Received: by 10.223.185.116 with SMTP id b49csp5473966wrg; Tue, 27 Feb 2018 14:05:39 -0800 (PST) X-Google-Smtp-Source: AG47ELuvERm63vPZya2+f3p/eUnyBXhAFe5+meVj2M8cvI8wR9ywPikfkZpxCrETdgKYtaaXIpOn X-Received: by 2002:a17:902:28c3:: with SMTP id f61-v6mr4821799plb.346.1519769139394; Tue, 27 Feb 2018 14:05:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519769139; cv=none; d=google.com; s=arc-20160816; b=0t8othXwll7wK4IFGjYQyRmRN38X0Qpboji49wtFKS0MDmQ4GvTvCnrR0AyVaJFNwN xgkq2QgeeKCF+OnllExH2ywuuunLlRgcMs4aotuseuHBoYLK2LUQHUOc+mw7A4Imqn1+ 9ZhxhMs5Az5Y8thTLyRQ6j0uCQJWiZxHvub5cwmrYnjNN+nQZNDZGHDoEjMyFfF6l6C+ LdQRoOR10DsXdKJKwWporGN+puZgf1cRGxNcNO+ODMAWkPQZwY2lORvG19St8REh23HC UKeZe/hQ2TgORxGwPiBoX5McWefi+SsRqQjA/ovlaSUSIdflQw/hkssYWNRfUv8bTWT1 udZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=QipvQHPO+1ag0aDUwrPVZ1w8pJLqz8OLNeHZEadnxvs=; b=L6N7YV5VrZs1wQY5tXvAqmqIpynt8ZQjFMRpDtOqyQpGomcBubGgsEMuCqI0BV35wm kJragTasEItL9VbhNDRQbeNDAB7l1Q0NCkDXI0Lo++MCiIeKHhtuIlrtMcZ/Fh8cG6Gv UyGdkSjZ25nplqyTEwAkRGqbj//UOcC7yps4MdCp8U5s00cesjdzRnoi2W4Kc2yUQU+P FJi6jNgrX0Bzuc0dcT3GUKvkSkOfHfiBl8Gdgzu/O78ym8EBoWDMyvff0ddMqn1Dtr0g mCVZy4c+Q8meCVq7ksaQSqroGg5MyXZMHKPt1f78cyKtpku7TMS5GtTHVO2CJKydRDVB tKMQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b61-v6si117361plc.385.2018.02.27.14.05.24; Tue, 27 Feb 2018 14:05:39 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751889AbeB0WEl (ORCPT + 99 others); Tue, 27 Feb 2018 17:04:41 -0500 Received: from smtp-sh.infomaniak.ch ([128.65.195.4]:44874 "EHLO smtp-sh.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751646AbeB0WEi (ORCPT ); Tue, 27 Feb 2018 17:04:38 -0500 Received: from smtp8.infomaniak.ch (smtp8.infomaniak.ch [83.166.132.38]) by smtp-sh.infomaniak.ch (8.14.5/8.14.5) with ESMTP id w1RM3WDH031834 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 27 Feb 2018 23:03:32 +0100 Received: from ns3096276.ip-94-23-54.eu (ns3096276.ip-94-23-54.eu [94.23.54.103]) (authenticated bits=0) by smtp8.infomaniak.ch (8.14.5/8.14.5) with ESMTP id w1RM3RqN149916 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 27 Feb 2018 23:03:27 +0100 Subject: Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing To: Andy Lutomirski Cc: LKML , Alexei Starovoitov , Arnaldo Carvalho de Melo , Casey Schaufler , Daniel Borkmann , David Drysdale , "David S . Miller" , "Eric W . Biederman" , James Morris , Jann Horn , Jonathan Corbet , Michael Kerrisk , Kees Cook , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Tejun Heo , Thomas Graf , Tycho Andersen , Will Drewry , Kernel Hardening , Linux API , LSM List , Network Development References: <20180227004121.3633-1-mic@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <2e06621c-08e9-dc12-9b6e-9c09d5d8f458@digikod.net> Date: Tue, 27 Feb 2018 23:03:21 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="NNBuAyNJX1patDVCOQjx8daLF7SLGAZ8l" X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --NNBuAyNJX1patDVCOQjx8daLF7SLGAZ8l Content-Type: multipart/mixed; boundary="tHO53Qh91QSg47LdegCJFtRUDAs1rmtic"; protected-headers="v1" From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= To: Andy Lutomirski Cc: LKML , Alexei Starovoitov , Arnaldo Carvalho de Melo , Casey Schaufler , Daniel Borkmann , David Drysdale , "David S . Miller" , "Eric W . Biederman" , James Morris , Jann Horn , Jonathan Corbet , Michael Kerrisk , Kees Cook , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Tejun Heo , Thomas Graf , Tycho Andersen , Will Drewry , Kernel Hardening , Linux API , LSM List , Network Development Message-ID: <2e06621c-08e9-dc12-9b6e-9c09d5d8f458@digikod.net> Subject: Re: [PATCH bpf-next v8 00/11] Landlock LSM: Toward unprivileged sandboxing References: <20180227004121.3633-1-mic@digikod.net> In-Reply-To: --tHO53Qh91QSg47LdegCJFtRUDAs1rmtic Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 27/02/2018 05:36, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 12:41 AM, Micka=C3=ABl Sala=C3=BCn wrote: >> Hi, >> >> This eight series is a major revamp of the Landlock design compared to= >> the previous series [1]. This enables more flexibility and granularity= >> of access control with file paths. It is now possible to enforce an >> access control according to a file hierarchy. Landlock uses the concep= t >> of inode and path to identify such hierarchy. In a way, it brings tool= s >> to program what