Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 14 May 2020 12:27:45 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: James Morris <jmorris@...ei.org>
Cc: linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>,
 Andy Lutomirski <luto@...capital.net>, Arnd Bergmann <arnd@...db.de>,
 Casey Schaufler <casey@...aufler-ca.com>, Jann Horn <jannh@...gle.com>,
 Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>,
 Michael Kerrisk <mtk.manpages@...il.com>,
 Mickaël Salaün <mickael.salaun@....gouv.fr>,
 "Serge E . Hallyn" <serge@...lyn.com>, Shuah Khan <shuah@...nel.org>,
 Vincent Dagonneau <vincent.dagonneau@....gouv.fr>,
 kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
 linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
 linux-fsdevel@...r.kernel.org, linux-kselftest@...r.kernel.org,
 linux-security-module@...r.kernel.org, x86@...nel.org
Subject: Re: [PATCH v17 02/10] landlock: Add ruleset and domain management


On 14/05/2020 05:09, James Morris wrote:
> On Mon, 11 May 2020, Mickaël Salaün wrote:
> 
>> + * .. warning::
>> + *
>> + *   It is currently not possible to restrict some file-related actions
>> + *   accessible through these syscall families: :manpage:`chdir(2)`,
>> + *   :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
>> + *   :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
>> + *   :manpage:`ioctl(2)`, :manpage:`fcntl(2)`.
>> + *   Future Landlock evolutions will enable to restrict them.
> 
> I have to wonder how useful Landlock will be without more coverage per 
> the above.

This is the result of previous discussions (on mailing lists and
conferences) to minimize the code of Landlock to ease review. There is
also network and other subsystems which are not covered, the same way
other LSMs may not cover everything. However, Landlock is designed to be
extensible without breaking user space, so extending this access-control
will not be a problem. Previous versions of this patch series handled
much more.

Moreover, we can compare the current situation with seccomp. Indeed,
seccomp only enables to restrict system calls according to their number
and their raw arguments. seccomp is designed to limit the attack surface
of the kernel but it is also used to remove ways to access kernel
resources. Application developers willing to sandbox their products are
already using seccomp but there is limitations (e.g. file access
control). Landlock addresses such limitations, which improves the
current situation.

We can also view seccomp as a complementary solution to the current
limitations of Landlock. Indeed, seccomp filters can block or restrict
the use of syscall families which may not be currently handled by Landlock.

> 
> It would be helpful if you could outline a threat model for this initial 
> version, so people can get an idea of what kind of useful protection may
> be gained from it.

The main threat model may be seen as protecting from vulnerable (i.e.
malicious) code. But because Landlock policies are defined by
application developers, they also define their own threat model.

> 
> Are there any distros or other major users who are planning on enabling or 
> at least investigating Landlock?

I think the question should be: is there any distros which are not
interested to improve the security of their users? :)
Landlock is mainly designed for application developers, and most Linux
distros rely on applications which are not developed by themselves.

Some hardened distros such as CLIP OS and Chrome OS are interested to
extend the security of the whole system with tailored sandboxing (e.g.
internal and critical services, security brokers). For example, Chrome
OS folks investigated with a previous version of Landlock:
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel-next/+/658517/
I'm sure there is other tailored distros which will be interested once
Landlock will be upstream (e.g. Tails, Qubes OS, Subgraph OS, etc.).

> 
> Do you have any examples of a practical application of this scheme?

We can start with applications with builtin sandboxing, like web
browsers, web services, email services, SSH, etc. There is also all
system services handled by an init system which provides security
features (e.g. systemd). There is also the security sandbox tools (e.g.
Minijail [1], Firejail [2], nsjail [3], Flatpak [4], etc.). And finally,
security-oriented APIs such as Sandboxed API [5]. Most of them should
welcome new Linux sandboxing features provided by Landlock.

[1] https://android.googlesource.com/platform/external/minijail
[2] https://firejail.wordpress.com/
[3] https://nsjail.dev/
[4] https://flatpak.org/
[5] https://github.com/google/sandboxed-api

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.