On 16/11/2020 22:26, Pavel Machek wrote: > Hi! > >> A Landlock object enables to identify a kernel object (e.g. an inode). >> A Landlock rule is a set of access rights allowed on an object. Rules >> are grouped in rulesets that may be tied to a set of processes (i.e. >> subjects) to enforce a scoped access-control (i.e. a domain). >> >> Because Landlock's goal is to empower any process (especially >> unprivileged ones) to sandbox themselves, we cannot rely on a >> system-wide object identification such as file extended attributes. > > >> +config SECURITY_LANDLOCK >> + bool "Landlock support" >> + depends on SECURITY >> + select SECURITY_PATH >> + help >> + Landlock is a safe sandboxing mechanism which enables processes to >> + restrict themselves (and their future children) by gradually >> + enforcing tailored access control policies. A security policy is a >> + set of access rights (e.g. open a file in read-only, make a >> + directory, etc.) tied to a file hierarchy. Such policy can be configured >> + and enforced by any processes for themselves thanks to dedicated system >> + calls: landlock_create_ruleset(), landlock_add_rule(), and >> + landlock_enforce_ruleset_current(). > > How does it interact with setuid binaries? Being able to exec passwd > in a sandbox sounds like ... fun way to get root? :-). It works like seccomp: if you run with CAP_SYS_ADMIN in the current namespace, then SUID binaries may be allowed, otherwise if you use PR_SET_NO_NEW_PRIVS, then executing a SUID binary is denied. The 24th version is here: https://lore.kernel.org/lkml/20201112205141.775752-1-mic@xxxxxxxxxxx/ > > Best regards, > Pavel > >
