Minijail and Landlock LSM
86 views
Skip to first unread message
Mickaël Salaün
Feb 26, 2017, 8:51:46 AM2/26/17
to mini...@chromium.org, Kees Cook
Hi,
You may be interested by Landlock [1]. It's an LSM proposal I'm working
on to bring programmatic access control to Linux. The final goal is to
allow unprivileged sandboxing.
I know you'd like some way to do deep inspection of syscall arguments
with seccomp-bpf (e.g. for file path), which was the approach taken with
the first version of Landlock (named seccomp-object at the time). The
current version is much more advanced and should be a nice base to
enhance sandboxing tools such as Minijail. The current version of
Landlock is an MVP and hence lacks of features, but I plan to bring them
back (especially an eBPF map type and function to check if a file is
part of a file hierarchy) once/if a framework base is accepted.
I'd like to get some feedback from your team, whether it's about your
use cases, the UAPI, the kernel code or the documentation. Feel free to
drop an email to the LKML. :)
Regards,
Mickaël
[1] https://lwn.net/Articles/715203/
You may be interested by Landlock [1]. It's an LSM proposal I'm working
on to bring programmatic access control to Linux. The final goal is to
allow unprivileged sandboxing.
I know you'd like some way to do deep inspection of syscall arguments
with seccomp-bpf (e.g. for file path), which was the approach taken with
the first version of Landlock (named seccomp-object at the time). The
current version is much more advanced and should be a nice base to
enhance sandboxing tools such as Minijail. The current version of
Landlock is an MVP and hence lacks of features, but I plan to bring them
back (especially an eBPF map type and function to check if a file is
part of a file hierarchy) once/if a framework base is accepted.
I'd like to get some feedback from your team, whether it's about your
use cases, the UAPI, the kernel code or the documentation. Feel free to
drop an email to the LKML. :)
Regards,
Mickaël
[1] https://lwn.net/Articles/715203/
Jorge Lucangeli Obes
Feb 28, 2017, 4:56:39 PM2/28/17
to Mickaël Salaün, mini...@chromium.org, Kees Cook
That sounds interesting! Do you have code somewhere that we could play around with?
In my opinion, being able to have Minijail policies that can express restrictions on files names would be extremely useful.
Cheers,
Jorge
--
You received this message because you are subscribed to the Google Groups "minijail" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/minijail/6f12bace-5796-c8ac-55a3-15e05a45f4ed%40digikod.net.
Mickaël Salaün
Mar 1, 2017, 6:04:03 PM3/1/17
to Jorge Lucangeli Obes, mini...@chromium.org, Kees Cook
On 28/02/2017 22:56, Jorge Lucangeli Obes wrote:
> That sounds interesting! Do you have code somewhere that we could play
> around with?
pieces of code in tools/testing/selftests/landlock/ .
You can checkout the current version from here:
https://github.com/landlock-lsm/linux/commits/landlock-v5
However, if you want to get a taste of the feature to check if a file is
beneath another, you'll need to take a look at the landlock-v4 branch.
The BPF helper was in an early stage and didn't properly handled mount
points, though, which I plan to do next.
> In my opinion, being able to have Minijail policies that can express
> restrictions on files names would be extremely useful.
but to check their dentry hierarchy instead (closer to SELinux than
AppArmor approach). To express such a file hierarchy, the process open
the root file/directory and pass its file descriptor to the kernel.
Something like this (from the previous version):
https://github.com/landlock-lsm/linux/blob/landlock-v4/samples/landlock/sandbox.c#L98-L118
But we'll hopefully see that in a next patch series.
Mickaël
>
> Cheers,
> Jorge
>
> On Sun, Feb 26, 2017 at 8:51 AM, Mickaël Salaün <m...@digikod.net
> <mailto:m...@digikod.net>> wrote:
>
> Hi,
>
> You may be interested by Landlock [1]. It's an LSM proposal I'm working
> on to bring programmatic access control to Linux. The final goal is to
> allow unprivileged sandboxing.
>
> I know you'd like some way to do deep inspection of syscall arguments
> with seccomp-bpf (e.g. for file path), which was the approach taken with
> the first version of Landlock (named seccomp-object at the time). The
> current version is much more advanced and should be a nice base to
> enhance sandboxing tools such as Minijail. The current version of
> Landlock is an MVP and hence lacks of features, but I plan to bring them
> back (especially an eBPF map type and function to check if a file is
> part of a file hierarchy) once/if a framework base is accepted.
>
> I'd like to get some feedback from your team, whether it's about your
> use cases, the UAPI, the kernel code or the documentation. Feel free to
> drop an email to the LKML. :)
>
> Regards,
> Mickaël
>
>
>
> --
> You received this message because you are subscribed to the Google
> Groups "minijail" group.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/minijail/6f12bace-5796-c8ac-55a3-15e05a45f4ed%40digikod.net
> <https://groups.google.com/a/chromium.org/d/msgid/minijail/6f12bace-5796-c8ac-55a3-15e05a45f4ed%40digikod.net>.
> --
> You received this message because you are subscribed to the Google
> Groups "minijail" group.
> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/minijail/6f12bace-5796-c8ac-55a3-15e05a45f4ed%40digikod.net
>
>
Reply all
Reply to author
Forward
0 new messages