From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Andy Lutomirski" <luto@amacapital.net>,
"Arnd Bergmann" <arnd@arndb.de>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"James Morris" <jmorris@namei.org>, "Jann Horn" <jann@thejh.net>,
"Jonathan Corbet" <corbet@lwn.net>,
"Kees Cook" <keescook@chromium.org>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Mickaël Salaün" <mickael.salaun@ssi.gouv.fr>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Shuah Khan" <shuah@kernel.org>,
"Vincent Dagonneau" <vincent.dagonneau@ssi.gouv.fr>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-security-module@vger.kernel.org, x86@kernel.org
Subject: [PATCH v15 00/10] Landlock LSM
Date: Thu, 26 Mar 2020 21:27:21 +0100 [thread overview]
Message-ID: <20200326202731.693608-1-mic@digikod.net> (raw)
Hi,
This new patch series brings improvements, fix some bugs but mainly
simplify the code.
The object, rule and ruleset management are simplified at the expense of
a less aggressive memory freeing (contributed by Jann Horn [1]). There
is now less use of RCU for an improved readability. Access checks that
can be reached by file-descriptor-based syscalls are removed for now
(truncate, getattr, lock, chmod, chown, chgrp, ioctl). This will be
handle in a future evolution of Landlock, but right now the goal is to
lighten the code to ease review. The SLOC count for security/landlock/
was 1542 with the previous patch series while the current series shrinks
it to 1273.
The other main improvement is the addition of rule layer levels to
ensure that a nested sandbox cannot bypass the access restrictions set
by its parents.
The syscall is now wired for all architectures and the tests passed for
x86_32 and x86_64.
The compiled documentation is available here:
https://landlock.io/linux-doc/landlock-v15/security/landlock/index.html
This series can be applied on top of v5.6-rc7. This can be tested with
CONFIG_SECURITY_LANDLOCK and CONFIG_SAMPLE_LANDLOCK. This patch series
can be found in a Git repository here:
https://github.com/landlock-lsm/linux/commits/landlock-v15
I would really appreciate constructive comments on the design and the code.
# Landlock LSM
The goal of Landlock is to enable to restrict ambient rights (e.g.
global filesystem access) for a set of processes. Because Landlock is a
stackable LSM [2], it makes possible to create safe security sandboxes
as new security layers in addition to the existing system-wide
access-controls. This kind of sandbox is expected to help mitigate the
security impact of bugs or unexpected/malicious behaviors in user-space
applications. Landlock empowers any process, including unprivileged
ones, to securely restrict themselves.
Landlock is inspired by seccomp-bpf but instead of filtering syscalls
and their raw arguments, a Landlock rule can restrict the use of kernel
objects like file hierarchies, according to the kernel semantic.
Landlock also takes inspiration from other OS sandbox mechanisms: XNU
Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil.
# Current limitations
## Path walk
Landlock need to use dentries to identify a file hierarchy, which is
needed for composable and unprivileged access-controls. This means that
path resolution/walking (handled with inode_permission()) is not
supported, yet. The same limitation also apply to readlink(2). This
could be filled with a future extension first of the LSM framework. The
Landlock userspace ABI can handle such change with new options (e.g. to
the struct landlock_ruleset).
## UnionFS
An UnionFS super-block use a set of upper and lower directories. Access
request to a file in one of these hierarchy trigger a call to
ovl_path_real() which generate another access request according to the
matching hierarchy. Because such super-block is not aware of its current
mount point, OverlayFS can't create a dedicated mnt_parent for each of
the upper and lower directories mount clones. It is then not currently
possible to track the source of such indirect access-request, and then
not possible to identify a unified OverlayFS hierarchy.
## Memory limits
There is currently no limit on the memory usage. Any idea to leverage
an existing mechanism (e.g. rlimit)?
# Changes since v14
* Simplify the object, rule and ruleset management at the expense of a
less aggressive memory freeing.
* Remove access checks that may be required for FD-only requests:
truncate, getattr, lock, chmod, chown, chgrp, ioctl.
* Add the notion of rule layer level to ensure that a nested sandbox
cannot bypass the access restrictions set by its parent.
* Wire up the syscall for all architectures.
* Clean up the code and add more documentation.
* Some improvements and bug fixes.
# Changes since v13
* Revamp of the LSM: remove the need for eBPF and seccomp(2).
* Implement a full filesystem access-control.
* Take care of the backward compatibility issues, especially for
security features, following a best-effort approach.
