Hi,
This patch series simplifies the code, makes stacked access-control more
consistent (from the user point of view), properly handles memory
allocation errors, and adds more tests (covering layered ruleset corner
cases). Most of these changes were sent as a separate patch series:
https://lore.kernel.org/lkml/2020213442.434639-1-...@digikod.net/
James and Jann, could you please take a look at the main changes
(patches 2, 7 and 8)?
The SLOC count is 1185 for security/landlock/ and 1767 for
tools/testing/selftest/landlock/ . Test coverage for security/landlock/
is 94.8% of lines. The code not covered only deals with internal kernel
errors (e.g. memory allocation) and race conditions.
The compiled documentation is available here:
https://landlock.io/linux-doc/landlock-v24/userspace-api/landlock.html
This series can be applied on top of v5.10-rc3 . This can be tested
with CONFIG_SECURITY_LANDLOCK, CONFIG_SAMPLE_LANDLOCK and by prepending
"landlock," to CONFIG_LSM. This patch series can be found in a Git
repository here:
https://github.com/landlock-lsm/linux/commits/landlock-v24
I would really appreciate constructive comments on this patch series.
# Landlock LSM
The goal of Landlock is to enable to restrict ambient rights (e.g.
global filesystem access) for a set of processes. Because Landlock is a
stackable LSM [1], it makes possible to create safe security sandboxes
as new security layers in addition to the existing system-wide
access-controls. This kind of sandbox is expected to help mitigate the
security impact of bugs or unexpected/malicious behaviors in user-space
applications. Landlock empowers any process, including unprivileged
ones, to securely restrict themselves.
Landlock is inspired by seccomp-bpf but instead of filtering syscalls
and their raw arguments, a Landlock rule can restrict the use of kernel
objects like file hierarchies, according to the kernel semantic.
Landlock also takes inspiration from other OS sandbox mechanisms: XNU
Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil.
In this current form, Landlock misses some access-control features.
This enables to minimize this patch series and ease review. This series
still addresses multiple use cases, especially with the combined use of
seccomp-bpf: applications with built-in sandboxing, init systems,
security sandbox tools and security-oriented APIs [2].
Previous version:
https://lore.kernel.org/lkml/20201103182109.1014179-1-...@digikod.net/
[1]
https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b...@schaufler-ca.com/
[2]
https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad046...@digikod.net/
Casey Schaufler (1):
LSM: Infrastructure management of the superblock
Mickaël Salaün (11):
landlock: Add object management
landlock: Add ruleset and domain management
landlock: Set up the security framework and manage credentials
landlock: Add ptrace restrictions
fs,security: Add sb_delete hook
landlock: Support filesystem access-control
landlock: Add syscall implementations
arch: Wire up Landlock syscalls
selftests/landlock: Add user space tests
samples/landlock: Add a sandbox manager example
landlock: Add user and kernel documentation
Documentation/security/index.rst |1 +
Documentation/security/landlock.rst | 79 +
Documentation/userspace-api/index.rst |1 +
Documentation/userspace-api/landlock.rst | 275 +++
MAINTAINERS | 13 +
arch/Kconfig |7 +
arch/alpha/kernel/syscalls/syscall.tbl|3 +
arch/arm/tools/syscall.tbl|3 +
arch/arm64/include/asm/unistd.h |2 +-
arch/arm64/include/asm/unistd32.h |6 +
arch/ia64/kernel/syscalls/syscall.tbl |3 +
arch/m68k/kernel/syscalls/syscall.tbl |3 +
arch/microblaze/kernel/syscalls/syscall.tbl |3 +
arch/mips/kernel/syscalls/syscall_n32.tbl |3 +
arch/mips/kernel/syscalls/syscall_n64.tbl |3 +
arch/mips/kernel/syscalls/syscall_o32.tbl |3 +
arch/parisc/kernel/syscalls/syscall.tbl |3 +
arch/powerpc/kernel/syscalls/syscall.tbl |3 +
arch/s390/kernel/syscalls/syscall.tbl |3 +
arch/sh/kernel/syscalls/syscall.tbl |3 +
arch/sparc/kernel/syscalls/syscall.tbl|3 +
arch/um/Kconfig |1 +
arch/x86/entry/syscalls/syscall_32.tbl|3 +
arch/x86/entry/syscalls/syscall_64.tbl|3 +
arch/xtensa/kernel/syscalls/syscall.tbl |3 +
fs/super.c|1 +
include/linux/lsm_hook_defs.h |1 +
include/linux/lsm_hooks.h |3 +
include/linux/security.h |4 +
include/linux/syscalls.h |7 +
include/uapi/asm-generic/unistd.h |8 +-
include/uapi/linux/landlock.h