Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Landlock LSM: Towards unprivileged sandboxing @...
Search
Michael Schubert
October 22, 2017
Programming
0
820
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
Michael Schubert
October 22, 2017
Tweet
Share
More Decks by Michael Schubert
See All by Michael Schubert
Applied Kubernetes Security Pitfalls
schu
0
2.4k
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
880
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.2k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
210
Other Decks in Programming
See All in Programming
NixOS + Kubernetesで構築する自宅サーバーのすべて
ichi_h3
0
1.1k
Go言語の特性を活かした公式MCP SDKの設計
hond0413
1
450
デミカツ切り抜きで面倒くさいことはPythonにやらせよう
aokswork3
0
260
CSC305 Lecture 08
javiergs
PRO
0
270
オープンソースソフトウェアへの解像度🔬
utam0k
17
3.1k
Android16 Migration Stories ~Building a Pattern for Android OS upgrades~
reoandroider
0
130
monorepo の Go テストをはやくした〜い!~最小の依存解決への道のり~ / faster-testing-of-monorepos
convto
2
530
TransformerからMCPまで(現代AIを理解するための羅針盤)
mickey_kubo
6
3.8k
技術的負債の正体を知って向き合う
irof
0
230
AI駆動で0→1をやって見えた光と伸びしろ
passion0102
1
780
CSC509 Lecture 06
javiergs
PRO
0
260
Server Side Kotlin Meetup vol.16: 内部動作を理解して ハイパフォーマンスなサーバサイド Kotlin アプリケーションを書こう
ternbusty
3
230
Featured
See All Featured
Faster Mobile Websites
deanohume
310
31k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.6k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Six Lessons from altMBA
skipperchong
29
4k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
How to train your dragon (web standard)
notwaldorf
97
6.3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
30
2.9k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.7k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Making Projects Easy
brettharned
120
6.4k
Building Applications with DynamoDB
mza
96
6.7k
Documentation Writing (for coders)
carmenintech
75
5.1k
Transcript
Landlock LSM Towards unprivileged sandboxing
[email protected]
Proposed new LSM by Mickaël Salaün First RFC March 2016,
Today in iteration v7 "seccomp-object: From attack surface reduction to sandboxing"
Goal "empower any process, including unprivileged ones, to securely restrict
themselves" Note: current version (Landlock patch v7) requires CAP_SYS_ADMIN
Patchset v7 a minimum viable product a stackable LSM using
eBPF (new pogram type BPF_PROG_TYPE_LANDLOCK_RULE) focused on filesystem access control source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Why eBPF very limited kernel attack surface strict rules for
policies (enforced through eBPF verifier)
Demo ./landlock landlock1_kern.o /usr/bin/bash
Events Landlock groups 33 filesystem-related LSM hooks into LANDLOCK_SUBTYPE_EVENT_FS an
event "describes the kind of kernel object for which a rule will be triggered to allow or deny an action"
Actions events further distinguished by action type, e.g. LANDLOCK_ACTION_FS_WRITE or
subevent specific arg, e.g. ioctl request
How it works linux:security_init: Landlock LSM hooks are set up
user application loads Landlock program(s) with bpf(2) and applies with seccomp(2) prog is triggered for events matching the program subtype prog allows (ret == 0) or denies access (ret != 0)
Applying a rule where prog_fd is the fd of the
eBPF Landlock program prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); seccomp(SECCOMP_PREPEND_LANDLOCK_RULE, 0, &prog_fd);
Writing a rule requires ... a subtype a handler program
The subtype SEC("subtype") static const union bpf_prog_subtype _subtype = {
.landlock_rule = { .abi = 1, .event = LANDLOCK_SUBTYPE_EVENT_FS, .ability = LANDLOCK_SUBTYPE_ABILITY_DEBUG, } };
The handler program SEC("landlock1") static int landlock_fs_prog1(struct landlock_context *ctx) {
char fmt_event_fs[] = "received event LANDLOCK_SUBTYPE_EVENT_FS\n"; char fmt_event_unknown[] = "received unknown event type\n"; if (ctx->event & LANDLOCK_SUBTYPE_EVENT_FS) { bpf_trace_printk(fmt_event_fs, sizeof(fmt_event_fs)); } else { // should not happen bpf_trace_printk(fmt_event_unknown, sizeof(fmt_event_unknown)); } return 0; // allow all }
Development LKML Patchset is based on net-next https://github.com/landlock-lsm/linux
Roadmap cgroups handling new eBPF map type for filesystem-related checks
(map fsview) unprivileged mode source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Thank you Questions? Slides can be found here soon:
[email protected]
https://speakerdeck.com/schu
Resources https://landlock.io/ https://landlock.io/linux-doc/landlock-v7/security/landlock/index.html https://landlock.io/talks/2017-09-14_landlock-lss.pdf https://landlock.io/talks/2017-06-21_landlock-linuxkit-sig.pdf https://lkml.org/lkml/2017/8/20/192 https://man.openbsd.org/pledge.2 https://www.kernel.org/doc/Documentation/security/LSM.txt
schu
ichi_h3
%20(2)%20(1).png){kind=avatar}
hond0413
aokswork3
javiergs
utam0k
reoandroider
convto
mickey_kubo
irof
passion0102
ternbusty
deanohume
marktimemedia
malarkey
skipperchong
maggiecrowley
notwaldorf
danielanewman
eileencodes
yeseniaperezcruz
brettharned
mza
carmenintech
![Landlock LSM Towards unprivileged sandboxing [email protected]](https://files.speakerdeck.com/presentations/3d48949289b04056b216fbbfa03b9188/slide_0.jpg){kind=link}
![Thank you Questions? Slides can be found here soon: [email protected]](https://files.speakerdeck.com/presentations/3d48949289b04056b216fbbfa03b9188/slide_15.jpg){kind=link}
