projects / linux-2.6-block.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Linux 6.17-rc6
[linux-2.6-block.git] / Documentation / userspace-api / landlock.rst
... / ...
CommitLineData
1.. SPDX-License-Identifier: GPL-2.0
2.. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
3.. Copyright © 2019-2020 ANSSI
4.. Copyright © 2021-2022 Microsoft Corporation
5
6=====================================
7Landlock: unprivileged access control
8=====================================
9
10:Author: Mickaël Salaün
11:Date: March 2025
12
13The goal of Landlock is to enable restriction of ambient rights (e.g. global
14filesystem or network access) for a set of processes. Because Landlock
15is a stackable LSM, it makes it possible to create safe security sandboxes as
16new security layers in addition to the existing system-wide access-controls.
17This kind of sandbox is expected to help mitigate the security impact of bugs or
18unexpected/malicious behaviors in user space applications. Landlock empowers
19any process, including unprivileged ones, to securely restrict themselves.
20
21We can quickly make sure that Landlock is enabled in the running system by
22looking for "landlock: Up and running" in kernel logs (as root):
23``dmesg | grep landlock || journalctl -kb -g landlock`` .
24Developers can also easily check for Landlock support with a
25:ref:`related system call <landlock_abi_versions>`.
26If Landlock is not currently supported, we need to
27:ref:`configure the kernel appropriately <kernel_support>`.
28
29Landlock rules
30==============
31
32A Landlock rule describes an action on an object which the process intends to
33perform. A set of rules is aggregated in a ruleset, which can then restrict
34the thread enforcing it, and its future children.
35
36The two existing types of rules are:
37
38Filesystem rules
39 For these rules, the object is a file hierarchy,
40 and the related filesystem actions are defined with
41 `filesystem access rights`.
42
43Network rules (since ABI v4)
44 For these rules, the object is a TCP port,
45 and the related actions are defined with `network access rights`.
46
47Defining and enforcing a security policy
48----------------------------------------
49
50We first need to define the ruleset that will contain our rules.
51
52For this example, the ruleset will contain rules that only allow filesystem
53read actions and establish a specific TCP connection. Filesystem write
54actions and other TCP actions will be denied.
55
56The ruleset then needs to handle both these kinds of actions. This is
57required for backward and forward compatibility (i.e. the kernel and user
58space may not know each other's supported restrictions), hence the need
59to be explicit about the denied-by-default access rights.
60
61.. code-block:: c
62
63 struct landlock_ruleset_attr ruleset_attr = {
64 .handled_access_fs =
65 LANDLOCK_ACCESS_FS_EXECUTE |
66 LANDLOCK_ACCESS_FS_WRITE_FILE |
67 LANDLOCK_ACCESS_FS_READ_FILE |
68 LANDLOCK_ACCESS_FS_READ_DIR |
69 LANDLOCK_ACCESS_FS_REMOVE_DIR |
70 LANDLOCK_ACCESS_FS_REMOVE_FILE |
71 LANDLOCK_ACCESS_FS_MAKE_CHAR |
72 LANDLOCK_ACCESS_FS_MAKE_DIR |
73 LANDLOCK_ACCESS_FS_MAKE_REG |
74 LANDLOCK_ACCESS_FS_MAKE_SOCK |
75 LANDLOCK_ACCESS_FS_MAKE_FIFO |
76 LANDLOCK_ACCESS_FS_MAKE_BLOCK |
77 LANDLOCK_ACCESS_FS_MAKE_SYM |
78 LANDLOCK_ACCESS_FS_REFER |
79 LANDLOCK_ACCESS_FS_TRUNCATE |
80 LANDLOCK_ACCESS_FS_IOCTL_DEV,
81 .handled_access_net =
82 LANDLOCK_ACCESS_NET_BIND_TCP |
83 LANDLOCK_ACCESS_NET_CONNECT_TCP,
84 .scoped =
85 LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
86 LANDLOCK_SCOPE_SIGNAL,
87 };
88
89Because we may not know which kernel version an application will be executed
90on, it is safer to follow a best-effort security approach. Indeed, we
91should try to protect users as much as possible whatever the kernel they are
92using.
