References: <20201209192839.1396820-1-mic@digikod.net> <20201209192839.1396820-12-mic@digikod.net>
In-Reply-To: <20201209192839.1396820-12-mic@digikod.net>
From: Jann Horn
Date: Thu, 14 Jan 2021 04:21:30 +0100
Subject: Re: [PATCH v26 11/12] samples/landlock: Add a sandbox manager example
To: Mickaël Salaün
Cc: James Morris, Serge E. Hallyn, Al Viro, Andy Lutomirski, Anton Ivanov, Arnd Bergmann, Casey Schaufler, Jeff Dike, Jonathan Corbet, Kees Cook, Michael Kerrisk, Richard Weinberger, Shuah Khan, Vincent Dagonneau, Kernel Hardening, Linux API, linux-arch, open list:DOCUMENTATION, linux-fsdevel, kernel list, open list:KERNEL SELFTEST FRAMEWORK, linux-security-module, the arch/x86 maintainers, Mickaël Salaün
List-ID: linux-kernel@vger.kernel.org

On Wed, Dec 9, 2020 at 8:29 PM Mickaël Salaün wrote:
> Add a basic sandbox tool to launch a command which can only access a
> whitelist of file hierarchies in a read-only or read-write way.

I have to admit that I didn't really look at this closely before
because it's just sample code... but I guess I should. You can add

Reviewed-by: Jann Horn

if you fix the following nits:

[...]
> diff --git a/samples/Kconfig b/samples/Kconfig
[...]
> +config SAMPLE_LANDLOCK
> +	bool "Build Landlock sample code"
> +	depends on HEADERS_INSTALL
> +	help
> +	  Build a simple Landlock sandbox manager able to launch a process
> +	  restricted by a user-defined filesystem access control.

nit: s/filesystem access control/filesystem access control policy/

[...]
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
[...]
> +/*
> + * Simple Landlock sandbox manager able to launch a process restricted by a
> + * user-defined filesystem access control.

nit: s/filesystem access control/filesystem access control policy/

[...]
> +int main(const int argc, char *const argv[], char *const *const envp)
> +{
[...]
> +	if (argc < 2) {
[...]
> +		fprintf(stderr, "* %s: list of paths allowed to be used in a read-only way.\n",
> +				ENV_FS_RO_NAME);
> +		fprintf(stderr, "* %s: list of paths allowed to be used in a read-write way.\n",
> +				ENV_FS_RO_NAME);

s/ENV_FS_RO_NAME/ENV_FS_RW_NAME/

> +		fprintf(stderr, "\nexample:\n"
> +				"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
> +				"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
> +				"%s bash -i\n",
> +				ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
> +		return 1;
> +	}
> +
> +	ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
> +	if (ruleset_fd < 0) {
> +		perror("Failed to create a ruleset");
> +		switch (errno) {

(Just as a note: In theory perror() can change the value of errno, as
far as I know - so AFAIK you'd theoretically have to do something like:

int errno_ = errno;
perror("...");
switch (errno_) {
...
}

It'll almost certainly work fine as-is in practice though.)
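Review bot: in the main() hunk, the `if (argc < 2)` usage path hands argv[0] to a "%s" conversion, but that branch is also taken when argc == 0 (a process exec'd with an empty argument vector), in which case argv[0] is NULL and fprintf() with a NULL "%s" argument is undefined behaviour. Pick the program name defensively before printing the usage text, e.g. `const char *prog = argc > 0 ? argv[0] : "sandboxer";` and pass `prog` in place of `argv[0]`, so the usage text never dereferences a missing argv[0].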