-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Identify tasks' domain #26
Comments
Will the TIDs used here be host visible ones and not the ones within the PID namespace? If these TIDs are host visible ones then we can rest assured that they will be unique per process. Secondly, does this design allow checking if a thread is sandboxed from within and outside the PID namespace? |
A challenge with IDs, and especially ones available to unprivileged processes, is that they must not leak information (e.g. the number of existing or created Landlock domains). Tying domain IDs to PID namespaces make them relative to the process reading such value. The same way, a The idea is to see the same things as with a PID: a process will see a domain ID with value The audit log will contain a domain ID value according to the initial PID namespace, so never
It allows a process A with a |
The |
Here is a new proposal for the ID generator: https://lore.kernel.org/all/20241022161009.982584-5-mic@digikod.net/ Instead of managing absolute and relative IDs, only use absolute IDs that are OK to be exposed to unprivileged processes. These IDs have important properties:
This approach is more secure than other kernel IDs such as socket's inodes. |
We can now extend the new |
It would be useful to identify the Landlock domain restricting threads for tests and auditing purpose. To make easy to get this information, we could create a
/proc/<pid>/attr/landlock/current
entry containing a Landlock domain ID.Dealing with IDs may be challenging in the context of Landlock because of the unprivileged constraints (e.g. confidentiality: don't leak information about other domains). We should also keep in mind CRIU that should be able to recreate the same IDs without too much trouble.
I think the most promising approach is to rely on the thread ID that restricts itself. We can rely on
struct pid
andget_task_pid()
to safely manage Landlock domain IDs. This way, we can have the guarantee that the domain's ID is tied to the domain's lifetime, which is a superset of the sandboxed tasks' lifetime. It should also be a superset of the/proc/<pid>/attr/landlock/current
file descriptor's lifetime. In the future, we could also use the related file descriptor to reference a domain (instead of with the raw ID value).Because a thread can sandbox itself several times (up to 16), we also need a version to make such domain ID unique at a given time. The content of
/proc/<pid>/attr/landlock/current
could then look like123.0
Because TIDs are tied to PID namespaces and then the
proc
filesytem, it would be a good fit to use the/proc/<pid>/attr/landlock/current
interface. This should also make it compatible with the newlsm_get_self_attr()
system call.These domain IDs must also be part of audit logs: #3
The text was updated successfully, but these errors were encountered: