From: "Mickaël Salaün" <mic@digikod.net>
To: Shervin Oloumi <enlightened@chromium.org>,
Casey Schaufler <casey@schaufler-ca.com>,
Paul Moore <paul@paul-moore.com>
Cc: linux-security-module@vger.kernel.org, jorgelo@chromium.org,
keescook@chromium.org, groeck@chromium.org, jeffxu@chromium.org,
allenwebb@chromium.org, "Günther Noack" <gnoack3000@gmail.com>,
"Adrian Reber" <areber@redhat.com>,
criu@openvz.org, "Linux API" <linux-api@vger.kernel.org>,
"Jann Horn" <jannh@google.com>,
"Christian Brauner" <brauner@kernel.org>
Subject: Re: [PATCH 0/1] process attribute support for Landlock
Date: Wed, 24 May 2023 18:09:52 +0200
Message-ID: <30aef0b6-0d2c-a0de-0152-a358805f95af@digikod.net>
In-Reply-To: <CAMb9sThs2QXid0LZ3gwtfJoJUM3mpK0=nobOGpicde7jnuAJ5Q@mail.gmail.com>
On 18/05/2023 22:44, Shervin Oloumi wrote:
> Sorry for the delay on this. I think there is a fundamental issue here
> that needs to be resolved first, and that is the limitation of the
> kernel that only one LSM's hook function can be called through the
> procfs attribute interface. This is a blocker for us (and I imagine
> for others), since implementing any Landlock attribute API would block
> the existing SELinux hook function, which is used to surface domain
> information. `ps` also uses it to display domain information when you
> pass `-Z`. Please note, this is independent of which path and filename
> we use for Landlock. Even when the "domain" file is placed under a
> different directory, for example `/proc/[pid]/attr/landlock/domain`
> the kernel only calls the Landlock hook function for any interaction
> with any files under attr (the kernel always calls only the hook
> function for the first loaded LSM in the kernel config). So if anyone
> in this thread has any information on whether there is work in
> progress for addressing this issue, that would be helpful.
This seems to be an LSM stacking issue. Do the LSM syscalls also have
this issue? This should be part of tests.
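The kind of check asked for above, as an added example that is not part of this thread: a small C program that queries the LSM syscall interface (lsm_get_self_attr(2), merged later in Linux 6.8, so its struct lsm_ctx layout, LSM_ATTR_CURRENT and LSM_ID_* constants are redefined here with a _COMPAT suffix to build against older headers) and walks the variable-length list of per-LSM entries it returns, so one can see whether every stacked LSM answers rather than only the first one as with the procfs attribute files. The walker validates each entry's length against the buffer before trusting it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Same layout as struct lsm_ctx in <linux/lsm.h> (Linux >= 6.8), redefined
 * locally so the program builds where userspace headers predate it. */
struct lsm_ctx_compat {
	uint64_t id;      /* LSM_ID_* of the module that produced this entry */
	uint64_t flags;
	uint64_t len;     /* total bytes of this entry, including padding */
	uint64_t ctx_len; /* bytes of attribute data actually present in ctx[] */
	uint8_t ctx[];
};

#define LSM_ATTR_CURRENT_COMPAT 100
#define LSM_ID_SELINUX_COMPAT   101
#define LSM_ID_LANDLOCK_COMPAT  110
#ifndef __NR_lsm_get_self_attr
#define __NR_lsm_get_self_attr 459 /* same number on every architecture */
#endif

/* Walk `count` entries in a `size`-byte buffer returned by the syscall and
 * set *found if `want_id` is among them. Returns the number of well-formed
 * entries walked, or -1 if an entry claims more bytes than remain. */
int lsm_ctx_walk(const void *buf, size_t size, int count, uint64_t want_id,
		 int *found)
{
	const uint8_t *base = buf;
	size_t off = 0;
	int seen = 0;

	*found = 0;
	while (seen < count) {
		if (size - off < sizeof(struct lsm_ctx_compat))
			return -1;
		const struct lsm_ctx_compat *c = (const void *)(base + off);
		if (c->len < sizeof(*c) + c->ctx_len || c->len > size - off)
			return -1;
		if (c->id == want_id)
			*found = 1;
		off += c->len;
		seen++;
	}
	return seen;
}

int main(void)
{
	uint64_t buf[512]; /* 8-byte aligned, as the kernel pads entries */
	uint32_t size = sizeof(buf);
	int selinux, landlock;
	long n = syscall(__NR_lsm_get_self_attr, LSM_ATTR_CURRENT_COMPAT, buf,
			 &size, 0);

	if (n < 0) {
		perror("lsm_get_self_attr"); /* ENOSYS on kernels before 6.8 */
		return 1;
	}
	lsm_ctx_walk(buf, size, (int)n, LSM_ID_SELINUX_COMPAT, &selinux);
	lsm_ctx_walk(buf, size, (int)n, LSM_ID_LANDLOCK_COMPAT, &landlock);
	printf("%ld LSM(s) answered; selinux=%d landlock=%d\n", n, selinux,
	       landlock);
	return 0;
}
```

Compare the count printed here with what `cat /proc/self/attr/current` shows to see whether the syscall path is subject to the single-LSM limitation described in the quoted message.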