From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754863AbcH0Hpm (ORCPT ); Sat, 27 Aug 2016 03:45:42 -0400 Received: from mail-ua0-f171.google.com ([209.85.217.171]:35330 "EHLO mail-ua0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750825AbcH0Hpk (ORCPT ); Sat, 27 Aug 2016 03:45:40 -0400 MIME-Version: 1.0 In-Reply-To: <1472121165-29071-1-git-send-email-mic@digikod.net> References: <1472121165-29071-1-git-send-email-mic@digikod.net> From: Andy Lutomirski Date: Sat, 27 Aug 2016 00:40:14 -0700 Message-ID: Subject: Re: [RFC v2 00/10] Landlock LSM: Unprivileged sandboxing To: =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= Cc: "linux-kernel@vger.kernel.org" , Alexei Starovoitov , Arnd Bergmann , Casey Schaufler , Daniel Borkmann , Daniel Mack , David Drysdale , "David S . Miller" , Elena Reshetova , James Morris , Kees Cook , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Will Drewry , "kernel-hardening@lists.openwall.com" , Linux API , LSM List , Network Development Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id u7R7jmnW014781 On Thu, Aug 25, 2016 at 3:32 AM, Mickaël Salaün wrote: > Hi, > > This series is a proof of concept to fill some missing part of seccomp as the > ability to check syscall argument pointers or creating more dynamic security > policies. The goal of this new stackable Linux Security Module (LSM) called > Landlock is to allow any process, including unprivileged ones, to create > powerful security sandboxes comparable to the Seatbelt/XNU Sandbox or the > OpenBSD Pledge. This kind of sandbox help to mitigate the security impact of > bugs or unexpected/malicious behaviors in userland applications. > > The first RFC [1] was focused on extending seccomp while staying at the syscall > level. This brought a working PoC but with some (mitigated) ToCToU race > conditions due to the seccomp ptrace hole (now fixed) and the non-atomic > syscall argument evaluation (hence the LSM hooks). > > > # Landlock LSM > > This second RFC is a fresh revamp of the code while keeping some working ideas. > This series is mainly focused on LSM hooks, while keeping the possibility to > tied them to syscalls. This new code removes all race conditions by design. It > now use eBPF instead of a subset of cBPF (as used by seccomp-bpf). This allow > to remove the previous stacked cBPF hack to do complex access checks thanks to > dedicated eBPF functions. An eBPF program is still very limited (i.e. can only > call a whitelist of functions) and can not do a denial of service (i.e. no > loop). The other major improvement is the replacement of the previous custom > checker groups of syscall arguments with a new dedicated eBPF map to collect > and compare Landlock handles with system resources (e.g. files or network > connections). > > The approach taken is to add the minimum amount of code while still allowing > the userland to create quite complex access rules. A dedicated security policy > language such as used by SELinux, AppArmor and other major LSMs is a lot of > code and dedicated to a trusted process (i.e. root/administrator). > I think there might be a problem with the current design. If I add a seccomp filter that uses RET_LANDLOCK and some landlock filters, what happens if a second seccomp filter *also* uses RET_LANDLOCK? I think they'll interfere with each other. It might end up being necessary to require only one landlock seccomp layer at a time or to find a way to stick all the filters in a layer together with the LSM callbacks or maybe to just drop RET_LANDLOCK and let the callbacks look at the syscall args. BTW, what happens if an LSM hook is called outside a syscall context, e.g. from a page fault? > > > # Sandbox example with conditional access control depending on cgroup > > $ mkdir /sys/fs/cgroup/sandboxed > $ ls /home > user1 > $ LANDLOCK_CGROUPS='/sys/fs/cgroup/sandboxed' \ > LANDLOCK_ALLOWED='/bin:/lib:/usr:/tmp:/proc/self/fd/0' \ > ./sandbox /bin/sh -i > $ ls /home > user1 > $ echo $$ > /sys/fs/cgroup/sandboxed/cgroup.procs > $ ls /home > ls: cannot open directory '/home': Permission denied > Something occurs to me that isn't strictly relevant to landlock but may be relevant to unprivileged cgroups: can you cause trouble by setting up a nastily-configured cgroup and running a setuid program in it?