# Landlock news #3
Here is the third Landlock newsletter!
## Kernel

### Linux distributions

Landlock is now supported by default in new Linux distributions:

- chromeOS's VM (Termina)
- WSL2
- CBL-Mariner
### New features for Linux 6.2
Linux 6.2 is now starting to roll out to up-to-date distros.
This new release supports a new access right developed by Günther Noack: LANDLOCK_ACCESS_FS_TRUNCATE. This enables developers to fully control file data changes (combined with LANDLOCK_ACCESS_FS_WRITE_FILE). This might look like a simple access right, but due to the nature of file truncation in Linux, especially through file descriptors, this work led to a new way to enforce Landlock rules, which could be leveraged by future access rights.

When opening a file, the availability of the LANDLOCK_ACCESS_FS_TRUNCATE right is associated with the newly created file descriptor and will be used for subsequent truncation attempts using ftruncate(2). The behavior is similar to opening a file for reading or writing, where permissions are checked during open(2), but not during the subsequent read(2) and write(2) calls.
### Test improvements
Mark Brown kept pushing for the Landlock kselftest suite to be part of KernelCI, and after 6 months it was merged. This is great because this means that different kernel flavors on several architectures will be tested against a lot of development kernel trees. See the list of tests for v6.3-rc2.
Jeff Xu updated the tests to make them run on systems without overlayfs support, and with Yama enabled, which is the case for chromeOS.
### Documentation
At the same time he is improving the kernel documentation, Günther Noack is also updating the Landlock man pages, with the new features and improved examples.
Kees Cook added Landlock to the KSPP recommended settings.
## Landlock libraries

### Rust
At FOSDEM, I gave feedback on developing a security library that must deal with backward and forward compatibility (because security features are tied to specific kernel versions) while handling different use cases in a safe and secure way. We explained the patterns we used to make it possible to fine-tune the requested (optional) features while providing a safe default behavior. For simple use cases, the idea is a best-effort security approach for potentially unsupported kernel features: use the available features and ignore the others. In more complex use cases, however, we may want to make some features depend on others, or handle errors differently depending on which features are unsupported.

Version 0.2.0 was released, which is a first milestone. Work is still going on to improve the backward and forward compatibility interface, but that will be for the next major version.
### Go
Günther Noack gave a nice talk at the Zurich Gophers Meetup about Landlock and how to use it with the Go library.
The Go library now supports Linux 6.2 with the new truncate access right.
### Haskell
Nicolas Trangez is actively working on a Haskell library for Landlock. New versions are released regularly.
## New Landlock user space developments

- Birdcage, a cross-platform embeddable sandboxing library that restricts filesystem and network operations using native operating system APIs.
- Keysas, a USB malware cleaning station.
- A WebAssembly runtime with Landlock support.
- Nicolas Bouchinet is working on bringing Landlock support to PAM.
## Articles and conferences
Günther Noack wrote about the challenges of the best-effort approach: How to make your use of Landlock backwards compatible with older kernels? One of Landlock’s strengths is that you can deploy the same program on multiple kernel versions, and make it use the best available sandboxing on each. This “best effort” approach is already implemented for you in the Go-Landlock library and in the Rust Landlock library. But what if you need to implement it yourself?
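To make the two points above concrete, here is an added C example (not code from this newsletter, nor from the Go or Rust Landlock libraries) that does both: it sandboxes a forked child with a ruleset that grants read and write below a constructed temporary directory but deliberately withholds LANDLOCK_ACCESS_FS_TRUNCATE, then shows that open(2) for writing still succeeds while ftruncate(2) on that descriptor and open(2) with O_TRUNC are refused, as described in the Linux 6.2 section; and it applies the best-effort pattern by probing the Landlock ABI version and masking the handled access rights to what the running kernel knows, since the kernel rejects unknown bits with EINVAL. The Landlock UAPI constants are declared locally with the values from the kernel UAPI so the file builds with older headers; the ll_* names, the DEMO_* result codes and the helper functions are this example's own, and on a kernel older than 6.2 (or with Landlock disabled) the demo reports "unsupported" instead of failing.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Landlock UAPI values, declared locally (same values as the kernel UAPI) so
 * this builds even where <linux/landlock.h> predates Linux 6.2. */
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_add_rule       445
#define SYS_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1
#define LL_ACCESS_FS_WRITE_FILE   (1ULL << 1)
#define LL_ACCESS_FS_READ_FILE    (1ULL << 2)
#define LL_ACCESS_FS_REFER        (1ULL << 13)     /* ABI v2, Linux 5.19 */
#define LL_ACCESS_FS_TRUNCATE     (1ULL << 14)     /* ABI v3, Linux 6.2  */
#define LL_ACCESS_FS_ABI_V1       ((1ULL << 13) - 1) /* EXECUTE .. MAKE_SYM */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Result codes of truncate_demo(); UNSUPPORTED and ENFORCED are the expected ones. */
enum { DEMO_UNSUPPORTED = 0, DEMO_ENFORCED = 1, DEMO_MISMATCH = 2, DEMO_ERROR = 3 };

/* Best-effort pattern: the filesystem rights a given Landlock ABI can handle.
 * Masking a ruleset with this lets one binary run on older kernels, dropping
 * rights the kernel does not know (it would otherwise refuse them with EINVAL). */
uint64_t ll_fs_access_for_abi(int abi)
{
    if (abi < 1) return 0;                 /* no Landlock at all */
    uint64_t mask = LL_ACCESS_FS_ABI_V1;
    if (abi >= 2) mask |= LL_ACCESS_FS_REFER;
    if (abi >= 3) mask |= LL_ACCESS_FS_TRUNCATE;
    return mask;
}

#ifdef __linux__
/* Returns the ABI version, or -1 (ENOSYS, EOPNOTSUPP when the LSM is disabled, seccomp...). */
int ll_abi_version(void)
{
    long v = syscall(SYS_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Runs in a forked child so the sandbox does not outlive the demonstration:
 * allow read+write below dir, withhold TRUNCATE, then probe truncation. */
static int child_probe(const char *dir, const char *file, int abi)
{
    struct ll_ruleset_attr rs = {
        .handled_access_fs = (LL_ACCESS_FS_READ_FILE | LL_ACCESS_FS_WRITE_FILE |
                              LL_ACCESS_FS_TRUNCATE) & ll_fs_access_for_abi(abi),
    };
    int ruleset_fd = (int)syscall(SYS_landlock_create_ruleset, &rs, sizeof(rs), 0);
    if (ruleset_fd < 0) return DEMO_ERROR;
    struct ll_path_beneath_attr rule = {
        .allowed_access = LL_ACCESS_FS_READ_FILE | LL_ACCESS_FS_WRITE_FILE, /* no TRUNCATE */
        .parent_fd = open(dir, O_PATH | O_CLOEXEC),
    };
    if (rule.parent_fd < 0 ||
        syscall(SYS_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0) ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(SYS_landlock_restrict_self, ruleset_fd, 0))
        return DEMO_ERROR;
    close(rule.parent_fd);
    close(ruleset_fd);

    /* WRITE_FILE is granted, so opening for writing succeeds... */
    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return DEMO_MISMATCH;
    /* ...but the missing TRUNCATE right was recorded on the descriptor at
     * open() time, so ftruncate() on it is refused with EACCES. */
    int rc = ftruncate(fd, 0);
    int ftruncate_errno = errno;
    close(fd);
    /* O_TRUNC is a truncation too, and is checked (and refused) in open(). */
    int tfd = open(file, O_WRONLY | O_TRUNC | O_CLOEXEC);
    int otrunc_errno = errno;
    if (tfd >= 0) { close(tfd); return DEMO_MISMATCH; }
    return (rc == -1 && ftruncate_errno == EACCES && otrunc_errno == EACCES)
           ? DEMO_ENFORCED : DEMO_MISMATCH;
}

int truncate_demo(void)
{
    int abi = ll_abi_version();
    if (abi < 3) return DEMO_UNSUPPORTED;  /* TRUNCATE needs ABI v3 (Linux 6.2) */
    char dir[] = "/tmp/ll-trunc-XXXXXX";  /* constructed scratch directory */
    if (!mkdtemp(dir)) return DEMO_ERROR;
    char file[64];
    snprintf(file, sizeof file, "%s/data.txt", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0 || write(fd, "hello", 5) != 5) return DEMO_ERROR;
    close(fd);

    pid_t pid = fork();
    if (pid < 0) return DEMO_ERROR;
    if (pid == 0) _exit(child_probe(dir, file, abi));
    int status, result = DEMO_ERROR;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) result = WEXITSTATUS(status);
    /* The denied truncations must have changed nothing: still 5 bytes. */
    struct stat st;
    if (result == DEMO_ENFORCED && (stat(file, &st) || st.st_size != 5)) result = DEMO_MISMATCH;
    unlink(file);
    rmdir(dir);  /* the parent was never sandboxed, so cleanup still works */
    return result;
}
#else
int ll_abi_version(void) { return -1; }
int truncate_demo(void) { return DEMO_UNSUPPORTED; }
#endif

int main(void)
{
    static const char *names[] = { "unsupported (kernel < 6.2 or Landlock disabled)",
                                   "enforced as documented", "mismatch", "setup error" };
    printf("Landlock ABI %d: %s\n", ll_abi_version(), names[truncate_demo()]);
    return 0;
}
```

The fork is deliberate: landlock_restrict_self(2) is irreversible for the calling thread and its future children, so a demonstration that sandboxes in place would also confine whatever runs after it. Note that the parent only needs to check the ABI once; a real program would keep the masked handled_access_fs and decide per feature whether a missing right is acceptable (best effort) or fatal.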
I gave a talk at the Netdev conference about the steps to sandbox the lighttpd server. Nicolas Bouchinet helped improve the tutorial material which is now available.
## Outreachy internship
Outreachy provides internships in open source to people subject to systemic bias and impacted by underrepresentation in the technical industry where they are living. The Linux kernel proposed 4 projects, and one of them is related to Landlock. Here is the description of “Improve Landlock tests and thread management”:
> Work will start by refactoring some tests to move the TEST_F_FORK helper to the kselftests harness library. Indeed, this helper is a fork of the TEST_F one, and code duplication should be avoided for maintenance reasons.
>
> The second task is to improve Landlock ruleset merges with the thread's Landlock domain to avoid domains without any direct thread to them. To make sure that the current behavior is kept as is, new tests will be added (thanks to the kselftests or the KUnit framework).
>
> If the work progresses relatively quickly, a more complex task is to add a new feature similar to seccomp's TSYNC: being able to safely restrict the entire process instead of the current thread. This task would require a better understanding of thread management.
>
> An alternative task is to improve Landlock test coverage thanks to kernel fault injection. This would make it possible to cover kernel internal errors (e.g., memory allocation, user copy) that cannot be tested otherwise.
See Linux Kernel in Outreachy.
## Ongoing patch series

Konstantin Meskhidze is working on TCP port access control for Landlock. The code is almost ready, and we are tackling the last issues around the user space interface and tests. We'll use an unsigned 64-bit integer with host endianness to define a port, for simplicity, padding, and extensibility reasons. We are also thinking about a new feature to block entire network protocols from being used.

Shervin Oloumi proposed a way to identify landlocked processes. That would be useful for chromeOS to make sure that services are properly sandboxed, and it might be the beginning of a more advanced set of audit and debugging tools.
I sent patches to support the User-Mode Linux architecture, which would be useful for tests.
Thanks to all the contributors!
Regards, Mickaël