SlideShare uma empresa Scribd logo
1 de 23
Baixar para ler offline
[RFC] Landlock LSM: Unprivileged sandboxing
Micka¨el Sala¨un
September 29, 2016
1 / 12
Goal: restrict processes without needing root privileges
Examples
files beneath a list of directories
bind to a range of ports
2 / 12
Goal: restrict processes without needing root privileges
Examples
files beneath a list of directories
bind to a range of ports
Append restrictions
stackable LSM
global system view
without SUID and complex brokers
2 / 12
Goal: restrict processes without needing root privileges
Examples
files beneath a list of directories
bind to a range of ports
Append restrictions
stackable LSM
global system view
without SUID and complex brokers
What is concerned?
applications with built-in sandboxing
sandboxing managers
2 / 12
How do we use Landlock?
Process hierarchy (application)
1. create or receive Landlock rules
2. attach them to the current process via seccomp(2)
3 / 12
How do we use Landlock?
Process hierarchy (application)
1. create or receive Landlock rules
2. attach them to the current process via seccomp(2)
cgroup (container)
1. create Landlock rules
2. open a cgroup v2 directory (e.g. /sys/fs/cgroup/sandboxed)
3. attach the rules to this cgroup via bpf(2)
4. migrate processes into this cgroup
3 / 12
How do we use Landlock?
Process hierarchy (application)
1. create or receive Landlock rules
2. attach them to the current process via seccomp(2)
cgroup (container)
1. create Landlock rules
2. open a cgroup v2 directory (e.g. /sys/fs/cgroup/sandboxed)
3. attach the rules to this cgroup via bpf(2)
4. migrate processes into this cgroup
Demo
3 / 12
Why Landlock?
Why unprivileged access control?
prevent privilege escalation
minimize risk of sandbox escape
same approach as Seatbelt/XNU Sandbox and OpenBSD Pledge
4 / 12
Why Landlock?
Why unprivileged access control?
prevent privilege escalation
minimize risk of sandbox escape
same approach as Seatbelt/XNU Sandbox and OpenBSD Pledge
Why existing features do not fit in with this model?
SELinux, AppArmor, Smack or Tomoyo
seccomp-BPF
(user) namespaces
4 / 12
Needs for Landlock
Flexible and dynamic rules
express a wide range of restrictions
extend over time
5 / 12
Needs for Landlock
Flexible and dynamic rules
express a wide range of restrictions
extend over time
Constraints for an unprivileged access control
minimal attack surface
prevent DoS
do not leak sensitive kernel data
avoid confused deputy attack
multiple independent and stackable rules
5 / 12
Using eBPF to express access rules
extended Berkeley Packet Filter
in-kernel bytecode machine:
optimized to be easily JITable
arithmetic operations, comparisons, jump forward, function calls
restricted memory read/write (i.e. program context and stack)
exchange data through maps between eBPF programs and userland
a program return a 32-bit value
static program verification at load time:
memory access checks
register typing and tainting
pointer leak restrictions
widely used in the kernel: network filtering, tracing. . .
6 / 12
How does Landlock works?
LSM hooks
atomic security checks (e.g. file permission)
can be called multiple times in a syscall
7 / 12
How does Landlock works?
LSM hooks
atomic security checks (e.g. file permission)
can be called multiple times in a syscall
Landlock rules
a rule is tied to one LSM hook
some LSM hook arguments available in the eBPF program context
use maps to store kernel object references (e.g. struct file)
dedicated functions to compare kernel objects
7 / 12
New eBPF features used by Landlock
Map of handles
describe a kernel object from userland
evaluation when updating an entry
8 / 12
New eBPF features used by Landlock
Map of handles
describe a kernel object from userland
evaluation when updating an entry
File system checker functions (eBPF helpers)
bpf landlock cmp fs beneath with struct file(...)
bpf landlock cmp fs prop with struct file(...)
8 / 12
New eBPF features used by Landlock
Map of handles
describe a kernel object from userland
evaluation when updating an entry
File system checker functions (eBPF helpers)
bpf landlock cmp fs beneath with struct file(...)
bpf landlock cmp fs prop with struct file(...)
Program subtype
hook ID
access bitfield tied to capabilities
8 / 12
New eBPF features used by Landlock
Map of handles
describe a kernel object from userland
evaluation when updating an entry
File system checker functions (eBPF helpers)
bpf landlock cmp fs beneath with struct file(...)
bpf landlock cmp fs prop with struct file(...)
Program subtype
hook ID
access bitfield tied to capabilities
cgroups attachment (by Daniel Mack)
extend bpf(2) to be able to tie an eBPF program to a cgroup
8 / 12
A Landlock rule for the file permission hook (C)
1 err = bpf_landlock_cmp_fs_beneath (0, map_fs ,
2 BPF_MAP_ARRAY_OP_OR , ctx ->args [0]);
3 if (!err)
4 return 0;
5 return EACCES;
9 / 12
A Landlock rule for the file permission hook (eBPF)
1 /* specify an option , if any */
2 BPF_MOV32_IMM(BPF_REG_1 , 0),
3 /* handles to compare with */
4 BPF_LD_MAP_FD(BPF_REG_2 , map_fs),
5 BPF_MOV64_IMM(BPF_REG_3 , BPF_MAP_ARRAY_OP_OR ),
6 /* hook argument (struct file) */
7 BPF_LDX_MEM(BPF_DW , BPF_REG_4 , BPF_REG_6 ,
8 offsetof(struct landlock_data , args [0])) ,
9 /* checker function */
10 BPF_EMIT_CALL( BPF_FUNC_landlock_cmp_fs_beneath ),
11 /* if the file is beneath a handle from the map */
12 BPF_JMP_IMM(BPF_JNE , BPF_REG_0 , 0, 1),
13 BPF_EXIT_INSN (),
14 /* deny by default , if any error */
15 BPF_MOV32_IMM(BPF_REG_0 , EACCES),
16 BPF_EXIT_INSN (),
10 / 12
Two complementary ways to enforce Landlock rules
Process hierarchy: application with built-in sandboxing
restrict the current process and its future children
use the seccomp(2) interface
native use of no new privs
11 / 12
Two complementary ways to enforce Landlock rules
Process hierarchy: application with built-in sandboxing
restrict the current process and its future children
use the seccomp(2) interface
native use of no new privs
cgroup: container sandboxing
restrict processes from a cgroup
complementary to rules for process hierarchies
handle cgroup delegation with no new privs
11 / 12
Landlock LSM: Wrap-up
Unprivileged sandboxing
use eBPF programs as access control rules
applied through seccomp or tied to a cgroup
can handle privileged features
limited attack surface
efficient and flexible
https://lwn.net/Articles/700607
mic@digikod.net
@l0kod
12 / 12

Mais conteúdo relacionado

Mais procurados

OpenZFS Channel programs
OpenZFS Channel programsOpenZFS Channel programs
OpenZFS Channel programsMatthew Ahrens
 
OpenZFS send and receive
OpenZFS send and receiveOpenZFS send and receive
OpenZFS send and receiveMatthew Ahrens
 
eBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KernelThomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemdAlison Chaiken
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageKernel TLV
 
Introduction to eBPF
Introduction to eBPFIntroduction to eBPF
Introduction to eBPFRogerColl2
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayAnne Nicolas
 
Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstAnne Nicolas
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondAnne Nicolas
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyAnne Nicolas
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Golinuxlab_conf
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP IntegrationBKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP IntegrationLinaro
 
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source dronesKernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source dronesAnne Nicolas
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!Affan Syed
 
BPF - All your packets belong to me
BPF - All your packets belong to meBPF - All your packets belong to me
BPF - All your packets belong to me_xhr_
 
Kernel Recipes 2015: How to choose a kernel to ship with a product
Kernel Recipes 2015: How to choose a kernel to ship with a productKernel Recipes 2015: How to choose a kernel to ship with a product
Kernel Recipes 2015: How to choose a kernel to ship with a productAnne Nicolas
 

Mais procurados (20)

OpenZFS Channel programs
OpenZFS Channel programsOpenZFS Channel programs
OpenZFS Channel programs
 
OpenZFS send and receive
OpenZFS send and receiveOpenZFS send and receive
OpenZFS send and receive
 
eBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux KerneleBPF - Rethinking the Linux Kernel
eBPF - Rethinking the Linux Kernel
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemd
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Introduction to eBPF
Introduction to eBPFIntroduction to eBPF
Introduction to eBPF
 
Embedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops wayEmbedded Recipes 2019 - Testing firmware the devops way
Embedded Recipes 2019 - Testing firmware the devops way
 
Kernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream firstKernel Recipes 2019 - Driving the industry toward upstream first
Kernel Recipes 2019 - Driving the industry toward upstream first
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
 
Kernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are moneyKernel Recipes 2019 - Metrics are money
Kernel Recipes 2019 - Metrics are money
 
Mirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in GoMirko Damiani - An Embedded soft real time distributed system in Go
Mirko Damiani - An Embedded soft real time distributed system in Go
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
OpenZFS - BSDcan 2014
OpenZFS - BSDcan 2014OpenZFS - BSDcan 2014
OpenZFS - BSDcan 2014
 
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP IntegrationBKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
BKK16-409 VOSY Switch Port to ARMv8 Platforms and ODP Integration
 
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source dronesKernel Recipes 2015 - The Dronecode Project – A step in open source drones
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!
 
BPF - All your packets belong to me
BPF - All your packets belong to meBPF - All your packets belong to me
BPF - All your packets belong to me
 
Kernel Recipes 2015: How to choose a kernel to ship with a product
Kernel Recipes 2015: How to choose a kernel to ship with a productKernel Recipes 2015: How to choose a kernel to ship with a product
Kernel Recipes 2015: How to choose a kernel to ship with a product
 
Experimental dtrace
Experimental dtraceExperimental dtrace
Experimental dtrace
 

Semelhante a Kernel Recipes 2016 - Landlock LSM: Unprivileged sandboxing

Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012Dru Lavigne
 
gLite Data Management System
gLite Data Management SystemgLite Data Management System
gLite Data Management SystemLeandro Ciuffo
 
Java Hates Linux. Deal With It.
Java Hates Linux.  Deal With It.Java Hates Linux.  Deal With It.
Java Hates Linux. Deal With It.Greg Banks
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsGergely Szabó
 
Scaleable PHP Applications in Kubernetes
Scaleable PHP Applications in KubernetesScaleable PHP Applications in Kubernetes
Scaleable PHP Applications in KubernetesRobert Lemke
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
FPL'2014 - FlexTiles Workshop - 5 - FlexTiles Simulation Platform
FPL'2014 - FlexTiles Workshop - 5 - FlexTiles Simulation PlatformFPL'2014 - FlexTiles Workshop - 5 - FlexTiles Simulation Platform
FPL'2014 - FlexTiles Workshop - 5 - FlexTiles Simulation PlatformFlexTiles Team
 
Technical Overview of Apache Drill by Jacques Nadeau
Technical Overview of Apache Drill by Jacques NadeauTechnical Overview of Apache Drill by Jacques Nadeau
Technical Overview of Apache Drill by Jacques NadeauMapR Technologies
 
Socket Programming- Data Link Access
Socket Programming- Data Link AccessSocket Programming- Data Link Access
Socket Programming- Data Link AccessLJ PROJECTS
 
Flink Apachecon Presentation
Flink Apachecon PresentationFlink Apachecon Presentation
Flink Apachecon PresentationGyula Fóra
 
Linux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyLinux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyNugroho Gito
 
Firebird Security (in English): The Past and The Future
Firebird Security (in English): The Past and The FutureFirebird Security (in English): The Past and The Future
Firebird Security (in English): The Past and The FutureAlexey Kovyazin
 
Working with the IFS on System i
Working with the IFS on System iWorking with the IFS on System i
Working with the IFS on System iChuck Walker
 
Virtuoso RDF Triple Store Analysis Benchmark & mapping tools RDF / OO
Virtuoso RDF Triple Store Analysis Benchmark & mapping tools RDF / OOVirtuoso RDF Triple Store Analysis Benchmark & mapping tools RDF / OO
Virtuoso RDF Triple Store Analysis Benchmark & mapping tools RDF / OOPaolo Cristofaro
 
Dissertation defense
Dissertation defenseDissertation defense
Dissertation defensemarek_pomocka
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDPlcplcp1
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesPhil Hagen
 

Semelhante a Kernel Recipes 2016 - Landlock LSM: Unprivileged sandboxing (20)

Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012Lavigne bsdmag-jan2012
Lavigne bsdmag-jan2012
 
gLite Data Management System
gLite Data Management SystemgLite Data Management System
gLite Data Management System
 
