|
Message-Id: <20200224160215.4136-1-mic@digikod.net> Date: Mon, 24 Feb 2020 17:02:05 +0100 From: Mickaël Salaün <mic@...ikod.net> To: linux-kernel@...r.kernel.org Cc: Mickaël Salaün <mic@...ikod.net>, Al Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...capital.net>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, James Morris <jmorris@...ei.org>, Jann Horn <jann@...jh.net>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Michael Kerrisk <mtk.manpages@...il.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, "Serge E . Hallyn" <serge@...lyn.com>, Shuah Khan <shuah@...nel.org>, Vincent Dagonneau <vincent.dagonneau@....gouv.fr>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-arch@...r.kernel.org, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kselftest@...r.kernel.org, linux-security-module@...r.kernel.org, x86@...nel.org Subject: [RFC PATCH v14 00/10] Landlock LSM Hi, This new version of Landlock is a major revamp of the previous series [1], hence the RFC tag. The three main changes are the replacement of eBPF with a dedicated safe management of access rules, the replacement of the use of seccomp(2) with a dedicated syscall, and the management of filesystem access-control (back from the v10). As discussed in [2], eBPF may be too powerful and dangerous to be put in the hand of unprivileged and potentially malicious processes, especially because of side-channel attacks against access-controls or other parts of the kernel. Thanks to this new implementation (1540 SLOC), designed from the ground to be used by unprivileged processes, this series enables a process to sandbox itself without requiring CAP_SYS_ADMIN, but only the no_new_privs constraint (like seccomp). Not relying on eBPF also enables to improve performances, especially for stacked security policies thanks to mergeable rulesets. The compiled documentation is available here: https://landlock.io/linux-doc/landlock-v14/security/landlock/index.html This series can be applied on top of v5.6-rc3. This can be tested with CONFIG_SECURITY_LANDLOCK and CONFIG_SAMPLE_LANDLOCK. This patch series can be found in a Git repository here: https://github.com/landlock-lsm/linux/commits/landlock-v14 I would really appreciate constructive comments on the design and the code. # Landlock LSM The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM [3], it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock empower any process, including unprivileged ones, to securely restrict themselves. Landlock is inspired by seccomp-bpf but instead of filtering syscalls and their raw arguments, a Landlock rule can restrict the use of kernel objects like file hierarchies, according to the kernel semantic. Landlock also takes inspiration from other OS sandbox mechanisms: XNU Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil. # Current limitations ## Path walk Landlock need to use dentries to identify a file hierarchy, which is needed for composable and unprivileged access-controls. This means that path resolution/walking (handled with inode_permission()) is not supported, yet. This could be filled with a future extension first of the LSM framework. The Landlock userspace ABI can handle such change with new option (e.g. to the struct landlock_ruleset). ## UnionFS An UnionFS super-block use a set of upper and lower directories. An access request to a file in one of these hierarchy trigger a call to ovl_path_real() which generate another access request according to the matching hierarchy. Because such super-block is not aware of its current mount point, OverlayFS can't create a dedicated mnt_parent for each of the upper and lower directories mount clones. It is then not currently possible to track the source of such indirect access-request, and then not possible to identify a unified OverlayFS hierarchy. ## Syscall Because it is only tested on x86_64, the syscall is only wired up for this architecture. The whole x86 family (and probably all the others) will be supported in the next patch series. ## Memory limits There is currently no limit on the memory usage. Any idea to leverage an existing mechanism (e.g. rlimit)? # Changes since v13 * Revamp of the LSM: remove