93
94To be compatible with older Linux versions, we detect the available Landlock ABI
95version, and only use the available subset of access rights:
96
97.. code-block:: c
98
99 int abi;
100
101 abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
102 if (abi < 0) {
103 /* Degrades gracefully if Landlock is not handled. */
104 perror("The running kernel does not enable to use Landlock");
105 return 0;
106 }
107 switch (abi) {
108 case 1:
109 /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
110 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
111 __attribute__((fallthrough));
112 case 2:
113 /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
114 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
115 __attribute__((fallthrough));
116 case 3:
117 /* Removes network support for ABI < 4 */
118 ruleset_attr.handled_access_net &=
119 ~(LANDLOCK_ACCESS_NET_BIND_TCP |
120 LANDLOCK_ACCESS_NET_CONNECT_TCP);
121 __attribute__((fallthrough));
122 case 4:
123 /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */
124 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
125 __attribute__((fallthrough));
126 case 5:
127 /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
128 ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
129 LANDLOCK_SCOPE_SIGNAL);
130 }
131
132This enables the creation of an inclusive ruleset that will contain our rules.
133
134.. code-block:: c
135
136 int ruleset_fd;
137
138 ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
139 if (ruleset_fd < 0) {
140 perror("Failed to create a ruleset");
141 return 1;
142 }
143
144We can now add a new rule to this ruleset thanks to the returned file
145descriptor referring to this ruleset. The rule will only allow reading the
146file hierarchy ``/usr``. Without another rule, write actions would then be
147denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
148``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
149descriptor.
150
151.. code-block:: c
152
153 int err;
154 struct landlock_path_beneath_attr path_beneath = {
155 .allowed_access =
156 LANDLOCK_ACCESS_FS_EXECUTE |
157 LANDLOCK_ACCESS_FS_READ_FILE |
158 LANDLOCK_ACCESS_FS_READ_DIR,
159 };
160
161 path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
162 if (path_beneath.parent_fd < 0) {
163 perror("Failed to open file");
164 close(ruleset_fd);
165 return 1;
166 }
167 err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
168 &path_beneath, 0);
169 close(path_beneath.parent_fd);
170 if (err) {
171 perror("Failed to update ruleset");
172 close(ruleset_fd);
173 return 1;
174 }
175
176It may also be required to create rules following the same logic as explained
177for the ruleset creation, by filtering access rights according to the Landlock
178ABI version. In this example, this is not required because all of the requested
179``allowed_access`` rights are already available in ABI 1.
180
181For network access-control, we can add a set of rules that allow to use a port
182number for a specific action: HTTPS connections.
183
184.. code-block:: c
185
186 struct landlock_net_port_attr net_port = {
187 .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
188 .port = 443,
189 };
190
191 err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
192 &net_port, 0);
193
194The next step is to restrict the current thread from gaining more privileges
195(e.g. through a SUID binary). We now have a ruleset with the first rule
196allowing read access to ``/usr`` while denying all other handled accesses for
197the filesystem, and a second rule allowing HTTPS connections.
198
199.. code-block:: c
200
201 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
202 perror("Failed to restrict privileges");
203 close(ruleset_fd);
204 return 1;
205 }
206
207The current thread is now ready to sandbox itself with the ruleset.
208
209.. code-block:: c
210
211 if (landlock_restrict_self(ruleset_fd, 0)) {
212 perror("Failed to enforce ruleset");
213 close(ruleset_fd);
214 return 1;
215 }
216 close(ruleset_fd);
217
218If the ``landlock_restrict_self`` system call succeeds, the current thread is
219now restricted and this policy will be enforced on all its subsequently created
220children as well. Once a thread is landlocked, there is no way to remove its
221security policy; only adding more restrictions is allowed. These threads are
222now in a new Landlock domain, which is a merger of their parent one (if any)
223with the new ruleset.
224
225Full working code can be found in `samples/landlock/sandboxer.c`_.
226
227Good practices
228--------------
229
230It is recommended to set access rights to file hierarchy leaves as much as
231possible. For instance, it is better to be able to have ``~/doc/`` as a
232read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
233``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
234Following this good practice leads to self-sufficient hierarchies that do not
235depend on their location (i.e. parent directories). This is particularly
236relevant when we want to allow linking or renaming. Indeed, having consistent
237access rights per directory enables changing the location of such directories
238without relying on the destination directory access rights (except those that
239are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER``
240documentation).
