On Wed, Dec 15, 2021, at 1:45 PM, Luca Boccassi wrote:
Hmm. Some interesting stuff going on there but I would have started with a new SELinux
access vector. That'd allow fine-grained constraints, e.g. disallowing `init_t` but
allowing `unconfined_service_t`. Possibly also landlock should be able to hook into
this.
IOW it's not clear to me that a new LSM is the best thing for the ecosystem here.
But bigger picture I'd agree that fs-verity is significantly stronger when coupled
with such a policy - strong enough to block exploits like the runc one:
https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-c...
We use this in production, and those kind of constraints are just not enough, because
there's too many obvious ways around them. What we needed is for the kernel to enforce
that only signed code shall run, and thus IPE was born, so that when coupled with
dm-verity/fs-verity it allows to enforce a policy like that.