linux-security-module.vger.kernel.org archive mirror
* Landlock news #1
From: Mickaël Salaün @ 2021-09-01 16:30 UTC
  To: landlock; +Cc: linux-security-module

Hi,

Landlock landed in Linux 5.13 and here is an overview of the ongoing
developments.

User space
----------

### Rust library

This Rust library makes it possible to manage Landlock in a best-effort
way. It is still a work in progress, but we plan to release a new major
version in the coming weeks, including documentation. Feedback is welcome!
https://github.com/landlock-lsm/rust-landlock

### Go library

We are pleased to welcome Günther Noack and his Go library, which makes
it possible to create sandboxes with Landlock. This will be useful for
any project developed in Go.
https://github.com/landlock-lsm/go-landlock

### Open Container Initiative Runtime Specification

This project is intended to be a shared specification amongst container
runtimes (e.g. Docker/runc). Thanks to H. Vetinari for bringing up the
subject and to Kailun Qin, Günther Noack, Konstantin Meskhidze, Aleksa
Sarai, Akihiro Suda for working on this and giving feedback!
https://github.com/opencontainers/runtime-spec/pull/1111

### runc

Bringing Landlock support to runc has started.
https://github.com/opencontainers/runc/pull/3194

### strace

strace 5.13 (2021-07-19) now supports Landlock syscalls and especially
their argument decoding. We can now easily debug programs using
Landlock. Thanks to Eugene Syromyatnikov and Dmitry V. Levin!
https://github.com/strace/strace/commit/7592a0eeab2588162c1741077053f8a052c8418f

### glibc

glibc 2.34 (2021-08-01) now includes Landlock system call IDs, which are
required to properly use Landlock in C and C++ programs.
https://sourceware.org/git/?p=glibc.git;a=commit;h=b1b4f7209ecaad4bf9a5d0d2ef1338409d364bac

### musl libc

A patch series is under review for musl libc to include Landlock system
call IDs in this alternative libc.
https://www.openwall.com/lists/musl/2021/07/10/12

### Man Pages

Four manual pages dedicated to Landlock are being reviewed by Alejandro
Colomar and G. Branden Robinson. Thanks to them! This documentation is
split into a general overview landlock(7) and one page per syscall.
https://lore.kernel.org/linux-man/20210818155931.484070-1-mic@digikod.net/

Conferences
-----------

I'm glad that two (complementary) Landlock talks have been accepted to
the Open Source Summit and to the Linux Security Summit. I have given a
few talks in recent years but Landlock has changed drastically since
then (i.e. no more eBPF). These talks will unfortunately be virtual, but
I'll still be available for questions. See you at the end of the month!

### Open Source Summit 2021 - Sandboxing Applications with Landlock

This talk focuses on the use of Landlock by user space, explaining the
rationale behind the design, how backward and forward compatibility is
handled, what features are currently available and what could come next.
https://sched.co/lAVl

### Linux Security Summit 2021 - Deep Dive into Landlock Internals

This talk first explains the goal of Landlock and the related
consequences. This will make it possible to explain the kernel
implementation constraints, the choices that led to the current design,
and the potential and limits of the current and future features.
https://sched.co/ljRQ

Roadmap (kernel-side)
---------------------

Last but not least, here is an overview of the roadmap for Landlock.
We'll add a proper dedicated page to the website soon: https://landlock.io

Short term:
* improve kernel performance for the current features;
* add the ability to change the parent directory of files (see current
Landlock limitations).

Medium term:
* add audit features to ease debugging;
* extend filesystem access-control types to address the current limitations;
* add the ability to follow a deny listing approach, which is required
for some use cases.

Long term:
* add minimal network access-control types;
* add the ability to create (file descriptor) capabilities compatible
with Capsicum.

Regards,
 Mickaël
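
The glibc and musl items above concern the Landlock system call IDs. As an added example (not part of the newsletter or of any Landlock project's code), this C program probes for Landlock with a fallback syscall number and classifies the result, which is the first step of a best-effort setup. The `ll_*` names are hypothetical, and the fallback number 444 is assumed for architectures using the unified syscall numbering.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Toolchains that predate the libc updates above may not define the Landlock
 * syscall numbers. 444 is landlock_create_ruleset on x86-64, arm64 and the
 * other architectures using the unified numbering (an assumption of this
 * example; check your architecture's syscall table). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
/* Flag from <linux/landlock.h>, redefined for builds with pre-5.13 headers. */
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

enum ll_status { LL_AVAILABLE, LL_NOT_BUILT, LL_DISABLED, LL_UNKNOWN };

/* Interpret the raw syscall result (hypothetical helper, kept pure). */
enum ll_status ll_classify(long ret, int err)
{
    if (ret >= 1)
        return LL_AVAILABLE;   /* ret is the highest supported ABI version */
    if (err == ENOSYS)
        return LL_NOT_BUILT;   /* kernel older than 5.13 or built without Landlock */
    if (err == EOPNOTSUPP)
        return LL_DISABLED;    /* built in, but not enabled at boot */
    return LL_UNKNOWN;         /* e.g. blocked by a seccomp filter */
}

/* Returns the Landlock ABI version (>= 1), or 0 when sandboxing is unavailable. */
int ll_abi_version(enum ll_status *st)
{
    errno = 0;
    long ret = syscall(__NR_landlock_create_ruleset, NULL, 0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    *st = ll_classify(ret, ret < 0 ? errno : 0);
    return *st == LL_AVAILABLE ? (int)ret : 0;
}

int main(void)
{
    enum ll_status st;
    int abi = ll_abi_version(&st);
    if (abi)
        printf("Landlock ABI version %d: a ruleset can be enforced\n", abi);
    else
        printf("Landlock unavailable (status %d): continuing unsandboxed\n", st);
    return 0;
}
```

Running the binary under strace 5.13 or later shows the decoded `landlock_create_ruleset` call and its return value.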


* Re: Landlock news #1
From: Mickaël Salaün @ 2021-09-02 16:13 UTC
  To: landlock
  Cc: linux-security-module, Linux Containers, gentoo-hardened,
	kernel-hardening, linux-hardening

Because this newsletter includes container-related and security-related
information, I'm relaying this to other appropriate mailing lists. If
you want to get updates, you can subscribe by sending an email to
landlock+subscribe@lists.linux.dev

Regards,
 Mickaël
