1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
3 .. Copyright © 2019-2020 ANSSI
4 .. Copyright © 2021-2022 Microsoft Corporation
6 =====================================
7 Landlock: unprivileged access control
8 =====================================
10 :Author: Mickaël Salaün
13 The goal of Landlock is to enable to restrict ambient rights (e.g. global
14 filesystem access) for a set of processes. Because Landlock is a stackable
15 LSM, it makes possible to create safe security sandboxes as new security layers
16 in addition to the existing system-wide access-controls. This kind of sandbox
17 is expected to help mitigate the security impact of bugs or
18 unexpected/malicious behaviors in user space applications. Landlock empowers
19 any process, including unprivileged ones, to securely restrict themselves.
21 We can quickly make sure that Landlock is enabled in the running system by
22 looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep
23 landlock || journalctl -kg landlock`` . Developers can also easily check for
24 Landlock support with a :ref:`related system call <landlock_abi_versions>`. If
25 Landlock is not currently supported, we need to :ref:`configure the kernel
26 appropriately <kernel_support>`.
31 A Landlock rule describes an action on an object. An object is currently a
32 file hierarchy, and the related filesystem actions are defined with `access
33 rights`_. A set of rules is aggregated in a ruleset, which can then restrict
34 the thread enforcing it, and its future children.
36 Defining and enforcing a security policy
37 ----------------------------------------
39 We first need to define the ruleset that will contain our rules. For this
40 example, the ruleset will contain rules that only allow read actions, but write
41 actions will be denied. The ruleset then needs to handle both of these kind of
42 actions. This is required for backward and forward compatibility (i.e. the
43 kernel and user space may not know each other's supported restrictions), hence
44 the need to be explicit about the denied-by-default access rights.
48 struct landlock_ruleset_attr ruleset_attr = {
50 LANDLOCK_ACCESS_FS_EXECUTE |
51 LANDLOCK_ACCESS_FS_WRITE_FILE |
52 LANDLOCK_ACCESS_FS_READ_FILE |
53 LANDLOCK_ACCESS_FS_READ_DIR |
54 LANDLOCK_ACCESS_FS_REMOVE_DIR |
55 LANDLOCK_ACCESS_FS_REMOVE_FILE |
56 LANDLOCK_ACCESS_FS_MAKE_CHAR |
57 LANDLOCK_ACCESS_FS_MAKE_DIR |
58 LANDLOCK_ACCESS_FS_MAKE_REG |
59 LANDLOCK_ACCESS_FS_MAKE_SOCK |
60 LANDLOCK_ACCESS_FS_MAKE_FIFO |
61 LANDLOCK_ACCESS_FS_MAKE_BLOCK |
62 LANDLOCK_ACCESS_FS_MAKE_SYM |
63 LANDLOCK_ACCESS_FS_REFER |
64 LANDLOCK_ACCESS_FS_TRUNCATE,
67 Because we may not know on which kernel version an application will be
68 executed, it is safer to follow a best-effort security approach. Indeed, we
69 should try to protect users as much as possible whatever the kernel they are
70 using. To avoid binary enforcement (i.e. either all security features or
71 none), we can leverage a dedicated Landlock command to get the current version
72 of the Landlock ABI and adapt the handled accesses. Let's check if we should
73 remove the ``LANDLOCK_ACCESS_FS_REFER`` or ``LANDLOCK_ACCESS_FS_TRUNCATE``
74 access rights, which are only supported starting with the second and third
81 abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
83 /* Degrades gracefully if Landlock is not handled. */
84 perror("The running kernel does not enable to use Landlock");
89 /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
90 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
91 __attribute__((fallthrough));
93 /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
94 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
97 This enables to create an inclusive ruleset that will contain our rules.
103 ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
104 if (ruleset_fd < 0) {
105 perror("Failed to create a ruleset");
109 We can now add a new rule to this ruleset thanks to the returned file
110 descriptor referring to this ruleset. The rule will only allow reading the
111 file hierarchy ``/usr``. Without another rule, write actions would then be
112 denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
113 ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
119 struct landlock_path_beneath_attr path_beneath = {
121 LANDLOCK_ACCESS_FS_EXECUTE |
122 LANDLOCK_ACCESS_FS_READ_FILE |
123 LANDLOCK_ACCESS_FS_READ_DIR,
126 path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
127 if (path_beneath.parent_fd < 0) {
128 perror("Failed to open file");
132 err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
134 close(path_beneath.parent_fd);
136 perror("Failed to update ruleset");
141 It may also be required to create rules following the same logic as explained
142 for the ruleset creation, by filtering access rights according to the Landlock
143 ABI version. In this example, this is not required because all of the requested
144 ``allowed_access`` rights are already available in ABI 1.
