Landlock news #4
Mickaël Salaün
mic at digikod.net
Tue Jul 16 15:27:21 UTC 2024
Here is the fourth Landlock newsletter!
Official website: https://landlock.io
Previous newsletter:
https://lore.kernel.org/landlock/d4ed5733-d07b-5548-2534-a63e22906778@digikod.net
Articles and conferences
------------------------
We wrote a detailed article about Landlock explaining the underlying
concepts, the implementation, and the community:
https://landlock.io/talks/2024-06-06_landlock-article.pdf
This was written for the SSTIC conference:
https://www.sstic.org/2024/presentation/landlock-design/
I did a workshop at the Pass the Salt conference to explain how to
mitigate security vulnerabilities with Landlock (demonstrated with
ImageMagick): https://cfp.pass-the-salt.org/pts2024/talk/8FVYDF/
The related materials are freely available so you can follow it at home:
https://github.com/landlock-lsm/workshop-imagemagick
Arto Niemi published a "Survey of Real-World Process Sandboxing" at the
Conference of Open Innovations Association (FRUCT):
https://fruct.org/publications/volume-35/fruct35/files/Niem.pdf
The paper's conclusion: "[...] we found Landlock and minijail [which uses
Landlock] to be relatively convenient from a developer perspective. In
general, process self-containment and process-wrapping seems to be an
order of magnitude easier to configure than MAC policies."
Researchers from the University of Bergamo gave a talk at the ASIA CCS
conference about Cage4Deno: A Fine-Grained Sandbox for Deno Subprocesses
(leveraging Landlock):
https://cs.unibg.it/seclab-papers/2023/ASIACCS/paper/cage4deno.pdf
They also gave a talk at the RAID conference about NatiSand: Native Code
Sandboxing for JavaScript Runtimes (leveraging Landlock):
https://cs.unibg.it/seclab-papers/2023/RAID/natisand.pdf
Eric Leblond gave a talk (in French) at the SSTIC conference about
sandboxing with Landlock to mitigate real world security issues:
https://www.sstic.org/2023/presentation/attaque_supply_chain_suricata/
Günther Noack will give a talk at LSS Europe about Landlock and the new
IOCTL support: https://sched.co/1ebVW
I'll give a talk at OSS Europe to better explain sandboxing with
Landlock: https://sched.co/1ej3a
The XZ backdoor
---------------
XZ Utils is a widely used compression tool and library. Its main
maintainer implemented sandboxing with Landlock and released version
5.6.0 with this feature. In March 2024, a backdoor was found and
reported. It had been introduced in February by a new maintainer who
had earned this trust after more than two years of effort.
Among the malicious changes, the attacker disabled Landlock support in
XZ Utils (by sabotaging the build-time configuration check) and released
version 5.6.1:
https://research.swtch.com/xz-timeline
The sabotaged configuration check has since been fixed in version 5.6.2.
This effort to stealthily disable sandboxing is a clear sign that
Landlock gets in the way of attackers:
https://github.com/tukaani-project/xz/commit/f9cf4c05edd1
Merged kernel features
----------------------
Linux 6.7 (Landlock ABI 4) supports initial network access control with
the LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP
rights, thanks to Konstantin Meskhidze. We can now control inbound TCP
connections according to the local port a socket binds to, and outbound
TCP connections according to the remote port they connect to. This work
led to kernel code refactoring which opens the way to more network
protocol support. See the user space documentation:
https://docs.kernel.org/userspace-api/landlock.html#network-flags
Linux 6.10 (Landlock ABI 5) supports IOCTL control with the new
LANDLOCK_ACCESS_FS_IOCTL_DEV right, thanks to Günther Noack. This
restriction only applies to IOCTL commands implemented by device drivers
(i.e. on block or character devices). Like other file system access
rights, it can be used to allow such IOCTL commands only on a specified
set of file hierarchies per sandbox. See the user space documentation:
https://docs.kernel.org/userspace-api/landlock.html#filesystem-flags
We also added a small change to all supported kernels: when a process
tries to sandbox itself on a kernel where Landlock is disabled, a kernel
log message now tells system administrators how to configure the system
to support Landlock. New documentation explains how to enable Landlock on
systems where it is not already the case:
https://docs.kernel.org/userspace-api/landlock.html#kernel-support
Since Linux 6.3, we have improved the documentation and the kselftests
(user space testing), and added support for KUnit (kernel testing). Part
of this work led us to support the UML architecture, to easily run
application tests in a CI against different kernel versions. With this
support we can make sure that backward compatibility works fine for the
tested applications. I encourage you to take a look at
landlock-test-tools and the GitHub CI configuration for the Rust
library:
https://github.com/landlock-lsm/landlock-test-tools
https://github.com/landlock-lsm/rust-landlock/blob/main/.github/workflows/rust.yml#L166-L179
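The following program is an added example written for this newsletter; it is not code from the Landlock project or from the kernel documentation. It shows the backward-compatible pattern behind the features above: query the Landlock ABI version, handle every access right the running kernel knows about (adding LANDLOCK_ACCESS_FS_IOCTL_DEV on ABI 5 and the TCP rights on ABI 4, nothing newer on older kernels), then sandbox the process. The constants and struct layouts are redefined locally (prefixed LL_) so the file builds without a recent <linux/landlock.h>; they match the kernel UAPI values. The policy itself (read-only access beneath "/usr", outbound TCP to port 443 only) is a hypothetical choice for illustration.

```c
/* Added example, not from the Landlock project: ABI-aware self-sandboxing. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers are the same on every architecture since Linux 5.13. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Local copies of the UAPI constants (values match <linux/landlock.h>). */
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_RULE_NET_PORT 2
#define LL_FS_ABI1_ALL ((1ULL << 13) - 1) /* EXECUTE .. MAKE_SYM, bits 0-12 */
#define LL_FS_EXECUTE (1ULL << 0)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
#define LL_FS_REFER (1ULL << 13)     /* ABI 2 */
#define LL_FS_TRUNCATE (1ULL << 14)  /* ABI 3 */
#define LL_FS_IOCTL_DEV (1ULL << 15) /* ABI 5 */
#define LL_NET_BIND_TCP (1ULL << 0)    /* ABI 4 */
#define LL_NET_CONNECT_TCP (1ULL << 1) /* ABI 4 */

/* Same layouts as the kernel structs; the kernel accepts a larger
 * ruleset_attr from user space as long as the extra bytes are zero. */
struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
struct ll_net_port_attr { uint64_t allowed_access; uint64_t port; };

/* Returns the ABI version (>= 1) or -1 with errno set: ENOSYS means the
 * kernel is too old or built without Landlock, EOPNOTSUPP means it is
 * disabled at boot (see the lsm= parameter in the kernel documentation). */
static int landlock_abi_version(void)
{
	long ret = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
	return ret < 0 ? -1 : (int)ret;
}

/* Handle every file system right the kernel knows: unknown bits cause EINVAL. */
static uint64_t handled_fs_for_abi(int abi)
{
	uint64_t fs = abi >= 1 ? LL_FS_ABI1_ALL : 0;
	if (abi >= 2) fs |= LL_FS_REFER;
	if (abi >= 3) fs |= LL_FS_TRUNCATE;
	if (abi >= 5) fs |= LL_FS_IOCTL_DEV;
	return fs;
}

static uint64_t handled_net_for_abi(int abi)
{
	return abi >= 4 ? (LL_NET_BIND_TCP | LL_NET_CONNECT_TCP) : 0;
}

static int allow_beneath(int ruleset_fd, const char *path, uint64_t access)
{
	struct ll_path_beneath_attr attr = { .allowed_access = access };
	long ret;
	attr.parent_fd = open(path, O_PATH | O_CLOEXEC);
	if (attr.parent_fd < 0) return -1;
	ret = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &attr, 0);
	close(attr.parent_fd);
	return ret < 0 ? -1 : 0;
}

static int allow_tcp_port(int ruleset_fd, uint64_t port, uint64_t access)
{
	struct ll_net_port_attr attr = { .allowed_access = access, .port = port };
	return syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_NET_PORT, &attr, 0) < 0 ? -1 : 0;
}

int main(void)
{
	int abi = landlock_abi_version();
	if (abi < 0) {
		int err = errno; /* The kernel now also logs a hint for sysadmins here. */
		fprintf(stderr, "Landlock unavailable (%s), refusing to run unsandboxed\n", strerror(err));
		return 1;
	}
	struct ll_ruleset_attr ra = { handled_fs_for_abi(abi), handled_net_for_abi(abi) };
	int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &ra, sizeof(ra), 0);
	if (ruleset_fd < 0) { perror("landlock_create_ruleset"); return 1; }
	/* Hypothetical policy: read-only /usr; allowed bits must be a subset of handled ones. */
	uint64_t ro = (LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR) & ra.handled_access_fs;
	if (allow_beneath(ruleset_fd, "/usr", ro) < 0) { perror("allow /usr"); return 1; }
	/* Hypothetical policy: outbound HTTPS only; bind() is denied on every port. */
	if (abi >= 4 && allow_tcp_port(ruleset_fd, 443, LL_NET_CONNECT_TCP) < 0) { perror("allow 443"); return 1; }
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("prctl"); return 1; }
	if (syscall(__NR_landlock_restrict_self, ruleset_fd, 0) < 0) { perror("landlock_restrict_self"); return 1; }
	close(ruleset_fd);
	/* /etc is outside the allowed hierarchy, so this open fails with EACCES. */
	int fd = open("/etc/hostname", O_RDONLY | O_CLOEXEC);
	printf("ABI %d: open(/etc/hostname) -> %s\n", abi, fd < 0 ? strerror(errno) : "allowed");
	if (fd >= 0) close(fd);
	return 0;
}
```

Because the handled masks are derived from the ABI version rather than hard-coded, the same binary runs on Linux 5.13 (ABI 1) through 6.10 (ABI 5) and simply enforces less on older kernels; the landlock-test-tools UML setup above is how to check that behaviour across versions in a CI.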
Roadmap and ongoing development
-------------------------------
We created GitHub issues to track ongoing and future work:
https://github.com/landlock-lsm/linux/issues
https://github.com/orgs/landlock-lsm/projects/1
Feel free to reach out if you want to contribute!
https://github.com/landlock-lsm/linux/contribute
We also plan to improve the website with extended documentation and
examples.
Kernel development highlights
-----------------------------
Günther Noack is now an official reviewer of Landlock!
https://git.kernel.org/torvalds/c/5bf9e57e634b
After the IOCTL feature, he is now working on improving the
documentation, including the man pages.
Mikhail Ivanov is working on socket type control. This is an important
feature that will make it possible to create sandboxes without any
network access, except for an explicit list of allowed protocols. This
will nicely complement the TCP port control (and future ones for other
protocols): https://github.com/landlock-lsm/linux/issues/6
He is also working on controlling TCP listen calls:
https://github.com/landlock-lsm/linux/issues/15
Tahera Fahimi was selected as an Outreachy intern to work on IPC
restrictions (e.g. abstract Unix sockets, signals) to better isolate a
Landlock domain:
https://github.com/landlock-lsm/linux/issues/7
https://github.com/landlock-lsm/linux/issues/8
I'm working on bringing audit support to Landlock:
https://github.com/landlock-lsm/linux/issues/3
Landlock libraries
------------------
As explained by Günther Noack, the Go library now supports TCP and IOCTL
restrictions: https://blog.gnoack.org/post/landlock-v4/
https://blog.gnoack.org/post/landlock-ioctl/
A new version of the Rust crate was released, with support for TCP
control and some miscellaneous improvements:
https://github.com/landlock-lsm/rust-landlock/releases/tag/v0.4.0
Please update your dependencies and use the latest Landlock ABI version
for improved sandboxing.
We are also working on a new minimal C library:
https://github.com/landlock-lsm/linux/issues/38
New Landlock user space support
-------------------------------
Firejail 0.9.74 (sandboxer) will be able to use Landlock:
https://github.com/netblue30/firejail/pull/6078
setpriv 2.40 (sandboxer):
https://github.com/util-linux/util-linux/pull/2628
extrasafe 0.4.0 (sandbox library):
https://github.com/boustrophedon/extrasafe/pull/28
bevy_mod_lockdown (sandbox library):
https://github.com/FrTerstappen/bevy_mod_lockdown
Cloud Hypervisor (VM monitor) will be sandboxed with Landlock:
https://github.com/cloud-hypervisor/cloud-hypervisor/pull/6214
Ukuleleweb (wiki server):
https://github.com/gnoack/ukuleleweb/commit/0ecdd54b36fa
websrv 3.2.0 (web server):
https://github.com/ngergs/websrv/commit/40fa2d7d2bbb
egress-eddie 0.5.0 (network filtering):
https://github.com/capnspacehook/egress-eddie/releases/tag/v0.5.0
Suricata 7.0.0 (network security monitoring engine):
https://docs.suricata.io/en/latest/configuration/landlock.html
sslh 2.1.0 (protocol multiplexer):
https://lore.kernel.org/landlock/Zfq6f30spnYCx_9Y@rutschle.net/
https://github.com/yrutschle/sslh/releases/tag/v2.1.0
wireproxy 1.0.8 (Wireguard client):
https://github.com/pufferffish/wireproxy/pull/108
Emilua 0.5.0 (Lua runtime):
https://lore.kernel.org/landlock/CAK9RveLxro4zUG4jfFB=UNgcv5gdc8JuzNhMt=YbNhH=35ADzg@mail.gmail.com/
https://docs.emilua.org/api/0.5/changelog.html
Polkadot (blockchain SDK):
https://github.com/paritytech/polkadot/pull/7303
XZ Utils 5.6.2 (archive manager):
https://github.com/tukaani-project/xz/commit/374868d81d47
Zathura (document viewer) will be sandboxed with Landlock:
https://github.com/pwmt/zathura/pull/575
Pacman 7.0.0 (Arch Linux's package manager):
https://gitlab.archlinux.org/pacman/pacman/-/merge_requests/167
Thanks to all contributors!
Regards,
Mickaël