Hi!

> This series is a proof of concept to fill some missing parts of seccomp as the
> ability to check syscall argument pointers or creating more dynamic security
> policies. The goal of this new stackable Linux Security Module (LSM) called
> Landlock is to allow any process, including unprivileged ones, to create
> powerful security sandboxes comparable to the Seatbelt/XNU Sandbox or the
> OpenBSD Pledge. This kind of sandbox helps to mitigate the security impact of
> bugs or unexpected/malicious behaviors in userland applications.
>
> The first RFC [1] was focused on extending seccomp while staying at the syscall
> level. This brought a working PoC but with some (mitigated) ToCToU race
> conditions due to the seccomp ptrace hole (now fixed) and the non-atomic
> syscall argument evaluation (hence the LSM hooks).

Long and nice description follows. Should it go to Documentation/ somewhere?
Because some documentation would be useful...

									Pavel

>  include/linux/bpf.h                   |  41 +++++
>  include/linux/lsm_hooks.h             |   5 +
>  include/linux/seccomp.h               |  54 ++++++-
>  include/uapi/asm-generic/errno-base.h |   1 +
>  include/uapi/linux/bpf.h              | 103 ++++++++++++
>  include/uapi/linux/seccomp.h          |   2 +
>  kernel/bpf/arraymap.c                 | 222 +++++++++++++++++++++++++
>  kernel/bpf/syscall.c                  |  18 ++-
>  kernel/bpf/verifier.c                 |  32 +++-
>  kernel/fork.c                         |  41 ++++-
>  kernel/seccomp.c                      | 211 +++++++++++++++++++++++-
>  samples/Makefile                      |   2 +-
>  samples/landlock/.gitignore           |   1 +
>  samples/landlock/Makefile             |  16 ++
>  samples/landlock/sandbox.c            | 295 ++++++++++++++++++++++++++++++++++
>  security/Kconfig                      |   1 +
>  security/Makefile                     |   2 +
>  security/landlock/Kconfig             |  19 +++
>  security/landlock/Makefile            |   3 +
>  security/landlock/checker_cgroup.c    |  96 +++++++++++
>  security/landlock/checker_cgroup.h    |  18 +++
>  security/landlock/checker_fs.c        | 183 +++++++++++++++++++++
>  security/landlock/checker_fs.h        |  20 +++
>  security/landlock/lsm.c               | 228 ++++++++++++++++++++++++++
>  security/security.c                   |   1 +
>  25 files changed, 1592 insertions(+), 23 deletions(-)
>  create mode 100644 samples/landlock/.gitignore
>  create mode 100644 samples/landlock/Makefile
>  create mode 100644 samples/landlock/sandbox.c
>  create mode 100644 security/landlock/Kconfig
>  create mode 100644 security/landlock/Makefile
>  create mode 100644 security/landlock/checker_cgroup.c
>  create mode 100644 security/landlock/checker_cgroup.h
>  create mode 100644 security/landlock/checker_fs.c
>  create mode 100644 security/landlock/checker_fs.h
>  create mode 100644 security/landlock/lsm.c

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html