The secmark "one user" policy
James Morris
jmorris at namei.org
Thu Jun 29 09:10:52 UTC 2017
On Thu, 22 Jun 2017, John Johansen wrote:
> I don't see why not. The container could be built expecting smack
> labeling, selinux applies 1 or just a few labels to the whole
> container, and accesses within the container are mediated fine grained
> with smack.
This would require that all LSM-tagged objects and subjects be namespaced,
correct? If there is some way that a mediation happens across the
container boundary, things could get confusing (e.g. Smack policy not
seeming to allow things which SELinux is in fact denying).
Note also that LSM and namespaces are not abstracted in identical ways, so
we would need to know what it it means for LSM policy when say networking
is namespaced but not mounts. Or how to deal with shared subtrees.
Namespacing of LSM is probably the more fundamental issue to be resolved.
> A little more speculatively another potential example would be an LSM
> doing a personal firewalls around individual applications. Its really
> very similar to the snappy/flatpak sandboxing of apps but maybe
> someone wants that with out the additional baggage of a bigger LSM.
> Whether it would ever get in upstream is a separate question.
Landlock shows promise here, and stacking it inside one of the major MAC
LSMs seems to make sense.
--
James Morris
<jmorris at namei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list