241
242Having self-sufficient hierarchies also helps to tighten the required access
243rights to the minimal set of data. This also helps avoid sinkhole directories,
244i.e. directories where data can be linked to but not linked from. However,
245this depends on data organization, which might not be controlled by developers.
246In this case, granting read-write access to ``~/tmp/``, instead of write-only
247access, would potentially allow moving ``~/tmp/`` to a non-readable directory
248and still keep the ability to list the content of ``~/tmp/``.
249
250Layers of file path access rights
251---------------------------------
252
253Each time a thread enforces a ruleset on itself, it updates its Landlock domain
254with a new layer of policy. This complementary policy is stacked with any
255other rulesets potentially already restricting this thread. A sandboxed thread
256can then safely add more constraints to itself with a new enforced ruleset.
257
258One policy layer grants access to a file path if at least one of its rules
259encountered on the path grants the access. A sandboxed thread can only access
260a file path if all its enforced policy layers grant the access as well as all
261the other system access controls (e.g. filesystem DAC, other LSM policies,
262etc.).
263
264Bind mounts and OverlayFS
265-------------------------
266
267Landlock enables restricting access to file hierarchies, which means that these
268access rights can be propagated with bind mounts (cf.
269Documentation/filesystems/sharedsubtree.rst) but not with
270Documentation/filesystems/overlayfs.rst.
271
272A bind mount mirrors a source file hierarchy to a destination. The destination
273hierarchy is then composed of the exact same files, on which Landlock rules can
274be tied, either via the source or the destination path. These rules restrict
275access when they are encountered on a path, which means that they can restrict
276access to multiple file hierarchies at the same time, whether these hierarchies
277are the result of bind mounts or not.
278
279An OverlayFS mount point consists of upper and lower layers. These layers are
280combined in a merge directory, and that merged directory becomes available at
281the mount point. This merge hierarchy may include files from the upper and
282lower layers, but modifications performed on the merge hierarchy only reflect
283on the upper layer. From a Landlock policy point of view, all OverlayFS layers
284and merge hierarchies are standalone and each contains their own set of files
285and directories, which is different from bind mounts. A policy restricting an
286OverlayFS layer will not restrict the resulted merged hierarchy, and vice versa.
287Landlock users should then only think about file hierarchies they want to allow
288access to, regardless of the underlying filesystem.
289
290Inheritance
291-----------
292
293Every new thread resulting from a :manpage:`clone(2)` inherits Landlock domain
294restrictions from its parent. This is similar to seccomp inheritance (cf.
295Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
296task's :manpage:`credentials(7)`. For instance, one process's thread may apply
297Landlock rules to itself, but they will not be automatically applied to other
298sibling threads (unlike POSIX thread credential changes, cf.
299:manpage:`nptl(7)`).
300
301When a thread sandboxes itself, we have the guarantee that the related security
302policy will stay enforced on all this thread's descendants. This allows
303creating standalone and modular security policies per application, which will
304automatically be composed between themselves according to their runtime parent
305policies.
306
307Ptrace restrictions
308-------------------
309
310A sandboxed process has less privileges than a non-sandboxed process and must
311then be subject to additional restrictions when manipulating another process.
312To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target
313process, a sandboxed process should have a superset of the target process's
314access rights, which means the tracee must be in a sub-domain of the tracer.
315
316IPC scoping
317-----------
318
319Similar to the implicit `Ptrace restrictions`_, we may want to further restrict
320interactions between sandboxes. Therefore, at ruleset creation time, each
321Landlock domain can restrict the scope for certain operations, so that these
322operations can only reach out to processes within the same Landlock domain or in
323a nested Landlock domain (the "scope").
324
325The operations which can be scoped are:
326
327``LANDLOCK_SCOPE_SIGNAL``
328 This limits the sending of signals to target processes which run within the
329 same or a nested Landlock domain.
330
331``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``
332 This limits the set of abstract :manpage:`unix(7)` sockets to which we can
333 :manpage:`connect(2)` to socket addresses which were created by a process in
334 the same or a nested Landlock domain.
335
336 A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
337 it were doing an implicit :manpage:`connect(2)` and will be blocked if the
338 remote end does not stem from the same or a nested Landlock domain.
339
340 A :manpage:`sendto(2)` on a socket which was previously connected will not
341 be restricted. This works for both datagram and stream sockets.
342
343IPC scoping does not support exceptions via :manpage:`landlock_add_rule(2)`.
