# Sandboxing using Landlock

Landlock is a lightweight mechanism that allows unprivileged applications to
sandbox themselves.

During the initial stages of running, an application can define the set of resources
(mostly files) it needs to access during its lifetime. All such rules are
used to create a ruleset. Once the ruleset is applied, the process cannot access
any resources outside of the ruleset for the rest of its lifetime, even if it is
compromised.

Under the scope of `read` and `write` access, Landlock currently allows some
additional accesses (e.g. for now, access to extended file attributes is always
allowed). Eventually, Landlock will only allow accesses similar to Unix
permissions.

## Host Setup

Landlock must be enabled in the host kernel to use it with Cloud Hypervisor.
Please follow the [Kernel-Support](https://docs.kernel.org/userspace-api/landlock.html#kernel-support) link to enable Landlock in the host kernel.

Landlock support can be checked with the following command:
```
$ sudo dmesg | grep -w landlock
[    0.000000] landlock: Up and running.
```
The Linux kernel confirms Landlock support with the above message in dmesg.

## Enable Landlock

At the time of enabling Landlock, the Cloud Hypervisor process needs the complete
list of files it accesses over its lifetime. So, Landlock is enabled at the `vm_create`
stage of guest boot.

### Command Line
Append `--landlock` to Cloud Hypervisor's command line to enable Landlock
support.

If you expect the guest to access additional paths after it boots
(e.g. during hotplug), those paths can be passed using the `--landlock-rules` command
line parameter.

### API
Landlock can also be enabled during the `vm.create` request by passing a config like the one below:

```
{
...
    "landlock_enable": true,
    "landlock_rules": [
        {
            "path": "/tmp/disk1",
            "access": "rw"
        },
        {
            "path": "/tmp/disk2",
            "access": "rw"
        }
    ]
...
}
```

## Usage Examples

To enable Landlock:

```
./cloud-hypervisor \
    --kernel ./linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin \
    --disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
    --cmdline "console=hvc0 root=/dev/vda1 rw" \
    --cpus boot=4 \
    --memory size=1024M \
    --net "tap=,mac=,ip=,mask=" \
    --landlock
```
Hotplugging any new file-backed resources to the above guest will result in a
**Permission Denied** error.

To enable Landlock with hotplug support:

```
./cloud-hypervisor \
    --api-socket /tmpXXXX/ch.socket \
    --kernel ./linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin \
    --disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
    --cmdline "console=hvc0 root=/dev/vda1 rw" \
    --cpus boot=4 \
    --memory size=1024M \
    --net "tap=,mac=,ip=,mask=" \
    --landlock \
    --landlock-rules path="/path/to/hotplug1",access="rw" path="/path/to/hotplug2",access="rw"

./ch-remote --api-socket /tmpXXXX/ch.socket \
    add-disk "path=/path/to/hotplug/blk.raw"
```

`--landlock-rules` accepts file or directory paths among its options.

# References

* https://landlock.io/
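The following program is an added example and is not part of Cloud Hypervisor or of the Landlock project. It shows, at the raw syscall level, what a single `path=...,access="rw"` rule of the kind `--landlock-rules` accepts amounts to: the process declares the filesystem rights it wants Landlock to handle, grants those rights beneath one directory (`/tmp` here, chosen for the demo), and then restricts itself. After that point, opening anything outside the ruleset fails with `EACCES`, while files beneath `/tmp` remain usable. It assumes a Linux host with Landlock enabled (ABI v1 or later); the constants and struct layouts are copied from the kernel's `linux/landlock.h` so the file builds against older headers, and the scratch file name `/tmp/landlock-demo-XXXXXX` is constructed for the demo. The sandbox is applied in a forked child so the calling process stays unrestricted.

```c
/* Landlock self-sandboxing demo (added example; not Cloud Hypervisor code). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Landlock UAPI values, copied from <linux/landlock.h>. The three syscall
 * numbers are the same on every architecture (added together in Linux 5.13). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_FS_V1_ALL              0x1fffULL      /* ABI v1 filesystem rights, bits 0..12 */
#define LL_FS_TRUNCATE            (1ULL << 14)   /* added in ABI v3 */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Kernel's Landlock ABI version, or 0 when Landlock cannot be used here
 * (kernel too old, built without it, or the syscalls are filtered by seccomp). */
int landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? 0 : (int)v;
}

/* Restrict the calling process so that handled filesystem rights are only
 * granted beneath `dir`. Every handled right that no rule allows is denied
 * everywhere else, which is the property the doc relies on: paths that are
 * not in the ruleset are simply not reachable. Returns 0 or -errno.
 * Note: for a rule on a regular file only file rights (read/write/execute/
 * truncate) may be allowed; directory rights on a file are rejected with EINVAL. */
int landlock_allow_rw_beneath(const char *dir) {
    int abi = landlock_abi_version();
    if (abi == 0) return -EOPNOTSUPP;
    /* Only hand the kernel bits it knows, otherwise create_ruleset fails with EINVAL. */
    uint64_t fs = LL_FS_V1_ALL | (abi >= 3 ? LL_FS_TRUNCATE : 0);
    struct ll_ruleset_attr rs = { .handled_access_fs = fs };
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset_fd < 0) return -errno;

    int dir_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dir_fd < 0) { int e = errno; close(ruleset_fd); return -e; }
    struct ll_path_beneath_attr pb = { .allowed_access = fs, .parent_fd = dir_fd };
    int rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0);
    close(dir_fd);
    /* restrict_self requires no_new_privs (or CAP_SYS_ADMIN in the namespace). */
    if (rc == 0) rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (rc == 0) rc = (int)syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
    int e = rc ? errno : 0;
    close(ruleset_fd);
    return rc ? -e : 0;
}

/* Runs inside the forked child. Exit codes: 0 expected behaviour, 1 skipped, 2 unexpected. */
static int sandboxed_child(void) {
    int rc = landlock_allow_rw_beneath("/tmp");
    if (rc == -EPERM || rc == -EOPNOTSUPP) return 1;
    if (rc) return 2;
    /* Outside the ruleset: listing "/" needs READ_DIR, handled but never allowed -> EACCES. */
    int fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd >= 0 || errno != EACCES) return 2;
    /* Inside the ruleset: create, write and remove a scratch file (constructed name). */
    char path[] = "/tmp/landlock-demo-XXXXXX";
    fd = mkstemp(path);
    if (fd < 0) return 2;
    int ok = write(fd, "ok\n", 3) == 3;
    close(fd);
    unlink(path);
    return ok ? 0 : 2;
}

/* 0: sandbox behaved as expected; 1: Landlock unavailable here (demo skipped); -1: unexpected. */
int run_demo(void) {
    if (landlock_abi_version() == 0 || access("/tmp", W_OK) != 0) return 1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(sandboxed_child());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 0 ? 0 : code == 1 ? 1 : -1;
}

int main(void) {
    printf("Landlock ABI version: %d\n", landlock_abi_version());
    int r = run_demo();
    printf("demo: %s\n", r == 0 ? "path outside ruleset denied (EACCES), /tmp still writable"
                       : r == 1 ? "skipped, Landlock unavailable" : "unexpected result");
    return r < 0;
}
```

The `landlock_abi_version()` probe is the programmatic counterpart of the `dmesg` check above: a return of 0 means a ruleset can never be applied on this host, which is the condition to test for before relying on `--landlock`. The hotplug failure described in the doc is the same `EACCES` the child observes on `/`: once restricted, no later `open()` can reach a path that was not declared up front.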