Re: [PATCH v24 00/12] Landlock LSM

[James Morris]

On Thu, 12 Nov 2020, Mickaël Salaün wrote:

> Hi,
> 
> This patch series simplifies the code, makes stacked access-control more
> consistent (from the user point of view), properly handles memory
> allocation errors, and adds more tests (covering layered ruleset corner
> cases).  Most of these changes were sent as a separate patch series:
> https://lore.kernel.org/lkml/2020213442.434639-1-...@digikod.net/
> 
> James and Jann, could you please take a look at the main changes
> (patches 2, 7 and 8)?

We definitely need more review on these changes that came in. I'll drop 
the previous patchset from my tree and wait until the latest code is fully 
reviewed.

Fundamental locking issues and similar should be worked out before 
submitting for mainline merge.

-- 
James Morris

[PATCH v24 00/12] Landlock LSM

[Mickaël Salaün]

Hi,

This patch series simplifies the code, makes stacked access-control more
consistent (from the user point of view), properly handles memory
allocation errors, and adds more tests (covering layered ruleset corner
cases).  Most of these changes were sent as a separate patch series:
https://lore.kernel.org/lkml/2020213442.434639-1-...@digikod.net/

James and Jann, could you please take a look at the main changes
(patches 2, 7 and 8)?

The SLOC count is 1185 for security/landlock/ and 1767 for
tools/testing/selftest/landlock/ .  Test coverage for security/landlock/
is 94.8% of lines.  The code not covered only deals with internal kernel
errors (e.g. memory allocation) and race conditions.

The compiled documentation is available here:
https://landlock.io/linux-doc/landlock-v24/userspace-api/landlock.html

This series can be applied on top of v5.10-rc3 .  This can be tested
with CONFIG_SECURITY_LANDLOCK, CONFIG_SAMPLE_LANDLOCK and by prepending
"landlock," to CONFIG_LSM.  This patch series can be found in a Git
repository here:
https://github.com/landlock-lsm/linux/commits/landlock-v24
I would really appreciate constructive comments on this patch series.


# Landlock LSM

The goal of Landlock is to enable to restrict ambient rights (e.g.
global filesystem access) for a set of processes.  Because Landlock is a
stackable LSM [1], it makes possible to create safe security sandboxes
as new security layers in addition to the existing system-wide
access-controls. This kind of sandbox is expected to help mitigate the
security impact of bugs or unexpected/malicious behaviors in user-space
applications. Landlock empowers any process, including unprivileged
ones, to securely restrict themselves.

Landlock is inspired by seccomp-bpf but instead of filtering syscalls
and their raw arguments, a Landlock rule can restrict the use of kernel
objects like file hierarchies, according to the kernel semantic.
Landlock also takes inspiration from other OS sandbox mechanisms: XNU
Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil.

In this current form, Landlock misses some access-control features.
This enables to minimize this patch series and ease review.  This series
still addresses multiple use cases, especially with the combined use of
seccomp-bpf: applications with built-in sandboxing, init systems,
security sandbox tools and security-oriented APIs [2].

Previous version:
https://lore.kernel.org/lkml/20201103182109.1014179-1-...@digikod.net/

[1] 
https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b...@schaufler-ca.com/
[2] 
https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad046...@digikod.net/


Casey Schaufler (1):
  LSM: Infrastructure management of the superblock

Mickaël Salaün (11):
  landlock: Add object management
  landlock: Add ruleset and domain management
  landlock: Set up the security framework and manage credentials
  landlock: Add ptrace restrictions
  fs,security: Add sb_delete hook
  landlock: Support filesystem access-control
  landlock: Add syscall implementations
  arch: Wire up Landlock syscalls
  selftests/landlock: Add user space tests
  samples/landlock: Add a sandbox manager example
  landlock: Add user and kernel documentation

 Documentation/security/index.rst  |1 +
 Documentation/security/landlock.rst   |   79 +
 Documentation/userspace-api/index.rst |1 +
 Documentation/userspace-api/landlock.rst  |  275 +++
 MAINTAINERS   |   13 +
 arch/Kconfig  |7 +
 arch/alpha/kernel/syscalls/syscall.tbl|3 +
 arch/arm/tools/syscall.tbl|3 +
 arch/arm64/include/asm/unistd.h   |2 +-
 arch/arm64/include/asm/unistd32.h |6 +
 arch/ia64/kernel/syscalls/syscall.tbl |3 +
 arch/m68k/kernel/syscalls/syscall.tbl |3 +
 arch/microblaze/kernel/syscalls/syscall.tbl   |3 +
 arch/mips/kernel/syscalls/syscall_n32.tbl |3 +
 arch/mips/kernel/syscalls/syscall_n64.tbl |3 +
 arch/mips/kernel/syscalls/syscall_o32.tbl |3 +
 arch/parisc/kernel/syscalls/syscall.tbl   |3 +
 arch/powerpc/kernel/syscalls/syscall.tbl  |3 +
 arch/s390/kernel/syscalls/syscall.tbl |3 +
 arch/sh/kernel/syscalls/syscall.tbl   |3 +
 arch/sparc/kernel/syscalls/syscall.tbl|3 +
 arch/um/Kconfig   |1 +
 arch/x86/entry/syscalls/syscall_32.tbl|3 +
 arch/x86/entry/syscalls/syscall_64.tbl|3 +
 arch/xtensa/kernel/syscalls/syscall.tbl   |3 +
 fs/super.c|1 +
 include/linux/lsm_hook_defs.h |1 +
 include/linux/lsm_hooks.h |3 +
 include/linux/security.h  |4 +
 include/linux/syscalls.h  |7 +
 include/uapi/asm-generic/unistd.h |8 +-
 include/uapi/linux/landlock.h