344If an operation is scoped within a domain, no rules can be added to allow access
345to resources or processes outside of the scope.
346
347Truncating files
348----------------
349
350The operations covered by ``LANDLOCK_ACCESS_FS_WRITE_FILE`` and
351``LANDLOCK_ACCESS_FS_TRUNCATE`` both change the contents of a file and sometimes
352overlap in non-intuitive ways. It is recommended to always specify both of
353these together.
354
355A particularly surprising example is :manpage:`creat(2)`. The name suggests
356that this system call requires the rights to create and write files. However,
357it also requires the truncate right if an existing file under the same name is
358already present.
359
360It should also be noted that truncating files does not require the
361``LANDLOCK_ACCESS_FS_WRITE_FILE`` right. Apart from the :manpage:`truncate(2)`
362system call, this can also be done through :manpage:`open(2)` with the flags
363``O_RDONLY | O_TRUNC``.
364
365The truncate right is associated with the opened file (see below).
366
367Rights associated with file descriptors
368---------------------------------------
369
370When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and
371``LANDLOCK_ACCESS_FS_IOCTL_DEV`` rights is associated with the newly created
372file descriptor and will be used for subsequent truncation and ioctl attempts
373using :manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar
374to opening a file for reading or writing, where permissions are checked during
375:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
376:manpage:`write(2)` calls.
377
378As a consequence, it is possible that a process has multiple open file
379descriptors referring to the same file, but Landlock enforces different things
380when operating with these file descriptors. This can happen when a Landlock
381ruleset gets enforced and the process keeps file descriptors which were opened
382both before and after the enforcement. It is also possible to pass such file
383descriptors between processes, keeping their Landlock properties, even when some
384of the involved processes do not have an enforced Landlock ruleset.
385
386Compatibility
387=============
388
389Backward and forward compatibility
390----------------------------------
391
392Landlock is designed to be compatible with past and future versions of the
393kernel. This is achieved thanks to the system call attributes and the
394associated bitflags, particularly the ruleset's ``handled_access_fs``. Making
395handled access rights explicit enables the kernel and user space to have a clear
396contract with each other. This is required to make sure sandboxing will not
397get stricter with a system update, which could break applications.
398
399Developers can subscribe to the `Landlock mailing list
400<https://subspace.kernel.org/lists.linux.dev.html>`_ to knowingly update and
401test their applications with the latest available features. In the interest of
402users, and because they may use different kernel versions, it is strongly
403encouraged to follow a best-effort security approach by checking the Landlock
404ABI version at runtime and only enforcing the supported features.
405
406.. _landlock_abi_versions:
407
408Landlock ABI versions
409---------------------
410
411The Landlock ABI version can be read with the sys_landlock_create_ruleset()
412system call:
413
414.. code-block:: c
415
416 int abi;
417
418 abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
419 if (abi < 0) {
420 switch (errno) {
421 case ENOSYS:
422 printf("Landlock is not supported by the current kernel.\n");
423 break;
424 case EOPNOTSUPP:
425 printf("Landlock is currently disabled.\n");
426 break;
427 }
428 return 0;
429 }
430 if (abi >= 2) {
431 printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n");
432 }
433
434The following kernel interfaces are implicitly supported by the first ABI
435version. Features only supported from a specific version are explicitly marked
436as such.
437
438Kernel interface
439================
440
441Access rights
442-------------
443
444.. kernel-doc:: include/uapi/linux/landlock.h
445 :identifiers: fs_access net_access scope
446
447Creating a new ruleset
448----------------------
449
450.. kernel-doc:: security/landlock/syscalls.c
451 :identifiers: sys_landlock_create_ruleset
452
453.. kernel-doc:: include/uapi/linux/landlock.h
454 :identifiers: landlock_ruleset_attr
455
456Extending a ruleset
457-------------------
458
459.. kernel-doc:: security/landlock/syscalls.c
460 :identifiers: sys_landlock_add_rule
461
462.. kernel-doc:: include/uapi/linux/landlock.h
463 :identifiers: landlock_rule_type landlock_path_beneath_attr
464 landlock_net_port_attr
465
466Enforcing a ruleset
467-------------------
468
469.. kernel-doc:: security/landlock/syscalls.c
470 :identifiers: sys_landlock_restrict_self
471
472Current limitations
473===================
474
475Filesystem topology modification
476--------------------------------
477
478Threads sandboxed with filesystem restrictions cannot modify filesystem
479topology, whether via :manpage:`mount(2)` or :manpage:`pivot_root(2)`.