146 We now have a ruleset with one rule allowing read access to ``/usr`` while
147 denying all other handled accesses for the filesystem. The next step is to
148 restrict the current thread from gaining more privileges (e.g. thanks to a SUID
153 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
154 perror("Failed to restrict privileges");
159 The current thread is now ready to sandbox itself with the ruleset.
163 if (landlock_restrict_self(ruleset_fd, 0)) {
164 perror("Failed to enforce ruleset");
170 If the ``landlock_restrict_self`` system call succeeds, the current thread is
171 now restricted and this policy will be enforced on all its subsequently created
172 children as well. Once a thread is landlocked, there is no way to remove its
173 security policy; only adding more restrictions is allowed. These threads are
174 now in a new Landlock domain, merge of their parent one (if any) with the new
177 Full working code can be found in `samples/landlock/sandboxer.c`_.
182 It is recommended setting access rights to file hierarchy leaves as much as
183 possible. For instance, it is better to be able to have ``~/doc/`` as a
184 read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
185 ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
186 Following this good practice leads to self-sufficient hierarchies that do not
187 depend on their location (i.e. parent directories). This is particularly
188 relevant when we want to allow linking or renaming. Indeed, having consistent
189 access rights per directory enables to change the location of such directory
190 without relying on the destination directory access rights (except those that
191 are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER``
193 Having self-sufficient hierarchies also helps to tighten the required access
194 rights to the minimal set of data. This also helps avoid sinkhole directories,
195 i.e. directories where data can be linked to but not linked from. However,
196 this depends on data organization, which might not be controlled by developers.
197 In this case, granting read-write access to ``~/tmp/``, instead of write-only
198 access, would potentially allow to move ``~/tmp/`` to a non-readable directory
199 and still keep the ability to list the content of ``~/tmp/``.
201 Layers of file path access rights
202 ---------------------------------
204 Each time a thread enforces a ruleset on itself, it updates its Landlock domain
205 with a new layer of policy. Indeed, this complementary policy is stacked with
206 the potentially other rulesets already restricting this thread. A sandboxed
207 thread can then safely add more constraints to itself with a new enforced
210 One policy layer grants access to a file path if at least one of its rules
211 encountered on the path grants the access. A sandboxed thread can only access
212 a file path if all its enforced policy layers grant the access as well as all
213 the other system access controls (e.g. filesystem DAC, other LSM policies,
216 Bind mounts and OverlayFS
217 -------------------------
219 Landlock enables to restrict access to file hierarchies, which means that these
220 access rights can be propagated with bind mounts (cf.
221 Documentation/filesystems/sharedsubtree.rst) but not with
222 Documentation/filesystems/overlayfs.rst.
224 A bind mount mirrors a source file hierarchy to a destination. The destination
225 hierarchy is then composed of the exact same files, on which Landlock rules can
226 be tied, either via the source or the destination path. These rules restrict
227 access when they are encountered on a path, which means that they can restrict
228 access to multiple file hierarchies at the same time, whether these hierarchies
229 are the result of bind mounts or not.
231 An OverlayFS mount point consists of upper and lower layers. These layers are
232 combined in a merge directory, result of the mount point. This merge hierarchy
233 may include files from the upper and lower layers, but modifications performed
234 on the merge hierarchy only reflects on the upper layer. From a Landlock
235 policy point of view, each OverlayFS layers and merge hierarchies are
236 standalone and contains their own set of files and directories, which is
237 different from bind mounts. A policy restricting an OverlayFS layer will not
238 restrict the resulted merged hierarchy, and vice versa. Landlock users should
239 then only think about file hierarchies they want to allow access to, regardless
240 of the underlying filesystem.