is a file hierarchy. >> >> There is now three types of Landlock hooks: FS_WALK, FS_PICK and FS_GE= T. >> Each of them accepts a dedicated eBPF program, called a Landlock >> program. They can be chained to enforce a full access control accordi= ng >> to a list of directories or files. The set of actions on a file is wel= l >> defined (e.g. read, write, ioctl, append, lock, mount...) taking >> inspiration from the major Linux LSMs and some other access-controls >> like Capsicum. These program types are designed to be cache-friendly,= >> which give room for optimizations in the future. >> >> The documentation patch contains some kernel documentation and >> explanations on how to use Landlock. The compiled documentation and >> a talk I gave at FOSDEM can be found here: https://landlock.io >> This patch series can be found in the branch landlock-v8 in this repo:= >> https://github.com/landlock-lsm/linux >> >> There is still some minor issues with this patch series but it should >> demonstrate how powerful this design may be. One of these issues is th= at >> it is not a stackable LSM anymore, but the infrastructure management o= f >> security blobs should allow to stack it with other LSM [4]. >> >> This is the first step of the roadmap discussed at LPC [2]. While the= >> intended final goal is to allow unprivileged users to use Landlock, th= is >> series allows only a process with global CAP_SYS_ADMIN to load and >> enforce a rule. This may help to get feedback and avoid unexpected >> behaviors. >> >> This series can be applied on top of bpf-next, commit 7d72637eb39f >> ("Merge branch 'x86-jit'"). This can be tested with >> CONFIG_SECCOMP_FILTER and CONFIG_SECURITY_LANDLOCK. I would really >> appreciate constructive comments on the design and the code. >> >> >> # Landlock LSM >> >> The goal of this new Linux Security Module (LSM) called Landlock is to= >> allow any process, including unprivileged ones, to create powerful >> security sandboxes comparable to XNU Sandbox or OpenBSD Pledge. This >> kind of sandbox is expected to help mitigate the security impact of bu= gs >> or unexpected/malicious behaviors in user-space applications. >> >> The approach taken is to add the minimum amount of code while still >> allowing the user-space application to create quite complex access >> rules. A dedicated security policy language such as the one used by >> SELinux, AppArmor and other major LSMs involves a lot of code and is >> usually permitted to only a trusted user (i.e. root). On the contrary= , >> eBPF programs already exist and are designed to be safely loaded by >> unprivileged user-space. >> >> This design does not seem too intrusive but is flexible enough to allo= w >> a powerful sandbox mechanism accessible by any process on Linux. The u= se >> of seccomp and Landlock is more suitable with the help of a user-space= >> library (e.g. libseccomp) that could help to specify a high-level >> language to express a security policy instead of raw eBPF programs. >> Moreover, thanks to the LLVM front-end, it is quite easy to write an >> eBPF program with a subset of the C language. >> >> >> # Frequently asked questions >> >> ## Why is seccomp-bpf not enough? >> >> A seccomp filter can access only raw syscall arguments (i.e. the >> register values) which means that it is not possible to filter accordi= ng >> to the value pointed to by an argument, such as a file pathname. As an= >> embryonic Landlock version demonstrated, filtering at the syscall leve= l >> is complicated (e.g. need to take care of race conditions). This is >> mainly because the access control checkpoints of the kernel are not at= >> this high-level but more underneath, at the LSM-hook level. The LSM >> hooks are designed to handle this kind of checks. Landlock abstracts >> this approach to leverage the ability of unprivileged users to limit >> themselves. >> >> Cf. section "What it isn't?" in Documentation/prctl/seccomp_filter.txt= >> >> >> ## Why use the seccomp(2) syscall? >> >> Landlock use the same semantic as seccomp to apply access rule >> restrictions. It add a new layer of security for the current process >> which is inherited by its children. It makes sense to use an unique >> access-restricting syscall (that should be allowed by seccomp filters)= >> which can only drop privileges. Moreover, a Landlock rule could come >> from outside a process (e.g. passed through a UNIX socket). It is the= n >> useful to differentiate the creation/load of Landlock eBPF programs vi= a >> bpf(2), from rule enforcement via seccomp(2). >=20 > This seems like a weak argument to me. Sure, this is a bit different > from seccomp(), and maybe shoving it into the seccomp() multiplexer is > awkward, but surely the bpf() multiplexer is even less applicable. I think using the seccomp syscall is fine, and everyone agreed on it. >=20 > But I think that you have more in common with seccomp() than you're > giving it credit for. With seccomp, you need to either prevent > ptrace() of any more-privileged task or you need to filter to make > sure you can't trace a more privileged program. With landlock, you > need exactly the same thing. You have basically the same no_new_privs > considerations, etc. Right, I did not mean to not give credit to seccomp at all. >=20 > Also, looking forward, I think you're going to want a bunch of the > stuff that's under consideration as new seccomp features. Tycho is > working on a "user notifier" feature for seccomp where, in addition to > accepting, rejecting, or kicking to ptrace, you can send a message to > the creator of the filter and wait for a reply. I think that Landlock > will want exactly the same feature. I don't think why this may be useful at all her. Landlock does not filter at the syscall level but handles kernel object and actions as does an LSM. That is the whole purpose of Landlock. >=20 > In other words, it really seems to be that you should extend seccomp() > with the ability to attach filters to things that aren't syscall > entry, e.g. file open. It seems that it is what I do=E2=80=A6 Not sure to understand you here. >=20 > I would also seriously consider doing a scaled-back Landlock variant > first, with the intent of getting the main mechanism into the kernel. > In particular, there are two big sources of complexity in Landlock. > You need to deal with the API for managing bpf programs that filter > various actions beyond just syscall entry, and you need to deal with > giving those filters a way to deal with inodes, paths, etc. But you > can do the former without the latter. For example, you could start > with some Landlock-style filters on things that have nothing to do > with files. For example, you could allow a filter for connecting to > an abstract-namespace unix socket. Or you could have a hook for > file_receive. (You couldn't meaningfully filter based on the *path* > of the fd being received without adding all the path infrastructure, > but you could fitler on the *type* of the fd being received.) Both of > these add new sandboxing abilities that don't currently exist. In > particular, you can't write a seccomp rule that prevents receiving an > fd using recvmsg() right now unless you block cmsg entirely. And you > can't write a filter that allows connecting to unix sockets by path > without allowing abstract namespace sockets either. What you are proposing here seems like my previous patch series (v7). As it was suggested by Kees (and requested by future users), this patch series is able to handle file paths. This is a good thing because it highlight that this design can scale to evaluate complex objects (i.e. file paths), which was not the case for the previous patch series. >=20 > If you split up Landlock like this then, once you got all the > installation and management of filters down, you could submit patches > to add all the path stuff and deal with that review separately. >=20 > What do you all think? >=20 I may be able to strip some parts for a first inclusion, but a complex use case like controlling access to files is an important use case. --tHO53Qh91QSg47LdegCJFtRUDAs1rmtic-- --NNBuAyNJX1patDVCOQjx8daLF7SLGAZ8l Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEUysCyY8er9Axt7hqIt7+33O9apUFAlqV1akACgkQIt7+33O9 apX3RAf/Vh1bZkIdMHhgQcqBuFYZhfGucJV/oz28btHZBbludlxFzMOZzwOrMl3c 6YTaajUH2fq4PMB1nmi6hFrt9YZBUNCD7omgpS1CqYfp5fATK+bHnZ407u9Xm8ox z9bQXgwBJMyXMh0wdjLYoDJ3NTN2i6sNBVZJ9sJhjjV2KT0N7wZJQ1HtK+8dgX7x ZuLHQsmTsefGcU5FUTJt09OKVshqi1NTTST5nygm9HO1C8XlvLxw3zJgH61GXnPd nb4RvNsPe+9HJ7addbl/tji0qW/CVBF1ZRq1QOlhMcOA9Lt8YXfuRvOXOFuyUUN+ WS5sPTKmod3XY8N+moKAxNSUvLVVCg== =uHFL -----END PGP SIGNATURE----- --NNBuAyNJX1patDVCOQjx8daLF7SLGAZ8l--