Subject: Re: [PATCH v22 01/12] landlock: Add object management
To: Pavel Machek
Cc: James Morris, "Serge E. Hallyn", Al Viro, Andy Lutomirski, Anton Ivanov, Arnd Bergmann, Casey Schaufler, Jann Horn, Jeff Dike, Jonathan Corbet, Kees Cook, Michael Kerrisk, Richard Weinberger, Shuah Khan, Vincent Dagonneau, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-security-module@vger.kernel.org, x86@kernel.org, Mickaël Salaün
References: <20201027200358.557003-1-mic@digikod.net> <20201027200358.557003-2-mic@digikod.net> <20201116212609.GA13063@amd>
From: Mickaël Salaün
Message-ID: <523d2141-e6f9-354d-d102-ae8345c84686@digikod.net>
Date: Mon, 16 Nov 2020 22:36:17 +0100
In-Reply-To: <20201116212609.GA13063@amd>
List-ID: linux-kernel@vger.kernel.org

On 16/11/2020 22:26, Pavel Machek wrote:
> Hi!
>
>> A Landlock object enables to identify a kernel object (e.g. an inode).
>> A Landlock rule is a set of access rights allowed on an object. Rules
>> are grouped in rulesets that may be tied to a set of processes (i.e.
>> subjects) to enforce a scoped access-control (i.e. a domain).
>>
>> Because Landlock's goal is to empower any process (especially
>> unprivileged ones) to sandbox themselves, we cannot rely on a
>> system-wide object identification such as file extended attributes.
>
>
>> +config SECURITY_LANDLOCK
>> +	bool "Landlock support"
>> +	depends on SECURITY
>> +	select SECURITY_PATH
>> +	help
>> +	  Landlock is a safe sandboxing mechanism which enables processes to
>> +	  restrict themselves (and their future children) by gradually
>> +	  enforcing tailored access control policies. A security policy is a
>> +	  set of access rights (e.g. open a file in read-only, make a
>> +	  directory, etc.) tied to a file hierarchy. Such policy can be configured
>> +	  and enforced by any processes for themselves thanks to dedicated system
>> +	  calls: landlock_create_ruleset(), landlock_add_rule(), and
>> +	  landlock_enforce_ruleset_current().
>
> How does it interact with setuid binaries? Being able to exec passwd
> in a sandbox sounds like ... fun way to get root? :-).

It works like seccomp: if you run with CAP_SYS_ADMIN in the current
namespace, then SUID binaries may be allowed, otherwise if you use
PR_SET_NO_NEW_PRIVS, then executing a SUID binary is denied.

The 24th version is here:
https://lore.kernel.org/lkml/20201112205141.775752-1-mic@digikod.net/

>
> Best regards,
> Pavel
>
>
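Review bot: the SECURITY_LANDLOCK help text in the quoted Kconfig hunk leaves out the enforcement prerequisite that the reply spells out, namely that, as with seccomp, a process without CAP_SYS_ADMIN in its namespace has to use PR_SET_NO_NEW_PRIVS, which is also what keeps a setuid binary executed inside the sandbox from handing out privileges. Since the setuid question is the first one a reader of this option will raise, consider adding a line to the help text to that effect, and "enforced by any processes for themselves" should read "enforced by any process for itself".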
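As an added illustration (not code from the thread or from the Landlock patches), the seccomp-style gate described in the reply, mirrored in userspace: an unprivileged process sets no_new_privs before restricting itself, so that a setuid binary it later executes cannot gain privileges. The CAP_SYS_ADMIN check reads CapEff from /proc/self/status as an approximation of the kernel's per-namespace capable() check; the names sandbox_prepare(), has_effective_cap(), cap_in_hexmask() and no_new_privs_is_set() are assumptions of this example, and 21 is the kernel's value for CAP_SYS_ADMIN. Linux only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

#define CAP_SYS_ADMIN 21 /* value from the kernel's include/uapi/linux/capability.h */

/* 1 if bit `cap` is set in a /proc-style hexadecimal capability mask. */
static int cap_in_hexmask(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Effective capability of the calling task, read from the CapEff line of
 * /proc/self/status (approximates the kernel's per-namespace capable() check).
 * Returns 1 or 0, or -1 if the field could not be read. */
static int has_effective_cap(int cap)
{
    char line[256];
    int result = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            result = cap_in_hexmask(line + 7, cap); /* strtoull skips the tab */
            break;
        }
    }
    fclose(f);
    return result;
}

static int no_new_privs_is_set(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Seccomp-style gate a process passes before restricting itself. Returns 1 when
 * CAP_SYS_ADMIN is held (enforcement allowed as-is; setuid execs may still gain
 * privileges), 0 once no_new_privs is set for an unprivileged caller (execve()
 * can no longer grant privileges, so a setuid binary stays unprivileged), -1 on error. */
static int sandbox_prepare(void)
{
    int admin = has_effective_cap(CAP_SYS_ADMIN);
    if (admin < 0) return -1;
    if (admin) return 1;
    if (!no_new_privs_is_set() && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return 0;
}
```

Setting no_new_privs is irreversible for the process and is inherited by its children, which is exactly the property the sandbox relies on.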