Mickaël Salaün

Results 156 comments of Mickaël Salaün

> However, the landlock LSM may not be available in managed cloud environments like GitHub Actions, or the kernel used may not be recent enough to support landlock V4. Yes,...

> It would be better to figure out why syzkaller is unable to do what `auditd` does - in the end, these are just some netlink operations/syscalls that must be...

I tried this but `sendmsg(2)` returns ENODATA:

```
r0 = socket$nl_audit(AUTO, AUTO, AUTO)
sendmsg$AUDIT_SET(r0, &AUTO = {@audit_status={AUDIT_STATUS_ENABLED, 1}}, 0x0)
```

I'm not sure how to create a valid Netlink header+message.

> We've been inconsistently using EXPECT and ASSERT in Landlock's selftests, especially for teardown. (fs_test.c uses `ASSERT_EQ(0, close(fd))` whereas net_test.c uses `EXPECT_EQ(0, close(fd))` everywhere).
>
> I personally prefer to...

The paths are all opened and the kernel actually only looks for the related inodes. It is then not possible to create rules based on a nonexistent file. We should probably...

Related to https://github.com/opencontainers/runtime-spec/pull/1241 and https://github.com/landlock-lsm/landlockconfig (WIP)