Re: [PATCH v22 01/12] landlock: Add object management
From: Mickaël Salaün
Date: Mon Nov 16 2020 - 16:36:46 EST
On 16/11/2020 22:26, Pavel Machek wrote:
> Hi!
>
>> A Landlock object enables to identify a kernel object (e.g. an inode).
>> A Landlock rule is a set of access rights allowed on an object. Rules
>> are grouped in rulesets that may be tied to a set of processes (i.e.
>> subjects) to enforce a scoped access-control (i.e. a domain).
>>
>> Because Landlock's goal is to empower any process (especially
>> unprivileged ones) to sandbox themselves, we cannot rely on a
>> system-wide object identification such as file extended attributes.
>
>
>> +config SECURITY_LANDLOCK
>> + bool "Landlock support"
>> + depends on SECURITY
>> + select SECURITY_PATH
>> + help
>> + Landlock is a safe sandboxing mechanism which enables processes to
>> + restrict themselves (and their future children) by gradually
>> + enforcing tailored access control policies. A security policy is a
>> + set of access rights (e.g. open a file in read-only, make a
>> + directory, etc.) tied to a file hierarchy. Such policy can be configured
>> + and enforced by any processes for themselves thanks to dedicated system
>> + calls: landlock_create_ruleset(), landlock_add_rule(), and
>> + landlock_enforce_ruleset_current().
>
> How does it interact with setuid binaries? Being able to exec passwd
> in a sandbox sounds like ... fun way to get root? :-).
It works like seccomp: if you run with CAP_SYS_ADMIN in the current
namespace, then SUID binaries may be allowed, otherwise if you use
PR_SET_NO_NEW_PRIVS, then executing a SUID binary is denied.
The 24th version is here:
https://lore.kernel.org/lkml/20201112205141.775752-1-mic@xxxxxxxxxxx/
>
> Best regards,
> Pavel
>
>