* [GIT PULL][Security] Add new Landlock LSM
@ 2021-04-28 2:54 James Morris
2021-05-02 2:02 ` pr-tracker-bot
2021-05-07 16:15 ` New mailing list for Landlock LSM user space discussions Mickaël Salaün
0 siblings, 2 replies; 3+ messages in thread
From: James Morris @ 2021-04-28 2:54 UTC (permalink / raw)
To: Linus Torvalds
Cc: linux-security-module, linux-kernel, Mickaël Salaün,
Al Viro
[-- Attachment #1: Type: text/plain, Size: 9628 bytes --]
Hi Linus,
This patchset adds a new LSM called Landlock, from Mickaël Salaün.
Briefly, Landlock provides for unprivileged application sandboxing.
From Mickaël's cover letter:
The goal of Landlock is to enable to restrict ambient rights (e.g.
global filesystem access) for a set of processes. Because Landlock is a
stackable LSM [1], it makes possible to create safe security sandboxes
as new security layers in addition to the existing system-wide
access-controls. This kind of sandbox is expected to help mitigate the
security impact of bugs or unexpected/malicious behaviors in user-space
applications. Landlock empowers any process, including unprivileged
ones, to securely restrict themselves.
Landlock is inspired by seccomp-bpf but instead of filtering syscalls
and their raw arguments, a Landlock rule can restrict the use of kernel
objects like file hierarchies, according to the kernel semantic.
Landlock also takes inspiration from other OS sandbox mechanisms: XNU
Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil.
In this current form, Landlock misses some access-control features.
This enables to minimize this patch series and ease review. This series
still addresses multiple use cases, especially with the combined use of
seccomp-bpf: applications with built-in sandboxing, init systems,
security sandbox tools and security-oriented APIs [2].
[1] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com/
[2] https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.net/
The cover letter and v34 posting is here:
https://lore.kernel.org/linux-security-module/20210422154123.13086-1-mic@digikod.net/
See also: https://landlock.io/
This code has had extensive design discussion and review over several
years. The v33 code has been in next since April 9, and was updated last
week to v34 with a relatively simple change. If you prefer to pull v33
instead, please pull "tags/landlock_v33" instead, and we'll push the
change through after merging.
There's a merge conflict in the syscall tables, with resolution by
Stephen Rothwell:
https://lore.kernel.org/linux-next/20210409143954.22329cfa@canb.auug.org.au/
Al Viro raised some issues re. the VFS in v31:
https://lore.kernel.org/linux-security-module/YGUslUPwp85Zrp4t@zeniv-ca.linux.org.uk/
which were addressed in comments and in v33:
https://lore.kernel.org/linux-security-module/5f4dfa1-f9ac-f31f-3237-dcf976cabbfc@namei.org/
Please pull.
---
The following changes since commit 1e28eed17697bcf343c6743f0028cc3b5dd88bf0:
Linux 5.12-rc3 (2021-03-14 14:41:02 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git tags/landlock_v34
for you to fetch changes up to 3532b0b4352ce79400b0aa68414f1a0fc422b920:
landlock: Enable user space to infer supported features (2021-04-22 12:22:11 -0700)
----------------------------------------------------------------
Add Landlock, a new LSM from Mickaël Salaün <mic@linux.microsoft.com>
----------------------------------------------------------------
Casey Schaufler (1):
LSM: Infrastructure management of the superblock
Mickaël Salaün (12):
landlock: Add object management
landlock: Add ruleset and domain management
landlock: Set up the security framework and manage credentials
landlock: Add ptrace restrictions
landlock: Support filesystem access-control
fs,security: Add sb_delete hook
arch: Wire up Landlock syscalls
landlock: Add syscall implementations
selftests/landlock: Add user space tests
samples/landlock: Add a sandbox manager example
landlock: Add user and kernel documentation
