Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp1216381ybk; Thu, 14 May 2020 03:31:04 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwpD6JkC2brrYF1Bw6c54ShFbSc9YvE66kFKhJbhA7JO7rH30R34+Hn3HXgDVKUEBcH+4Jf X-Received: by 2002:a50:be8f:: with SMTP id b15mr3191242edk.182.1589452264040; Thu, 14 May 2020 03:31:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589452264; cv=none; d=google.com; s=arc-20160816; b=GMj5z7T+up7XYLkff0LSi++p3mKbLKH8C8dQb7lE4KZXHBh/wJ+pn30626EG/xkhlp J0OzjOWp8H+B4bY/j95I9M0eSHWFt+ghp17Yw8n+iIbB/Sdvuy+QxH814PCRgc+jnjVj Dl3ue3tGhzbCHDCCnBknOaNe7nFVtxPi9VtQ3htMUq5vjJc0jxHFO9pw+l2pYMoSC4M9 0QQkbXx4vbMAQkPmuR6J8Bpys1f3SwPW9ymm1HXbV+VdauCMOhyfUDazUO3xapZ7oxxY c18LGp9F7BoWG2Zc85oTf/8FpZV+2y6gTu4S9HFgorx4WdrvDK9BO1YWArQEbruMhiI/ iZMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=ku8u0b5XR9oG0clO5N+ik6AivzeEZRKiFk5JJBF4RGY=; b=z/ebvAhv8dE2EKPNFA+o9oW1trTGEMi83e0rEs6x1zvF8ioqXCEtp7Pw6XqJZGeEme XPazbeLTJsf4JkvH6ymDXXFgbMZVTK4cauM0rWNa5sizlSQxo/wLeLlTFd71KJN/tKOa BDhqdXaaYpi9ym9kSrsMmeFbj3MQRpC+IckNkkxhyYNpFuRxo8+pqc8ENM8j96P2GPK8 dtOyNOli88ld7cYMKPPic5qiOIXNCNEJhzAPueAVQSYwPS3vg0KlLBSMF8BXkSExTyV6 XvPUtLHCUHzhh9iAFAdj2uVCymNCwsupSRAhe0BEr2RbtPGDRLVnR8YiD/sWLJPg6uqU WS5w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d4si1439499edy.155.2020.05.14.03.30.40; Thu, 14 May 2020 03:31:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726872AbgENK2W (ORCPT + 99 others); Thu, 14 May 2020 06:28:22 -0400 Received: from smtp-8faa.mail.infomaniak.ch ([83.166.143.170]:35279 "EHLO smtp-8faa.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726070AbgENK2V (ORCPT ); Thu, 14 May 2020 06:28:21 -0400 Received: from smtp-3-0000.mail.infomaniak.ch (unknown [10.4.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 49N75w45kTzlhj0J; Thu, 14 May 2020 12:27:48 +0200 (CEST) Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103]) by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 49N75t2qqnzljHmw; Thu, 14 May 2020 12:27:46 +0200 (CEST) Subject: Re: [PATCH v17 02/10] landlock: Add ruleset and domain management To: James Morris Cc: linux-kernel@vger.kernel.org, Al Viro , Andy Lutomirski , Arnd Bergmann , Casey Schaufler , Jann Horn , Jonathan Corbet , Kees Cook , Michael Kerrisk , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , "Serge E . Hallyn" , Shuah Khan , Vincent Dagonneau , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-security-module@vger.kernel.org, x86@kernel.org References: <20200511192156.1618284-1-mic@digikod.net> <20200511192156.1618284-3-mic@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: Date: Thu, 14 May 2020 12:27:45 +0200 User-Agent: MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 14/05/2020 05:09, James Morris wrote: > On Mon, 11 May 2020, Mickaël Salaün wrote: > >> + * .. warning:: >> + * >> + * It is currently not possible to restrict some file-related actions >> + * accessible through these syscall families: :manpage:`chdir(2)`, >> + * :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`, >> + * :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`, >> + * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`. >> + * Future Landlock evolutions will enable to restrict them. > > I have to wonder how useful Landlock will be without more coverage per > the above. This is the result of previous discussions (on mailing lists and conferences) to minimize the code of Landlock to ease review. There is also network and other subsystems which are not covered, the same way other LSMs may not cover everything. However, Landlock is designed to be extensible without breaking user space, so extending this access-control will not be a problem. Previous versions of this patch series handled much more. Moreover, we can compare the current situation with seccomp. Indeed, seccomp only enables to restrict system calls according to their number and their raw arguments. seccomp is designed to limit the attack surface of the kernel but it is also used to remove ways to access kernel resources. Application developers willing to sandbox their products are already using seccomp but there is limitations (e.g. file access control). Landlock addresses such limitations, which improves the current situation. We can also view seccomp as a complementary solution to the current limitations of Landlock. Indeed, seccomp filters can block or restrict the use of syscall families which may not be currently handled by Landlock. > > It would be helpful if you could outline a threat model for this initial > version, so people can get an idea of what kind of useful protection may > be gained from it. The main threat model may be seen as protecting from vulnerable (i.e. malicious) code. But because Landlock policies are defined by application developers, they also define their own threat model. > > Are there any distros or other major users who are planning on enabling or > at least investigating Landlock? I think the question should be: is there any distros which are not interested to improve the security of their users? :) Landlock is mainly designed for application developers, and most Linux distros rely on applications which are not developed by themselves. Some hardened distros such as CLIP OS and Chrome OS are interested to extend the security of the whole system with tailored sandboxing (e.g. internal and critical services, security brokers). For example, Chrome OS folks investigated with a previous version of Landlock: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel-next/+/658517/ I'm sure there is other tailored distros which will be interested once Landlock will be upstream (e.g. Tails, Qubes OS, Subgraph OS, etc.). > > Do you have any examples of a practical application of this scheme? We can start with applications with builtin sandboxing, like web browsers, web services, email services, SSH, etc. There is also all system services handled by an init system which provides security features (e.g. systemd). There is also the security sandbox tools (e.g. Minijail [1], Firejail [2], nsjail [3], Flatpak [4], etc.). And finally, security-oriented APIs such as Sandboxed API [5]. Most of them should welcome new Linux sandboxing features provided by Landlock. [1] https://android.googlesource.com/platform/external/minijail [2] https://firejail.wordpress.com/ [3] https://nsjail.dev/ [4] https://flatpak.org/ [5] https://github.com/google/sandboxed-api