* Adding landlock support to Suricata
@ 2022-08-03 13:29 Eric Leblond
From: Eric Leblond @ 2022-08-03 13:29 UTC (permalink / raw)
  To: landlock

Hello,

I worked on implementing support for Landlock in Suricata. Suricata is
an open source network threat detection engine that reads packets from
the network or files and outputs analysis in other files. As such it is
a good candidate for Landlock sandboxing.

The MR on Suricata is here and feedback and reviews are welcome:
https://github.com/OISF/suricata/pull/7688

With regards to the usage of the Landlock API, it was overall really fine
and it did not take me long to obtain something working.
I did, however, struggle with a few things (yes, I'm a newbie here):
- I looked at first at whether I had to add a library to the build system
  before realizing that up-to-date headers were enough
- The examples and documentation I found don't cover multiple calls to
  set up a policy and it got me a bit confused:
  - I had to test to verify that the logic is create ruleset / add
    multiple rules / enforce ruleset
- I did struggle a bit on the ruleset scope flags (handled_access_fs)
  as it was not clear to me that this was a choice of the sandbox
  software implementation

These are just small things that are easy to fix in the documentation;
for the rest it was really easy to implement (if you know the software
you are adding support to).

Thanks a lot for Landlock, this is a great feature that is easy to implement.

Best regards,
-- 
Eric Leblond, CTO
Stamus Networks: https://www.stamus-networks.com/


* Re: Adding landlock support to Suricata
From: Mickaël Salaün @ 2022-08-04 16:37 UTC (permalink / raw)
  To: Eric Leblond; +Cc: landlock


On 03/08/2022 15:29, Eric Leblond wrote:
> Hello,

Hi!

> 
> I worked on implementing support for landlock in Suricata. Suricata is
> an open source network threat
> detection engine that reads packets from the network or files and
> outputs analysis in other files.
> As such it is a good candidate for Landlock sandboxing.

Indeed!

> 
> The MR on Suricata is here and feedback and reviews are welcome:
> https://github.com/OISF/suricata/pull/7688
> 
> With regards to the usage of the Landlock API, it was overall really fine
> and it did not take me long to obtain something working.
> I did, however, struggle with a few things (yes, I'm a newbie here):
> - I looked at first at whether I had to add a library to the build system
> before realizing that up-to-date headers were enough

There is no C library. I don't plan to write one but if someone wants to
get on that boat I'd be pleased to help. We're focusing on a Go and Rust
library (WIP) for now.


> - The examples and documentation I found don't cover multiple calls to
> set up a policy and it got me a bit confused:
>    - I had to test to verify that the logic is create ruleset / add
> multiple rules / enforce ruleset

Hmm, the doc example [1] only explains how to add one rule indeed. The 
sandboxer example [2] should help though. I'll update the doc to deal 
with an array of paths.

[1] https://docs.kernel.org/userspace-api/landlock.html
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c

> - I did struggle a bit on the ruleset scope flags (handled_access_fs)
> as it was not clear to me that this was a choice of the sandbox software
> implementation

Was it about the fact that we need to populate handled_access_fs or that 
we need to mask some bits?

Which modification could have helped you here? 
https://docs.kernel.org/userspace-api/landlock.html#defining-and-enforcing-a-security-policy

> 
> These are just small things that are easy to fix in the documentation;
> for the rest it was really easy to implement (if you know the software
> you are adding support to).
> 
> Thanks a lot for Landlock, this is a great feature that is easy to implement.

Thanks for the feedback, it's valuable to improve documentation and help 
others.

> 
> Best regards,

