From: "Mickaël Salaün" <mic@digikod.net>
To: landlock@lists.linux.dev
Subject: Landlock news #3
Date: Wed, 22 Mar 2023 09:15:10 +0100
Message-ID: <d4ed5733-d07b-5548-2534-a63e22906778@digikod.net>
Here is the third Landlock newsletter!
Official website: https://landlock.io
Previous newsletter:
https://lore.kernel.org/landlock/441bd1cd-03fd-8e30-c370-3d0f0263d564@digikod.net/
Kernel
------
### Linux distributions
Landlock is now supported by default in new Linux distributions:
* chromeOS's VM (Termina)
* WSL2
* CBL-Mariner
### New features for Linux 6.2
Linux 6.2 is now starting to roll to up-to-date distros:
https://git.kernel.org/torvalds/c/299e2b1967578b1442128ba8b3e86ed3427d3651
This new release supports a new access right developed by Günther
Noack: LANDLOCK_ACCESS_FS_TRUNCATE. It makes it possible to fully control
file data changes (combined with LANDLOCK_ACCESS_FS_WRITE_FILE). This might
look like a simple access right, but due to the nature of file truncation
in Linux, especially through file descriptors, this work led to a new
way to enforce Landlock rules, which could be leveraged by future access
rights.
When opening a file, the availability of the LANDLOCK_ACCESS_FS_TRUNCATE
right is associated with the newly created file descriptor and will be
used for subsequent truncation attempts using ftruncate(2). The behavior
is similar to opening a file for reading or writing, where permissions
are checked during open(2), but not during the subsequent read(2) and
write(2) calls.
See https://docs.kernel.org/userspace-api/landlock.html#truncating-files
### Test improvements
Mark Brown kept pushing for the Landlock kselftest suite to be part of
KernelCI, and after 6 months it was merged:
https://github.com/kernelci/kernelci-core/pull/1236
This is great because this means that different kernel flavors on
several architectures will be tested against a lot of development kernel
trees.
For the list of tests for v6.3-rc2, see
https://staging.kernelci.org/test/plan/id/640ef62de2325f9e299d58e5/
Jeff Xu updated the tests to make them run on systems without overlayfs
support, and with Yama enabled, which is the case for chromeOS:
* Yama support:
https://lore.kernel.org/all/20230114020306.1407195-1-jeffxu@google.com/
* non-overlayfs support:
https://lore.kernel.org/all/20230113053229.1281774-1-jeffxu@google.com/
### Documentation
At the same time he is improving the kernel documentation, Günther Noack
is also updating the Landlock man pages, with the new features and
improved examples:
https://lore.kernel.org/linux-man/20230310220851.22261-1-gnoack3000@gmail.com/
Kees Cook added Landlock to the KSPP recommended settings:
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
Landlock libraries
------------------
### Rust
At the FOSDEM event, I gave feedback about the development of a security
library that needs to deal with backward and forward compatibility,
because of security features tied to specific kernel versions, handling
different use cases in a safe and secure way. We explain patterns that
we used to make it possible to fine tune the requested (optional)
features while providing a safe default behavior. For simple use cases,
the idea is to provide a best-effort security approach for potentially
unsupported kernel features: use available features and ignore others.
However, in more complex use cases, we may want to make some features
depend on others. We may also want to handle errors differently based on
unsupported features.
See
https://fosdem.org/2023/schedule/event/rust_backward_and_forward_compatibility_for_security_features/
Version 0.2.0 was released, making a first milestone available.
There is still work going on to improve the backward and forward
compatibility interface, but that would be for the next major version.
### Go
Günther Noack gave a nice talk at the Zurich Gophers Meetup about
Landlock and how to use it with the Go library:
https://blog.gnoack.org/post/go-landlock-talk/
The Go library now supports Linux 6.2 with the new truncate access
right: https://blog.gnoack.org/post/landlock-truncate/
### Haskell
Nicolas Trangez is actively working on a Haskell library for Landlock.
New versions are released regularly:
https://hackage.haskell.org/package/landlock
New Landlock user space developments
------------------------------------
Birdcage is a cross-platform embeddable sandboxing library allowing
restrictions to Filesystem and Network operations using native operating
system APIs: https://github.com/phylum-dev/birdcage
Keysas, a USB malware cleaning station: https://github.com/r3dlight/keysas
A WebAssembly runtime with Landlock support:
https://github.com/micheleberetta98/rust-wasm-landlock
Nicolas Bouchinet is working on bringing Landlock support to PAM:
https://github.com/linux-pam/linux-pam/pull/486
Articles and conferences
------------------------
Günther Noack wrote about the challenges of the best-effort approach:
How to make your use of Landlock backwards compatible with older kernels?
One of Landlock's strengths is that you can deploy the same program on
multiple kernel versions, and make it use the best available sandboxing
on each. This "best effort" approach is already implemented for you in
the Go-Landlock library and in the Rust Landlock library. But what if
you need to implement it yourself?
See https://blog.gnoack.org/post/landlock-best-effort/
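The two points above, the best-effort handling of older kernels and the truncate right being fixed at open(2) time, in one small C program. This is an added example, not code from the newsletter, the kernel, or any of the libraries it mentions: the constants and structs mirror the Landlock UAPI so that it builds with older headers, the helper names are mine, and demo.txt is a constructed file in the current directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Mirrors <linux/landlock.h> (builds with pre-6.2 headers); syscall numbers 444-446 are arch-independent. */
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE  (1ULL << 2)
#define LL_FS_REFER      (1ULL << 13)       /* ABI 2, Linux 5.19 */
#define LL_FS_TRUNCATE   (1ULL << 14)       /* ABI 3, Linux 6.2 */
#define LL_ABI1_FS       ((1ULL << 13) - 1) /* EXECUTE .. MAKE_SYM */
#define LL_CREATE_RULESET_VERSION 1U
#define LL_RULE_PATH_BENEATH 1
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
/* Best effort: handle only the rights this kernel ABI knows (0 if abi < 1). */
uint64_t handled_fs_for_abi(int abi) {
    return (abi >= 1 ? LL_ABI1_FS : 0) | (abi >= 2 ? LL_FS_REFER : 0) |
           (abi >= 3 ? LL_FS_TRUNCATE : 0);
}
/* Restricts the process to read/write under dir, deliberately without the
 * truncate right. Returns -1 (errno set) when Landlock is unavailable. */
int sandbox_rw_no_truncate(const char *dir) {
    int abi = syscall(444, NULL, 0, LL_CREATE_RULESET_VERSION), ret = -1;
    if (abi < 1) return -1;
    struct ll_ruleset_attr rs = { .handled_access_fs = handled_fs_for_abi(abi) };
    int ruleset_fd = syscall(444, &rs, sizeof(rs), 0);
    if (ruleset_fd < 0) return -1;
    struct ll_path_beneath_attr pb = { .allowed_access = LL_FS_READ_FILE | LL_FS_WRITE_FILE,
                                       .parent_fd = open(dir, O_PATH | O_CLOEXEC) };
    if (pb.parent_fd >= 0 && syscall(445, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0) == 0 &&
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && syscall(446, ruleset_fd, 0) == 0)
        ret = 0;
    close(pb.parent_fd);
    close(ruleset_fd);
    return ret;
}
int main(void) {
    int fd = open("./demo.txt", O_WRONLY | O_CREAT, 0600); /* constructed; opened before enforcement */
    if (fd < 0) return 1;
    if (sandbox_rw_no_truncate(".") < 0) printf("no Landlock here, running unsandboxed\n");
    /* Truncate right is fixed at open(): the old fd keeps it; by-path truncate gets EACCES on ABI >= 3. */
    printf("ftruncate(old fd) errno=%d\n", ftruncate(fd, 0) ? errno : 0);
    printf("truncate(path) errno=%d\n", truncate("./demo.txt", 0) ? errno : 0);
    return 0;
}
```

On a kernel older than 6.2 the ruleset simply does not handle LANDLOCK_ACCESS_FS_TRUNCATE, so both truncations succeed; on 6.2+ only the descriptor opened before enforcement can still truncate.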
I gave a talk at the Netdev conference about the steps to sandbox the
lighttpd server:
https://netdevconf.info/0x16/session.html?How-to-sandbox-a-network-application-with-Landlock
Nicolas Bouchinet helped improve the tutorial material which is now
available here: https://github.com/landlock-lsm/tuto-lighttpd
Outreachy internship
--------------------
Outreachy provides internships in open source to people subject to
systemic bias and impacted by underrepresentation in the technical
industry where they are living. The Linux kernel proposed 4 projects,
and one of them is related to Landlock. Here is the description of
"Improve Landlock tests and thread management":
Work will start by refactoring some tests to move the TEST_F_FORK helper
to the kselftests harness library. Indeed, this helper is a fork of the
TEST_F one, and code duplication should be avoided for maintenance reasons.
The second task is to improve Landlock ruleset merges with the thread's
Landlock domain to avoid domains without any direct thread to them. To
make sure that the current behavior is kept as is, new tests will be
added (thanks to the kselftests or the KUnit framework).
If the work progresses relatively quickly, a more complex task is to add a
new feature similar to seccomp's TSYNC: being able to safely restrict
the entire process instead of the current thread. This task would
require a better understanding of thread management.
An alternative task is to improve Landlock test coverage thanks to
kernel fault injection. This would make it possible to cover kernel
internal errors (e.g., memory allocation, user copy) that cannot be
tested otherwise.
See https://www.outreachy.org/communities/cfp/linux-kernel/
Ongoing patch series
--------------------
Konstantin Meskhidze is working on TCP port access control for
Landlock. The code is almost ready, and we are tackling the latest
issues around the user space interface and tests. We'll use an unsigned
64-bit integer with host endianness to define a port, for simplicity,
padding, and extensibility reasons. We are also thinking about a new
feature to block full network protocols from being used.
See
https://lore.kernel.org/all/20230116085818.165539-1-konstantin.meskhidze@huawei.com/
Shervin Oloumi proposed a way to identify landlocked processes. That
would be useful for chromeOS to make sure that services are properly
sandboxed. That might be the beginning of a more advanced audit and
debug set of tools.
See
https://lore.kernel.org/all/20230302185257.850681-1-enlightened@chromium.org/
I sent patches to support the User-Mode Linux architecture, which would
be useful for tests:
https://lore.kernel.org/all/20230309165455.175131-1-mic@digikod.net/
Thanks to all the contributors!
Regards,
Mickaël