# Sandboxing using Landlock

Landlock is a lightweight mechanism to allow unprivileged applications to
sandbox themselves.

During the initial stages of running, applications can define the set of resources
(mostly files) they need to access during their lifetime. All such rules are
used to create a ruleset. Once the ruleset is applied, the process cannot access
any resources outside of the ruleset during its lifetime, even if it were
compromised.

Under the scope of `read` and `write` access, Landlock currently allows some
additional accesses (e.g. for now, access to extended file attributes is always
allowed). Eventually, Landlock will only allow accesses similar to Unix
permissions.

## Host Setup

Landlock should be enabled in the host kernel to use it with Cloud Hypervisor.
Please follow the [Kernel-Support](https://docs.kernel.org/userspace-api/landlock.html#kernel-support) link to enable Landlock on the host kernel.

Landlock support can be checked with the following command:
```
$ sudo dmesg | grep -w landlock
[    0.000000] landlock: Up and running.
```
The Linux kernel confirms Landlock support with the above message in dmesg.

## Implementation Details

To enable Landlock, the Cloud Hypervisor process needs the full list of files it
needs to access over its lifetime. Landlock is enabled in the `vm_create` stage.

## Enable Landlock

Append `--landlock` to Cloud Hypervisor's command line to enable Landlock
support.

If you expect the guest to access additional paths after it boots
(e.g. during hotplug), those paths can be passed using the `--landlock-rules` command
line parameter.
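The ruleset-then-restrict flow described above, and the `path=...,access="rw"` shape of `--landlock-rules`, as an added example that is not Cloud Hypervisor's own code: a small C program builds one Landlock ruleset from a `(path, access)` table and then locks the calling process into it. The `r`/`w` to Landlock-right mapping and the `ll_rule` table are this example's assumptions, not the project's; it needs Linux 5.13 or later with Landlock enabled, and reports the ABI version (or -1) the same way the dmesg check above does.

```c
// Added example (not Cloud Hypervisor code): the ruleset/restrict flow described above, fed a
// (path, access) table shaped like --landlock-rules. Needs Linux >= 5.13 with Landlock enabled.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
struct ll_rule { const char *path; const char *access; }; /* access: "r", "w" or "rw" */
/* All ABI-v1 file-system rights: handling every one makes the sandbox deny-by-default. */
#define LL_HANDLED_V1 (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_FILE | \
    LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE | \
    LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | \
    LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM)

/* Highest Landlock ABI the kernel offers, or -1 if none: the dmesg check, asked from userspace. */
int landlock_abi_version(void) {
    return (int)syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
}

/* "r"/"w" -> Landlock rights; this particular mapping is the example's own choice. */
__u64 landlock_rights_for(const char *access) {
    __u64 r = 0;
    if (strchr(access, 'r')) r |= LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
    if (strchr(access, 'w')) r |= LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG;
    return r;
}

/* Build one ruleset from the table and enforce it for good: 0, or -errno; afterwards any path outside it gives EACCES. */
int landlock_apply(const struct ll_rule *rules, size_t n) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = LL_HANDLED_V1 };
    int rc, fd = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0) return -errno;
    for (size_t i = 0; i < n; i++) {
        struct landlock_path_beneath_attr pb = { .allowed_access = landlock_rights_for(rules[i].access) };
        pb.parent_fd = open(rules[i].path, O_PATH | O_CLOEXEC); /* a file or a directory */
        if (pb.parent_fd < 0) { rc = -errno; close(fd); return rc; }
        rc = (int)syscall(SYS_landlock_add_rule, fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
        close(pb.parent_fd);
        if (rc) { rc = -errno; close(fd); return rc; }
    }
    /* no_new_privs is mandatory before an unprivileged process may restrict itself */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { rc = -errno; close(fd); return rc; }
    rc = syscall(SYS_landlock_restrict_self, fd, 0) ? -errno : 0;
    close(fd);
    return rc;
}
```

Because `landlock_restrict_self` is irreversible for the calling process, a program that only wants to probe the sandbox should apply it in a forked child and read the result from the exit status.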

## Usage Examples

To enable Landlock:

```
./cloud-hypervisor \
    --kernel ./linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin \
    --disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
    --cmdline "console=hvc0 root=/dev/vda1 rw" \
    --cpus boot=4 \
    --memory size=1024M \
    --net "tap=,mac=,ip=,mask=" \
    --landlock
```
Hotplugging any new file-backed resource into the above guest will result in a
**Permission Denied** error.

To enable Landlock with hotplug support:

```
./cloud-hypervisor \
    --api-socket /tmpXXXX/ch.socket \
    --kernel ./linux-cloud-hypervisor/arch/x86/boot/compressed/vmlinux.bin \
    --disk path=focal-server-cloudimg-amd64.raw path=/tmp/ubuntu-cloudinit.img \
    --cmdline "console=hvc0 root=/dev/vda1 rw" \
    --cpus boot=4 \
    --memory size=1024M \
    --net "tap=,mac=,ip=,mask=" \
    --landlock \
    --landlock-rules path="/path/to/hotplug1",access="rw" path="/path/to/hotplug2",access="rw"

./ch-remote --api-socket /tmpXXXX/ch.socket \
    add-disk "path=/path/to/hotplug/blk.raw"
```

`--landlock-rules` accepts file or directory paths among its options.

# References

* https://landlock.io/