Lines Matching +full:build +full:- +full:rules
1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
3 .. Copyright © 2019-2020 ANSSI
4 .. Copyright © 2021-2022 Microsoft Corporation
16 new security layers in addition to the existing system-wide access-controls.
23 ``dmesg | grep landlock || journalctl -kb -g landlock`` .
29 Landlock rules
33 perform. A set of rules is aggregated in a ruleset, which can then restrict
36 The two existing types of rules are:
38 Filesystem rules
39 For these rules, the object is a file hierarchy,
43 Network rules (since ABI v4)
44 For these rules, the object is a TCP port,
48 ----------------------------------------
50 We first need to define the ruleset that will contain our rules.
52 For this example, the ruleset will contain rules that only allow filesystem
59 to be explicit about the denied-by-default access rights.
61 .. code-block:: c
90 on, it is safer to follow a best-effort security approach. Indeed, we
97 .. code-block:: c
132 This enables the creation of an inclusive ruleset that will contain our rules.
134 .. code-block:: c
151 .. code-block:: c
176 It may also be required to create rules following the same logic as explained
181 For network access-control, we can add a set of rules that allow to use a port
184 .. code-block:: c
199 .. code-block:: c
209 .. code-block:: c
228 --------------
232 read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
233 ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
234 Following this good practice leads to self-sufficient hierarchies that do not
242 Having self-sufficient hierarchies also helps to tighten the required access
246 In this case, granting read-write access to ``~/tmp/``, instead of write-only
247 access, would potentially allow moving ``~/tmp/`` to a non-readable directory
251 ---------------------------------
258 One policy layer grants access to a file path if at least one of its rules
265 -------------------------
273 hierarchy is then composed of the exact same files, on which Landlock rules can
274 be tied, either via the source or the destination path. These rules restrict
291 -----------
295 Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
297 Landlock rules to itself, but they will not be automatically applied to other
308 -------------------
310 A sandboxed process has less privileges than a non-sandboxed process and must
314 access rights, which means the tracee must be in a sub-domain of the tracer.
317 -----------
336 A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
344 If an operation is scoped within a domain, no rules can be added to allow access
348 ----------------
352 overlap in non-intuitive ways. It is recommended to always specify both of
368 ---------------------------------------
390 ----------------------------------
403 encouraged to follow a best-effort security approach by checking the Landlock
409 ---------------------
414 .. code-block:: c
442 -------------
444 .. kernel-doc:: include/uapi/linux/landlock.h
448 ----------------------
450 .. kernel-doc:: security/landlock/syscalls.c
453 .. kernel-doc:: include/uapi/linux/landlock.h
457 -------------------
459 .. kernel-doc:: security/landlock/syscalls.c
462 .. kernel-doc:: include/uapi/linux/landlock.h
467 -------------------
469 .. kernel-doc:: security/landlock/syscalls.c
476 --------------------------------
483 -------------------
487 come from a user-visible filesystem (e.g. pipe, socket), but can still be
497 --------------
502 E2BIG. It is then strongly suggested to carefully build rulesets once in the
508 ------------
511 by the Documentation/admin-guide/cgroup-v1/memory.rst.
514 -------------
518 means specifically that pre-existing file descriptors like stdin, stdout and
530 Landlock's IOCTL support is coarse-grained at the moment, but may become more
531 fine-grained in the future. Until then, users are advised to establish the
539 -----------------------------------
542 handle composition of rules. Such property also implies rules nesting.
556 -------------------------
565 ------------------------------
573 ----------------------
584 ------------------------------
591 ----------------
598 -----------------
604 sys_landlock_restrict_self(). See Documentation/admin-guide/LSM/landlock.rst
612 Build time configuration
613 ------------------------
615 Landlock was first introduced in Linux 5.13 but it must be configured at build
624 -----------------------
628 Documentation/admin-guide/kernel-parameters.rst in the boot loader
631 For example, if the current built-in configuration is:
633 .. code-block:: console
635 $ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
640 .. code-block:: console
642 $ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
653 .. code-block:: console
655 # dmesg | grep landlock || journalctl -kb -g landlock
661 The kernel may be configured at build time to always load the ``lockdown`` and
667 ---------------
679 ---------------------------------------
684 <https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interpos…
687 -------------------------------------
690 access-control and then miss useful features for such use case (e.g. no
691 fine-grained restrictions). Moreover, their complexity can lead to security
696 --------------------------------------
699 Documentation/admin-guide/LSM/landlock.rst
704 * Documentation/admin-guide/LSM/landlock.rst