subject:"\[PATCH v26 11\/12\] samples\/landlock\: Add a sandbox manager example"

Re: [PATCH v26 11/12] samples/landlock: Add a sandbox manager example

2021-01-14 Thread Mickaël Salaün



On 14/01/2021 04:21, Jann Horn wrote:
> On Wed, Dec 9, 2020 at 8:29 PM Mickaël Salaün  wrote:
>> Add a basic sandbox tool to launch a command which can only access a
>> whitelist of file hierarchies in a read-only or read-write way.
> 
> I have to admit that I didn't really look at this closely before
> because it's just sample code... but I guess I should. You can add
> 
> Reviewed-by: Jann Horn 
> 
> if you fix the following nits:

OK, I will!

> 
> [...]
>> diff --git a/samples/Kconfig b/samples/Kconfig
> [...]
>> +config SAMPLE_LANDLOCK
>> +   bool "Build Landlock sample code"
>> +   depends on HEADERS_INSTALL
>> +   help
>> + Build a simple Landlock sandbox manager able to launch a process
>> + restricted by a user-defined filesystem access control.
> 
> nit: s/filesystem access control/filesystem access control policy/
> 
> [...]
>> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> [...]
>> +/*
>> + * Simple Landlock sandbox manager able to launch a process restricted by a
>> + * user-defined filesystem access control.
> 
> nit: s/filesystem access control/filesystem access control policy/
> 
> [...]
>> +int main(const int argc, char *const argv[], char *const *const envp)
>> +{
> [...]
>> +   if (argc < 2) {
> [...]
>> +   fprintf(stderr, "* %s: list of paths allowed to be used in a 
>> read-only way.\n",
>> +   ENV_FS_RO_NAME);
>> +   fprintf(stderr, "* %s: list of paths allowed to be used in a 
>> read-write way.\n",
>> +   ENV_FS_RO_NAME);
> 
> s/ENV_FS_RO_NAME/ENV_FS_RW_NAME/
> 
>> +   fprintf(stderr, "\nexample:\n"
>> +   
>> "%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
>> +   
>> "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
>> +   "%s bash -i\n",
>> +   ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
>> +   return 1;
>> +   }
>> +
>> +   ruleset_fd = landlock_create_ruleset(_attr, 
>> sizeof(ruleset_attr), 0);
>> +   if (ruleset_fd < 0) {
>> +   perror("Failed to create a ruleset");
>> +   switch (errno) {
> 
> (Just as a note: In theory perror() can change the value of errno, as
> far as I know - so AFAIK you'd theoretically have to do something
> like:
> 
> int errno_ = errno;
> perror("...");
> switch (errno_) {
>  ...
> }

Indeed :)

> 
> I'll almost certainly work fine as-is in practice though.)
>

Re: [PATCH v26 11/12] samples/landlock: Add a sandbox manager example

2021-01-13 Thread Jann Horn

On Wed, Dec 9, 2020 at 8:29 PM Mickaël Salaün  wrote:
> Add a basic sandbox tool to launch a command which can only access a
> whitelist of file hierarchies in a read-only or read-write way.

I have to admit that I didn't really look at this closely before
because it's just sample code... but I guess I should. You can add

Reviewed-by: Jann Horn 

if you fix the following nits:

[...]
> diff --git a/samples/Kconfig b/samples/Kconfig
[...]
> +config SAMPLE_LANDLOCK
> +   bool "Build Landlock sample code"
> +   depends on HEADERS_INSTALL
> +   help
> + Build a simple Landlock sandbox manager able to launch a process
> + restricted by a user-defined filesystem access control.

nit: s/filesystem access control/filesystem access control policy/

[...]
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
[...]
> +/*
> + * Simple Landlock sandbox manager able to launch a process restricted by a
> + * user-defined filesystem access control.

nit: s/filesystem access control/filesystem access control policy/

[...]
> +int main(const int argc, char *const argv[], char *const *const envp)
> +{
[...]
> +   if (argc < 2) {
[...]
> +   fprintf(stderr, "* %s: list of paths allowed to be used in a 
> read-only way.\n",
> +   ENV_FS_RO_NAME);
> +   fprintf(stderr, "* %s: list of paths allowed to be used in a 
> read-write way.\n",
> +   ENV_FS_RO_NAME);

s/ENV_FS_RO_NAME/ENV_FS_RW_NAME/

> +   fprintf(stderr, "\nexample:\n"
> +   
> "%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
> +   
> "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
> +   "%s bash -i\n",
> +   ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
> +   return 1;
> +   }
> +
> +   ruleset_fd = landlock_create_ruleset(_attr, 
> sizeof(ruleset_attr), 0);
> +   if (ruleset_fd < 0) {
> +   perror("Failed to create a ruleset");
> +   switch (errno) {

(Just as a note: In theory perror() can change the value of errno, as
far as I know - so AFAIK you'd theoretically have to do something
like:

int errno_ = errno;
perror("...");
switch (errno_) {
 ...
}

I'll almost certainly work fine as-is in practice though.)

[PATCH v26 11/12] samples/landlock: Add a sandbox manager example

2020-12-09 Thread Mickaël Salaün

From: Mickaël Salaün 

Add a basic sandbox tool to launch a command which can only access a
whitelist of file hierarchies in a read-only or read-write way.

Cc: James Morris 
Cc: Jann Horn 
Cc: Kees Cook 
Cc: Serge E. Hallyn 
Signed-off-by: Mickaël Salaün 
---

Changes since v25:
* Remove useless errno set in the syscall wrappers.
* Cosmetic variable renames.

