Rules deny listing #28
Comments
|
The ability to exclude some access rights on file hierarchies in a ruleset would be a very welcome feature! Even if the current deny-by-default approach is good, being able to create deny lists mixed with allowed lists would definitely be useful in practice for users (e.g. deny access to ~/.ssh).
It should not be much more complex to implement this approach per access right. The interface could be an extension of
Indeed, it should always be denied to rename/move a file hierarchy containing any inode with a
I guess you mean on handled accesses. |
ACK.
Thanks, will take a look at it.
What I meant is that denying specific access right to a path should only be possible if the path already has been authorized in a allowed rule (at least on of the upper directories). i.e. If one want to deny access to its Or do you see it more in a way where everything is allowed by default except denied resources for the first ruleset enforcement ? |
OK, I get it, and that could indeed make sense for users. However, one thing to keep in mind is that this kind of property may be difficult to check because rules are not directly tied together but only to inodes (not paths nor dentries): file hierarchies are only checked when an access is requested. Moreover, a file (or a directory with bind mounts) can be accessible from different paths. For consistency, we should also get the same result whatever the rules order is, so that would mean to check this rule hierarchy when calling I don't see this as an issue because adding a deny (rule) to a deny (ruleset's handled access right) would always result to a deny. For the file rename restriction, I think we should still be able to automatically "taint" parent directories from the same mount point because the
We should stick to the current behavior: a domain should always deny by default its handled access rights. |
|
Noted, I'm starting to work on the issue. |
|
See related discussion. |
|
I planned to reply to the mailing list discussion, since it linked to this ticket I'll leave a note here. Just wanted to add that I'm looking a bit into making use of Landlock in snapd. Unfortunately snapd relies heavily on AppArmor to complete the sandbox, which means the sandbox is degraded on systems where AppArmor is not enabled. Hence we are looking for an alternative, and since Landlock support is quite ubiquitous these days, I'm investigating how much of the sandbox we can set up with it. In our specific case, when the |
[ Upstream commit 60f07e2 ] We use uprobe in aarch64_be, which we found the tracee task would exit due to SIGILL when we enable the uprobe trace. We can see the replace inst from uprobe is not correct in aarch big-endian. As in Armv8-A, instruction fetches are always treated as little-endian, we should treat the UPROBE_SWBP_INSN as little-endian。 The test case is as following。 bash-4.4# ./mqueue_test_aarchbe 1 1 2 1 10 > /dev/null & bash-4.4# cd /sys/kernel/debug/tracing/ bash-4.4# echo 'p:test /mqueue_test_aarchbe:0xc30 %x0 %x1' > uprobe_events bash-4.4# echo 1 > events/uprobes/enable bash-4.4# bash-4.4# ps PID TTY TIME CMD 140 ? 00:00:01 bash 237 ? 00:00:00 ps [1]+ Illegal instruction ./mqueue_test_aarchbe 1 1 2 1 100 > /dev/null which we debug use gdb as following: bash-4.4# gdb attach 155 (gdb) disassemble send Dump of assembler code for function send: 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined 0x0000000000400c34 <+4>: mov x29, sp 0x0000000000400c38 <+8>: str w0, [sp, #28] 0x0000000000400c3c <+12>: strb w1, [sp, #27] 0x0000000000400c40 <+16>: str xzr, [sp, #40] 0x0000000000400c44 <+20>: str xzr, [sp, torvalds#48] 0x0000000000400c48 <+24>: add x0, sp, #0x1b 0x0000000000400c4c <+28>: mov w3, #0x0 // #0 0x0000000000400c50 <+32>: mov x2, #0x1 // #1 0x0000000000400c54 <+36>: mov x1, x0 0x0000000000400c58 <+40>: ldr w0, [sp, #28] 0x0000000000400c5c <+44>: bl 0x405e10 <mq_send> 0x0000000000400c60 <+48>: str w0, [sp, torvalds#60] 0x0000000000400c64 <+52>: ldr w0, [sp, torvalds#60] 0x0000000000400c68 <+56>: ldp x29, x30, [sp], torvalds#64 0x0000000000400c6c <+60>: ret End of assembler dump. (gdb) info b No breakpoints or watchpoints. (gdb) c Continuing. Program received signal SIGILL, Illegal instruction. 