# Sandboxing using Landlock

Landlock is a lightweight Linux kernel mechanism that lets unprivileged
applications sandbox themselves.

Early in its execution, an application declares the set of resources (mostly
files) it needs to access for the rest of its lifetime. These rules are
collected into a ruleset. Once the ruleset is enforced, the process cannot
access anything outside of it for the remainder of its lifetime, even if it is
later compromised: a Landlock restriction can only be tightened, never lifted,
and it is inherited by every child process.

Within the scope of `read` and `write` access, Landlock currently permits some
additional operations (for example, access to extended file attributes is not
yet restricted). Eventually, Landlock is expected to allow only accesses
comparable to Unix permissions.

## Host Setup

Landlock must be enabled in the host kernel to use it with Cloud Hypervisor.
Follow the [Kernel-Support](https://docs.kernel.org/userspace-api/landlock.html#kernel-support) link to enable Landlock in the host kernel.

Landlock support can be checked with the following command:
```
$ sudo dmesg | grep -w landlock
[    0.000000] landlock: Up and running.
```
The kernel confirms Landlock support with this message in dmesg. If the boot
messages have already been rotated out of the kernel ring buffer, check instead
that `landlock` appears in the list of active LSMs in
`/sys/kernel/security/lsm`.
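As an added example (not code from Cloud Hypervisor or from the Landlock project), the following C program does for itself what the text above describes: it queries the Landlock ABI version (the programmatic counterpart of the dmesg check), creates a ruleset, adds one rule per `PATH:ACCESS` argument (a file or a directory), enforces the ruleset, and then shows that a path outside it is refused. The `r`/`w` letters, the `LL_`-prefixed constants and the mapping of those letters to Landlock access bits are this example's own and are not the semantics of Cloud Hypervisor's `--landlock-rules`. It assumes a Linux 5.13 or newer host on x86_64 or aarch64, where the three Landlock syscalls are numbers 444 to 446.

```c
// Added example, not Cloud Hypervisor or Landlock project code: a process that
// sandboxes itself as the text describes (ruleset -> rules -> enforce). Struct
// layouts and bits follow the stable Landlock ABI so <linux/landlock.h> is not
// required; 444-446 are the asm-generic syscall numbers (x86_64, aarch64).
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_WRITE_FILE (UINT64_C(1) << 1)
#define LL_FS_READ_FILE  (UINT64_C(1) << 2)
#define LL_FS_READ_DIR   (UINT64_C(1) << 3)
#define LL_FS_REFER      (UINT64_C(1) << 13)       /* ABI >= 2 */
#define LL_FS_TRUNCATE   (UINT64_C(1) << 14)       /* ABI >= 3 */
#define LL_FS_ALL_ABI1   ((UINT64_C(1) << 13) - 1) /* EXECUTE .. MAKE_SYM */

struct ll_ruleset_attr { uint64_t handled_access_fs; }; /* ABI 1 layout, size 8 */
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* "r", "w" or "rw" -> access bits, 0 for anything else. This letter mapping is
 * the example's own, not the semantics of cloud-hypervisor's --landlock-rules. */
uint64_t ll_access_from_str(const char *s)
{
    uint64_t mask = 0;
    if (s == NULL || *s == '\0') return 0;
    for (; *s; s++) {
        if (*s == 'r')      mask |= LL_FS_READ_FILE | LL_FS_READ_DIR;
        else if (*s == 'w') mask |= LL_FS_WRITE_FILE | LL_FS_TRUNCATE;
        else                return 0;
    }
    return mask;
}

/* Landlock ABI version, or -1: errno ENOSYS means the kernel has no Landlock,
 * EOPNOTSUPP means it is built in but was not enabled at boot (lsm= list). */
int ll_abi_version(void)
{
    return (int)syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
}

/* Handle only the bits this kernel knows; an unknown handled bit gives EINVAL. */
uint64_t ll_handled_for_abi(int abi)
{
    uint64_t handled = LL_FS_ALL_ABI1;
    if (abi >= 2) handled |= LL_FS_REFER;
    if (abi >= 3) handled |= LL_FS_TRUNCATE;
    return handled;
}

/* A fresh ruleset denies every handled access until rules are added. */
int ll_create_ruleset(uint64_t handled)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = handled };
    return (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
}

/* Allow `access` on `path`; for a directory the rule covers everything beneath it. */
int ll_add_path_rule(int ruleset_fd, const char *path, uint64_t access, uint64_t handled)
{
    struct ll_path_beneath_attr rule = { .allowed_access = access & handled };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0) return -1;
    int ret = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
    int saved = errno;
    close(rule.parent_fd);
    errno = saved;
    return ret;
}

/* Irreversible: restricts this process and is inherited by all its children. */
int ll_enforce(int ruleset_fd)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s PATH:ACCESS ...  (ACCESS: r, w or rw)\n", argv[0]); return 2; }
    int abi = ll_abi_version();
    if (abi < 0) { perror("landlock unavailable"); return 1; }
    uint64_t handled = ll_handled_for_abi(abi);
    int ruleset_fd = ll_create_ruleset(handled);
    if (ruleset_fd < 0) { perror("landlock_create_ruleset"); return 1; }
    for (int i = 1; i < argc; i++) {
        char *sep = strrchr(argv[i], ':');
        uint64_t access = sep ? ll_access_from_str(sep + 1) : 0;
        if (access == 0) { fprintf(stderr, "bad rule: %s\n", argv[i]); return 2; }
        *sep = '\0';
        if (ll_add_path_rule(ruleset_fd, argv[i], access, handled) != 0) { perror(argv[i]); return 1; }
    }
    if (ll_enforce(ruleset_fd) != 0) { perror("landlock_restrict_self"); return 1; }
    close(ruleset_fd);
    /* From here on anything not covered by a rule is refused, e.g. listing "/". */
    int probe = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    printf("abi=%d, listing / -> %s\n", abi, probe < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Build with `cc -o landlock_demo landlock_demo.c` and run, for example, `./landlock_demo /tmp/disk1:rw /etc:r`. On a host where the dmesg check above succeeds the program prints a positive ABI version and `Permission denied` for the probe of `/`; `ENOSYS` from the version query means the kernel has no Landlock support at all, while `EOPNOTSUPP` means it is compiled in but missing from the boot-time LSM list, which is the situation the Kernel-Support link above fixes.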

## Enable Landlock

When Landlock is enabled, the Cloud Hypervisor process needs the complete list
of files it will access over its lifetime, so Landlock is enforced at the
`vm_create` stage of guest boot.

### Command Line
Append `--landlock` to Cloud Hypervisor's command line to enable Landlock
support.

If you expect the guest to access additional paths after it boots (for
example, during hotplug), pass those paths with the `--landlock-rules`
command-line parameter.

### API
Landlock can also be enabled in the `vm.create` request by passing a config
like the one below:

```
{
...
  "landlock_enable": true,
  "landlock_rules": [
    {
      "path": "/tmp/disk1",
      "access": "rw"
    },
    {
      "path": "/tmp/disk2",
      "access": "rw"
    }
  ]
...
}
```

## Usage Examples

To enable Landlock:

```
./cloud-hypervisor \
    --kernel ./linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin \
    --disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
    --cmdline "console=hvc0 root=/dev/vda1 rw" \
    --cpus boot=4 \
    --memory size=1024M \
    --net "tap=,mac=,ip=,mask=" \
    --landlock
```
Hotplugging any new file-backed resource into the guest above fails with a
**Permission Denied** error, because the new path was not part of the ruleset
when Landlock was enforced.

To enable Landlock with hotplug support:

```
./cloud-hypervisor \
    --api-socket /tmpXXXX/ch.socket \
    --kernel ./linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin \
    --disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
    --cmdline "console=hvc0 root=/dev/vda1 rw" \
    --cpus boot=4 \
    --memory size=1024M \
    --net "tap=,mac=,ip=,mask=" \
    --landlock \
    --landlock-rules path="/path/to/hotplug1",access="rw" path="/path/to/hotplug2",access="rw"

./ch-remote --api-socket /tmpXXXX/ch.socket \
    add-disk "path=/path/to/hotplug/blk.raw"
```

`--landlock-rules` accepts both file and directory paths. A Landlock rule
covers the named path and, for a directory, everything beneath it, so a rule
for a directory also covers disk images placed in that directory after the
guest has booted.

# References

* https://landlock.io/