Changes since v23:
* Re-add hints to help users understand the required kernel
  configuration.  This was removed with the removal of
  landlock_get_features(2).

Changes since v21:
* Remove LANDLOCK_ACCESS_FS_CHROOT.
* Clean up help.

Changes since v20:
* Update with new syscalls and type names.
* Update errno check for EOPNOTSUPP.
* Use the full syscall interfaces: explicitely set the "flags" field to
  zero.

Changes since v19:
* Update with the new Landlock syscalls.
* Comply with commit 5f2fb52fac15 ("kbuild: rename hostprogs-y/always to
  hostprogs/always-y").

Changes since v16:
* Switch syscall attribute pointer and size arguments.

Changes since v15:
* Update access right names.
* Properly assign access right to files according to the new related
  syscall restriction.
* Replace "select" with "depends on" HEADERS_INSTALL (suggested by Randy
  Dunlap).

Changes since v14:
* Fix Kconfig dependency.
* Remove access rights that may be required for FD-only requests:
  mmap, truncate, getattr, lock, chmod, chown, chgrp, ioctl.
* Fix useless hardcoded syscall number.
* Use execvpe().
* Follow symlinks.
* Extend help with common file paths.
* Constify variables.
* Clean up comments.
* Improve error message.

Changes since v11:
* Add back the filesystem sandbox manager and update it to work with the
  new Landlock syscall.

Previous changes:
https://lore.kernel.org/lkml/20190721213116.23476-9-...@digikod.net/
---
 samples/Kconfig  |   7 ++
 samples/Makefile |   1 +
 samples/landlock/.gitignore  |   1 +
 samples/landlock/Makefile|  15 +++
 samples/landlock/sandboxer.c | 233 +++
 5 files changed, 257 insertions(+)
 create mode 100644 samples/landlock/.gitignore
 create mode 100644 samples/landlock/Makefile
 create mode 100644 samples/landlock/sandboxer.c

diff --git a/samples/Kconfig b/samples/Kconfig
index 0ed6e4d71d87..e6129496ced5 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -124,6 +124,13 @@ config SAMPLE_HIDRAW
bool "hidraw sample"
depends on CC_CAN_LINK && HEADERS_INSTALL

+config SAMPLE_LANDLOCK
+   bool "Build Landlock sample code"
+   depends on HEADERS_INSTALL
+   help
+ Build a simple Landlock sandbox manager able to launch a process
+ restricted by a user-defined filesystem access control.
+
 config SAMPLE_PIDFD
bool "pidfd sample"
depends on CC_CAN_LINK && HEADERS_INSTALL
diff --git a/samples/Makefile b/samples/Makefile
index c3392a595e4b..087e0988ccc5 100644
--- a/samples/Makefile
+++ b/samples/Makefile
@@ -11,6 +11,7 @@ obj-$(CONFIG_SAMPLE_KDB)  += kdb/
 obj-$(CONFIG_SAMPLE_KFIFO) += kfifo/
 obj-$(CONFIG_SAMPLE_KOBJECT)   += kobject/
 obj-$(CONFIG_SAMPLE_KPROBES)   += kprobes/
+subdir-$(CONFIG_SAMPLE_LANDLOCK)   += landlock
 obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch/
 subdir-$(CONFIG_SAMPLE_PIDFD)  += pidfd
 obj-$(CONFIG_SAMPLE_QMI_CLIENT)+= qmi/
diff --git a/samples/landlock/.gitignore b/samples/landlock/.gitignore
new file mode 100644
index ..f43668b2d318
--- /dev/null
+++ b/samples/landlock/.gitignore
@@ -0,0 +1 @@
+/sandboxer
diff --git a/samples/landlock/Makefile b/samples/landlock/Makefile
new file mode 100644
index ..21eda5774948
--- /dev/null
+++ b/samples/landlock/Makefile
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: BSD-3-Clause
+
+hostprogs := sandboxer
+
+always-y := $(hostprogs)
+
+KBUILD_HOSTCFLAGS += -I$(objtree)/usr/include
+
+.PHONY: all clean
+
+all:
+   $(MAKE) -C ../.. samples/landlock/
+
+clean:
+   $(MAKE) -C ../.. M=samples/landlock/ clean
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
new file mode 100644
index ..82b2738b216c
--- /dev/null
+++ b/samples/landlock/sandboxer.c
@@ -0,0 +1,233 @@
+// SPDX-License-Identifier: BSD-3-Clause
+/*
+ * Simple Landlock sandbox manager able to launch a process restricted by a
+ * user-defined filesystem access control.
+ *
+ * Copyright © 2017-2020 Mickaël Salaün 
+ * Copyright © 2020 ANSSI
+ */
+
+#define _GNU_SOURCE
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#ifndef landlock_create_ruleset
+static inline int landlock_create_ruleset(
+   const struct landlock_ruleset_attr *const attr,
+   const size_t size, const __u32 flags)
+{
+   return syscall(__NR_landlock_create_ruleset, attr, size, flags);
+}
+#endif
+
+#ifndef landlock_add_rule
+static inline int landlock_add_rule(const int

Re: [PATCH v26 11/12] samples/landlock: Add a sandbox manager example

Re: [PATCH v26 11/12] samples/landlock: Add a sandbox manager example

[PATCH v26 11/12] samples/landlock: Add a sandbox manager example

3 matches

Site Navigation

Mail list logo

Footer information