Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 16 Nov 2020 22:36:17 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Pavel Machek <pavel@....cz>
Cc: James Morris <jmorris@...ei.org>, "Serge E . Hallyn" <serge@...lyn.com>,
 Al Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...capital.net>,
 Anton Ivanov <anton.ivanov@...bridgegreys.com>, Arnd Bergmann
 <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>,
 Jann Horn <jannh@...gle.com>, Jeff Dike <jdike@...toit.com>,
 Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>,
 Michael Kerrisk <mtk.manpages@...il.com>, Richard Weinberger
 <richard@....at>, Shuah Khan <shuah@...nel.org>,
 Vincent Dagonneau <vincent.dagonneau@....gouv.fr>,
 kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
 linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
 linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
 linux-kselftest@...r.kernel.org, linux-security-module@...r.kernel.org,
 x86@...nel.org, Mickaël Salaün
 <mic@...ux.microsoft.com>
Subject: Re: [PATCH v22 01/12] landlock: Add object management


On 16/11/2020 22:26, Pavel Machek wrote:
> Hi!
> 
>> A Landlock object enables to identify a kernel object (e.g. an inode).
>> A Landlock rule is a set of access rights allowed on an object.  Rules
>> are grouped in rulesets that may be tied to a set of processes (i.e.
>> subjects) to enforce a scoped access-control (i.e. a domain).
>>
>> Because Landlock's goal is to empower any process (especially
>> unprivileged ones) to sandbox themselves, we cannot rely on a
>> system-wide object identification such as file extended attributes.
> 
> 
>> +config SECURITY_LANDLOCK
>> +	bool "Landlock support"
>> +	depends on SECURITY
>> +	select SECURITY_PATH
>> +	help
>> +	  Landlock is a safe sandboxing mechanism which enables processes to
>> +	  restrict themselves (and their future children) by gradually
>> +	  enforcing tailored access control policies.  A security policy is a
>> +	  set of access rights (e.g. open a file in read-only, make a
>> +	  directory, etc.) tied to a file hierarchy.  Such policy can be configured
>> +	  and enforced by any processes for themselves thanks to dedicated system
>> +	  calls: landlock_create_ruleset(), landlock_add_rule(), and
>> +	  landlock_enforce_ruleset_current().
> 
> How does it interact with setuid binaries? Being able to exec passwd
> in a sandbox sounds like ... fun way to get root? :-).

It works like seccomp: if you run with CAP_SYS_ADMIN in the current
namespace, then SUID binaries may be allowed, otherwise if you use
PR_SET_NO_NEW_PRIVS, then executing a SUID binary is denied.

The 24th version is here:
https://lore.kernel.org/lkml/20201112205141.775752-1-mic@digikod.net/

> 
> Best regards,
> 								Pavel
> 								
> 

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.