Documentation/userspace-api/landlock.rst

1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
3 .. Copyright © 2019-2020 ANSSI
4 .. Copyright © 2021-2022 Microsoft Corporation
14 filesystem or network access) for a set of processes.  Because Landlock
16 new security layers in addition to the existing system-wide access-controls.
23 ``dmesg | grep landlock || journalctl -kb -g landlock`` .
33 perform.  A set of rules is aggregated in a ruleset, which can then restrict
48 ----------------------------------------
52 For this example, the ruleset will contain rules that only allow filesystem
59 to be explicit about the denied-by-default access rights.
61 .. code-block:: c
90 on, it is safer to follow a best-effort security approach.  Indeed, we
97 .. code-block:: c
134 .. code-block:: c
145 descriptor referring to this ruleset.  The rule will only allow reading the
151 .. code-block:: c
181 For network access-control, we can add a set of rules that allow to use a port
184 .. code-block:: c
199 .. code-block:: c
209 .. code-block:: c
228 --------------
230 It is recommended to set access rights to file hierarchy leaves as much as
232 read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
233 ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
234 Following this good practice leads to self-sufficient hierarchies that do not
236 relevant when we want to allow linking or renaming.  Indeed, having consistent
242 Having self-sufficient hierarchies also helps to tighten the required access
243 rights to the minimal set of data.  This also helps avoid sinkhole directories,
246 In this case, granting read-write access to ``~/tmp/``, instead of write-only
247 access, would potentially allow moving ``~/tmp/`` to a non-readable directory
251 ---------------------------------
253 Each time a thread enforces a ruleset on itself, it updates its Landlock domain
265 -------------------------
276 access to multiple file hierarchies at the same time, whether these hierarchies
284 and merge hierarchies are standalone and each contains their own set of files
287 Landlock users should then only think about file hierarchies they want to allow
291 -----------
295 Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
308 -------------------
310 A sandboxed process has less privileges than a non-sandboxed process and must
314 access rights, which means the tracee must be in a sub-domain of the tracer.
317 -----------
320 interactions between sandboxes.  Therefore, at ruleset creation time, each
332     This limits the set of abstract :manpage:`unix(7)` sockets to which we can
336     A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
344 If an operation is scoped within a domain, no rules can be added to allow access
348 ----------------
352 overlap in non-intuitive ways.  It is recommended to always specify both of
368 ---------------------------------------
390 ----------------------------------
403 encouraged to follow a best-effort security approach by checking the Landlock
409 ---------------------
414 .. code-block:: c
442 -------------
444 .. kernel-doc:: include/uapi/linux/landlock.h
448 ----------------------
450 .. kernel-doc:: security/landlock/syscalls.c
453 .. kernel-doc:: include/uapi/linux/landlock.h
457 -------------------
459 .. kernel-doc:: security/landlock/syscalls.c
462 .. kernel-doc:: include/uapi/linux/landlock.h
467 -------------------
469 .. kernel-doc:: security/landlock/syscalls.c
476 --------------------------------
483 -------------------
487 come from a user-visible filesystem (e.g. pipe, socket), but can still be
497 --------------
508 ------------
511 by the Documentation/admin-guide/cgroup-v1/memory.rst.
514 -------------
518 means specifically that pre-existing file descriptors like stdin, stdout and
530 Landlock's IOCTL support is coarse-grained at the moment, but may become more
531 fine-grained in the future.  Until then, users are advised to establish the
539 -----------------------------------
556 -------------------------
565 ------------------------------
568 bind and connect actions to only a set of allowed ports thanks to the new
573 ----------------------
584 ------------------------------
591 ----------------
598 -----------------
604 sys_landlock_restrict_self().  See Documentation/admin-guide/LSM/landlock.rst
612 Build time configuration
613 ------------------------
616 time with ``CONFIG_SECURITY_LANDLOCK=y``.  Landlock must also be enabled at boot
617 time like other security modules.  The list of security modules enabled by
618 default is set with ``CONFIG_LSM``.  The kernel configuration should then
623 Boot time configuration
624 -----------------------
628 Documentation/admin-guide/kernel-parameters.rst in the boot loader
631 For example, if the current built-in configuration is:
633 .. code-block:: console
635     $ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
640 .. code-block:: console
642     $ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
645 ...we should configure the boot loader to set a cmdline extending the ``lsm``
653 .. code-block:: console
655     # dmesg | grep landlock || journalctl -kb -g landlock
661 The kernel may be configured at build time to always load the ``lockdown`` and
667 ---------------
669 To be able to explicitly allow TCP operations (e.g., adding a network rule with
679 ---------------------------------------
684 <https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interpos…
687 -------------------------------------
690 access-control and then miss useful features for such use case (e.g. no
691 fine-grained restrictions).  Moreover, their complexity can lead to security
696 --------------------------------------
699 Documentation/admin-guide/LSM/landlock.rst
704 * Documentation/admin-guide/LSM/landlock.rst