Previous version:
https://lore.kernel.org/lkml/20200224160215.4136-1-mic@digikod.net/
[1] https://lore.kernel.org/lkml/CAG48ez21bEn0wL1bbmTiiu8j9jP5iEWtHOwz4tURUJ+ki0ydYw@mail.gmail.com/
[2] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com/
Regards,
Mickaël Salaün (10):
landlock: Add object management
landlock: Add ruleset and domain management
landlock: Set up the security framework and manage credentials
landlock: Add ptrace restrictions
fs,landlock: Support filesystem access-control
landlock: Add syscall implementation
arch: Wire up landlock() syscall
selftests/landlock: Add initial tests
samples/landlock: Add a sandbox manager example
landlock: Add user and kernel documentation
Documentation/security/index.rst | 1 +
Documentation/security/landlock/index.rst | 18 +
Documentation/security/landlock/kernel.rst | 69 +
Documentation/security/landlock/user.rst | 227 +++
MAINTAINERS | 12 +
arch/alpha/kernel/syscalls/syscall.tbl | 1 +
arch/arm/tools/syscall.tbl | 1 +
arch/arm64/include/asm/unistd.h | 2 +-
arch/arm64/include/asm/unistd32.h | 2 +
arch/ia64/kernel/syscalls/syscall.tbl | 1 +
arch/m68k/kernel/syscalls/syscall.tbl | 1 +
arch/microblaze/kernel/syscalls/syscall.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 1 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 1 +
arch/parisc/kernel/syscalls/syscall.tbl | 1 +
arch/powerpc/kernel/syscalls/syscall.tbl | 1 +
arch/s390/kernel/syscalls/syscall.tbl | 1 +
arch/sh/kernel/syscalls/syscall.tbl | 1 +
arch/sparc/kernel/syscalls/syscall.tbl | 1 +
arch/x86/entry/syscalls/syscall_32.tbl | 1 +
arch/x86/entry/syscalls/syscall_64.tbl | 1 +
arch/xtensa/kernel/syscalls/syscall.tbl | 1 +
fs/super.c | 2 +
include/linux/fs.h | 5 +
include/linux/landlock.h | 22 +
include/linux/syscalls.h | 3 +
include/uapi/asm-generic/unistd.h | 4 +-
include/uapi/linux/landlock.h | 311 ++++
kernel/sys_ni.c | 3 +
samples/Kconfig | 7 +
samples/Makefile | 1 +
samples/landlock/.gitignore | 1 +
samples/landlock/Makefile | 15 +
samples/landlock/sandboxer.c | 217 +++
security/Kconfig | 11 +-
security/Makefile | 2 +
security/landlock/Kconfig | 18 +
security/landlock/Makefile | 4 +
security/landlock/common.h | 20 +
security/landlock/cred.c | 46 +
security/landlock/cred.h | 55 +
security/landlock/fs.c | 561 ++++++++
security/landlock/fs.h | 42 +
security/landlock/object.c | 66 +
security/landlock/object.h | 92 ++
security/landlock/ptrace.c | 120 ++
security/landlock/ptrace.h | 14 +
security/landlock/ruleset.c | 352 +++++
security/landlock/ruleset.h | 182 +++
security/landlock/setup.c | 39 +
security/landlock/setup.h | 18 +
security/landlock/syscall.c | 521 +++++++
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/landlock/.gitignore | 4 +
tools/testing/selftests/landlock/Makefile | 26 +
tools/testing/selftests/landlock/common.h | 42 +
tools/testing/selftests/landlock/config | 5 +
tools/testing/selftests/landlock/test_base.c | 113 ++
tools/testing/selftests/landlock/test_fs.c | 1249 +++++++++++++++++
.../testing/selftests/landlock/test_ptrace.c | 294 ++++
tools/testing/selftests/landlock/true.c | 5 +
62 files changed, 4833 insertions(+), 7 deletions(-)
create mode 100644 Documentation/security/landlock/index.rst
create mode 100644 Documentation/security/landlock/kernel.rst
create mode 100644 Documentation/security/landlock/user.rst
create mode 100644 include/linux/landlock.h
create mode 100644 include/uapi/linux/landlock.h
create mode 100644 samples/landlock/.gitignore
create mode 100644 samples/landlock/Makefile
create mode 100644 samples/landlock/sandboxer.c
create mode 100644 security/landlock/Kconfig
create mode 100644 security/landlock/Makefile
create mode 100644 security/landlock/common.h
create mode 100644 security/landlock/cred.c
create mode 100644 security/landlock/cred.h
create mode 100644 security/landlock/fs.c
create mode 100644 security/landlock/fs.h
create mode 100644 security/landlock/object.c
create mode 100644 security/landlock/object.h
create mode 100644 security/landlock/ptrace.c
create mode 100644 security/landlock/ptrace.h
create mode 100644 security/landlock/ruleset.c
create mode 100644 security/landlock/ruleset.h
create mode 100644 security/landlock/setup.c
create mode 100644 security/landlock/setup.h
create mode 100644 security/landlock/syscall.c
create mode 100644 tools/testing/selftests/landlock/.gitignore
create mode 100644 tools/testing/selftests/landlock/Makefile
create mode 100644 tools/testing/selftests/landlock/common.h
create mode 100644 tools/testing/selftests/landlock/config
create mode 100644 tools/testing/selftests/landlock/test_base.c
create mode 100644 tools/testing/selftests/landlock/test_fs.c
create mode 100644 tools/testing/selftests/landlock/test_ptrace.c
create mode 100644 tools/testing/selftests/landlock/true.c
--
2.26.0.rc2
next reply other threads:[~2020-03-26 20:34 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-26 20:27 Mickaël Salaün [this message]
2020-03-26 20:27 ` [PATCH v15 01/10] landlock: Add object management Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 02/10] landlock: Add ruleset and domain management Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 03/10] landlock: Set up the security framework and manage credentials Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 04/10] landlock: Add ptrace restrictions Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 05/10] fs,landlock: Support filesystem access-control Mickaël Salaün
2020-03-30 18:29 ` Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 06/10] landlock: Add syscall implementation Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 07/10] arch: Wire up landlock() syscall Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 08/10] selftests/landlock: Add initial tests Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 09/10] samples/landlock: Add a sandbox manager example Mickaël Salaün
2020-03-26 23:54 ` Randy Dunlap
2020-03-27 14:59 ` Mickaël Salaün
2020-03-26 20:27 ` [PATCH v15 10/10] landlock: Add user and kernel documentation Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200326202731.693608-1-mic@digikod.net \
--to=mic@digikod.net \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=jann@thejh.net \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mickael.salaun@ssi.gouv.fr \
--cc=mtk.manpages@gmail.com \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=vincent.dagonneau@ssi.gouv.fr \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).