Message-ID: <20240716.yui4Iezai8ae@digikod.net>
Date: Tue, 16 Jul 2024 17:27:21 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: landlock@...ts.linux.dev
Cc: Günther Noack <gnoack@...gle.com>, 
	Konstantin Meskhidze <konstantin.meskhidze@...wei.com>, Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>, 
	Tahera Fahimi <fahimitahera@...il.com>, lwn@....net, linux-security-module@...r.kernel.org, 
	oss-security@...ts.openwall.com
Subject: Landlock news #4

Here is the fourth Landlock newsletter!

Official website: https://landlock.io
Previous newsletter:
https://lore.kernel.org/landlock/d4ed5733-d07b-5548-2534-a63e22906778@digikod.net

Articles and conferences
------------------------

We wrote a detailed article about Landlock explaining the underlying
concepts, the implementation, and the community:
https://landlock.io/talks/2024-06-06_landlock-article.pdf
This was written for the SSTIC conference:
https://www.sstic.org/2024/presentation/landlock-design/

I did a workshop at the Pass the Salt conference to explain how to
mitigate security vulnerabilities with Landlock (demonstrated with
ImageMagick): https://cfp.pass-the-salt.org/pts2024/talk/8FVYDF/
Related materials are freely available to do it at home:
https://github.com/landlock-lsm/workshop-imagemagick

Arto Niemi published a "Survey of Real-World Process Sandboxing" at the
Conference of Open Innovations Association (FRUCT):
https://fruct.org/publications/volume-35/fruct35/files/Niem.pdf
Their conclusion:  "[...] we found Landlock and minijail [which uses
Landlock] to be relatively convenient from a developer perspective. In
general, process self-containment and process-wrapping seems to be an
order of magnitude easier to configure than MAC policies."

Researchers from the University of Bergamo gave a talk at the ASIA CCS
conference about Cage4Deno: A Fine-Grained Sandbox for Deno Subprocesses
(leveraging Landlock):
https://cs.unibg.it/seclab-papers/2023/ASIACCS/paper/cage4deno.pdf
They also gave a talk at the RAID conference about NatiSand: Native Code
Sandboxing for JavaScript Runtimes (leveraging Landlock):
https://cs.unibg.it/seclab-papers/2023/RAID/natisand.pdf

Eric Leblond gave a talk (in French) at the SSTIC conference about
sandboxing with Landlock to mitigate real world security issues:
https://www.sstic.org/2023/presentation/attaque_supply_chain_suricata/

Günther Noack will give a talk at LSS Europe about Landlock and the new
IOCTL support: https://sched.co/1ebVW

I'll give a talk at OSS Europe to better explain sandboxing with
Landlock: https://sched.co/1ej3a

The XZ backdoor
---------------

XZ Utils is a widely used compression tool and library.  The main
maintainer implemented sandboxing with Landlock, and released a new
version 5.6.0 with this feature.  In March 2024, a backdoor was found
and reported.  It was introduced in February by a new maintainer who
earned this trust after more than two years of effort.

Among the malicious changes, the attacker disabled Landlock's support
for XZ Utils and released a new version 5.6.1:
https://research.swtch.com/xz-timeline
The sabotaged configuration check has since been fixed with version
5.6.2, but this effort to stealthily disable sandboxing is a clear sign
that Landlock disturbs attackers:
https://github.com/tukaani-project/xz/commit/f9cf4c05edd1

Merged kernel features
----------------------

Linux 6.7 (Landlock ABI 4) supports initial network access control with
the LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP
rights thanks to Konstantin Meskhidze.  We can now control inbound and
outbound TCP connections according to the source or the destination
port.  This led to kernel code refactoring which opens the way to more
network protocol support.  See user space documentation:
https://docs.kernel.org/userspace-api/landlock.html#network-flags

Linux 6.10 (Landlock ABI 5) supports IOCTL control with the new
LANDLOCK_ACCESS_FS_IOCTL_DEV right thanks to Günther Noack.  This
restriction only applies to IOCTL commands implemented by device drivers
(i.e. block or character devices).  As with other file system access
rights, this can be used to only allow such IOCTL commands on a specified
set of file hierarchies per sandbox.  See user space documentation:
https://docs.kernel.org/userspace-api/landlock.html#filesystem-flags

We also added a slight change in all supported kernels to inform system
administrators (with kernel logs) how they can configure the system to
support Landlock, when a process tries to sandbox itself on a kernel
where Landlock is disabled.  New documentation will help enable Landlock
on systems where it is not already enabled:
https://docs.kernel.org/userspace-api/landlock.html#kernel-support

Since Linux 6.3, we improved documentation and kselftests (user space
testing), and added support for KUnit (kernel testing).  Part of this
work led us to support the UML architecture to easily run application
tests in a CI against different kernel versions.  With this support we
can make sure that backward compatibility works fine for the tested
applications.  I encourage you to take a look at landlock-test-tools and
the GitHub CI configuration for the Rust library:
https://github.com/landlock-lsm/landlock-test-tools
https://github.com/landlock-lsm/rust-landlock/blob/main/.github/workflows/rust.yml#L166-L179
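As an added example (not code from this newsletter or from the Landlock project), here is a minimal C sandboxer that ties the two points above together: it probes the Landlock ABI version so the same binary keeps working on older kernels, and on ABI 4 and 5 it uses the TCP port and IOCTL_DEV rights described earlier. The constants mirror <linux/landlock.h> but are redefined locally so the file builds with older headers; the /dev hierarchy and port 443 in the comments are sample values.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef __NR_landlock_create_ruleset   /* same syscall numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
/* Subset of <linux/landlock.h>, redefined locally so the file builds with old headers. */
#define LL_FS_RW           ((1ULL << 1) | (1ULL << 2))  /* WRITE_FILE | READ_FILE */
#define LL_FS_ABI1         ((1ULL << 13) - 1)           /* EXECUTE .. MAKE_SYM: ABI 1 */
#define LL_FS_REFER        (1ULL << 13)                 /* ABI 2 */
#define LL_FS_TRUNCATE     (1ULL << 14)                 /* ABI 3 */
#define LL_FS_IOCTL_DEV    (1ULL << 15)                 /* ABI 5, Linux 6.10 */
#define LL_NET_BIND_TCP    (1ULL << 0)                  /* ABI 4, Linux 6.7 */
#define LL_NET_CONNECT_TCP (1ULL << 1)
#define LL_RULE_PATH_BENEATH 1
#define LL_RULE_NET_PORT 2
#define LL_CREATE_RULESET_VERSION (1U << 0)
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
struct ll_net_port_attr { uint64_t allowed_access, port; };

/* Handle only the rights this ABI knows: an unknown bit makes landlock_create_ruleset fail. */
uint64_t handled_fs_for_abi(int abi) {
    uint64_t fs = LL_FS_ABI1 | (abi >= 2 ? LL_FS_REFER : 0) | (abi >= 3 ? LL_FS_TRUNCATE : 0);
    return abi >= 5 ? fs | LL_FS_IOCTL_DEV : fs;
}
uint64_t handled_net_for_abi(int abi) { return abi >= 4 ? LL_NET_BIND_TCP | LL_NET_CONNECT_TCP : 0; }
/* Probe the kernel; -1 means Landlock is disabled or too old (the kernel log says how to enable it). */
int landlock_abi(void) { return (int)syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION); }

/* Deny every handled right except read/write (plus device ioctls on ABI >= 5) under dev_dir
 * and TCP connect() to one port; unhandled rights stay unrestricted. 0 on success, -1 on failure. */
int sandbox_self(int abi, const char *dev_dir, uint16_t port) {
    struct ll_ruleset_attr rs = { handled_fs_for_abi(abi), handled_net_for_abi(abi) };
    struct ll_path_beneath_attr pb = { LL_FS_RW, open(dev_dir, O_PATH | O_CLOEXEC) };
    struct ll_net_port_attr np = { LL_NET_CONNECT_TCP, port };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (abi >= 5) pb.allowed_access |= LL_FS_IOCTL_DEV;   /* allowed must be a subset of handled */
    int ok = fd >= 0 && pb.parent_fd >= 0
        && !syscall(__NR_landlock_add_rule, fd, LL_RULE_PATH_BENEATH, &pb, 0)
        && (abi < 4 || !syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &np, 0))
        && !prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && !syscall(__NR_landlock_restrict_self, fd, 0);
    if (pb.parent_fd >= 0) close(pb.parent_fd);
    if (fd >= 0) close(fd);   /* the ruleset fd is no longer needed once enforced */
    return ok ? 0 : -1;
}
```

Call it once at start-up, e.g. sandbox_self(landlock_abi(), "/dev", 443): the restrictions are inherited by all child processes and a later ruleset can only tighten them, never loosen them.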

Roadmap and ongoing development
-------------------------------

We created GitHub issues to track ongoing and future work:
https://github.com/landlock-lsm/linux/issues
https://github.com/orgs/landlock-lsm/projects/1

Feel free to reach out if you want to contribute!
https://github.com/landlock-lsm/linux/contribute

We also plan to improve the website with extended documentation and
examples.

Kernel development highlights
-----------------------------

Günther Noack is now an official reviewer of Landlock!
https://git.kernel.org/torvalds/c/5bf9e57e634b
After the IOCTL feature, he is now working on improving the
documentation, including man pages.

Mikhail Ivanov is working on socket type control.  This is an important
feature that will make it possible to create sandboxes without any
network access, except for an explicit list of allowed protocols.  This
will nicely complement the TCP port control (and future ones for other
protocols): https://github.com/landlock-lsm/linux/issues/6
He is also working on controlling TCP listen calls:
https://github.com/landlock-lsm/linux/issues/15

Tahera Fahimi was selected as an Outreachy intern to work on IPC
restrictions (e.g. abstract Unix sockets, signals) to better isolate a
Landlock domain:
https://github.com/landlock-lsm/linux/issues/7
https://github.com/landlock-lsm/linux/issues/8

I'm working on bringing audit support to Landlock:
https://github.com/landlock-lsm/linux/issues/3

Landlock libraries
------------------

As explained by Günther Noack, the Go library now supports TCP and IOCTL
restrictions: https://blog.gnoack.org/post/landlock-v4/
https://blog.gnoack.org/post/landlock-ioctl/

A new version of the Rust crate was released, with support for TCP
control and some miscellaneous improvements:
https://github.com/landlock-lsm/rust-landlock/releases/tag/v0.4.0

Please update your dependencies and use the latest Landlock ABI version
for improved sandboxing.

We are also working on a new minimal C library:
https://github.com/landlock-lsm/linux/issues/38

New Landlock user space support
-------------------------------

Firejail 0.9.74 (sandboxer) will be able to use Landlock:
https://github.com/netblue30/firejail/pull/6078

setpriv 2.40 (sandboxer):
https://github.com/util-linux/util-linux/pull/2628

extrasafe 0.4.0 (sandbox library):
https://github.com/boustrophedon/extrasafe/pull/28

bevy_mod_lockdown (sandbox library):
https://github.com/FrTerstappen/bevy_mod_lockdown

Cloud Hypervisor (VM monitor) will be sandboxed with Landlock:
https://github.com/cloud-hypervisor/cloud-hypervisor/pull/6214

Ukuleleweb (wiki server):
https://github.com/gnoack/ukuleleweb/commit/0ecdd54b36fa

websrv 3.2.0 (web server):
https://github.com/ngergs/websrv/commit/40fa2d7d2bbb

egress-eddie 0.5.0 (network filtering):
https://github.com/capnspacehook/egress-eddie/releases/tag/v0.5.0

Suricata 7.0.0 (network security monitoring engine):
https://docs.suricata.io/en/latest/configuration/landlock.html

sslh 2.1.0 (protocol multiplexer):
https://lore.kernel.org/landlock/Zfq6f30spnYCx_9Y@rutschle.net/
https://github.com/yrutschle/sslh/releases/tag/v2.1.0

wireproxy 1.0.8 (Wireguard client):
https://github.com/pufferffish/wireproxy/pull/108

Emilua 0.5.0 (Lua runtime):
https://lore.kernel.org/landlock/CAK9RveLxro4zUG4jfFB=UNgcv5gdc8JuzNhMt=YbNhH=35ADzg@mail.gmail.com/
https://docs.emilua.org/api/0.5/changelog.html

Polkadot (blockchain SDK):
https://github.com/paritytech/polkadot/pull/7303

XZ Utils 5.6.2 (archive manager):
https://github.com/tukaani-project/xz/commit/374868d81d47

Zathura (document viewer) will be sandboxed with Landlock:
https://github.com/pwmt/zathura/pull/575

Pacman 7.0.0 (Arch Linux's package manager):
https://gitlab.archlinux.org/pacman/pacman/-/merge_requests/167


Thanks to all contributors!

Regards,
 Mickaël
