[PATCH v26 11/12] samples/landlock: Add a sandbox manager example
Jann Horn
jannh at google.com
Thu Jan 14 03:21:30 UTC 2021
On Wed, Dec 9, 2020 at 8:29 PM Mickaël Salaün <mic at digikod.net> wrote:
> Add a basic sandbox tool to launch a command which can only access a
> whitelist of file hierarchies in a read-only or read-write way.
I have to admit that I didn't really look at this closely before
because it's just sample code... but I guess I should. You can add
Reviewed-by: Jann Horn <jannh at google.com>
if you fix the following nits:
[...]
> diff --git a/samples/Kconfig b/samples/Kconfig
[...]
> +config SAMPLE_LANDLOCK
> + bool "Build Landlock sample code"
> + depends on HEADERS_INSTALL
> + help
> + Build a simple Landlock sandbox manager able to launch a process
> + restricted by a user-defined filesystem access control.
nit: s/filesystem access control/filesystem access control policy/
[...]
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
[...]
> +/*
> + * Simple Landlock sandbox manager able to launch a process restricted by a
> + * user-defined filesystem access control.
nit: s/filesystem access control/filesystem access control policy/
[...]
> +int main(const int argc, char *const argv[], char *const *const envp)
> +{
[...]
> + if (argc < 2) {
[...]
> + fprintf(stderr, "* %s: list of paths allowed to be used in a read-only way.\n",
> + ENV_FS_RO_NAME);
> + fprintf(stderr, "* %s: list of paths allowed to be used in a read-write way.\n",
> + ENV_FS_RO_NAME);
s/ENV_FS_RO_NAME/ENV_FS_RW_NAME/
> + fprintf(stderr, "\nexample:\n"
> + "%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
> + "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
> + "%s bash -i\n",
> + ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
> + return 1;
> + }
> +
> + ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
> + if (ruleset_fd < 0) {
> + perror("Failed to create a ruleset");
> + switch (errno) {
(Just as a note: In theory perror() can change the value of errno, as
far as I know - so AFAIK you'd theoretically have to do something
like:
int errno_ = errno;
perror("...");
switch (errno_) {
...
}
I'll almost certainly work fine as-is in practice though.)
More information about the Linux-security-module-archive
mailing list