible design). And because it is not tied to syscalls, there are no issues
like those with seccomp and libc. In fact, there is no longer any relationship
with seccomp either.

The version I'm working on is similar in principle to the patch series v10 [1],
without the usage complexity brought by eBPF, but with a more polished
file-based access control. The demo from LSS 2018 [2] gives an overview of
the possibilities.

[1] https://lore.kernel.org/lkml/20190721213116.23476-1-mic@xxxxxxxxxxx/
[2] https://landlock.io/talks/2018-08-27_landlock-lss_demo-1-web.mkv