245 Every new thread resulting from a :manpage:`clone(2)` inherits Landlock domain
246 restrictions from its parent. This is similar to the seccomp inheritance (cf.
247 Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
248 task's :manpage:`credentials(7)`. For instance, one process's thread may apply
249 Landlock rules to itself, but they will not be automatically applied to other
250 sibling threads (unlike POSIX thread credential changes, cf.
253 When a thread sandboxes itself, we have the guarantee that the related security
254 policy will stay enforced on all this thread's descendants. This allows
255 creating standalone and modular security policies per application, which will
256 automatically be composed between themselves according to their runtime parent
262 A sandboxed process has less privileges than a non-sandboxed process and must
263 then be subject to additional restrictions when manipulating another process.
264 To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target
265 process, a sandboxed process should have a subset of the target process rules,
266 which means the tracee must be in a sub-domain of the tracer.
271 The operations covered by ``LANDLOCK_ACCESS_FS_WRITE_FILE`` and
272 ``LANDLOCK_ACCESS_FS_TRUNCATE`` both change the contents of a file and sometimes
273 overlap in non-intuitive ways. It is recommended to always specify both of
276 A particularly surprising example is :manpage:`creat(2)`. The name suggests
277 that this system call requires the rights to create and write files. However,
278 it also requires the truncate right if an existing file under the same name is
281 It should also be noted that truncating files does not require the
282 ``LANDLOCK_ACCESS_FS_WRITE_FILE`` right. Apart from the :manpage:`truncate(2)`
283 system call, this can also be done through :manpage:`open(2)` with the flags
284 ``O_RDONLY | O_TRUNC``.
286 When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE``
287 right is associated with the newly created file descriptor and will be used for
288 subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is
289 similar to opening a file for reading or writing, where permissions are checked
290 during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
291 :manpage:`write(2)` calls.
293 As a consequence, it is possible to have multiple open file descriptors for the
294 same file, where one grants the right to truncate the file and the other does
295 not. It is also possible to pass such file descriptors between processes,
296 keeping their Landlock properties, even when these processes do not have an
297 enforced Landlock ruleset.
302 Backward and forward compatibility
303 ----------------------------------
305 Landlock is designed to be compatible with past and future versions of the
306 kernel. This is achieved thanks to the system call attributes and the
307 associated bitflags, particularly the ruleset's ``handled_access_fs``. Making
308 handled access right explicit enables the kernel and user space to have a clear
309 contract with each other. This is required to make sure sandboxing will not
310 get stricter with a system update, which could break applications.
312 Developers can subscribe to the `Landlock mailing list
313 <https://subspace.kernel.org/lists.linux.dev.html>`_ to knowingly update and
314 test their applications with the latest available features. In the interest of
315 users, and because they may use different kernel versions, it is strongly
316 encouraged to follow a best-effort security approach by checking the Landlock
317 ABI version at runtime and only enforcing the supported features.
319 .. _landlock_abi_versions:
321 Landlock ABI versions
322 ---------------------
324 The Landlock ABI version can be read with the sys_landlock_create_ruleset()
331 abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
335 printf("Landlock is not supported by the current kernel.\n");
338 printf("Landlock is currently disabled.\n");
344 printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n");
347 The following kernel interfaces are implicitly supported by the first ABI
348 version. Features only supported from a specific version are explicitly marked
357 .. kernel-doc:: include/uapi/linux/landlock.h
358 :identifiers: fs_access
360 Creating a new ruleset
361 ----------------------
363 .. kernel-doc:: security/landlock/syscalls.c
364 :identifiers: sys_landlock_create_ruleset
366 .. kernel-doc:: include/uapi/linux/landlock.h
367 :identifiers: landlock_ruleset_attr
372 .. kernel-doc:: security/landlock/syscalls.c
373 :identifiers: sys_landlock_add_rule
375 .. kernel-doc:: include/uapi/linux/landlock.h
376 :identifiers: landlock_rule_type landlock_path_beneath_attr
381 .. kernel-doc:: security/landlock/syscalls.c
382 :identifiers: sys_landlock_restrict_self
387 Filesystem topology modification
388 --------------------------------
390 As for file renaming and linking, a sandboxed thread cannot modify its
391 filesystem topology, whether via :manpage:`mount(2)` or
392 :manpage:`pivot_root(2)`. However, :manpage:`chroot(2)` calls are not denied.