landlock: Enable user space to infer supported features
Documentation/security/index.rst | 1 +
Documentation/security/landlock.rst | 85 +
Documentation/userspace-api/index.rst | 1 +
Documentation/userspace-api/landlock.rst | 311 +++
MAINTAINERS | 15 +
arch/Kconfig | 7 +
arch/alpha/kernel/syscalls/syscall.tbl | 3 +
arch/arm/tools/syscall.tbl | 3 +
arch/arm64/include/asm/unistd.h | 2 +-
arch/arm64/include/asm/unistd32.h | 6 +
arch/ia64/kernel/syscalls/syscall.tbl | 3 +
arch/m68k/kernel/syscalls/syscall.tbl | 3 +
arch/microblaze/kernel/syscalls/syscall.tbl | 3 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 3 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 3 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 3 +
arch/parisc/kernel/syscalls/syscall.tbl | 3 +
arch/powerpc/kernel/syscalls/syscall.tbl | 3 +
arch/s390/kernel/syscalls/syscall.tbl | 3 +
arch/sh/kernel/syscalls/syscall.tbl | 3 +
arch/sparc/kernel/syscalls/syscall.tbl | 3 +
arch/um/Kconfig | 1 +
arch/x86/entry/syscalls/syscall_32.tbl | 3 +
arch/x86/entry/syscalls/syscall_64.tbl | 3 +
arch/xtensa/kernel/syscalls/syscall.tbl | 3 +
fs/super.c | 1 +
include/linux/lsm_hook_defs.h | 1 +
include/linux/lsm_hooks.h | 4 +
include/linux/security.h | 4 +
include/linux/syscalls.h | 7 +
include/uapi/asm-generic/unistd.h | 8 +-
include/uapi/linux/landlock.h | 137 ++
kernel/sys_ni.c | 5 +
samples/Kconfig | 7 +
samples/Makefile | 1 +
samples/landlock/.gitignore | 1 +
samples/landlock/Makefile | 13 +
samples/landlock/sandboxer.c | 238 ++
security/Kconfig | 11 +-
security/Makefile | 2 +
security/landlock/Kconfig | 21 +
security/landlock/Makefile | 4 +
security/landlock/common.h | 20 +
security/landlock/cred.c | 46 +
security/landlock/cred.h | 58 +
security/landlock/fs.c | 692 ++++++
security/landlock/fs.h | 70 +
security/landlock/limits.h | 21 +
security/landlock/object.c | 67 +
security/landlock/object.h | 91 +
security/landlock/ptrace.c | 120 +
security/landlock/ptrace.h | 14 +
security/landlock/ruleset.c | 473 ++++
security/landlock/ruleset.h | 165 ++
security/landlock/setup.c | 40 +
security/landlock/setup.h | 18 +
security/landlock/syscalls.c | 451 ++++
security/security.c | 51 +-
security/selinux/hooks.c | 58 +-
security/selinux/include/objsec.h | 6 +
security/selinux/ss/services.c | 3 +-
security/smack/smack.h | 6 +
security/smack/smack_lsm.c | 35 +-
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/landlock/.gitignore | 2 +
tools/testing/selftests/landlock/Makefile | 24 +
tools/testing/selftests/landlock/base_test.c | 266 +++
tools/testing/selftests/landlock/common.h | 183 ++
tools/testing/selftests/landlock/config | 7 +
tools/testing/selftests/landlock/fs_test.c | 2791 ++++++++++++++++++++++++
tools/testing/selftests/landlock/ptrace_test.c | 337 +++
tools/testing/selftests/landlock/true.c | 5 +
72 files changed, 6986 insertions(+), 77 deletions(-)
create mode 100644 Documentation/security/landlock.rst
create mode 100644 Documentation/userspace-api/landlock.rst
create mode 100644 include/uapi/linux/landlock.h
create mode 100644 samples/landlock/.gitignore
create mode 100644 samples/landlock/Makefile
create mode 100644 samples/landlock/sandboxer.c
create mode 100644 security/landlock/Kconfig
create mode 100644 security/landlock/Makefile
create mode 100644 security/landlock/common.h
create mode 100644 security/landlock/cred.c
create mode 100644 security/landlock/cred.h
create mode 100644 security/landlock/fs.c
create mode 100644 security/landlock/fs.h
create mode 100644 security/landlock/limits.h
create mode 100644 security/landlock/object.c
create mode 100644 security/landlock/object.h
create mode 100644 security/landlock/ptrace.c
create mode 100644 security/landlock/ptrace.h
create mode 100644 security/landlock/ruleset.c
create mode 100644 security/landlock/ruleset.h
create mode 100644 security/landlock/setup.c
create mode 100644 security/landlock/setup.h
create mode 100644 security/landlock/syscalls.c