Java Hates Linux. Deal With It.
Java Hates Linux.  Deal With It.Java Hates Linux.  Deal With It.
Java Hates Linux. Deal With It.
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
 
Scaleable PHP Applications in Kubernetes
Scaleable PHP Applications in KubernetesScaleable PHP Applications in Kubernetes
Scaleable PHP Applications in Kubernetes
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
 
FPL'2014 - FlexTiles Workshop - 5 - FlexTiles Simulation Platform
FPL'2014 - FlexTiles Workshop - 5 - FlexTiles Simulation PlatformFPL'2014 - FlexTiles Workshop - 5 - FlexTiles Simulation Platform
FPL'2014 - FlexTiles Workshop - 5 - FlexTiles Simulation Platform
 
Technical Overview of Apache Drill by Jacques Nadeau
Technical Overview of Apache Drill by Jacques NadeauTechnical Overview of Apache Drill by Jacques Nadeau
Technical Overview of Apache Drill by Jacques Nadeau
 
Socket Programming- Data Link Access
Socket Programming- Data Link AccessSocket Programming- Data Link Access
Socket Programming- Data Link Access
 
Flink Apachecon Presentation
Flink Apachecon PresentationFlink Apachecon Presentation
Flink Apachecon Presentation
 
eBPF Basics
eBPF BasicseBPF Basics
eBPF Basics
 
Linux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of TechnologyLinux Survival Kit for Proof of Concept & Proof of Technology
Linux Survival Kit for Proof of Concept & Proof of Technology
 
Firebird Security (in English): The Past and The Future
Firebird Security (in English): The Past and The FutureFirebird Security (in English): The Past and The Future
Firebird Security (in English): The Past and The Future
 
Working with the IFS on System i
Working with the IFS on System iWorking with the IFS on System i
Working with the IFS on System i
 
Virtuoso RDF Triple Store Analysis Benchmark & mapping tools RDF / OO
Virtuoso RDF Triple Store Analysis Benchmark & mapping tools RDF / OOVirtuoso RDF Triple Store Analysis Benchmark & mapping tools RDF / OO
Virtuoso RDF Triple Store Analysis Benchmark & mapping tools RDF / OO
 
Sockets and Socket-Buffer
Sockets and Socket-BufferSockets and Socket-Buffer
Sockets and Socket-Buffer
 
Dissertation defense
Dissertation defenseDissertation defense
Dissertation defense
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDP
 
SANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management DatabasesSANS @Night There's Gold in Them Thar Package Management Databases
SANS @Night There's Gold in Them Thar Package Management Databases
 

Mais de Anne Nicolas

Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIAnne Nicolas
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelAnne Nicolas
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureAnne Nicolas
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Anne Nicolas
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataAnne Nicolas
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Anne Nicolas
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxAnne Nicolas
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialAnne Nicolas
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconAnne Nicolas
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureAnne Nicolas
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerAnne Nicolas
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationAnne Nicolas
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingAnne Nicolas
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaAnne Nicolas
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedAnne Nicolas
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPAnne Nicolas
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Anne Nicolas
 
Kernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easyKernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easyAnne Nicolas
 
Kernel Recipes 2019 - CVEs are dead, long live the CVE!
Kernel Recipes 2019 - CVEs are dead, long live the CVE!Kernel Recipes 2019 - CVEs are dead, long live the CVE!
Kernel Recipes 2019 - CVEs are dead, long live the CVE!Anne Nicolas
 
Kernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 -  XDP closer integration with network stackKernel Recipes 2019 -  XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stackAnne Nicolas
 

Mais de Anne Nicolas (20)

Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernelKernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
Kernel Recipes 2019 - Hunting and fixing bugs all over the Linux kernel
 
Kernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and futureKernel Recipes 2019 - Kernel documentation: past, present, and future
Kernel Recipes 2019 - Kernel documentation: past, present, and future
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary dataKernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
Kernel Recipes 2019 - GNU poke, an extensible editor for structured binary data
 
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
Kernel Recipes 2019 - Analyzing changes to the binary interface exposed by th...
 
