Lines Matching +full:kernel +full:- +full:policy

1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
3 .. Copyright © 2019-2020 ANSSI
4 .. Copyright © 2021-2022 Microsoft Corporation
16 security layers in addition to the existing system-wide access-controls. This
22 looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep
23 landlock || journalctl -kg landlock`` . Developers can also easily check for
25 Landlock is not currently supported, we need to :ref:`configure the kernel
46 Defining and enforcing a security policy
47 ----------------------------------------
56 required for backward and forward compatibility (i.e. the kernel and user
58 to be explicit about the denied-by-default access rights.
60 .. code-block:: c
84 Because we may not know on which kernel version an application will be
85 executed, it is safer to follow a best-effort security approach. Indeed, we
86 should try to protect users as much as possible whatever the kernel they are
92 .. code-block:: c
99 perror("The running kernel does not allow using Landlock");
120 .. code-block:: c
137 .. code-block:: c
167 For network access-control, we can add a set of rules that allow using a port
170 .. code-block:: c
185 .. code-block:: c
195 .. code-block:: c
205 now restricted and this policy will be enforced on all its subsequently created
207 security policy; only adding more restrictions is allowed. These threads are
214 --------------
218 read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
219 ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
220 Following this good practice leads to self-sufficient hierarchies that do not
227 Having self-sufficient hierarchies also helps to tighten the required access
231 In this case, granting read-write access to ``~/tmp/``, instead of write-only
232 access, would potentially allow moving ``~/tmp/`` to a non-readable directory
236 ---------------------------------
239 with a new layer of policy. Indeed, this complementary policy is stacked with
244 One policy layer grants access to a file path if at least one of its rules
246 a file path if all its enforced policy layers grant the access as well as all
251 -------------------------
269 policy point of view, each OverlayFS layers and merge hierarchies are
271 different from bind mounts. A policy restricting an OverlayFS layer will not
277 -----------
281 Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
288 policy will stay enforced on all this thread's descendants. This allows
294 -------------------
296 A sandboxed process has fewer privileges than a non-sandboxed process and must
300 which means the tracee must be in a sub-domain of the tracer.
303 ----------------
307 overlap in non-intuitive ways. It is recommended to always specify both of
337 ----------------------------------
340 kernel. This is achieved thanks to the system call attributes and the
342 handled access right explicit enables the kernel and user space to have a clear
347 <https://subspace.kernel.org/lists.linux.dev.html>`_ to knowingly update and
349 users, and because they may use different kernel versions, it is strongly
350 encouraged to follow a best-effort security approach by checking the Landlock
356 ---------------------
361 .. code-block:: c
369 printf("Landlock is not supported by the current kernel.\n");
381 The following kernel interfaces are implicitly supported by the first ABI
385 Kernel interface
389 -------------
391 .. kernel-doc:: include/uapi/linux/landlock.h
395 ----------------------
397 .. kernel-doc:: security/landlock/syscalls.c
400 .. kernel-doc:: include/uapi/linux/landlock.h
404 -------------------
406 .. kernel-doc:: security/landlock/syscalls.c
409 .. kernel-doc:: include/uapi/linux/landlock.h
414 -------------------
416 .. kernel-doc:: security/landlock/syscalls.c
423 --------------------------------
430 -------------------
434 come from a user-visible filesystem (e.g. pipe, socket), but can still be
436 restricted. Likewise, some special kernel filesystems such as nsfs, which can
444 --------------
455 ------------
457 Kernel memory allocated to create rulesets is accounted and can be restricted
458 by the Documentation/admin-guide/cgroup-v1/memory.rst.
464 -----------------------------------
481 -------------------------
484 always allowed when using a kernel that only supports the first or second ABI.
490 -------------------------
499 Kernel support
505 default is set with ``CONFIG_LSM``. The kernel configuration should then
510 If the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
512 Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader
516 ``LANDLOCK_ACCESS_NET_BIND_TCP``), the kernel must support TCP
525 ---------------------------------------
527 Using user space processes to enforce restrictions on kernel resources can lead
530 <https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interpos…
533 -------------------------------------
536 access-control and then miss useful features for such use cases (e.g. no
537 fine-grained restrictions). Moreover, their complexity can lead to security
549 … https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c