On Fri, Aug 25, 2017 at 6:03 PM, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > On Fri, Aug 25, 2017 at 10:07:27PM +0200, Daniel Borkmann wrote: >> On 08/25/2017 09:52 PM, Chenbo Feng wrote: >> > On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote: >> > > On Fri, Aug 25, 2017 at 12:26 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >> > > > On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep via Selinux >> > > > wrote: >> > > > > I’d like to get your thoughts on adding LSM permission checks on BPF >> > > > > objects. > > before reinventing the wheel please take a look at landlock work. > Everything that was discussed in this thread is covered by it. > The patches have been in development for more than a year and most of the early > issues have been resolved. > It will be presented again during security summit in LA in September. > I am not very familiar with landlock lsm, isn't this module also depend on the lsm hooks to do the landlock check? If so then adding lsm hooks for eBPF object seems not conflict with the work on progress.
