From: "Mickaël Salaün" <mic@digikod.net>
To: "Günther Noack" <gnoack@google.com>
Cc: "Thomas Weißschuh" <thomas@t-8ch.de>, landlock@lists.linux.dev
Subject: Re: Landlock support in setpriv(1)
Date: Wed, 13 Dec 2023 19:07:59 +0100 [thread overview]
Message-ID: <20231213.xu7Zeiquoh0i@digikod.net> (raw)
In-Reply-To: <ZXmMHfxlnK4AVvOA@google.com>
Nice work Thomas!
I agree with Günther and I just added some similar comments to the PR
before reading this email. My main concern is about compatibility, which
is not an easy topic. I tried to explain the related issues (for the
Rust library) here:
https://archive.fosdem.org/2023/schedule/event/rust_backward_and_forward_compatibility_for_security_features/
Regards,
Mickaël
On Wed, Dec 13, 2023 at 11:49:01AM +0100, Günther Noack wrote:
> Thank you Thomas! I am excited to see this :)
>
> On Sat, Dec 09, 2023 at 10:18:50AM +0100, Thomas Weißschuh wrote:
> > Hi everybody,
> >
> > For your information:
> >
> > There is a proposal to add landlock support to setpriv(1) from
> > util-linux.
> > While landlock is meant for self-sandboxing it can also be used to
> > sandbox third party executables which makes it a nice fit for setpriv.
> >
> > If you have any remarks let me know.
> >
> > Link to the PR:
> > https://github.com/util-linux/util-linux/pull/2628
>
> For inspiration, here are some other existing tools which have a similar interface:
>
> * landlock-restrict (example tool for go-landlock):
> https://github.com/landlock-lsm/go-landlock/blob/main/cmd/landlock-restrict/main.go
> (This one was written by me)
>
> * sandboxer.c (sample tool from the kernel tree):
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/samples/landlock/sandboxer.c
>
> * sandboxer.rs (example tool for rust-landlock):
> https://github.com/landlock-lsm/rust-landlock/blob/main/examples/sandboxer.rs
>
> In my personal opinion, when I was sandboxing a few programs "from the outside"
> with the Go tool, I often found that I would start out with a more coarse
> ruleset that uses the predefined "convenience" groups of access rights, which
> are called "ROFiles", "RWFiles", "RODirs" and "RWDirs" in that tool, and which
> subsume all rights except for the "Refer" right, which is a bit more special.
>
> I think there is some value in having a mechanism that let you use such
> abbreviations for larger sets of rights, to make these tools more approachable
> and less verbose for simple (coarse-grained) use cases.
>
> Another main concern to take into account is the question of backwards
> compatibility across different kernels: When a user attempts to sandbox a
> program on a kernel that does not support that specific set of access rights
> yet, what is the fallback strategy? For the Go and Rust libraries, we have
> found that it might often be advisable to fall back to a "best effort" mode
> where we restrict as much as we can of what the user asked for, instead of
> failing altogether. But it depends on the use case. I imagine that an
> installation of util-linux will need to work with older kernels as well and does
> not have a strict dependency that ensures that it'll only run on new kernels.
>
> Backwards compatibility is also discussed in the landlock(7) man page,
> specifically under VERSIONS and EXAMPLE. I have also talked about it on my
> personal weblog at https://blog.gnoack.org/post/landlock-best-effort/ in the
> past. Specifically double check that you are getting it right for the "refer"
> right, because that one has unusual semantics compared to the other rights.
>
> Thanks,
> —Günther
>
>
prev parent reply other threads:[~2023-12-13 21:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-09 9:18 Landlock support in setpriv(1) Thomas Weißschuh
2023-12-13 10:49 ` Günther Noack
2023-12-13 18:07 ` Mickaël Salaün [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231213.xu7Zeiquoh0i@digikod.net \
--to=mic@digikod.net \
--cc=gnoack@google.com \
--cc=landlock@lists.linux.dev \
--cc=thomas@t-8ch.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).