480However, :manpage:`chroot(2)` calls are not denied.
481
482Special filesystems
483-------------------
484
485Access to regular files and directories can be restricted by Landlock,
486according to the handled accesses of a ruleset. However, files that do not
487come from a user-visible filesystem (e.g. pipe, socket), but can still be
488accessed through ``/proc/<pid>/fd/*``, cannot currently be explicitly
489restricted. Likewise, some special kernel filesystems such as nsfs, which can
490be accessed through ``/proc/<pid>/ns/*``, cannot currently be explicitly
491restricted. However, thanks to the `ptrace restrictions`_, access to such
492sensitive ``/proc`` files are automatically restricted according to domain
493hierarchies. Future Landlock evolutions could still enable to explicitly
494restrict such paths with dedicated ruleset flags.
495
496Ruleset layers
497--------------
498
499There is a limit of 16 layers of stacked rulesets. This can be an issue for a
500task willing to enforce a new ruleset in complement to its 16 inherited
501rulesets. Once this limit is reached, sys_landlock_restrict_self() returns
502E2BIG. It is then strongly suggested to carefully build rulesets once in the
503life of a thread, especially for applications able to launch other applications
504that may also want to sandbox themselves (e.g. shells, container managers,
505etc.).
506
507Memory usage
508------------
509
510Kernel memory allocated to create rulesets is accounted and can be restricted
511by the Documentation/admin-guide/cgroup-v1/memory.rst.
512
513IOCTL support
514-------------
515
516The ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right restricts the use of
517:manpage:`ioctl(2)`, but it only applies to *newly opened* device files. This
518means specifically that pre-existing file descriptors like stdin, stdout and
519stderr are unaffected.
520
521Users should be aware that TTY devices have traditionally permitted to control
522other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL
523commands. Both of these require ``CAP_SYS_ADMIN`` on modern Linux systems, but
524the behavior is configurable for ``TIOCSTI``.
525
526On older systems, it is therefore recommended to close inherited TTY file
527descriptors, or to reopen them from ``/proc/self/fd/*`` without the
528``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right, if possible.
529
530Landlock's IOCTL support is coarse-grained at the moment, but may become more
531fine-grained in the future. Until then, users are advised to establish the
532guarantees that they need through the file hierarchy, by only allowing the
533``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right on files where it is really required.
534
535Previous limitations
536====================
537
538File renaming and linking (ABI < 2)
539-----------------------------------
540
541Because Landlock targets unprivileged access controls, it needs to properly
542handle composition of rules. Such property also implies rules nesting.
543Properly handling multiple layers of rulesets, each one of them able to
544restrict access to files, also implies inheritance of the ruleset restrictions
545from a parent to its hierarchy. Because files are identified and restricted by
546their hierarchy, moving or linking a file from one directory to another implies
547propagation of the hierarchy constraints, or restriction of these actions
548according to the potentially lost constraints. To protect against privilege
549escalations through renaming or linking, and for the sake of simplicity,
550Landlock previously limited linking and renaming to the same directory.
551Starting with the Landlock ABI version 2, it is now possible to securely
552control renaming and linking thanks to the new ``LANDLOCK_ACCESS_FS_REFER``
553access right.
554
555File truncation (ABI < 3)
556-------------------------
557
558File truncation could not be denied before the third Landlock ABI, so it is
559always allowed when using a kernel that only supports the first or second ABI.
560
561Starting with the Landlock ABI version 3, it is now possible to securely control
562truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right.
563
564TCP bind and connect (ABI < 4)
565------------------------------
566
567Starting with the Landlock ABI version 4, it is now possible to restrict TCP
568bind and connect actions to only a set of allowed ports thanks to the new
569``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP``
570access rights.
571
572Device IOCTL (ABI < 5)
573----------------------
574
575IOCTL operations could not be denied before the fifth Landlock ABI, so
576:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an
577earlier ABI.
578
579Starting with the Landlock ABI version 5, it is possible to restrict the use of
580:manpage:`ioctl(2)` on character and block devices using the new
581``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right.
