[PATCH v2] lsm: adds process attribute getter for Landlock
Casey Schaufler
casey at schaufler-ca.com
Thu Jun 1 21:30:25 UTC 2023
On 6/1/2023 1:45 PM, Jeff Xu wrote:
> On Wed, May 31, 2023 at 6:01 AM Mickaël Salaün <mic at digikod.net> wrote:
>>
>> On 30/05/2023 20:02, Jeff Xu wrote:
>>>>>> As I believe we are in the latter stages of review for the syscall
>>>>>> API, perhaps you could take a look and ensure that the current
>>>>>> proposed API works for what you are envisioning with Landlock?
>>>>>>
>>>>> Which review/patch to look for the proposed API ?
>>>> https://lore.kernel.org/lkml/20230428203417.159874-3-casey@schaufler-ca.com/T/
>>>>
>>>>
>>> How easy is it to add a customized LSM with new APIs?
>>> I'm asking because there are some hard-coded constant/macro, i.e.
>> I guess this question is related to the Chromium OS LSM right? I think
>> this would be a good opportunity to think about mainlining this LSM to
>> avoid the hassle of dealing with LSM IDs.
>>
> Yes :-)
> I agree it is good to think about upstream, there are things chromeOS
> did that can be beneficial to the main. At the same time, part of it
> might never be accepted by upstream because it is chromeOS specific,
> so those need to be cleaned up.
Perhaps, but look at what's been done with SELinux in support of Android.
You don't believe that the binder LSM hooks are for any other purpose, do
you? You'll never know what turns out to be acceptable unless you give it
a try.
More information about the Linux-security-module-archive
mailing list