Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support Landlock LSM? #2859

Open
h-vetinari opened this issue Mar 16, 2021 · 16 comments · May be fixed by #3194
Open

Support Landlock LSM? #2859

h-vetinari opened this issue Mar 16, 2021 · 16 comments · May be fixed by #3194
Milestone

Comments

@h-vetinari
Copy link

With the discussions about some of the limitations of (lib)seccomp (#2151, #2735 etc.), especially in the context of determining which error to return for syscalls that may or may not be around at runtime, the following caught my eye.

I presume most people here are aware of the series of "landlock" patches that have been through 30 iterations over the last 5 years. The cover letter states:

Landlock is inspired by seccomp-bpf but instead of filtering syscalls and their raw arguments, a Landlock rule can restrict the use of kernel objects like file hierarchies, according to the kernel semantic.

I don't pretend to understand well enough if this could - in principle - solve some of the problems around the returned errors or other tricky bits in that regard, but it sounded intriguing - i.e. if that whole error dance could be avoided by letting landlock rather than seccomp handle things.

If landlock's approach is fundamentally unsuited to solving the problems here, I apologise. If OTOH there are only a few things missing for it to be usable, perhaps it would be a good time to reach out on LKML to see if they can be closed (or at least roadmapped) before the series is merged (looks like it's finalising).

@cyphar
Copy link
Member

cyphar commented Mar 18, 2021

Landlock is trying to solve a separate problem and doesn't really help with the libseccomp issues we have -- Landlock is a new LSM (Linux Security Module) and it's probably better to compare it with AppArmor or SELinux. It does have some similarities with seccomp (it uses BPF -- though it uses eBPF while seccomp is restricted to cBPF) but aside from that it's not really comparable (and it doesn't replace seccomp's primary use-case -- removing kernel attack surface by disabling syscall entrypoints).

It should be noted that the issues we've had recently are purely related to libseccomp, not with seccomp itself. The solution we applied still uses seccomp, it just works around the limitations of libseccomp's filter generation.

@h-vetinari
Copy link
Author

[...] aside from that it's not really comparable (and it doesn't replace seccomp's primary use-case -- removing kernel attack surface by disabling syscall entrypoints).

I was thinking that - if it performs as advertised - the availability of those syscall entry points would be irrelevant as long as one cannot do anything with them (because they access or manipulate kernel structures that are blocked by landlock) - i.e. getting EPERM for anything you try to do with them, unless they don't exist on that box (-> ENOSYS), which would give the "canonically" correct errors within the container, without having to go through the leaky abstraction of the syscall-profiles.

@cyphar
Copy link
Member

cyphar commented Apr 2, 2021

Well, that is the argument behind LSMs in general (they restrict access to kernel objects). However that assumes there are no bugs in the LSM -- what seccomp does is that completely removes the ability to access kernel code that may be buggy (such as compat or old and unmaintained syscalls). LSMs simply cannot do that because they are applied so far into syscall execution that you've already run most of the code that might be buggy.

Seccomp doesn't solve many other problems that LSMs try to solve, but it does solve this problem that LSMs simply cannot. (And this isn't hypothetical, quite a few kernel 0days were blocked by seccomp policies because the buggy kernel code in question simply could not be reached by the container.)

@h-vetinari
Copy link
Author

Well-understood, thanks for the explanation - at least I wasn't completely off with my understanding of the mechanics.

Would it make sense to consider using both though? That would also allow the user (or at least profile-maintainer) to specify a hybrid approach where e.g. seccomp is only used to filter out the "old and unmaintained" syscalls, and leaves the rest to the LSM.

@cyphar
Copy link
Member

cyphar commented Apr 2, 2021

Well, landlock isn't upstream yet. But once it is I imagine we'd add support to it in the runtime-spec (just like we support SELinux and AppArmor today).

@h-vetinari
Copy link
Author

Well, landlock isn't upstream yet.

FYI, it landed in -next a couple days ago, might make it into 5.13.

@h-vetinari
Copy link
Author

Landlock PR for 5.13 was sent and honoured. 🥳

I guess the next step (after waiting a while for things to stabilize) is adding this to the runtime-spec?

