Re: [kernel-hardening] [PATCH net-next v7 00/10] Landlock LSM: Toward unprivileged sandboxing

From: James Morris
Date: Sun Aug 27 2017 - 23:39:50 EST

Next message: James Morris: "Re: [PATCH net-next v7 02/10] bpf: Add eBPF program subtype and is_valid_subtype() verifier"
Previous message: Dou Liyang: "[PATCH v8 01/13] x86/apic: Construct a selector for the interrupt delivery mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 21 Aug 2017, MickaÃl SalaÃn wrote:

> ## Why a new LSM? Are SELinux, AppArmor, Smack and Tomoyo not good enough?
>
> The current access control LSMs are fine for their purpose which is to give the
> *root* the ability to enforce a security policy for the *system*. What is
> missing is a way to enforce a security policy for any application by its
> developer and *unprivileged user* as seccomp can do for raw syscall filtering.
>

You could mention here that the first case is Mandatory Access Control,
in general terms.

--
James Morris
<jmorris@xxxxxxxxx>

Next message: James Morris: "Re: [PATCH net-next v7 02/10] bpf: Add eBPF program subtype and is_valid_subtype() verifier"
Previous message: Dou Liyang: "[PATCH v8 01/13] x86/apic: Construct a selector for the interrupt delivery mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]