create mode 100644 tools/testing/selftests/landlock/.gitignore
create mode 100644 tools/testing/selftests/landlock/Makefile
create mode 100644 tools/testing/selftests/landlock/base_test.c
create mode 100644 tools/testing/selftests/landlock/common.h
create mode 100644 tools/testing/selftests/landlock/config
create mode 100644 tools/testing/selftests/landlock/fs_test.c
create mode 100644 tools/testing/selftests/landlock/ptrace_test.c
create mode 100644 tools/testing/selftests/landlock/true.c
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [GIT PULL][Security] Add new Landlock LSM
2021-04-28 2:54 [GIT PULL][Security] Add new Landlock LSM James Morris
@ 2021-05-02 2:02 ` pr-tracker-bot
2021-05-07 16:15 ` New mailing list for Landlock LSM user space discussions Mickaël Salaün
1 sibling, 0 replies; 3+ messages in thread
From: pr-tracker-bot @ 2021-05-02 2:02 UTC (permalink / raw)
To: James Morris
Cc: Linus Torvalds, linux-security-module, linux-kernel,
Mickaël Salaün, Al Viro
The pull request you sent on Wed, 28 Apr 2021 12:54:22 +1000 (AEST):
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git tags/landlock_v34
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/17ae69aba89dbfa2139b7f8024b757ab3cc42f59
Thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* New mailing list for Landlock LSM user space discussions
2021-04-28 2:54 [GIT PULL][Security] Add new Landlock LSM James Morris
2021-05-02 2:02 ` pr-tracker-bot
@ 2021-05-07 16:15 ` Mickaël Salaün
1 sibling, 0 replies; 3+ messages in thread
From: Mickaël Salaün @ 2021-05-07 16:15 UTC (permalink / raw)
To: landlock
Cc: kernel-hardening, linux-kernel, linux-security-module,
linux-hardening
Hi,
Here is a new mailing list for application developers to ask questions
about Landlock and collaborate. This mailing list is also a place to
send patches to user space applications (in CC) to support Landlock. The
linux-security-module@vger.kernel.org mailing list should still be used
for kernel development though.
You can subscribe or just freely send emails to
landlock@lists.linux.dev: https://subspace.kernel.org/lists.linux.dev.html
Regards,
Mickaël
On 02/05/2021 04:02, pr-tracker-bot@kernel.org wrote:
> The pull request you sent on Wed, 28 Apr 2021 12:54:22 +1000 (AEST):
>
>> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git tags/landlock_v34
>
> has been merged into torvalds/linux.git:
> https://git.kernel.org/torvalds/c/17ae69aba89dbfa2139b7f8024b757ab3cc42f59
>
> Thank you!
>
On 28/04/2021 04:54, James Morris wrote:
> Hi Linus,
>
> This patchset adds a new LSM called Landlock, from Mickaël Salaün.
>
> Briefly, Landlock provides for unprivileged application sandboxing.
>
>>From Mickaël's cover letter:
>
> The goal of Landlock is to enable to restrict ambient rights (e.g.
> global filesystem access) for a set of processes. Because Landlock is a
> stackable LSM [1], it makes possible to create safe security sandboxes
> as new security layers in addition to the existing system-wide
> access-controls. This kind of sandbox is expected to help mitigate the
> security impact of bugs or unexpected/malicious behaviors in user-space
> applications. Landlock empowers any process, including unprivileged
> ones, to securely restrict themselves.
>
> Landlock is inspired by seccomp-bpf but instead of filtering syscalls
> and their raw arguments, a Landlock rule can restrict the use of kernel
> objects like file hierarchies, according to the kernel semantic.
> Landlock also takes inspiration from other OS sandbox mechanisms: XNU
> Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil.
>
> In this current form, Landlock misses some access-control features.
> This enables to minimize this patch series and ease review. This series
> still addresses multiple use cases, especially with the combined use of
> seccomp-bpf: applications with built-in sandboxing, init systems,
> security sandbox tools and security-oriented APIs [2].
>
> [1] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com/
> [2] https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.net/
>
> The cover letter and v34 posting is here:
> https://lore.kernel.org/linux-security-module/20210422154123.13086-1-mic@digikod.net/
>
> See also: https://landlock.io/
>
> This code has had extensive design discussion and review over several
> years. The v33 code has been in next since April 9, and was updated last
> week to v34 with a relatively simple change. If you prefer to pull v33
> instead, please pull "tags/landlock_v33" instead, and we'll push the
> change through after merging.
>
> There's a merge conflict in the syscall tables, with resolution by
> Stephen Rothwell:
> https://lore.kernel.org/linux-next/20210409143954.22329cfa@canb.auug.org.au/
>
> Al Viro raised some issues re. the VFS in v31:
> https://lore.kernel.org/linux-security-module/YGUslUPwp85Zrp4t@zeniv-ca.linux.org.uk/
>
> which were addressed in comments and in v33:
> https://lore.kernel.org/linux-security-module/5f4dfa1-f9ac-f31f-3237-dcf976cabbfc@namei.org/
>
>
> Please pull.
>
> ---
>
> The following changes since commit 1e28eed17697bcf343c6743f0028cc3b5dd88bf0:
>
> Linux 5.12-rc3 (2021-03-14 14:41:02 -0700)
>
> are available in the Git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git tags/landlock_v34
>
> for you to fetch changes up to 3532b0b4352ce79400b0aa68414f1a0fc422b920:
>
> landlock: Enable user space to infer supported features (2021-04-22 12:22:11 -0700)
>
> ----------------------------------------------------------------
> Add Landlock, a new LSM from Mickaël Salaün <mic@linux.microsoft.com>
>
> ----------------------------------------------------------------
> Casey Schaufler (1):
> LSM: Infrastructure management of the superblock
>
> Mickaël Salaün (12):
> landlock: Add object management
> landlock: Add ruleset and domain management
> landlock: Set up the security framework and manage credentials
> landlock: Add ptrace restrictions
> landlock: Support filesystem access-control
> fs,security: Add sb_delete hook
> arch: Wire up Landlock syscalls
> landlock: Add syscall implementations
> selftests/landlock: Add user space tests
> samples/landlock: Add a sandbox manager example
> landlock: Add user and kernel documentation
> landlock: Enable user space to infer supported features
>
> Documentation/security/index.rst | 1 +
> Documentation/security/landlock.rst | 85 +
> Documentation/userspace-api/index.rst | 1 +
> Documentation/userspace-api/landlock.rst | 311 +++
> MAINTAINERS | 15 +
> arch/Kconfig | 7 +
> arch/alpha/kernel/syscalls/syscall.tbl | 3 +
> arch/arm/tools/syscall.tbl | 3 +
> arch/arm64/include/asm/unistd.h | 2 +-
> arch/arm64/include/asm/unistd32.h | 6 +
> arch/ia64/kernel/syscalls/syscall.tbl | 3 +
> arch/m68k/kernel/syscalls/syscall.tbl | 3 +
> arch/microblaze/kernel/syscalls/syscall.tbl | 3 +
> arch/mips/kernel/syscalls/syscall_n32.tbl | 3 +
> arch/mips/kernel/syscalls/syscall_n64.tbl | 3 +
> arch/mips/kernel/syscalls/syscall_o32.tbl | 3 +
> arch/parisc/kernel/syscalls/syscall.tbl | 3 +
> arch/powerpc/kernel/syscalls/syscall.tbl | 3 +
> arch/s390/kernel/syscalls/syscall.tbl | 3 +
> arch/sh/kernel/syscalls/syscall.tbl | 3 +
> arch/sparc/kernel/syscalls/syscall.tbl | 3 +
> arch/um/Kconfig | 1 +
> arch/x86/entry/syscalls/syscall_32.tbl | 3 +
> arch/x86/entry/syscalls/syscall_64.tbl | 3 +
> arch/xtensa/kernel/syscalls/syscall.tbl | 3 +
> fs/super.c | 1 +
> include/linux/lsm_hook_defs.h | 1 +
> include/linux/lsm_hooks.h | 4 +
> include/linux/security.h | 4 +
> include/linux/syscalls.h | 7 +
> include/uapi/asm-generic/unistd.h | 8 +-
> include/uapi/linux/landlock.h | 137 ++
> kernel/sys_ni.c | 5 +
> samples/Kconfig | 7 +
> samples/Makefile | 1 +
> samples/landlock/.gitignore | 1 +
> samples/landlock/Makefile | 13 +
> samples/landlock/sandboxer.c | 238 ++
> security/Kconfig | 11 +-
> security/Makefile | 2 +
> security/landlock/Kconfig | 21 +
> security/landlock/Makefile | 4 +
> security/landlock/common.h | 20 +
> security/landlock/cred.c | 46 +
> security/landlock/cred.h | 58 +
> security/landlock/fs.c | 692 ++++++
> security/landlock/fs.h | 70 +
> security/landlock/limits.h | 21 +
> security/landlock/object.c | 67 +
> security/landlock/object.h | 91 +
> security/landlock/ptrace.c | 120 +
> security/landlock/ptrace.h | 14 +
> security/landlock/ruleset.c | 473 ++++
> security/landlock/ruleset.h | 165 ++
> security/landlock/setup.c | 40 +
> security/landlock/setup.h | 18 +
> security/landlock/syscalls.c | 451 ++++
> security/security.c | 51 +-
> security/selinux/hooks.c | 58 +-
> security/selinux/include/objsec.h | 6 +
> security/selinux/ss/services.c | 3 +-
> security/smack/smack.h | 6 +
> security/smack/smack_lsm.c | 35 +-
> tools/testing/selftests/Makefile | 1 +
> tools/testing/selftests/landlock/.gitignore | 2 +
> tools/testing/selftests/landlock/Makefile | 24 +
> tools/testing/selftests/landlock/base_test.c | 266 +++
> tools/testing/selftests/landlock/common.h | 183 ++
> tools/testing/selftests/landlock/config | 7 +
> tools/testing/selftests/landlock/fs_test.c | 2791 ++++++++++++++++++++++++
> tools/testing/selftests/landlock/ptrace_test.c | 337 +++
> tools/testing/selftests/landlock/true.c | 5 +
> 72 files changed, 6986 insertions(+), 77 deletions(-)
> create mode 100644 Documentation/security/landlock.rst
> create mode 100644 Documentation/userspace-api/landlock.rst
> create mode 100644 include/uapi/linux/landlock.h
> create mode 100644 samples/landlock/.gitignore
> create mode 100644 samples/landlock/Makefile
> create mode 100644 samples/landlock/sandboxer.c
> create mode 100644 security/landlock/Kconfig
> create mode 100644 security/landlock/Makefile
> create mode 100644 security/landlock/common.h
> create mode 100644 security/landlock/cred.c
> create mode 100644 security/landlock/cred.h
> create mode 100644 security/landlock/fs.c
> create mode 100644 security/landlock/fs.h
> create mode 100644 security/landlock/limits.h
> create mode 100644 security/landlock/object.c
> create mode 100644 security/landlock/object.h
> create mode 100644 security/landlock/ptrace.c
> create mode 100644 security/landlock/ptrace.h
> create mode 100644 security/landlock/ruleset.c
> create mode 100644 security/landlock/ruleset.h
> create mode 100644 security/landlock/setup.c
> create mode 100644 security/landlock/setup.h
> create mode 100644 security/landlock/syscalls.c
> create mode 100644 tools/testing/selftests/landlock/.gitignore
> create mode 100644 tools/testing/selftests/landlock/Makefile
> create mode 100644 tools/testing/selftests/landlock/base_test.c
> create mode 100644 tools/testing/selftests/landlock/common.h
> create mode 100644 tools/testing/selftests/landlock/config
> create mode 100644 tools/testing/selftests/landlock/fs_test.c
> create mode 100644 tools/testing/selftests/landlock/ptrace_test.c
> create mode 100644 tools/testing/selftests/landlock/true.c
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-05-07 16:14 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-28 2:54 [GIT PULL][Security] Add new Landlock LSM James Morris
2021-05-02 2:02 ` pr-tracker-bot
2021-05-07 16:15 ` New mailing list for Landlock LSM user space discussions Mickaël Salaün
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.