0x0000000000400c30 in send () (gdb) x/10x 0x400c30 0x400c30 <send>: 0xd42000a0 0xfd030091 0xe01f00b9 0xe16f0039 0x400c40 <send+16>: 0xff1700f9 0xff1b00f9 0xe06f0091 0x03008052 0x400c50 <send+32>: 0x220080d2 0xe10300aa (gdb) disassemble 0x400c30 Dump of assembler code for function send: => 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined 0x0000000000400c34 <+4>: mov x29, sp 0x0000000000400c38 <+8>: str w0, [sp, #28] 0x0000000000400c3c <+12>: strb w1, [sp, #27] 0x0000000000400c40 <+16>: str xzr, [sp, #40] Signed-off-by: junhua huang <huang.junhua@zte.com.cn> Link: https://lore.kernel.org/r/202212021511106844809@zte.com.cn Signed-off-by: Will Deacon <will@kernel.org> Stable-dep-of: 13f8f1e ("arm64: probes: Fix uprobes for big-endian kernels") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 60f07e2 ] We use uprobe in aarch64_be, which we found the tracee task would exit due to SIGILL when we enable the uprobe trace. We can see the replace inst from uprobe is not correct in aarch big-endian. As in Armv8-A, instruction fetches are always treated as little-endian, we should treat the UPROBE_SWBP_INSN as little-endian。 The test case is as following。 bash-4.4# ./mqueue_test_aarchbe 1 1 2 1 10 > /dev/null & bash-4.4# cd /sys/kernel/debug/tracing/ bash-4.4# echo 'p:test /mqueue_test_aarchbe:0xc30 %x0 %x1' > uprobe_events bash-4.4# echo 1 > events/uprobes/enable bash-4.4# bash-4.4# ps PID TTY TIME CMD 140 ? 00:00:01 bash 237 ? 00:00:00 ps [1]+ Illegal instruction ./mqueue_test_aarchbe 1 1 2 1 100 > /dev/null which we debug use gdb as following: bash-4.4# gdb attach 155 (gdb) disassemble send Dump of assembler code for function send: 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined 0x0000000000400c34 <+4>: mov x29, sp 0x0000000000400c38 <+8>: str w0, [sp, #28] 0x0000000000400c3c <+12>: strb w1, [sp, #27] 0x0000000000400c40 <+16>: str xzr, [sp, #40] 0x0000000000400c44 <+20>: str xzr, [sp, torvalds#48] 0x0000000000400c48 <+24>: add x0, sp, #0x1b 0x0000000000400c4c <+28>: mov w3, #0x0 // #0 0x0000000000400c50 <+32>: mov x2, #0x1 // #1 0x0000000000400c54 <+36>: mov x1, x0 0x0000000000400c58 <+40>: ldr w0, [sp, #28] 0x0000000000400c5c <+44>: bl 0x405e10 <mq_send> 0x0000000000400c60 <+48>: str w0, [sp, torvalds#60] 0x0000000000400c64 <+52>: ldr w0, [sp, torvalds#60] 0x0000000000400c68 <+56>: ldp x29, x30, [sp], torvalds#64 0x0000000000400c6c <+60>: ret End of assembler dump. (gdb) info b No breakpoints or watchpoints. (gdb) c Continuing. Program received signal SIGILL, Illegal instruction. 0x0000000000400c30 in send () (gdb) x/10x 0x400c30 0x400c30 <send>: 0xd42000a0 0xfd030091 0xe01f00b9 0xe16f0039 0x400c40 <send+16>: 0xff1700f9 0xff1b00f9 0xe06f0091 0x03008052 0x400c50 <send+32>: 0x220080d2 0xe10300aa (gdb) disassemble 0x400c30 Dump of assembler code for function send: => 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined 0x0000000000400c34 <+4>: mov x29, sp 0x0000000000400c38 <+8>: str w0, [sp, #28] 0x0000000000400c3c <+12>: strb w1, [sp, #27] 0x0000000000400c40 <+16>: str xzr, [sp, #40] Signed-off-by: junhua huang <huang.junhua@zte.com.cn> Link: https://lore.kernel.org/r/202212021511106844809@zte.com.cn Signed-off-by: Will Deacon <will@kernel.org> Stable-dep-of: 13f8f1e ("arm64: probes: Fix uprobes for big-endian kernels") Signed-off-by: Sasha Levin <sashal@kernel.org>
The construction of a Landlock ruleset is based on an authorization list model. Thus, in order to sandbox an application, all necessary resources and their associated permissions must be first established (directories being recursively included).
It would be great to be able to deny itself access to specific resources (i.e. Give a RO access to / but deny access to /home).
Another benefit of this approach would be ruleset refining, in other word, dropping an access rule after ruleset enforcement.
To achieve this goal with the current API, the original ruleset contents and restrictions have to be maintained aside (i.e. an array of structure containing paths and their restrictions).
Once the task want to refines it restrictions, it can evict it from the maintained array, build back a ruleset and enforce it.
Maintaining such a data structure is cumbersome and would be made much easier by rule deny listing. (see #25)
For a first implementation, I think every Landlocks filesystem actions could be denied to the evicted resource.
Extra care should be given in order to avoid sandbox escapes, i.e. renaming a file in order to access it.
A deny rule should be applied only on resources already authorized in a Landlock ruleset.
@l0kod do you think of anything to add ?
The text was updated successfully, but these errors were encountered: