Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210422154123.13086-1-mic@digikod.net>
Date: Thu, 22 Apr 2021 17:41:10 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: James Morris <jmorris@...ei.org>,
	Jann Horn <jannh@...gle.com>,
	Kees Cook <keescook@...omium.org>,
	"Serge E . Hallyn" <serge@...lyn.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
	Al Viro <viro@...iv.linux.org.uk>,
	Andy Lutomirski <luto@...capital.net>,
	Anton Ivanov <anton.ivanov@...bridgegreys.com>,
	Arnd Bergmann <arnd@...db.de>,
	Casey Schaufler <casey@...aufler-ca.com>,
	David Howells <dhowells@...hat.com>,
	Jeff Dike <jdike@...toit.com>,
	Jonathan Corbet <corbet@....net>,
	Michael Kerrisk <mtk.manpages@...il.com>,
	Richard Weinberger <richard@....at>,
	Shuah Khan <shuah@...nel.org>,
	Vincent Dagonneau <vincent.dagonneau@....gouv.fr>,
	kernel-hardening@...ts.openwall.com,
	linux-api@...r.kernel.org,
	linux-arch@...r.kernel.org,
	linux-doc@...r.kernel.org,
	linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-kselftest@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	x86@...nel.org
Subject: [PATCH v34 00/13] Landlock LSM

Hi,

This updated patch series adds a new patch on top of the previous ones.
It brings a new flag to landlock_create_ruleset(2) that enables
efficient and simple backward compatibility checks for future evolutions
of Landlock (e.g. new access-control rights).  Indeed, it is important
to help user space to follow a best-effort security.  This new flag is
not strictly useful for applications using the current Landlock features
but it will be useful when applications developed for newer kernels will
be run on older kernels (e.g. the current one).

Here is an example of a (work in progress) library using this
information to provide a nice backward compatible API:
https://github.com/landlock-lsm/rust-landlock

The SLOC count is 1331 for security/landlock/ and 2626 for
tools/testing/selftest/landlock/ .
Test coverage for security/landlock/ is 93.6% of lines:
https://landlock.io/linux-lcov/landlock-v34/security/landlock/index.html
The code not covered only deals with internal kernel errors (e.g. memory
allocation), race conditions and safety checks that should not be
triggered.  This series is being fuzzed by syzkaller (covering internal
kernel errors) that now supports Landlock:
https://github.com/google/syzkaller/pull/2380
syzkaller coverage reached 72% (ci-upstream-linux-next-kasan-gce-root):
https://syzkaller.appspot.com/upstream

The HTML documentation is available here:
https://landlock.io/linux-doc/landlock-v34/userspace-api/landlock.html

This series can be applied on top of v5.12-rc3 .  This can be tested with
CONFIG_SECURITY_LANDLOCK, CONFIG_SAMPLE_LANDLOCK and by prepending
"landlock," to CONFIG_LSM.  This patch series can be found in a Git
repository here:
https://github.com/landlock-lsm/linux/commits/landlock-v34
This patch series seems ready for upstream and I would really appreciate
final reviews.

Landlock LSM
============

The goal of Landlock is to enable to restrict ambient rights (e.g.
global filesystem access) for a set of processes.  Because Landlock is a
stackable LSM [1], it makes possible to create safe security sandboxes
as new security layers in addition to the existing system-wide
access-controls. This kind of sandbox is expected to help mitigate the
security impact of bugs or unexpected/malicious behaviors in user-space
applications. Landlock empowers any process, including unprivileged
ones, to securely restrict themselves.

Landlock is inspired by seccomp-bpf but instead of filtering syscalls
and their raw arguments, a Landlock rule can restrict the use of kernel
objects like file hierarchies, according to the kernel semantic.
Landlock also takes inspiration from other OS sandbox mechanisms: XNU
Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil.

In this current form, Landlock misses some access-control features.
This enables to minimize this patch series and ease review.  This series
still addresses multiple use cases, especially with the combined use of
seccomp-bpf: applications with built-in sandboxing, init systems,
security sandbox tools and security-oriented APIs [2].

[1] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com/
[2] https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.net/

Previous versions:
v33: https://lore.kernel.org/lkml/20210407160726.542794-1-mic@digikod.net/
v32: https://lore.kernel.org/lkml/20210401205208.2756565-1-mic@digikod.net/
v31: https://lore.kernel.org/lkml/20210324191520.125779-1-mic@digikod.net/
v30: https://lore.kernel.org/lkml/20210316204252.427806-1-mic@digikod.net/
v29: https://lore.kernel.org/lkml/20210225190614.2181147-1-mic@digikod.net/
v28: https://lore.kernel.org/lkml/20210202162710.657398-1-mic@digikod.net/
v27: https://lore.kernel.org/lkml/20210121205119.793296-1-mic@digikod.net/
v26: https://lore.kernel.org/lkml/20201209192839.1396820-1-mic@digikod.net/
v25: https://lore.kernel.org/lkml/20201201192322.213239-1-mic@digikod.net/
v24: https://lore.kernel.org/lkml/20201112205141.775752-1-mic@digikod.net/
v23: https://lore.kernel.org/lkml/20201103182109.1014179-1-mic@digikod.net/
v22: https://lore.kernel.org/lkml/20201027200358.557003-1-mic@digikod.net/
v21: https://lore.kernel.org/lkml/20201008153103.1155388-1-mic@digikod.net/
v20: https://lore.kernel.org/lkml/20200802215903.91936-1-mic@digikod.net/
v19: https://lore.kernel.org/lkml/20200707180955.53024-1-mic@digikod.net/
v18: https://lore.kernel.org/lkml/20200526205322.23465-1-mic@digikod.net/
v17: https://lore.kernel.org/lkml/20200511192156.1618284-1-mic@digikod.net/
v16: https://lore.kernel.org/lkml/20200416103955.145757-1-mic@digikod.net/
v15: https://lore.kernel.org/lkml/20200326202731.693608-1-mic@digikod.net/
v14: https://lore.kernel.org/lkml/20200224160215.4136-1-mic@digikod.net/
v13: https://lore.kernel.org/lkml/20191104172146.30797-1-mic@digikod.net/
v12: https://lore.kernel.org/lkml/20191031164445.29426-1-mic@digikod.net/
v11: https://lore.kernel.org/lkml/20191029171505.6650-1-mic@digikod.net/
v10: https://lore.kernel.org/lkml/20190721213116.23476-1-mic@digikod.net/
v9: https://lore.kernel.org/lkml/20190625215239.11136-1-mic@digikod.net/
v8: https://lore.kernel.org/lkml/20180227004121.3633-1-mic@digikod.net/
v7: https://lore.kernel.org/lkml/20170821000933.13024-1-mic@digikod.net/
v6: https://lore.kernel.org/lkml/20170328234650.19695-1-mic@digikod.net/
v5: https://lore.kernel.org/lkml/20170222012632.4196-1-mic@digikod.net/
v4: https://lore.kernel.org/lkml/20161026065654.19166-1-mic@digikod.net/
v3: https://lore.kernel.org/lkml/20160914072415.26021-1-mic@digikod.net/
v2: https://lore.kernel.org/lkml/1472121165-29071-1-git-send-email-mic@digikod.net/
v1: https://lore.kernel.org/kernel-hardening/1458784008-16277-1-git-send-email-mic@digikod.net/

Casey Schaufler (1):
  LSM: Infrastructure management of the superblock

Mickaël Salaün (12):
  landlock: Add object management
  landlock: Add ruleset and domain management
  landlock: Set up the security framework and manage credentials
  landlock: Add ptrace restrictions
  fs,security: Add sb_delete hook
  landlock: Support filesystem access-control
  landlock: Add syscall implementations
  arch: Wire up Landlock syscalls
  selftests/landlock: Add user space tests
  samples/landlock: Add a sandbox manager example
  landlock: Add user and kernel documentation
  landlock: Enable user space to infer supported features

 Documentation/security/index.rst              |    1 +
 Documentation/security/landlock.rst           |   85 +
 Documentation/userspace-api/index.rst         |    1 +
 Documentation/userspace-api/landlock.rst      |  311 ++
 MAINTAINERS                                   |   15 +
 arch/Kconfig                                  |    7 +
 arch/alpha/kernel/syscalls/syscall.tbl        |    3 +
 arch/arm/tools/syscall.tbl                    |    3 +
 arch/arm64/include/asm/unistd.h               |    2 +-
 arch/arm64/include/asm/unistd32.h             |    6 +
 arch/ia64/kernel/syscalls/syscall.tbl         |    3 +
 arch/m68k/kernel/syscalls/syscall.tbl         |    3 +
 arch/microblaze/kernel/syscalls/syscall.tbl   |    3 +
 arch/mips/kernel/syscalls/syscall_n32.tbl     |    3 +
 arch/mips/kernel/syscalls/syscall_n64.tbl     |    3 +
 arch/mips/kernel/syscalls/syscall_o32.tbl     |    3 +
 arch/parisc/kernel/syscalls/syscall.tbl       |    3 +
 arch/powerpc/kernel/syscalls/syscall.tbl      |    3 +
 arch/s390/kernel/syscalls/syscall.tbl         |    3 +
 arch/sh/kernel/syscalls/syscall.tbl           |    3 +
 arch/sparc/kernel/syscalls/syscall.tbl        |    3 +
 arch/um/Kconfig                               |    1 +
 arch/x86/entry/syscalls/syscall_32.tbl        |    3 +
 arch/x86/entry/syscalls/syscall_64.tbl        |    3 +
 arch/xtensa/kernel/syscalls/syscall.tbl       |    3 +
 fs/super.c                                    |    1 +
 include/linux/lsm_hook_defs.h                 |    1 +
 include/linux/lsm_hooks.h                     |    4 +
 include/linux/security.h                      |    4 +
 include/linux/syscalls.h                      |    7 +
 include/uapi/asm-generic/unistd.h             |    8 +-
 include/uapi/linux/landlock.h                 |  137 +
 kernel/sys_ni.c                               |    5 +
 samples/Kconfig                               |    7 +
 samples/Makefile                              |    1 +
 samples/landlock/.gitignore                   |    1 +
 samples/landlock/Makefile                     |   13 +
 samples/landlock/sandboxer.c                  |  238 ++
 security/Kconfig                              |   11 +-
 security/Makefile                             |    2 +
 security/landlock/Kconfig                     |   21 +
 security/landlock/Makefile                    |    4 +
 security/landlock/common.h                    |   20 +
 security/landlock/cred.c                      |   46 +
 security/landlock/cred.h                      |   58 +
 security/landlock/fs.c                        |  692 ++++
 security/landlock/fs.h                        |   70 +
 security/landlock/limits.h                    |   21 +
 security/landlock/object.c                    |   67 +
 security/landlock/object.h                    |   91 +
 security/landlock/ptrace.c                    |  120 +
 security/landlock/ptrace.h                    |   14 +
 security/landlock/ruleset.c                   |  473 +++
 security/landlock/ruleset.h                   |  165 +
 security/landlock/setup.c                     |   40 +
 security/landlock/setup.h                     |   18 +
 security/landlock/syscalls.c                  |  451 +++
 security/security.c                           |   51 +-
 security/selinux/hooks.c                      |   58 +-
 security/selinux/include/objsec.h             |    6 +
 security/selinux/ss/services.c                |    3 +-
 security/smack/smack.h                        |    6 +
 security/smack/smack_lsm.c                    |   35 +-
 tools/testing/selftests/Makefile              |    1 +
 tools/testing/selftests/landlock/.gitignore   |    2 +
 tools/testing/selftests/landlock/Makefile     |   24 +
 tools/testing/selftests/landlock/base_test.c  |  266 ++
 tools/testing/selftests/landlock/common.h     |  183 ++
 tools/testing/selftests/landlock/config       |    7 +
 tools/testing/selftests/landlock/fs_test.c    | 2791 +++++++++++++++++
 .../testing/selftests/landlock/ptrace_test.c  |  337 ++
 tools/testing/selftests/landlock/true.c       |    5 +
 72 files changed, 6986 insertions(+), 77 deletions(-)
 create mode 100644 Documentation/security/landlock.rst
 create mode 100644 Documentation/userspace-api/landlock.rst
 create mode 100644 include/uapi/linux/landlock.h
 create mode 100644 samples/landlock/.gitignore
 create mode 100644 samples/landlock/Makefile
 create mode 100644 samples/landlock/sandboxer.c
 create mode 100644 security/landlock/Kconfig
 create mode 100644 security/landlock/Makefile
 create mode 100644 security/landlock/common.h
 create mode 100644 security/landlock/cred.c
 create mode 100644 security/landlock/cred.h
 create mode 100644 security/landlock/fs.c
 create mode 100644 security/landlock/fs.h
 create mode 100644 security/landlock/limits.h
 create mode 100644 security/landlock/object.c
 create mode 100644 security/landlock/object.h
 create mode 100644 security/landlock/ptrace.c
 create mode 100644 security/landlock/ptrace.h
 create mode 100644 security/landlock/ruleset.c
 create mode 100644 security/landlock/ruleset.h
 create mode 100644 security/landlock/setup.c
 create mode 100644 security/landlock/setup.h
 create mode 100644 security/landlock/syscalls.c
 create mode 100644 tools/testing/selftests/landlock/.gitignore
 create mode 100644 tools/testing/selftests/landlock/Makefile
 create mode 100644 tools/testing/selftests/landlock/base_test.c
 create mode 100644 tools/testing/selftests/landlock/common.h
 create mode 100644 tools/testing/selftests/landlock/config
 create mode 100644 tools/testing/selftests/landlock/fs_test.c
 create mode 100644 tools/testing/selftests/landlock/ptrace_test.c
 create mode 100644 tools/testing/selftests/landlock/true.c


base-commit: 1e28eed17697bcf343c6743f0028cc3b5dd88bf0
-- 
2.31.1

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.