@cyphar
Copy link
Member

cyphar commented May 3, 2021

Yup, runtime-spec would be the next step but I'd need to look into what model we should use for supporting it (the AppArmor/SELinux "just give me the label" model is not ideal for a few reasons, but same goes for the seccomp model 😦).

@cyphar cyphar added this to the 1.1.0 milestone Jun 11, 2021
@h-vetinari h-vetinari changed the title Seccomp vs. Landlock? Support Landlock LSM? Jun 28, 2021
@h-vetinari
Copy link
Author

Landlock has now been released with Linux 5.13.

@kailun-qin
Copy link
Contributor

Opened an runtime-spec proposal and added with a drafted version there.

Any review or comment is much welcome. Thanks a lot.

@l0kod
Copy link

l0kod commented Aug 22, 2021

About the Go support, @gnoack and I are working to move https://github.com/gnoack/golandlock: landlock-lsm/go-landlock#10. This should not take long and I suggest to not use the current location/name but wait for the new one.

@gnoack
Copy link

gnoack commented Aug 24, 2021

About the Go support, @gnoack and I are working to move https://github.com/gnoack/golandlock: landlock-lsm/go-landlock#10. This should not take long and I suggest to not use the current location/name but wait for the new one.

This is done now :) The new location is: import "github.com/landlock-lsm/go-landlock/landlock".

@BoardzMaster
Copy link

Hi guys!!! I have drafted runc landlock version based on opencontainers/runtime-spec#1111 commits by @kailun-qin for runtime-spec. I wonder if I can send it here for the discussion? Or @kailun-qin has already been working on runc landlock version?
Please your opinion, guys!!

@kailun-qin
Copy link
Contributor

Hi guys!!! I have drafted runc landlock version based on opencontainers/runtime-spec#1111 commits by @kailun-qin for runtime-spec. I wonder if I can send it here for the discussion? Or @kailun-qin has already been working on runc landlock version?
Please your opinion, guys!!

Hi @BoardzMaster, great to hear that you're also working on it! Yes, internally we have a PoC implementation based on runc using go-landlock working as mentioned here: opencontainers/runtime-spec#1111 (comment). We've been making cleanups and updating according to the go-landlock changes following the spec these days.

I'd like to propose a convergence on it if you're using the same approach so that the effort won't be wasted. WDYT? You can reach me at [email protected] and let me know if any thoughts.

kailun-qin added a commit to kailun-qin/runc that referenced this issue Sep 1, 2021
This patch introduces Landlock Linux Security Module (LSM) support in
runc, which was landed in Linux kernel 5.13.

This allows unprivileged processes to create safe security sandboxes
that can securely restrict the ambient rights (e.g. global filesystem
access) for themselves.

runtime-spec: opencontainers/runtime-spec#1111

Fixes opencontainers#2859

Signed-off-by: Kailun Qin <[email protected]>
@kailun-qin kailun-qin linked a pull request Sep 1, 2021 that will close this issue
@kailun-qin
Copy link
Contributor

Hi @BoardzMaster, I've proposed my drafted version of PR here: #3194. See if you have anything to add/converge or any thoughts. I would be happy to add co-authors.

Hi All, please kindly take a look when you get a chance. Thanks a lot!

P.S. There should be a follow-up patch for integration testing.

@BoardzMaster
Copy link

BoardzMaster commented Sep 1, 2021

Hi @BoardzMaster, I've proposed my drafted version of PR here: #3194. See if you have anything to add/converge or any thoughts. I would be happy to add co-authors.

Hi All, please kindly take a look when you get a chance. Thanks a lot!

P.S. There should be a follow-up patch for integration testing.

Thank you so much @kailun-qin. I will check it.

@AkihiroSuda AkihiroSuda modified the milestones: 1.1.0, 1.2.0 Sep 2, 2021
kailun-qin added a commit to kailun-qin/runc that referenced this issue Sep 9, 2021
This patch introduces Landlock Linux Security Module (LSM) support in
runc, which was landed in Linux kernel 5.13.

This allows unprivileged processes to create safe security sandboxes
that can securely restrict the ambient rights (e.g. global filesystem
access) for themselves.

runtime-spec: opencontainers/runtime-spec#1111

Fixes opencontainers#2859

Signed-off-by: Kailun Qin <[email protected]>
@kolyshkin kolyshkin modified the milestones: 1.2.0, 1.3.0 Aug 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants