From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>, "Al Viro" <viro@zeniv.linux.org.uk>, "Andy Lutomirski" <luto@amacapital.net>, "Arnd Bergmann" <arnd@arndb.de>, "Casey Schaufler" <casey@schaufler-ca.com>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "James Morris" <jmorris@namei.org>, "Jann Horn" <jann@thejh.net>, "Jonathan Corbet" <corbet@lwn.net>, "Kees Cook" <keescook@chromium.org>, "Michael Kerrisk" <mtk.manpages@gmail.com>, "Mickaël Salaün" <mickael.salaun@ssi.gouv.fr>, "Serge E . Hallyn" <serge@hallyn.com>, "Shuah Khan" <shuah@kernel.org>, "Vincent Dagonneau" <vincent.dagonneau@ssi.gouv.fr>, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-security-module@vger.kernel.org, x86@kernel.org
Subject: [RFC PATCH v14 00/10] Landlock LSM
Date: Mon, 24 Feb 2020 17:02:05 +0100
Message-ID: <20200224160215.4136-1-mic@digikod.net>

Hi,

This new version of Landlock is a major revamp of the previous series [1], hence the RFC tag. The three main changes are the replacement of eBPF with a dedicated safe management of access rules, the replacement of the use of seccomp(2) with a dedicated syscall, and the management of filesystem access-control (back from the v10).

As discussed in [2], eBPF may be too powerful and dangerous to be put in the hands of unprivileged and potentially malicious processes, especially because of side-channel attacks against access-controls or other parts of the kernel. Thanks to this new implementation (1540 SLOC), designed from the ground up to be used by unprivileged processes, this series enables a process to sandbox itself without requiring CAP_SYS_ADMIN, but only the no_new_privs constraint (like seccomp). Not relying on eBPF also improves performance, especially for stacked security policies, thanks to mergeable rulesets.

The compiled documentation is available here:
https://landlock.io/linux-doc/landlock-v14/security/landlock/index.html

This series can be applied on top of v5.6-rc3. This can be tested with CONFIG_SECURITY_LANDLOCK and CONFIG_SAMPLE_LANDLOCK. This patch series can be found in a Git repository here:
https://github.com/landlock-lsm/linux/commits/landlock-v14

I would really appreciate constructive comments on the design and the code.

# Landlock LSM

The goal of Landlock is to make it possible to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM [3], it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock empowers any process, including unprivileged ones, to securely restrict itself.

Landlock is inspired by seccomp-bpf but instead of filtering syscalls and their raw arguments, a Landlock rule can restrict the use of kernel objects like file hierarchies, according to the kernel semantics. Landlock also takes inspiration from other OS sandbox mechanisms: XNU Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil.

# Current limitations

## Path walk

Landlock needs to use dentries to identify a file hierarchy, which is needed for composable and unprivileged access-controls. This means that path resolution/walking (handled with inode_permission()) is not supported, yet. This gap could be filled by a future extension, first of the LSM framework. The Landlock userspace ABI can handle such a change with a new option (e.g. to the struct landlock_ruleset).

## UnionFS

A UnionFS super-block uses a set of upper and lower directories. An access request to a file in one of these hierarchies triggers a call to ovl_path_real(), which generates another access request according to the matching hierarchy. Because such a super-block is not aware of its current mount point, OverlayFS can't create a dedicated mnt_parent for each of the upper and lower directory mount clones. It is then not currently possible to track the source of such an indirect access request, and therefore not possible to identify a unified OverlayFS hierarchy.

## Syscall

Because it is only tested on x86_64, the syscall is only wired up for this architecture. The whole x86 family (and probably all the others) will be supported in the next patch series.

## Memory limits

There is currently no limit on the memory usage. Any idea to leverage an existing mechanism (e.g. rlimit)?

# Changes since v13

* Revamp of the LSM: remove the need for eBPF and seccomp(2).
* Implement a full filesystem access-control.
* Take care of the backward compatibility issues, especially for these security features.

Previous version: https://lore.kernel.org/lkml/20191104172146.30797-1-mic@digikod.net/

[1] https://lore.kernel.org/lkml/20191104172146.30797-1-mic@digikod.net/
[2] https://lore.kernel.org/lkml/a6b61f33-82dc-0c1c-7a6c-1926343ef63e@digikod.net/
[3] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com/

Regards,

Mickaël Salaün (10):
  landlock: Add object and rule management
  landlock: Add ruleset and domain management
  landlock: Set up the security framework and manage credentials
  landlock: Add ptrace restrictions
  fs,landlock: Support filesystem access-control
  landlock: Add syscall implementation
  arch: Wire up landlock() syscall
  selftests/landlock: Add initial tests
  samples/landlock: Add a sandbox manager example
  landlock: Add user and kernel documentation

 Documentation/security/index.rst             |   1 +
 Documentation/security/landlock/index.rst    |  18 +
 Documentation/security/landlock/kernel.rst   |  44 ++
 Documentation/security/landlock/user.rst     | 233 +++++++
 MAINTAINERS                                  |  12 +
 arch/x86/entry/syscalls/syscall_64.tbl       |   1 +
 fs/super.c                                   |   2 +
 include/linux/landlock.h                     |  22 +
 include/linux/syscalls.h                     |   3 +
 include/uapi/asm-generic/unistd.h            |   4 +-
 include/uapi/linux/landlock.h                | 315 +++++++++
 samples/Kconfig                              |   7 +
 samples/Makefile                             |   1 +
 samples/landlock/.gitignore                  |   1 +
 samples/landlock/Makefile                    |  15 +
 samples/landlock/sandboxer.c                 | 226 +++++++
 security/Kconfig                             |  11 +-
 security/Makefile                            |   2 +
 security/landlock/Kconfig                    |  16 +
 security/landlock/Makefile                   |   4 +
 security/landlock/cred.c                     |  47 ++
 security/landlock/cred.h                     |  55 ++
 security/landlock/fs.c                       | 591 +++++++++++++++++
 security/landlock/fs.h                       |  42 ++
 security/landlock/object.c                   | 341 ++++++++++
 security/landlock/object.h                   | 134 ++++
 security/landlock/ptrace.c                   | 118 ++++
 security/landlock/ptrace.h                   |  14 +
 security/landlock/ruleset.c                  | 463 +++++++++++++
 security/landlock/ruleset.h                  | 106 +++
 security/landlock/setup.c                    |  38 ++
 security/landlock/setup.h                    |  20 +
 security/landlock/syscall.c                  | 470 +++++++++++++
 tools/testing/selftests/Makefile             |   1 +
 tools/testing/selftests/landlock/.gitignore  |   3 +
 tools/testing/selftests/landlock/Makefile    |  13 +
 tools/testing/selftests/landlock/config      |   4 +
 tools/testing/selftests/landlock/test.h      |  40 ++
 tools/testing/selftests/landlock/test_base.c |  80 +++
 tools/testing/selftests/landlock/test_fs.c   | 624 ++++++++++++++++++
 .../testing/selftests/landlock/test_ptrace.c | 293 ++++++++
 41 files changed, 4429 insertions(+), 6 deletions(-)
 create mode 100644 Documentation/security/landlock/index.rst
 create mode 100644 Documentation/security/landlock/kernel.rst
 create mode 100644 Documentation/security/landlock/user.rst
 create mode 100644 include/linux/landlock.h
 create mode 100644 include/uapi/linux/landlock.h
 create mode 100644 samples/landlock/.gitignore
 create mode 100644 samples/landlock/Makefile
 create mode 100644 samples/landlock/sandboxer.c
 create mode 100644 security/landlock/Kconfig
 create mode 100644 security/landlock/Makefile
 create mode 100644 security/landlock/cred.c
 create mode 100644 security/landlock/cred.h
 create mode 100644 security/landlock/fs.c
 create mode 100644 security/landlock/fs.h
 create mode 100644 security/landlock/object.c
 create mode 100644 security/landlock/object.h
 create mode 100644 security/landlock/ptrace.c
 create mode 100644 security/landlock/ptrace.h
 create mode 100644 security/landlock/ruleset.c
 create mode 100644 security/landlock/ruleset.h
 create mode 100644 security/landlock/setup.c
 create mode 100644 security/landlock/setup.h
 create mode 100644 security/landlock/syscall.c
 create mode 100644 tools/testing/selftests/landlock/.gitignore
 create mode 100644 tools/testing/selftests/landlock/Makefile
 create mode 100644 tools/testing/selftests/landlock/config
 create mode 100644 tools/testing/selftests/landlock/test.h
 create mode 100644 tools/testing/selftests/landlock/test_base.c
 create mode 100644 tools/testing/selftests/landlock/test_fs.c
 create mode 100644 tools/testing/selftests/landlock/test_ptrace.c

-- 
2.25.0
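As an added example, not part of this cover letter nor the series' own samples/landlock/sandboxer.c, the self-sandboxing the letter describes, in C: an unprivileged process allows read-only access beneath one directory and denies every other filesystem right to itself, needing only no_new_privs. It is written against the Landlock ABI as later merged upstream in Linux 5.13 (three syscalls: landlock_create_ruleset, landlock_add_rule, landlock_restrict_self), not the single landlock() syscall of this v14 RFC; the syscall numbers, struct layouts and access bits are taken from that upstream UAPI and are assumptions relative to this page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers as wired up upstream for x86_64/asm-generic; the fallback
 * only matters when the build host's headers predate them (assumption). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Local mirrors of the upstream UAPI structs and ABI v1 access bits, so this
 * builds without new kernel headers. */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr {
	uint64_t allowed_access;
	int32_t parent_fd;
} __attribute__((packed));
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
#define LL_FS_ALL_V1 ((1ULL << 13) - 1) /* the 13 filesystem rights of ABI v1 */
#define LL_RULE_PATH_BENEATH 1
#define LL_CREATE_RULESET_VERSION (1U << 0)

/* Kernel's Landlock ABI version (>= 1), or -1 when Landlock is unavailable. */
int landlock_abi_version(void)
{
	return (int)syscall(__NR_landlock_create_ruleset, NULL, 0,
			    LL_CREATE_RULESET_VERSION);
}

/* Confine the caller to read-only access beneath @dir: every handled right
 * not granted by a rule is denied, later layers can only tighten this, and
 * no capability is needed, only no_new_privs (as with seccomp).
 * Returns 0 or -errno; on failure nothing is enforced. */
int sandbox_read_only(const char *dir)
{
	struct ll_ruleset_attr rs = { .handled_access_fs = LL_FS_ALL_V1 };
	struct ll_path_beneath_attr pb = {
		.allowed_access = LL_FS_READ_FILE | LL_FS_READ_DIR,
	};
	int ruleset_fd, err = 0;

	ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);
	if (ruleset_fd < 0)
		return -errno; /* e.g. ENOSYS: kernel built without Landlock */
	pb.parent_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	if (pb.parent_fd < 0) {
		err = -errno;
		goto out;
	}
	if (syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0) ||
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
	    syscall(__NR_landlock_restrict_self, ruleset_fd, 0))
		err = -errno;
	close(pb.parent_fd);
out:
	close(ruleset_fd);
	return err;
}
```

A program calls sandbox_read_only(dir) once; afterwards open() of anything outside dir fails with EACCES, and the restriction is inherited by children and cannot be relaxed.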