Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Landlock LSM: Towards unprivileged sandboxing @...
Search
Michael Schubert
October 22, 2017
Programming
0
810
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
Michael Schubert
October 22, 2017
Tweet
Share
More Decks by Michael Schubert
See All by Michael Schubert
Applied Kubernetes Security Pitfalls
schu
0
2.4k
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
870
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.2k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
210
Other Decks in Programming
See All in Programming
GitHubとGitLabとAWS CodePipelineでCI/CDを組み比べてみた
satoshi256kbyte
4
250
さようなら Date。 ようこそTemporal! 3年間先行利用して得られた知見の共有
8beeeaaat
3
1.5k
個人開発で徳島大学生60%以上の心を掴んだアプリ、そして手放した話
akidon0000
1
140
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
410
旅行プランAIエージェント開発の裏側
ippo012
2
920
AI Coding Agentのセキュリティリスク:PRの自己承認とメルカリの対策
s3h
0
230
AIでLINEスタンプを作ってみた
eycjur
1
230
スケールする組織の実現に向けた インナーソース育成術 - ISGT2025
teamlab
PRO
1
160
請來的 AI Agent 同事們在寫程式時,怎麼用 pytest 去除各種幻想與盲點
keitheis
0
120
HTMLの品質ってなんだっけ? “HTMLクライテリア”の設計と実践
unachang113
4
2.9k
FindyにおけるTakumi活用と脆弱性管理のこれから
rvirus0817
0
530
知っているようで知らない"rails new"の世界 / The World of "rails new" You Think You Know but Don't
luccafort
PRO
1
180
Featured
See All Featured
Bash Introduction
62gerente
615
210k
The Pragmatic Product Professional
lauravandoore
36
6.9k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
Statistics for Hackers
jakevdp
799
220k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Side Projects
sachag
455
43k
How GitHub (no longer) Works
holman
315
140k
Building Applications with DynamoDB
mza
96
6.6k
Six Lessons from altMBA
skipperchong
28
4k
Transcript
Landlock LSM Towards unprivileged sandboxing
[email protected]
Proposed new LSM by Mickaël Salaün First RFC March 2016,
Today in iteration v7 "seccomp-object: From attack surface reduction to sandboxing"
Goal "empower any process, including unprivileged ones, to securely restrict
themselves" Note: current version (Landlock patch v7) requires CAP_SYS_ADMIN
Patchset v7 a minimum viable product a stackable LSM using
eBPF (new pogram type BPF_PROG_TYPE_LANDLOCK_RULE) focused on filesystem access control source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Why eBPF very limited kernel attack surface strict rules for
policies (enforced through eBPF verifier)
Demo ./landlock landlock1_kern.o /usr/bin/bash
Events Landlock groups 33 filesystem-related LSM hooks into LANDLOCK_SUBTYPE_EVENT_FS an
event "describes the kind of kernel object for which a rule will be triggered to allow or deny an action"
Actions events further distinguished by action type, e.g. LANDLOCK_ACTION_FS_WRITE or
subevent specific arg, e.g. ioctl request
How it works linux:security_init: Landlock LSM hooks are set up
user application loads Landlock program(s) with bpf(2) and applies with seccomp(2) prog is triggered for events matching the program subtype prog allows (ret == 0) or denies access (ret != 0)
Applying a rule where prog_fd is the fd of the
eBPF Landlock program prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); seccomp(SECCOMP_PREPEND_LANDLOCK_RULE, 0, &prog_fd);
Writing a rule requires ... a subtype a handler program
The subtype SEC("subtype") static const union bpf_prog_subtype _subtype = {
.landlock_rule = { .abi = 1, .event = LANDLOCK_SUBTYPE_EVENT_FS, .ability = LANDLOCK_SUBTYPE_ABILITY_DEBUG, } };
The handler program SEC("landlock1") static int landlock_fs_prog1(struct landlock_context *ctx) {
char fmt_event_fs[] = "received event LANDLOCK_SUBTYPE_EVENT_FS\n"; char fmt_event_unknown[] = "received unknown event type\n"; if (ctx->event & LANDLOCK_SUBTYPE_EVENT_FS) { bpf_trace_printk(fmt_event_fs, sizeof(fmt_event_fs)); } else { // should not happen bpf_trace_printk(fmt_event_unknown, sizeof(fmt_event_unknown)); } return 0; // allow all }
Development LKML Patchset is based on net-next https://github.com/landlock-lsm/linux
Roadmap cgroups handling new eBPF map type for filesystem-related checks
(map fsview) unprivileged mode source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Thank you Questions? Slides can be found here soon:
[email protected]
https://speakerdeck.com/schu
Resources https://landlock.io/ https://landlock.io/linux-doc/landlock-v7/security/landlock/index.html https://landlock.io/talks/2017-09-14_landlock-lss.pdf https://landlock.io/talks/2017-06-21_landlock-linuxkit-sig.pdf https://lkml.org/lkml/2017/8/20/192 https://man.openbsd.org/pledge.2 https://www.kernel.org/doc/Documentation/security/LSM.txt