From: "Mickaël Salaün" <>
Subject: Landlock news #3
Date: Wed, 22 Mar 2023 09:15:10 +0100
Message-ID: <>

Here is the third Landlock newsletter!

Official website:
Previous newsletter:


### Linux distributions

Landlock is now supported by default in new Linux distributions:
* chromeOS's VM (Termina)
* WSL2
* CBL-Mariner

### New features for Linux 6.2

Linux 6.2 is now starting to roll out to up-to-date distros:
This new release supports a new access right developed by Günther 
Noack: LANDLOCK_ACCESS_FS_TRUNCATE.  It makes it possible to fully 
control file data changes (combined with LANDLOCK_ACCESS_FS_WRITE_FILE). 
This might look like a simple access right, but due to the nature of 
file truncation in Linux, especially through file descriptors, this work 
led to a new way to enforce Landlock rules, which could be leveraged by 
future access

When opening a file, the availability of the LANDLOCK_ACCESS_FS_TRUNCATE 
right is associated with the newly created file descriptor and is used 
for subsequent truncation attempts with ftruncate(2). The behavior is 
similar to opening a file for reading or writing, where permissions are 
checked during open(2) but not during the subsequent read(2) and 
write(2) calls.

### Test improvements

Mark Brown kept pushing for the Landlock kselftest suite to be part of 
KernelCI, and after 6 months it was merged:
This is great because it means that different kernel flavors on 
several architectures will be tested against a lot of development kernel 
For the list of tests for v6.3-rc2, see

Jeff Xu updated the tests to make them run on systems without overlayfs 
support, and with Yama enabled, which is the case for chromeOS:
* Yama support:
* non-overlayfs support:

### Documentation

At the same time he is improving the kernel documentation, Günther Noack 
is also updating the Landlock man pages, with the new features and 
improved examples:

Kees Cook added Landlock to the KSPP recommended settings:

## Landlock libraries

### Rust

At the FOSDEM event, I gave feedback about the development of a security 
library that needs to deal with backward and forward compatibility, 
because of security features tied to specific kernel versions, handling 
different use cases in a safe and secure way. We explain patterns that 
we used to make it possible to fine tune the requested (optional) 
features while providing a safe default behavior. For simple use cases, 
the idea is to provide a best-effort security approach for potentially 
unsupported kernel features: use available features and ignore others. 
However, in more complex use cases, we may want to make some features 
depend on others. We may also want to handle errors differently based on 
unsupported features.

Version 0.2.0 was released, which marks a first milestone. There is 
still work going on to improve the backward and forward compatibility 
interface, but that would be for the next major version.

### Go

Günther Noack gave a nice talk at the Zurich Gophers Meetup about 
Landlock and how to use it with the Go library:

The Go library now supports Linux 6.2 with the new truncate access 

### Haskell

Nicolas Trangez is actively working on a Haskell library for Landlock. 
New versions are released regularly:

## New Landlock user space developments

Birdcage is a cross-platform embeddable sandboxing library that restricts 
filesystem and network operations using native operating system APIs:

Keysas, a USB malware cleaning station:

A WebAssembly runtime with Landlock support:

Nicolas Bouchinet is working on bringing Landlock support to PAM:

## Articles and conferences

Günther Noack wrote about the challenges of the best-effort approach: 
How to make your use of Landlock backwards compatible with older kernels?
One of Landlock's strengths is that you can deploy the same program on 
multiple kernel versions, and make it use the best available sandboxing 
on each. This "best effort" approach is already implemented for you in 
the Go-Landlock library and in the Rust Landlock library. But what if 
you need to implement it yourself?
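To make the two points above concrete (the file-descriptor semantics of 
LANDLOCK_ACCESS_FS_TRUNCATE from the Linux 6.2 section, and the 
best-effort approach described in Günther's article), here is an added 
example in C. It is not code from this newsletter, from the article, or 
from the Landlock project. It queries the kernel's Landlock ABI version, 
handles only the access rights that version knows about, and then probes 
the truncate behavior in a forked child. It assumes a Linux kernel with 
the landlock_* syscalls; the LL_* constants and the two structs are 
copied from include/uapi/linux/landlock.h so it builds without that 
header, and the function names (handled_access_for_abi, 
landlock_restrict_to_dir, truncate_probe, run_probe) are this example's 
own, not a library API.

```c
/* Added example, not from the newsletter or the Landlock project; assumes Linux. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Landlock UAPI values copied from include/uapi/linux/landlock.h so this builds without it. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
#define LL_FS_MAKE_REG (1ULL << 8)
#define LL_FS_REFER (1ULL << 13)      /* ABI v2, Linux 5.19 */
#define LL_FS_TRUNCATE (1ULL << 14)   /* ABI v3, Linux 6.2 */
#define LL_FS_ABI1 ((1ULL << 13) - 1) /* EXECUTE..MAKE_SYM, ABI v1, Linux 5.13 */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Kernel's Landlock ABI version, or -errno (ENOSYS/EOPNOTSUPP if absent). */
int landlock_abi_version(void) {
  long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
  return v < 0 ? -errno : (int)v;
}
/* Best-effort mask (what the Go and Rust libraries do): handle every access
 * right this ABI knows about and silently drop the rest. */
uint64_t handled_access_for_abi(int abi) {
  if (abi < 1) return 0; /* no Landlock: nothing can be enforced */
  uint64_t m = LL_FS_ABI1;
  if (abi >= 2) m |= LL_FS_REFER;
  if (abi >= 3) m |= LL_FS_TRUNCATE;
  return m;
}
/* Restrict the calling thread to `allowed` under `dir`, nothing elsewhere. */
int landlock_restrict_to_dir(const char *dir, uint64_t handled, uint64_t allowed) {
  struct ll_ruleset_attr rs = { .handled_access_fs = handled };
  struct ll_path_beneath_attr pb = { .allowed_access = allowed & handled };
  int err = 0, rfd = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
  if (rfd < 0) return -errno;
  pb.parent_fd = open(dir, O_PATH | O_CLOEXEC);
  if (pb.parent_fd < 0 ||
      syscall(__NR_landlock_add_rule, rfd, LL_RULE_PATH_BENEATH, &pb, 0) < 0 ||
      prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
      syscall(__NR_landlock_restrict_self, rfd, 0) < 0)
    err = -errno;
  if (pb.parent_fd >= 0) close(pb.parent_fd);
  close(rfd);
  return err;
}
/* truncate_probe(): which truncations still succeed once sandboxed with
 * WRITE_FILE but without TRUNCATE. Run it in a throwaway (forked) process. */
enum { PRE_FD_TRUNC = 1, OPEN_O_TRUNC = 2, POST_FD_TRUNC = 4 };
int truncate_probe(const char *dir, const char *path) {
  int pre = open(path, O_WRONLY | O_CLOEXEC); /* opened before sandboxing */
  if (pre < 0) return -errno;
  uint64_t handled = handled_access_for_abi(landlock_abi_version());
  if (!handled) return -ENOSYS;
  int r = landlock_restrict_to_dir(dir, handled,
          LL_FS_READ_FILE | LL_FS_WRITE_FILE | LL_FS_READ_DIR | LL_FS_MAKE_REG);
  if (r < 0) return r;
  int got = 0;
  if (ftruncate(pre, 1) == 0) got |= PRE_FD_TRUNC;   /* right was fixed at open(2) */
  int t = open(path, O_WRONLY | O_TRUNC | O_CLOEXEC); /* needs TRUNCATE: denied on 6.2+ */
  if (t >= 0) { got |= OPEN_O_TRUNC; close(t); }
  int post = open(path, O_WRONLY | O_CLOEXEC);        /* WRITE_FILE only: allowed */
  if (post >= 0 && ftruncate(post, 0) == 0) got |= POST_FD_TRUNC; /* new fd lacks TRUNCATE */
  return got;
}
/* Runs the probe in a child over a fresh temp dir; returns its bitmask,
 * or -1 when it could not run (no Landlock, blocked syscalls, no /tmp). */
int run_probe(void) {
  char dir[] = "/tmp/ll-demo-XXXXXX", path[64];
  if (!mkdtemp(dir)) return -1;
  snprintf(path, sizeof path, "%s/data", dir);
  int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, 0600), st, result = -1;
  int ok = fd >= 0 && write(fd, "hello", 5) == 5; /* constructed sample file */
  if (fd >= 0) close(fd);
  pid_t pid = ok ? fork() : -1;
  if (pid == 0) { int r = truncate_probe(dir, path); _exit(r < 0 ? 255 : r); }
  if (pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st) && WEXITSTATUS(st) != 255)
    result = WEXITSTATUS(st);
  unlink(path); rmdir(dir);
  return result;
}
int main(void) {
  int r = run_probe(); /* 6.2+: 1 (only the pre-sandbox fd may truncate); 5.13-6.1: 7 */
  printf("Landlock ABI %d, truncate probe %d\n", landlock_abi_version(), r);
  return r < 0;
}
```

On a 6.2 or later kernel run_probe() returns 1: the descriptor opened 
before landlock_restrict_self() can still be truncated, while 
open(O_TRUNC) and ftruncate() on a descriptor opened afterwards are 
denied. On 5.13 to 6.1 it returns 7, because a v1/v2 ruleset cannot 
handle LANDLOCK_ACCESS_FS_TRUNCATE at all. That is exactly the trade-off 
of the best-effort approach: the same binary runs everywhere, but what it 
enforces depends on the kernel, so a program that must guarantee 
truncation control has to check the ABI version and refuse to run, or 
fall back to another mechanism, rather than silently continue.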

I gave a talk at the Netdev conference about the steps to sandbox the 
lighttpd server:
Nicolas Bouchinet helped improve the tutorial material which is now 
available here:

## Outreachy internship

Outreachy provides internships in open source to people subject to 
systemic bias and impacted by underrepresentation in the technical 
industry where they are living. The Linux kernel proposed 4 projects, 
and one of them is related to Landlock. Here is the description of 
"Improve Landlock tests and thread management":

Work will start by refactoring some tests to move the TEST_F_FORK helper 
to the kselftests harness library. Indeed, this helper is a fork of the 
TEST_F one, and code duplication should be avoided for maintenance reasons.
The second task is to improve Landlock ruleset merges with the thread's 
Landlock domain, to avoid domains with no thread directly attached to 
them. To make sure that the current behavior is kept as is, new tests 
will be added (thanks to the kselftests or the KUnit framework).
If the work progresses relatively quickly, a more complex task is to add a 
new feature similar to seccomp's TSYNC: being able to safely restrict 
the entire process instead of the current thread. This task would 
require a better understanding of thread
An alternative task is to improve Landlock test coverage thanks to 
kernel fault injection. This would make it possible to cover kernel 
internal errors (e.g., memory allocation, user copy) that cannot be 
tested otherwise.

## Ongoing patch series

Konstantin Meskhidze is working on the TCP port access control for 
Landlock. The code is almost ready, and we are tackling the latest 
issues around user space interface and tests. We'll use an unsigned 
64-bit integer with host endianness to define a port because of 
simplicity, padding, and extensibility reasons. We are also thinking 
about a new feature to block full network protocols from being used.

Shervin Oloumi proposed a way to identify landlocked processes. That 
would be useful for chromeOS to make sure that services are properly 
sandboxed. That might be the beginning of a more advanced audit and 
debug set of tools.

I sent patches to support the User-Mode Linux architecture, which would 
be useful for tests:

Thanks to all the contributors!

