On 16/11/2020 22:26, Pavel Machek wrote:
Hi!
A Landlock object enables to identify a kernel object (e.g. an inode). A Landlock rule is a set of access rights allowed on an object. Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain).
Because Landlock's goal is to empower any process (especially unprivileged ones) to sandbox themselves, we cannot rely on a system-wide object identification such as file extended attributes.
+config SECURITY_LANDLOCK
- bool "Landlock support"
- depends on SECURITY
- select SECURITY_PATH
- help
Landlock is a safe sandboxing mechanism which enables processes torestrict themselves (and their future children) by graduallyenforcing tailored access control policies. A security policy is aset of access rights (e.g. open a file in read-only, make adirectory, etc.) tied to a file hierarchy. Such policy can be configuredand enforced by any processes for themselves thanks to dedicated systemcalls: landlock_create_ruleset(), landlock_add_rule(), andlandlock_enforce_ruleset_current().How does it interact with setuid binaries? Being able to exec passwd in a sandbox sounds like ... fun way to get root? :-).
It works like seccomp: if you run with CAP_SYS_ADMIN in the current namespace, then SUID binaries may be allowed, otherwise if you use PR_SET_NO_NEW_PRIVS, then executing a SUID binary is denied.
The 24th version is here: https://lore.kernel.org/lkml/20201112205141.775752-1-mic@digikod.net/
Best regards, Pavel