[PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing
Tycho Andersen
tycho at tycho.ws
Tue Mar 6 22:46:36 UTC 2018
On Tue, Mar 06, 2018 at 10:33:17PM +0000, Andy Lutomirski wrote:
> >> Suppose I'm writing a container manager. I want to run "mount" in the
> >> container, but I don't want to allow moun() in general and I want to
> >> emulate certain mount() actions. I can write a filter that catches
> >> mount using seccomp and calls out to the container manager for help.
> >> This isn't theoretical -- Tycho wants *exactly* this use case to be
> >> supported.
> >
> > Well, I think this use case should be handled with something like
> > LD_PRELOAD and a helper library. FYI, I did something like this:
> > https://github.com/stemjail/stemshim
>
> I doubt that will work for containers. Containers that use user
> namespaces and, for example, setuid programs aren't going to honor
> LD_PRELOAD.
Or anything that calls syscalls directly, like go programs.
Tycho
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list