397 Access to regular files and directories can be restricted by Landlock,
398 according to the handled accesses of a ruleset. However, files that do not
399 come from a user-visible filesystem (e.g. pipe, socket), but can still be
400 accessed through ``/proc/<pid>/fd/*``, cannot currently be explicitly
401 restricted. Likewise, some special kernel filesystems such as nsfs, which can
402 be accessed through ``/proc/<pid>/ns/*``, cannot currently be explicitly
403 restricted. However, thanks to the `ptrace restrictions`_, access to such
404 sensitive ``/proc`` files are automatically restricted according to domain
405 hierarchies. Future Landlock evolutions could still enable to explicitly
406 restrict such paths with dedicated ruleset flags.
411 There is a limit of 16 layers of stacked rulesets. This can be an issue for a
412 task willing to enforce a new ruleset in complement to its 16 inherited
413 rulesets. Once this limit is reached, sys_landlock_restrict_self() returns
414 E2BIG. It is then strongly suggested to carefully build rulesets once in the
415 life of a thread, especially for applications able to launch other applications
416 that may also want to sandbox themselves (e.g. shells, container managers,
422 Kernel memory allocated to create rulesets is accounted and can be restricted
423 by the Documentation/admin-guide/cgroup-v1/memory.rst.
428 File renaming and linking (ABI < 2)
429 -----------------------------------
431 Because Landlock targets unprivileged access controls, it needs to properly
432 handle composition of rules. Such property also implies rules nesting.
433 Properly handling multiple layers of rulesets, each one of them able to
434 restrict access to files, also implies inheritance of the ruleset restrictions
435 from a parent to its hierarchy. Because files are identified and restricted by
436 their hierarchy, moving or linking a file from one directory to another implies
437 propagation of the hierarchy constraints, or restriction of these actions
438 according to the potentially lost constraints. To protect against privilege
439 escalations through renaming or linking, and for the sake of simplicity,
440 Landlock previously limited linking and renaming to the same directory.
441 Starting with the Landlock ABI version 2, it is now possible to securely
442 control renaming and linking thanks to the new ``LANDLOCK_ACCESS_FS_REFER``
445 File truncation (ABI < 3)
446 -------------------------
448 File truncation could not be denied before the third Landlock ABI, so it is
449 always allowed when using a kernel that only supports the first or second ABI.
451 Starting with the Landlock ABI version 3, it is now possible to securely control
452 truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right.
459 Landlock was first introduced in Linux 5.13 but it must be configured at build
460 time with ``CONFIG_SECURITY_LANDLOCK=y``. Landlock must also be enabled at boot
461 time as the other security modules. The list of security modules enabled by
462 default is set with ``CONFIG_LSM``. The kernel configuration should then
463 contains ``CONFIG_LSM=landlock,[...]`` with ``[...]`` as the list of other
464 potentially useful security modules for the running system (see the
465 ``CONFIG_LSM`` help).
467 If the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
468 still enable it by adding ``lsm=landlock,[...]`` to
469 Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader
472 Questions and answers
473 =====================
475 What about user space sandbox managers?
476 ---------------------------------------
478 Using user space process to enforce restrictions on kernel resources can lead
479 to race conditions or inconsistent evaluations (i.e. `Incorrect mirroring of
480 the OS code and state
481 <https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/>`_).
483 What about namespaces and containers?
484 -------------------------------------
486 Namespaces can help create sandboxes but they are not designed for
487 access-control and then miss useful features for such use case (e.g. no
488 fine-grained restrictions). Moreover, their complexity can lead to security
489 issues, especially when untrusted processes can manipulate them (cf.
490 `Controlling access to user namespaces <https://lwn.net/Articles/673597/>`_).
492 Additional documentation
493 ========================
495 * Documentation/security/landlock.rst
496 * https://landlock.io
499 .. _samples/landlock/sandboxer.c:
500 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c
projects / platform / kernel / linux-rpi.git / blob