From: "Mickaël Salaün" <mic@digikod.net>
To: Eric Leblond <el@stamus-networks.com>
Cc: landlock@lists.linux.dev
Subject: Re: Adding landlock support to Suricata
Date: Thu, 4 Aug 2022 18:37:21 +0200 [thread overview]
Message-ID: <40247c34-3f38-6b6c-ba72-7522596b7801@digikod.net> (raw)
In-Reply-To: <CAGW2j+54_09ij9x2CUtYaWKz=k6ckHLY5un72=VVmeXuJxJoMQ@mail.gmail.com>
On 03/08/2022 15:29, Eric Leblond wrote:
> Hello,
Hi!
>
> I worked on implementing support for landlock in Suricata. Suricata is
> an open source network threat
> detection engine that reads packets from the network or files and
> outputs analysis in other files.
> As such it is a good candidate for Landlock sandboxing.
Indeed!
>
> The MR on Suricata is here and feedbacks and reviews are welcome:
> https://github.com/OISF/suricata/pull/7688
>
> With regards to the usage of Landlock API, it was overall really fine
> and it did not took me long to obtain something working.
> I did although struggle with a few things (yes I'm a newbie here):
> - I looked at first if I had to add a library to the build system
> before realizing that up to date headers were enough
There is no C library. I don't plan to write one but if someone wants to
get on that boat I'd be please to help. We're focusing on a Go and Rust
library (WIP) for now.
> - The examples and documentation I found don't cover multiple calls to
> setup a policy and it got me confused a bit:
> - I had to test to verify that the logic is create ruleset/add
> multiple rules/enforce ruleset
Hmm, the doc example [1] only explains how to add one rule indeed. The
sandboxer example [2] should help though. I'll update the doc to deal
with an array of paths.
[1] https://docs.kernel.org/userspace-api/landlock.html
[2]
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c
> - I did struggle a bit on the ruleset scope flags (handled_access_fs)
> as it was not clear to me this was a choice of the sandbox software
> implementation
Was it about the fact that we need to populate handled_access_fs or that
we need to mask some bits?
Which modification could have helped you here?
https://docs.kernel.org/userspace-api/landlock.html#defining-and-enforcing-a-security-policy
>
> It is just small things that are easy to fix in documentation, for the
> rest it was really easy to implement (if you know the software you are
> adding support to).
>
> Thanks a lot for Landlock, this is a great feature that is easy to implement.
Thanks for the feedback, it's valuable to improve documentation and help
others.
>
> Best regards,
prev parent reply other threads:[~2022-08-04 16:44 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-03 13:29 Adding landlock support to Suricata Eric Leblond
2022-08-04 16:37 ` Mickaël Salaün [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40247c34-3f38-6b6c-ba72-7522596b7801@digikod.net \
--to=mic@digikod.net \
--cc=el@stamus-networks.com \
--cc=landlock@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).