582
583Abstract UNIX socket (ABI < 6)
584------------------------------
585
586Starting with the Landlock ABI version 6, it is possible to restrict
587connections to an abstract :manpage:`unix(7)` socket by setting
588``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` to the ``scoped`` ruleset attribute.
589
590Signal (ABI < 6)
591----------------
592
593Starting with the Landlock ABI version 6, it is possible to restrict
594:manpage:`signal(7)` sending by setting ``LANDLOCK_SCOPE_SIGNAL`` to the
595``scoped`` ruleset attribute.
596
597Logging (ABI < 7)
598-----------------
599
600Starting with the Landlock ABI version 7, it is possible to control logging of
601Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``,
602``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``, and
603``LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF`` flags passed to
604sys_landlock_restrict_self(). See Documentation/admin-guide/LSM/landlock.rst
605for more details on audit.
606
607.. _kernel_support:
608
609Kernel support
610==============
611
612Build time configuration
613------------------------
614
615Landlock was first introduced in Linux 5.13 but it must be configured at build
616time with ``CONFIG_SECURITY_LANDLOCK=y``. Landlock must also be enabled at boot
617time like other security modules. The list of security modules enabled by
618default is set with ``CONFIG_LSM``. The kernel configuration should then
619contain ``CONFIG_LSM=landlock,[...]`` with ``[...]`` as the list of other
620potentially useful security modules for the running system (see the
621``CONFIG_LSM`` help).
622
623Boot time configuration
624-----------------------
625
626If the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
627enable Landlock by adding ``lsm=landlock,[...]`` to
628Documentation/admin-guide/kernel-parameters.rst in the boot loader
629configuration.
630
631For example, if the current built-in configuration is:
632
633.. code-block:: console
634
635 $ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
636 CONFIG_LSM="lockdown,yama,integrity,apparmor"
637
638...and if the cmdline doesn't contain ``landlock`` either:
639
640.. code-block:: console
641
642 $ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
643 lsm=lockdown,yama,integrity,apparmor
644
645...we should configure the boot loader to set a cmdline extending the ``lsm``
646list with the ``landlock,`` prefix::
647
648 lsm=landlock,lockdown,yama,integrity,apparmor
649
650After a reboot, we can check that Landlock is up and running by looking at
651kernel logs:
652
653.. code-block:: console
654
655 # dmesg | grep landlock || journalctl -kb -g landlock
656 [ 0.000000] Command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
657 [ 0.000000] Kernel command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
658 [ 0.000000] LSM: initializing lsm=lockdown,capability,landlock,yama,integrity,apparmor
659 [ 0.000000] landlock: Up and running.
660
661The kernel may be configured at build time to always load the ``lockdown`` and
662``capability`` LSMs. In that case, these LSMs will appear at the beginning of
663the ``LSM: initializing`` log line as well, even if they are not configured in
664the boot loader.
665
666Network support
667---------------
668
669To be able to explicitly allow TCP operations (e.g., adding a network rule with
670``LANDLOCK_ACCESS_NET_BIND_TCP``), the kernel must support TCP
671(``CONFIG_INET=y``). Otherwise, sys_landlock_add_rule() returns an
672``EAFNOSUPPORT`` error, which can safely be ignored because this kind of TCP
673operation is already not possible.
674
675Questions and answers
676=====================
677
678What about user space sandbox managers?
679---------------------------------------
680
681Using user space processes to enforce restrictions on kernel resources can lead
682to race conditions or inconsistent evaluations (i.e. `Incorrect mirroring of
683the OS code and state
684<https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_).
685
686What about namespaces and containers?
687-------------------------------------
688
689Namespaces can help create sandboxes but they are not designed for
690access-control and then miss useful features for such use case (e.g. no
691fine-grained restrictions). Moreover, their complexity can lead to security
692issues, especially when untrusted processes can manipulate them (cf.
693`Controlling access to user namespaces <https://lwn.net/Articles/673597/>`_).
694
695How to disable Landlock audit records?
696--------------------------------------
697
698You might want to put in place filters as explained here:
699Documentation/admin-guide/LSM/landlock.rst
700
701Additional documentation
702========================
703
704* Documentation/admin-guide/LSM/landlock.rst
705* Documentation/security/landlock.rst
706* https://landlock.io
707
708.. Links
709.. _samples/landlock/sandboxer.c:
710 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c
Linux 6.x block layer and io_uring tree(s)