On Wed, Sep 14, 2016 at 9:00 PM, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > On Wed, Sep 14, 2016 at 07:27:08PM -0700, Andy Lutomirski wrote: >> >> > >> >> > This RFC handle both cgroup and seccomp approaches in a similar way. I >> >> > don't see why building on top of cgroup v2 is a problem. Is there >> >> > security issues with delegation? >> >> >> >> What I mean is: cgroup v2 delegation has a functionality problem. >> >> Tejun says [1]: >> >> >> >> We haven't had to face this decision because cgroup has never properly >> >> supported delegating to applications and the in-use setups where this >> >> happens are custom configurations where there is no boundary between >> >> system and applications and adhoc trial-and-error is good enough a way >> >> to find a working solution. That wiggle room goes away once we >> >> officially open this up to individual applications. >> >> >> >> Unless and until that changes, I think that landlock should stay away >> >> from cgroups. Others could reasonably disagree with me. >> > >> > Ours and Sargun's use cases for cgroup+lsm+bpf is not for security >> > and not for sandboxing. So the above doesn't matter in such contexts. >> > lsm hooks + cgroups provide convenient scope and existing entry points. >> > Please see checmate examples how it's used. >> > >> >> To be clear: I'm not arguing at all that there shouldn't be >> bpf+lsm+cgroup integration. I'm arguing that the unprivileged >> landlock interface shouldn't expose any cgroup integration, at least >> until the cgroup situation settles down a lot. > > ahh. yes. we're perfectly in agreement here. > I'm suggesting that the next RFC shouldn't include unpriv > and seccomp at all. Once bpf+lsm+cgroup is merged, we can > argue about unpriv with cgroups and even unpriv as a whole, > since it's not a given. Seccomp integration is also questionable. > I'd rather not have seccomp as a gate keeper for this lsm. > lsm and seccomp are orthogonal hook points. Syscalls and lsm hooks > don't have one to one relationship, so mixing them up is only > asking for trouble further down the road. > If we really need to carry some information from seccomp to lsm+bpf, > it's easier to add eBPF support to seccomp and let bpf side deal > with passing whatever information. > As an argument for keeping seccomp (or an extended seccomp) as the interface for an unprivileged bpf+lsm: seccomp already checks off most of the boxes for safely letting unprivileged programs sandbox themselves. Furthermore, to the extent that there are use cases for unprivileged bpf+lsm that *aren't* expressible within the seccomp hierarchy, I suspect that syscall filters have exactly the same problem and that we should fix seccomp to cover it. If I ever add a "seccomp monitor", which is something I want to do eventually, I think it should work for lsm+bpf as well, which is another argument for keeping it in seccomp. --Andy -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
