Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Landlock LSM: Towards unprivileged sandboxing @...
Search
Michael Schubert
October 22, 2017
Programming
0
820
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
Michael Schubert
October 22, 2017
Tweet
Share
More Decks by Michael Schubert
See All by Michael Schubert
Applied Kubernetes Security Pitfalls
schu
0
2.4k
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
870
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.2k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
210
Other Decks in Programming
See All in Programming
Web フロントエンドエンジニアに開かれる AI Agent プロダクト開発 - Vercel AI SDK を観察して AI Agent と仲良くなろう! #FEC余熱NIGHT
izumin5210
3
400
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
140
Goで実践するドメイン駆動開発 AIと歩み始めた新規プロダクト開発の現在地
imkaoru
4
660
『毎日の移動』を支えるGoバックエンド内製開発
yutautsugi
2
190
Go言語の特性を活かした公式MCP SDKの設計
hond0413
1
180
SpecKitでどこまでできる? コストはどれくらい?
leveragestech
0
540
プログラミングどうやる? ~テスト駆動開発から学ぶ達人の型~
a_okui
0
190
階層構造を表現するデータ構造とリファクタリング 〜1年で10倍成長したプロダクトの変化と課題〜
yuhisatoxxx
3
920
CSC305 Lecture 04
javiergs
PRO
0
250
CI_CD「健康診断」のススメ。現場でのボトルネック特定から、健康診断を通じた組織的な改善手法
teamlab
PRO
0
180
(Extension DC 2025) Actor境界を越える技術
teamhimeh
1
230
Railsだからできる 例外業務に禍根を残さない 設定設計パターン
ei_ei_eiichi
0
340
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
The Cost Of JavaScript in 2023
addyosmani
53
9k
GitHub's CSS Performance
jonrohan
1032
460k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.6k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Automating Front-end Workflow
addyosmani
1371
200k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
32
2.2k
Agile that works and the tools we love
rasmusluckow
331
21k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Designing for Performance
lara
610
69k
Transcript
Landlock LSM Towards unprivileged sandboxing
[email protected]
Proposed new LSM by Mickaël Salaün First RFC March 2016,
Today in iteration v7 "seccomp-object: From attack surface reduction to sandboxing"
Goal "empower any process, including unprivileged ones, to securely restrict
themselves" Note: current version (Landlock patch v7) requires CAP_SYS_ADMIN
Patchset v7 a minimum viable product a stackable LSM using
eBPF (new pogram type BPF_PROG_TYPE_LANDLOCK_RULE) focused on filesystem access control source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Why eBPF very limited kernel attack surface strict rules for
policies (enforced through eBPF verifier)
Demo ./landlock landlock1_kern.o /usr/bin/bash
Events Landlock groups 33 filesystem-related LSM hooks into LANDLOCK_SUBTYPE_EVENT_FS an
event "describes the kind of kernel object for which a rule will be triggered to allow or deny an action"
Actions events further distinguished by action type, e.g. LANDLOCK_ACTION_FS_WRITE or
subevent specific arg, e.g. ioctl request
How it works linux:security_init: Landlock LSM hooks are set up
user application loads Landlock program(s) with bpf(2) and applies with seccomp(2) prog is triggered for events matching the program subtype prog allows (ret == 0) or denies access (ret != 0)
Applying a rule where prog_fd is the fd of the
eBPF Landlock program prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); seccomp(SECCOMP_PREPEND_LANDLOCK_RULE, 0, &prog_fd);
Writing a rule requires ... a subtype a handler program
The subtype SEC("subtype") static const union bpf_prog_subtype _subtype = {
.landlock_rule = { .abi = 1, .event = LANDLOCK_SUBTYPE_EVENT_FS, .ability = LANDLOCK_SUBTYPE_ABILITY_DEBUG, } };
The handler program SEC("landlock1") static int landlock_fs_prog1(struct landlock_context *ctx) {
char fmt_event_fs[] = "received event LANDLOCK_SUBTYPE_EVENT_FS\n"; char fmt_event_unknown[] = "received unknown event type\n"; if (ctx->event & LANDLOCK_SUBTYPE_EVENT_FS) { bpf_trace_printk(fmt_event_fs, sizeof(fmt_event_fs)); } else { // should not happen bpf_trace_printk(fmt_event_unknown, sizeof(fmt_event_unknown)); } return 0; // allow all }
Development LKML Patchset is based on net-next https://github.com/landlock-lsm/linux
Roadmap cgroups handling new eBPF map type for filesystem-related checks
(map fsview) unprivileged mode source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Thank you Questions? Slides can be found here soon:
[email protected]
https://speakerdeck.com/schu
Resources https://landlock.io/ https://landlock.io/linux-doc/landlock-v7/security/landlock/index.html https://landlock.io/talks/2017-09-14_landlock-lss.pdf https://landlock.io/talks/2017-06-21_landlock-linuxkit-sig.pdf https://lkml.org/lkml/2017/8/20/192 https://man.openbsd.org/pledge.2 https://www.kernel.org/doc/Documentation/security/LSM.txt