On 5/22/2023 11:13 PM, Jeff Xu wrote: > On Mon, May 22, 2023 at 12:56 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote: >> On Thu, May 18, 2023 at 5:26 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: >>> On 5/18/2023 1:45 PM, Shervin Oloumi wrote: >>>> Adds a new getprocattr hook function to the Landlock LSM, which tracks >>>> the landlocked state of the process. This is invoked when user-space >>>> reads /proc/[pid]/attr/domain >>> Please don't add a Landlock specific entry directly in the attr/ >>> directory. Add it only to attr/landlock. >>> >>> Also be aware that the LSM maintainer (Paul Moore) wants to move >>> away from the /proc/.../attr interfaces in favor of a new system call, >>> which is in review. >> What Casey said above. >> >> There is still some uncertainty around timing, and if we're perfectly >> honest, acceptance of the new syscalls at the Linus level, but yes, I >> would very much like to see the LSM infrastructure move away from >> procfs and towards a syscall API. Part of the reasoning is that the >> current procfs API is ill-suited to handle the multiple, stacked LSMs >> and the other part being the complexity of procfs in a namespaced >> system. If the syscall API is ultimately rejected, we will need to >> revisit the idea of a procfs API, but even then I think we'll need to >> make some changes to the current approach. >> >> As I believe we are in the latter stages of review for the syscall >> API, perhaps you could take a look and ensure that the current >> proposed API works for what you are envisioning with Landlock? >> > Which review/patch to look for the proposed API ? https://lore.kernel.org/lkml/20230428203417.159874-3-casey@xxxxxxxxxxxxxxxx/T/ > I guess ChromeOS will need to backport to 5.10 when the proposal is accepted. > > Thanks > -Jeff > > >> -- >> paul-moore.com
