dtprobed: adopt Landlock

[thesamesam]

dtprobed already uses seccomp, but there's a new Linux sandboxing LSM in town which solves a bunch of problems seccomp has wrt abstraction and targeting the wrong layer.

We should be able to use it to restrict precisely our access to the device node/socket. See https://docs.kernel.org/userspace-api/landlock.html. xz has a nice example of some simple usage.

[nickalcock]

I know next to nothing about it, but IIRC landlock replaces seccomp's non-strict mode (BPF filtering). I don't think anything replaces what dtprobed uses, which is strict-mode seccomp (which is intentionally totally insanely harsh and unconfigurable, i.e. just what we want). In particular if landlocking a process stops its children from being strict-mode-seccomped, it isn't really usable for our purposes.

If landlock doesn't interfere with strict-mode seccomp, we could always landlock-confine the parent dtprobed so that it can't write to anything but the CUSE socket, /run/dtrace and whatever else it needs, but the problem is that "whatever else it needs" includes things like chasing /proc/$pid/fd symlinks which could point almost anywhere. So we can't restrict reading much. Still, if it can do better, I'd be interested!

For now I'm relying on systemd doing a bunch of containerization of dtprobed's parent...

[thesamesam]

IIRC landlock replaces seccomp's non-strict mode (BPF filtering).
[...]
In particular if landlocking a process stops its children from being strict-mode-seccomped, it isn't really usable for our purposes.

Ah, you might be right. OK. I'll check it out and if it's incompatible, we'll (obviously) leave it.

but the problem is that "whatever else it needs" includes things like chasing /proc/$pid/fd symlinks which could point almost anywhere.

... oh, duh. I hadn't thought about that part. I suggest we keep it open as I'd like a chance to play with landlock, but if I don't get around to it, I don't think it matters at all. Either way is fine (closing now or not).

For now I'm relying on systemd doing a bunch of containerization of dtprobed's parent...

That's what I was worrying you'd say ;)

Right now, there's nothing like this for OpenRC, which is a big shame.