|
Message-ID: <441bd1cd-03fd-8e30-c370-3d0f0263d564@digikod.net> Date: Wed, 17 Aug 2022 18:49:48 +0200 From: Mickaël Salaün <mic@...ikod.net> To: landlock@...ts.linux.dev Cc: linux-security-module@...r.kernel.org, oss-security@...ts.openwall.com Subject: Landlock news #2 Hi, Here is the second Landlock newsletter! It's been a while and there is some news to catch up. Official website: https://landlock.io Previews newsletter: https://lore.kernel.org/landlock/2df4887a-1710-bba2-f49c-cd5b785bb565@digikod.net/ Kernel ------ ### Linux distributions Landlock is now supported by default in major Linux distributions: * Alpine Linux * Arch Linux * chromeOS (including for Linux 5.10) * Debian Sid * Fedora 35 * Ubuntu 20.04 LTS ### New features for Linux 5.19 Linux 5.19 is now released, and it includes some Landlock changes: https://git.kernel.org/torvalds/c/cb44e4f061e1 The main one being full renaming and linking support thanks to the new LANDLOCK_ACCESS_FS_REFER access right. This lift one major limitation that was blocking for more generic sandboxing (e.g., container runtimes). This comes with a second Landlock ABI version that should be checked to leverage Landlock in a best-effort way. See the updated documentation: https://docs.kernel.org/userspace-api/landlock.html If developers don't change their ruleset's handled access rights, a sandboxed application will not change. If they add the new LANDLOCK_ACCESS_FS_REFER right, then they should first check the ABI version to make sure it will work as expected: int abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); if (abi < 2) { ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; } path_beneath_attr.allowed_access &= ruleset_attr.handled_access_fs; ### Backports A too-restrictive filesystem control for a rare corner case was fixed and backported down to Linux 5.13: https://git.kernel.org/stable/c/8ba0005ff418 The backports also include more tests to check ABI stability, and the maximum number of nested sandboxes is now down to 16: https://git.kernel.org/stable/c/75c542d6c6cc User space ---------- We are currently brainstorming about how to make libraries properly and easily handle compatibility for several kernel versions: https://lore.kernel.org/landlock/7290b021-c90f-76e9-7868-ed612595b411@digikod.net/ ### Go library As described by Günther Noack, go-landlock added support for Landlock ABI v2 and the LANDLOCK_ACCESS_FS_REFER flag. Usage example: err := landlock.V2.RestrictPaths( landlock.RWDirs("/src", "/dest").WithRefer(), ) See the documentation: https://pkg.go.dev/github.com/landlock-lsm/go-landlock/landlock ### Rust library There is some work going on for the Rust library. There is new documentation, test coverage improvements, CI checks with different kernel versions, API improvements, and new helpers to make it easier for common use cases (while leveraging the strong type system). Usage example: let abi = ABI::V1; let status = Ruleset::new() .handle_access(AccessFs::from_all(abi))? .create()? // Read-only access to /usr, /etc and /dev. .add_rules(path_beneath_rules(&["/usr", "/etc", "/dev"], AccessFs::from_read(abi)))? // Read-write access to /home and /tmp. .add_rules(path_beneath_rules(&["/home", "/tmp"], AccessFs::from_all(abi)))? .restrict_self()?; There is still some room for improvements with syntactic sugar, but the priority is to make the compatibility (with different kernel versions) flexible, easy to handle and future-proof: https://github.com/landlock-lsm/rust-landlock/pull/12 We plan to release a new version in the coming weeks, but in the meantime, you can try the development branch which is much easier to use than the currently released version: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-dependencies-from-git-repositories See the new documentation: https://landlock.io/rust-landlock/landlock/ ### New Landlock users New sandbox manager and library support: * A Pledge and Unveil implementation for Linux (with the Cosmopolitan libc): https://justine.lol/pledge/ * Minijail: https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/minijail/landlock_util.h * exile.h (header-only sandboxing library): https://github.com/quitesimpleorg/exile.h New open-source software using or working on supporting Landlock: * Game of Trees (version control system): https://git.gameoftrees.org/gitweb/?p=got-portable.git;a=blob;f=compat/landlock.c * Suricata (network IDS): https://github.com/OISF/suricata/pull/7697 * Landlock Make (zero-configuration sandboxing for hermetic builds): https://justine.lol/make/ Please let me know if I missed other Landlock users. Conferences ----------- I gave two talks about Landlock. One about the new Landlock features brought by Linux 5.19 and the other about practical example of how to sandbox an application. ### Update on Landlock: Lifting the File Reparenting Limits and Supporting Network Rules The Linux Security Summit North America talk is about the lifting of some Landlock limitations due to incremental development. One of the most annoying limitations, especially for generic containers, is the inability to change the parent directory of a file e.g., with rename(2) or link(2). In the first part, we explain what the related challenges were and how we can now use the new LANDLOCK_ACCESS_FS_REFER right to allow renaming and linking without risking bypassing the security policy. File system access control is required to protect data, but network access control is also very important. In the second part, we talk about the upcoming network access control support that will enable us to create simple app-centric or container firewalls. https://sched.co/11MXq https://youtu.be/MWjW-QwK_ZA ### Sandboxing your application with Landlock, illustration with the p7zip case The Pass the Salt talk quickly introduces the main Landlock properties, and we then explain how to sandbox your own application. We use p7zip, a C++ archive manager, as a practical example. https://cfp.pass-the-salt.org/pts2022/talk/BGQGZC/ Unconstrained access and ongoing development -------------------------------------------- One important thing to keep in mind about Landlock is that it is an incremental development, and it is not complete yet, but still useful (especially in combination with seccomp to deny some access types). See the Pledge implementation on Linux for such example. It should be noted that this also has limits: https://blog.gnoack.org/post/pledge-on-linux/ One step in this journey is to control access to truncate operations. Günther Noack is implementing such a feature which should be merged soon: https://lore.kernel.org/all/20220814192603.7387-1-gnoack3000@gmail.com/ Konstantin Meskhidze is working on the initial network implementation which will bring two new access rights (TCP_BIND and TCP_CONNECT): https://lore.kernel.org/all/20220621082313.3330667-1-konstantin.meskhidze@huawei.com/ There are still some unanswered questions about the best approach to restrict UDP: https://lore.kernel.org/all/a5ef620d-0447-3d58-d9bd-1220b8411957@digikod.net/ Feel free to reply to this thread. Roadmap ------- And finally, an update on the Landlock kernel roadmap. Short term: * add audit features to ease debugging; * add minimal network access-control types; * add minimal process signaling access-control types; * improve kernel performance for the current features; Medium term: * extend filesystem access-control types to address the current limitations; * add the ability to follow a deny listing approach, which is required for some use cases. * extend network access-control types; Long term: * add the ability to create (file descriptor) capabilities compatible with Capsicum. Regards, Mickaël
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.