Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Landlock LSM: Towards unprivileged sandboxing @...
Search
Michael Schubert
October 22, 2017
Programming
0
800
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
Michael Schubert
October 22, 2017
Tweet
Share
More Decks by Michael Schubert
See All by Michael Schubert
Applied Kubernetes Security Pitfalls
schu
0
2.4k
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
860
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.2k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
210
Other Decks in Programming
See All in Programming
Create a website using Spatial Web
akkeylab
0
300
C++20 射影変換
faithandbrave
0
530
Railsアプリケーションと パフォーマンスチューニング ー 秒間5万リクエストの モバイルオーダーシステムを支える事例 ー Rubyセミナー 大阪
falcon8823
4
940
Deep Dive into ~/.claude/projects
hiragram
8
1.5k
Result型で“失敗”を型にするPHPコードの書き方
kajitack
4
370
GoのGenericsによるslice操作との付き合い方
syumai
3
690
関数型まつり2025登壇資料「関数プログラミングと再帰」
taisontsukada
2
850
AIコーディング道場勉強会#2 君(エンジニア)たちはどう生きるか
misakiotb
1
250
エンジニア向け採用ピッチ資料
inusan
0
160
地方に住むエンジニアの残酷な現実とキャリア論
ichimichi
5
1.3k
Beyond Portability: Live Migration for Evolving WebAssembly Workloads
chikuwait
0
390
Rubyでやりたい駆動開発 / Ruby driven development
chobishiba
1
400
Featured
See All Featured
Become a Pro
speakerdeck
PRO
28
5.4k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
138
34k
For a Future-Friendly Web
brad_frost
179
9.8k
The Invisible Side of Design
smashingmag
299
51k
Facilitating Awesome Meetings
lara
54
6.4k
Statistics for Hackers
jakevdp
799
220k
The Cost Of JavaScript in 2023
addyosmani
51
8.4k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
2.9k
Why You Should Never Use an ORM
jnunemaker
PRO
57
9.4k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
48
2.8k
Transcript
Landlock LSM Towards unprivileged sandboxing
[email protected]
Proposed new LSM by Mickaël Salaün First RFC March 2016,
Today in iteration v7 "seccomp-object: From attack surface reduction to sandboxing"
Goal "empower any process, including unprivileged ones, to securely restrict
themselves" Note: current version (Landlock patch v7) requires CAP_SYS_ADMIN
Patchset v7 a minimum viable product a stackable LSM using
eBPF (new pogram type BPF_PROG_TYPE_LANDLOCK_RULE) focused on filesystem access control source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Why eBPF very limited kernel attack surface strict rules for
policies (enforced through eBPF verifier)
Demo ./landlock landlock1_kern.o /usr/bin/bash
Events Landlock groups 33 filesystem-related LSM hooks into LANDLOCK_SUBTYPE_EVENT_FS an
event "describes the kind of kernel object for which a rule will be triggered to allow or deny an action"
Actions events further distinguished by action type, e.g. LANDLOCK_ACTION_FS_WRITE or
subevent specific arg, e.g. ioctl request
How it works linux:security_init: Landlock LSM hooks are set up
user application loads Landlock program(s) with bpf(2) and applies with seccomp(2) prog is triggered for events matching the program subtype prog allows (ret == 0) or denies access (ret != 0)
Applying a rule where prog_fd is the fd of the
eBPF Landlock program prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); seccomp(SECCOMP_PREPEND_LANDLOCK_RULE, 0, &prog_fd);
Writing a rule requires ... a subtype a handler program
The subtype SEC("subtype") static const union bpf_prog_subtype _subtype = {
.landlock_rule = { .abi = 1, .event = LANDLOCK_SUBTYPE_EVENT_FS, .ability = LANDLOCK_SUBTYPE_ABILITY_DEBUG, } };
The handler program SEC("landlock1") static int landlock_fs_prog1(struct landlock_context *ctx) {
char fmt_event_fs[] = "received event LANDLOCK_SUBTYPE_EVENT_FS\n"; char fmt_event_unknown[] = "received unknown event type\n"; if (ctx->event & LANDLOCK_SUBTYPE_EVENT_FS) { bpf_trace_printk(fmt_event_fs, sizeof(fmt_event_fs)); } else { // should not happen bpf_trace_printk(fmt_event_unknown, sizeof(fmt_event_unknown)); } return 0; // allow all }
Development LKML Patchset is based on net-next https://github.com/landlock-lsm/linux
Roadmap cgroups handling new eBPF map type for filesystem-related checks
(map fsview) unprivileged mode source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Thank you Questions? Slides can be found here soon:
[email protected]
https://speakerdeck.com/schu
Resources https://landlock.io/ https://landlock.io/linux-doc/landlock-v7/security/landlock/index.html https://landlock.io/talks/2017-09-14_landlock-lss.pdf https://landlock.io/talks/2017-06-21_landlock-linuxkit-sig.pdf https://lkml.org/lkml/2017/8/20/192 https://man.openbsd.org/pledge.2 https://www.kernel.org/doc/Documentation/security/LSM.txt