the need for eBPF and seccomp(2). * Implement a full filesystem access-control. * Take care of the backward compatibility issues, especially for this security features. Previous version: https://lore.kernel.org/lkml/20191104172146.30797-1-mic@digikod.net/ [1] https://lore.kernel.org/lkml/20191104172146.30797-1-mic@digikod.net/ [2] https://lore.kernel.org/lkml/a6b61f33-82dc-0c1c-7a6c-1926343ef63e@digikod.net/ [3] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com/ Regards, Mickaël Salaün (10): landlock: Add object and rule management landlock: Add ruleset and domain management landlock: Set up the security framework and manage credentials landlock: Add ptrace restrictions fs,landlock: Support filesystem access-control landlock: Add syscall implementation arch: Wire up landlock() syscall selftests/landlock: Add initial tests samples/landlock: Add a sandbox manager example landlock: Add user and kernel documentation Documentation/security/index.rst | 1 + Documentation/security/landlock/index.rst | 18 + Documentation/security/landlock/kernel.rst | 44 ++ Documentation/security/landlock/user.rst | 233 +++++++ MAINTAINERS | 12 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + fs/super.c | 2 + include/linux/landlock.h | 22 + include/linux/syscalls.h | 3 + include/uapi/asm-generic/unistd.h | 4 +- include/uapi/linux/landlock.h | 315 +++++++++ samples/Kconfig | 7 + samples/Makefile | 1 + samples/landlock/.gitignore | 1 + samples/landlock/Makefile | 15 + samples/landlock/sandboxer.c | 226 +++++++ security/Kconfig | 11 +- security/Makefile | 2 + security/landlock/Kconfig | 16 + security/landlock/Makefile | 4 + security/landlock/cred.c | 47 ++ security/landlock/cred.h | 55 ++ security/landlock/fs.c | 591 +++++++++++++++++ security/landlock/fs.h | 42 ++ security/landlock/object.c | 341 ++++++++++ security/landlock/object.h | 134 ++++ security/landlock/ptrace.c | 118 ++++ security/landlock/ptrace.h | 14 + security/landlock/ruleset.c | 463 +++++++++++++ security/landlock/ruleset.h | 106 +++ security/landlock/setup.c | 38 ++ security/landlock/setup.h | 20 + security/landlock/syscall.c | 470 +++++++++++++ tools/testing/selftests/Makefile | 1 + tools/testing/selftests/landlock/.gitignore | 3 + tools/testing/selftests/landlock/Makefile | 13 + tools/testing/selftests/landlock/config | 4 + tools/testing/selftests/landlock/test.h | 40 ++ tools/testing/selftests/landlock/test_base.c | 80 +++ tools/testing/selftests/landlock/test_fs.c | 624 ++++++++++++++++++ .../testing/selftests/landlock/test_ptrace.c | 293 ++++++++ 41 files changed, 4429 insertions(+), 6 deletions(-) create mode 100644 Documentation/security/landlock/index.rst create mode 100644 Documentation/security/landlock/kernel.rst create mode 100644 Documentation/security/landlock/user.rst create mode 100644 include/linux/landlock.h create mode 100644 include/uapi/linux/landlock.h create mode 100644 samples/landlock/.gitignore create mode 100644 samples/landlock/Makefile create mode 100644 samples/landlock/sandboxer.c create mode 100644 security/landlock/Kconfig create mode 100644 security/landlock/Makefile create mode 100644 security/landlock/cred.c create mode 100644 security/landlock/cred.h create mode 100644 security/landlock/fs.c create mode 100644 security/landlock/fs.h create mode 100644 security/landlock/object.c create mode 100644 security/landlock/object.h create mode 100644 security/landlock/ptrace.c create mode 100644 security/landlock/ptrace.h create mode 100644 security/landlock/ruleset.c create mode 100644 security/landlock/ruleset.h create mode 100644 security/landlock/setup.c create mode 100644 security/landlock/setup.h create mode 100644 security/landlock/syscall.c create mode 100644 tools/testing/selftests/landlock/.gitignore create mode 100644 tools/testing/selftests/landlock/Makefile create mode 100644 tools/testing/selftests/landlock/config create mode 100644 tools/testing/selftests/landlock/test.h create mode 100644 tools/testing/selftests/landlock/test_base.c create mode 100644 tools/testing/selftests/landlock/test_fs.c create mode 100644 tools/testing/selftests/landlock/test_ptrace.c -- 2.25.0
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.