Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
From: Christian Brauner <brauner@xxxxxxxxxx>
Date: Mon, 11 Sep 2023 14:35:15 +0200
Cc: Alexander Mikhalitsyn <alexander@xxxxxxxxxxxxx>, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>, Daniel Borkmann <daniel@xxxxxxxxxxxxx>, Andrii Nakryiko <andrii@xxxxxxxxxx>, Martin KaFai Lau <martin.lau@xxxxxxxxx>, Song Liu <song@xxxxxxxxxx>, Yonghong Song <yhs@xxxxxx>, John Fastabend <john.fastabend@xxxxxxxxx>, KP Singh <kpsingh@xxxxxxxxxx>, Stanislav Fomichev <sdf@xxxxxxxxxx>, Hao Luo <haoluo@xxxxxxxxxx>, Jiri Olsa <jolsa@xxxxxxxxxx>, Quentin Monnet <quentin@xxxxxxxxxxxxx>, Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>, bpf@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx, gyroidos@xxxxxxxxxxxxxxxxxxx, paul@xxxxxxxxxxxxxx, Miklos Szeredi <miklos@xxxxxxxxxx>, Amir Goldstein <amir73il@xxxxxxxxx>
In-reply-to: <c0a32db6-b798-4430-476d-dc74e9f79766@aisec.fraunhofer.de>

> So are OK with the checks here?

I'm ok with figuring out whether we can do this nicely, yes.

> > Because right now device access management seems its own form of
> > mandatory access control.
> 
> I'm currently testing an updated version which has incorporated the locking
> changes already mention by Alex and the change which avoids setting SB_I_NODEV
> in fs/super.c.

Not having to hack around SB_I_NODEV would be pretty crucial imho. It's
a core security assumption so we need to integrate with it nicely.

References:
- [PATCH RFC 0/4] bpf: cgroup device guard for non-initial user namespace
  - From: Michael Weiß
- [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
  - From: Michael Weiß
- Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
  - From: Christian Brauner
- Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
  - From: Alexei Starovoitov
- Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
  - From: Alexander Mikhalitsyn
- Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
  - From: Christian Brauner
- Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
  - From: Michael Weiß

Prev by Date: Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
Next by Date: Re: [PATCH v2 1/3] selftests/hid: ensure we can compile the tests on kernels pre-6.3
Previous by thread: Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
Next by thread: Re: [PATCH RFC 1/4] bpf: add cgroup device guard to flag a cgroup device prog
Index(es):
- Date
- Thread

[Index of Archives] [Linux Samsung SoC] [Linux Rockchip SoC] [Linux Actions SoC] [Linux for Synopsys ARC Processors] [Linux NFS] [Linux NILFS] [Linux USB Devel] [Video for Linux] [Linux Audio Users] [Yosemite News] [Linux Kernel] [Linux SCSI]