Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Landlock LSM: Towards unprivileged sandboxing @...
Search
Michael Schubert
October 22, 2017
Programming
0
810
Landlock LSM: Towards unprivileged sandboxing @ All Systems Go! 2017
Michael Schubert
October 22, 2017
Tweet
Share
More Decks by Michael Schubert
See All by Michael Schubert
Applied Kubernetes Security Pitfalls
schu
0
2.4k
A gentle introduction to [e]BPF @ Open Source Summit LinuxCon 2017
schu
1
870
gobpf - utilizing eBPF from Go @ FOSDEM 2017
schu
0
1.2k
gobpf - utilizing eBPF from Go @ GDG Golang Berlin
schu
1
210
Other Decks in Programming
See All in Programming
コンテキストエンジニアリング Cursor編
kinopeee
1
740
CloudflareのChat Agent Starter Kitで簡単!AIチャットボット構築
syumai
1
320
オープンセミナー2025 @広島 LT 技術ブログを続けるには
satoshi256kbyte
0
150
Swift Updates - Learn Languages 2025
koher
1
210
Azure SRE Agentで運用は楽になるのか?
kkamegawa
0
1k
Claude Codeで実装以外の開発フロー、どこまで自動化できるか?失敗と成功
ndadayo
3
1.8k
開発チーム・開発組織の設計改善スキルの向上
masuda220
PRO
18
9.6k
オープンセミナー2025@広島 「君はどこで動かすか?」 アンケート結果
satoshi256kbyte
0
230
Ruby Parser progress report 2025
yui_knk
1
260
rage against annotate_predecessor
junk0612
0
150
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
temoki
0
120
CSC305 Summer Lecture 12
javiergs
PRO
0
130
Featured
See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
Code Review Best Practice
trishagee
70
19k
Documentation Writing (for coders)
carmenintech
73
5k
Producing Creativity
orderedlist
PRO
347
40k
A Tale of Four Properties
chriscoyier
160
23k
The Cult of Friendly URLs
andyhume
79
6.6k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
33
2.4k
Agile that works and the tools we love
rasmusluckow
330
21k
Six Lessons from altMBA
skipperchong
28
4k
Intergalactic Javascript Robots from Outer Space
tanoku
272
27k
Designing for humans not robots
tammielis
253
25k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Transcript
Landlock LSM Towards unprivileged sandboxing
[email protected]
Proposed new LSM by Mickaël Salaün First RFC March 2016,
Today in iteration v7 "seccomp-object: From attack surface reduction to sandboxing"
Goal "empower any process, including unprivileged ones, to securely restrict
themselves" Note: current version (Landlock patch v7) requires CAP_SYS_ADMIN
Patchset v7 a minimum viable product a stackable LSM using
eBPF (new pogram type BPF_PROG_TYPE_LANDLOCK_RULE) focused on filesystem access control source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Why eBPF very limited kernel attack surface strict rules for
policies (enforced through eBPF verifier)
Demo ./landlock landlock1_kern.o /usr/bin/bash
Events Landlock groups 33 filesystem-related LSM hooks into LANDLOCK_SUBTYPE_EVENT_FS an
event "describes the kind of kernel object for which a rule will be triggered to allow or deny an action"
Actions events further distinguished by action type, e.g. LANDLOCK_ACTION_FS_WRITE or
subevent specific arg, e.g. ioctl request
How it works linux:security_init: Landlock LSM hooks are set up
user application loads Landlock program(s) with bpf(2) and applies with seccomp(2) prog is triggered for events matching the program subtype prog allows (ret == 0) or denies access (ret != 0)
Applying a rule where prog_fd is the fd of the
eBPF Landlock program prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); seccomp(SECCOMP_PREPEND_LANDLOCK_RULE, 0, &prog_fd);
Writing a rule requires ... a subtype a handler program
The subtype SEC("subtype") static const union bpf_prog_subtype _subtype = {
.landlock_rule = { .abi = 1, .event = LANDLOCK_SUBTYPE_EVENT_FS, .ability = LANDLOCK_SUBTYPE_ABILITY_DEBUG, } };
The handler program SEC("landlock1") static int landlock_fs_prog1(struct landlock_context *ctx) {
char fmt_event_fs[] = "received event LANDLOCK_SUBTYPE_EVENT_FS\n"; char fmt_event_unknown[] = "received unknown event type\n"; if (ctx->event & LANDLOCK_SUBTYPE_EVENT_FS) { bpf_trace_printk(fmt_event_fs, sizeof(fmt_event_fs)); } else { // should not happen bpf_trace_printk(fmt_event_unknown, sizeof(fmt_event_unknown)); } return 0; // allow all }
Development LKML Patchset is based on net-next https://github.com/landlock-lsm/linux
Roadmap cgroups handling new eBPF map type for filesystem-related checks
(map fsview) unprivileged mode source: https://landlock.io/talks/2017-09-14_landlock-lss.pdf
Thank you Questions? Slides can be found here soon:
[email protected]
https://speakerdeck.com/schu
Resources https://landlock.io/ https://landlock.io/linux-doc/landlock-v7/security/landlock/index.html https://landlock.io/talks/2017-09-14_landlock-lss.pdf https://landlock.io/talks/2017-06-21_landlock-linuxkit-sig.pdf https://lkml.org/lkml/2017/8/20/192 https://man.openbsd.org/pledge.2 https://www.kernel.org/doc/Documentation/security/LSM.txt
schu
kinopeee
syumai
satoshi256kbyte
koher
kkamegawa
ndadayo
masuda220
yui_knk
junk0612
temoki
javiergs
mongodb
trishagee
carmenintech
orderedlist
chriscoyier
andyhume
jcasabona
rasmusluckow
skipperchong
tanoku
tammielis
hatefulcrawdad
![Landlock LSM Towards unprivileged sandboxing [email protected]](https://files.speakerdeck.com/presentations/3d48949289b04056b216fbbfa03b9188/slide_0.jpg){kind=link}
![Thank you Questions? Slides can be found here soon: [email protected]](https://files.speakerdeck.com/presentations/3d48949289b04056b216fbbfa03b9188/slide_15.jpg){kind=link}
