|
Message-Id: <20210422154123.13086-1-mic@digikod.net> Date: Thu, 22 Apr 2021 17:41:10 +0200 From: Mickaël Salaün <mic@...ikod.net> To: James Morris <jmorris@...ei.org>, Jann Horn <jannh@...gle.com>, Kees Cook <keescook@...omium.org>, "Serge E . Hallyn" <serge@...lyn.com> Cc: Mickaël Salaün <mic@...ikod.net>, Al Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...capital.net>, Anton Ivanov <anton.ivanov@...bridgegreys.com>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, David Howells <dhowells@...hat.com>, Jeff Dike <jdike@...toit.com>, Jonathan Corbet <corbet@....net>, Michael Kerrisk <mtk.manpages@...il.com>, Richard Weinberger <richard@....at>, Shuah Khan <shuah@...nel.org>, Vincent Dagonneau <vincent.dagonneau@....gouv.fr>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-arch@...r.kernel.org, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, linux-security-module@...r.kernel.org, x86@...nel.org Subject: [PATCH v34 00/13] Landlock LSM Hi, This updated patch series adds a new patch on top of the previous ones. It brings a new flag to landlock_create_ruleset(2) that enables efficient and simple backward compatibility checks for future evolutions of Landlock (e.g. new access-control rights). Indeed, it is important to help user space to follow a best-effort security. This new flag is not strictly useful for applications using the current Landlock features but it will be useful when applications developed for newer kernels will be run on older kernels (e.g. the current one). Here is an example of a (work in progress) library using this information to provide a nice backward compatible API: https://github.com/landlock-lsm/rust-landlock The SLOC count is 1331 for security/landlock/ and 2626 for tools/testing/selftest/landlock/ . Test coverage for security/landlock/ is 93.6% of lines: https://landlock.io/linux-lcov/landlock-v34/security/landlock/index.html The code not covered only deals with internal kernel errors (e.g. memory allocation), race conditions and safety checks that should not be triggered. This series is being fuzzed by syzkaller (covering internal kernel errors) that now supports Landlock: https://github.com/google/syzkaller/pull/2380 syzkaller coverage reached 72% (ci-upstream-linux-next-kasan-gce-root): https://syzkaller.appspot.com/upstream The HTML documentation is available here: https://landlock.io/linux-doc/landlock-v34/userspace-api/landlock.html This series can be applied on top of v5.12-rc3 . This can be tested with CONFIG_SECURITY_LANDLOCK, CONFIG_SAMPLE_LANDLOCK and by prepending "landlock," to CONFIG_LSM. This patch series can be found in a Git repository here: https://github.com/landlock-lsm/linux/commits/landlock-v34 This patch series seems ready for upstream and I would really appreciate final reviews. Landlock LSM ============ The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM [1], it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves. Landlock is inspired by seccomp-bpf but instead of filtering syscalls and their raw arguments, a Landlock rule can restrict the use of kernel objects like file hierarchies, according to the kernel semantic. Landlock also takes inspiration from other OS sandbox mechanisms: XNU Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil. In this current form, Landlock misses some access-control features. This enables to minimize this patch series and ease review. This series still addresses multiple use cases, especially with the combined use of seccomp-bpf: applications with built-in sandboxing, init systems, security sandbox tools and security-oriented APIs [2]. [1] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com/ [2] https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.net/ Previous versions: v33: https://lore.kernel.org/lkml/20210407160726.542794-1-mic@digikod.net/ v32: https://lore.kernel.org/lkml/20210401205208.2756565-1-mic@digikod.net/ v31: https://lore.kernel.org/lkml/20210324191520.125779-1-mic@digikod.net/ v30: https://lore.kernel.org/lkml/20210316204252.427806-1-mic@digikod.net/ v29: https://lore.kernel.org/lkml/20210225190614.2181147-1-mic@digikod.net/ v28: https://lore.kernel.org/lkml/20210202162710.657398-1-mic@digikod.net/ v27: https://lore.kernel.org/lkml/20210121205119.793296-1-mic@digikod.net/ v26: https://lore.kernel.org/lkml/20201209192839.1396820-1-mic@digikod.net/ v25: https://lore.kernel.org/lkml/20201201192322.213239-1-mic@digikod.net/ v24: https://lore.kernel.org/lkml/20201112205141.775752-1-mic@digikod.net/ v23: https://lore.kernel.org/lkml/20201103182109.1014179-1-mic@digikod.net/ v22: https://lore.kernel.org/lkml/20201027200358.557003-1-mic@digikod.net/ v21: https://lore.kernel.org/lkml/20201008153103.1155388-1-mic@digikod.net/ v20: https://lore.kernel.org/lkml/20200802215903.91936-1-mic@digikod.net/ v19: https://lore.kernel.org/lkml/20200707180955.53024-1-mic@digikod.net/ v18: https://lore.kernel.org/lkml/20200526205322.23465-1-mic@digikod.net/ v17: https://lore.kernel.org/lkml/20200511192156.1618284-1-mic@digikod.net/ v16: https://lore.kernel.org/lkml/20200416103955.145757-1-mic@digikod.net/ v15: https://lore.kernel.org/lkml/20200326202731.693608-1-mic@digikod.net/ v14: https://lore.kernel.org/lkml/20200224160215.4136-1-mic@digikod.net/ v13: https://lore.kernel.org/lkml/20191104172146.30797-1-mic@digikod.net/ v12: https://lore.kernel.org/lkml/20191031164445.29426-1-mic@digikod.net/ v11: https://lore.kernel.org/lkml/20191029171505.6650-1-mic@digikod.net/ v10: https://lore.kernel.org/lkml/20190721213116.23476-1-mic@digikod.net/ v9: https://lore.kernel.org/lkml/20190625215239.11136-1-mic@digikod.net/ v8: https://lore.kernel.org/lkml/20180227004121.3633-1-mic@digikod.net/ v7: https://lore.kernel.org/lkml/20170821000933.13024-1-mic@digikod.net/ v6: https://lore.kernel.org/lkml/20170328234650.19695-1-mic@digikod.net/ v5: https://lore.kernel.org/lkml/20170222012632.4196-1-mic@digikod.net/ v4: https://lore.kernel.org/lkml/20161026065654.19166-1-mic@digikod.net/ v3: https://lore.kernel.org/lkml/20160914072415.26021-1-mic@digikod.net/ v2: https://lore.kernel.org/lkml/1472121165-29071-1-git-send-email-mic@digikod.net/ v1: https://lore.kernel.org/kernel-hardening/1458784008-16277-1-git-send-email-mic@digikod.net/ Casey Schaufler (1): LSM: Infrastructure management of the superblock Mickaël Salaün (12): landlock: Add object management landlock: Add ruleset and domain management landlock: Set up the security framework and manage credentials landlock: Add ptrace restrictions fs,security: Add sb_delete hook landlock: Support filesystem access-control landlock: Add syscall implementations arch: Wire up Landlock syscalls selftests/landlock: Add user space tests samples/landlock: Add a sandbox manager example landlock: Add user and kernel documentation landlock: Enable user space to infer supported features Documentation/security/index.rst | 1 + Documentation/security/landlock.rst | 85 + Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/landlock.rst | 311 ++ MAINTAINERS | 15 + arch/Kconfig | 7 + arch/alpha/kernel/syscalls/syscall.tbl | 3 + arch/arm/tools/syscall.tbl | 3 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 6 + arch/ia64/kernel/syscalls/syscall.tbl | 3 + arch/m68k/kernel/syscalls/syscall.tbl | 3 + arch/microblaze/kernel/syscalls/syscall.tbl | 3 + arch/mips/kernel/syscalls/syscall_n32.tbl | 3 + arch/mips/kernel/syscalls/syscall_n64.tbl | 3 + arch/mips/kernel/syscalls/syscall_o32.tbl | 3 + arch/parisc/kernel/syscalls/syscall.tbl | 3 + arch/powerpc/kernel/syscalls/syscall.tbl | 3 + arch/s390/kernel/syscalls/syscall.tbl | 3 + arch/sh/kernel/syscalls/syscall.tbl | 3 + arch/sparc/kernel/syscalls/syscall.tbl | 3 + arch/um/Kconfig | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 3 + arch/x86/entry/syscalls/syscall_64.tbl | 3 + arch/xtensa/kernel/syscalls/syscall.tbl | 3 + fs/super.c | 1 + include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 4 + include/linux/security.h | 4 + include/linux/syscalls.h | 7 + include/uapi/asm-generic/unistd.h | 8 +- include/uapi/linux/landlock.h | 137 + kernel/sys_ni.c | 5 + samples/Kconfig | 7 + samples/Makefile | 1 + samples/landlock/.gitignore | 1 + samples/landlock/Makefile | 13 + samples/landlock/sandboxer.c | 238 ++ security/Kconfig | 11 +- security/Makefile | 2 + security/landlock/Kconfig | 21 + security/landlock/Makefile | 4 + security/landlock/common.h | 20 + security/landlock/cred.c | 46 + security/landlock/cred.h | 58 + security/landlock/fs.c | 692 ++++ security/landlock/fs.h | 70 + security/landlock/limits.h | 21 + security/landlock/object.c | 67 + security/landlock/object.h | 91 + security/landlock/ptrace.c | 120 + security/landlock/ptrace.h | 14 + security/landlock/ruleset.c | 473 +++ security/landlock/ruleset.h | 165 + security/landlock/setup.c | 40 + security/landlock/setup.h | 18 + security/landlock/syscalls.c | 451 +++ security/security.c | 51 +- security/selinux/hooks.c | 58 +- security/selinux/include/objsec.h | 6 + security/selinux/ss/services.c | 3 +- security/smack/smack.h | 6 + security/smack/smack_lsm.c | 35 +- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/landlock/.gitignore | 2 + tools/testing/selftests/landlock/Makefile | 24 + tools/testing/selftests/landlock/base_test.c | 266 ++ tools/testing/selftests/landlock/common.h | 183 ++ tools/testing/selftests/landlock/config | 7 + tools/testing/selftests/landlock/fs_test.c | 2791 +++++++++++++++++ .../testing/selftests/landlock/ptrace_test.c | 337 ++ tools/testing/selftests/landlock/true.c | 5 + 72 files changed, 6986 insertions(+), 77 deletions(-) create mode 100644 Documentation/security/landlock.rst create mode 100644 Documentation/userspace-api/landlock.rst create mode 100644 include/uapi/linux/landlock.h create mode 100644 samples/landlock/.gitignore create mode 100644 samples/landlock/Makefile create mode 100644 samples/landlock/sandboxer.c create mode 100644 security/landlock/Kconfig create mode 100644 security/landlock/Makefile create mode 100644 security/landlock/common.h create mode 100644 security/landlock/cred.c create mode 100644 security/landlock/cred.h create mode 100644 security/landlock/fs.c create mode 100644 security/landlock/fs.h create mode 100644 security/landlock/limits.h create mode 100644 security/landlock/object.c create mode 100644 security/landlock/object.h create mode 100644 security/landlock/ptrace.c create mode 100644 security/landlock/ptrace.h create mode 100644 security/landlock/ruleset.c create mode 100644 security/landlock/ruleset.h create mode 100644 security/landlock/setup.c create mode 100644 security/landlock/setup.h create mode 100644 security/landlock/syscalls.c create mode 100644 tools/testing/selftests/landlock/.gitignore create mode 100644 tools/testing/selftests/landlock/Makefile create mode 100644 tools/testing/selftests/landlock/base_test.c create mode 100644 tools/testing/selftests/landlock/common.h create mode 100644 tools/testing/selftests/landlock/config create mode 100644 tools/testing/selftests/landlock/fs_test.c create mode 100644 tools/testing/selftests/landlock/ptrace_test.c create mode 100644 tools/testing/selftests/landlock/true.c base-commit: 1e28eed17697bcf343c6743f0028cc3b5dd88bf0 -- 2.31.1
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.