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and BareboxEmbedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
Embedded Recipes 2019 - Remote update adventures with RAUC, Yocto and Barebox
 
Embedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less specialEmbedded Recipes 2019 - Making embedded graphics less special
Embedded Recipes 2019 - Making embedded graphics less special
 
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre SiliconEmbedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
Embedded Recipes 2019 - Linux on Open Source Hardware and Libre Silicon
 
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) pictureEmbedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
Embedded Recipes 2019 - From maintaining I2C to the big (embedded) picture
 
Embedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmakerEmbedded Recipes 2019 - Herd your socs become a matchmaker
Embedded Recipes 2019 - Herd your socs become a matchmaker
 
Embedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integrationEmbedded Recipes 2019 - LLVM / Clang integration
Embedded Recipes 2019 - LLVM / Clang integration
 
Embedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debuggingEmbedded Recipes 2019 - Introduction to JTAG debugging
Embedded Recipes 2019 - Introduction to JTAG debugging
 
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimediaEmbedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
Embedded Recipes 2019 - Pipewire a new foundation for embedded multimedia
 
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all startedKernel Recipes 2019 - ftrace: Where modifying a running kernel all started
Kernel Recipes 2019 - ftrace: Where modifying a running kernel all started
 
Kernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDPKernel Recipes 2019 - Suricata and XDP
Kernel Recipes 2019 - Suricata and XDP
 
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
Kernel Recipes 2019 - Marvels of Memory Auto-configuration (SPD)
 
Kernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easyKernel Recipes 2019 - Formal modeling made easy
Kernel Recipes 2019 - Formal modeling made easy
 
Kernel Recipes 2019 - CVEs are dead, long live the CVE!
Kernel Recipes 2019 - CVEs are dead, long live the CVE!Kernel Recipes 2019 - CVEs are dead, long live the CVE!
Kernel Recipes 2019 - CVEs are dead, long live the CVE!
 
Kernel Recipes 2019 - XDP closer integration with network stack
Kernel Recipes 2019 -  XDP closer integration with network stackKernel Recipes 2019 -  XDP closer integration with network stack
Kernel Recipes 2019 - XDP closer integration with network stack
 

Último

Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 

Último (20)

Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 

Kernel Recipes 2016 - Landlock LSM: Unprivileged sandboxing

  • 1. [RFC] Landlock LSM: Unprivileged sandboxing Micka¨el Sala¨un September 29, 2016 1 / 12
  • 2. Goal: restrict processes without needing root privileges Examples files beneath a list of directories bind to a range of ports 2 / 12
  • 3. Goal: restrict processes without needing root privileges Examples files beneath a list of directories bind to a range of ports Append restrictions stackable LSM global system view without SUID and complex brokers 2 / 12
  • 4. Goal: restrict processes without needing root privileges Examples files beneath a list of directories bind to a range of ports Append restrictions stackable LSM global system view without SUID and complex brokers What is concerned? applications with built-in sandboxing sandboxing managers 2 / 12
  • 5. How do we use Landlock? Process hierarchy (application) 1. create or receive Landlock rules 2. attach them to the current process via seccomp(2) 3 / 12
  • 6. How do we use Landlock? Process hierarchy (application) 1. create or receive Landlock rules 2. attach them to the current process via seccomp(2) cgroup (container) 1. create Landlock rules 2. open a cgroup v2 directory (e.g. /sys/fs/cgroup/sandboxed) 3. attach the rules to this cgroup via bpf(2) 4. migrate processes into this cgroup 3 / 12
  • 7. How do we use Landlock? Process hierarchy (application) 1. create or receive Landlock rules 2. attach them to the current process via seccomp(2) cgroup (container) 1. create Landlock rules 2. open a cgroup v2 directory (e.g. /sys/fs/cgroup/sandboxed) 3. attach the rules to this cgroup via bpf(2) 4. migrate processes into this cgroup Demo 3 / 12
  • 8. Why Landlock? Why unprivileged access control? prevent privilege escalation minimize risk of sandbox escape same approach as Seatbelt/XNU Sandbox and OpenBSD Pledge 4 / 12
  • 9. Why Landlock? Why unprivileged access control? prevent privilege escalation minimize risk of sandbox escape same approach as Seatbelt/XNU Sandbox and OpenBSD Pledge Why existing features do not fit in with this model? SELinux, AppArmor, Smack or Tomoyo seccomp-BPF (user) namespaces 4 / 12
  • 10. Needs for Landlock Flexible and dynamic rules express a wide range of restrictions extend over time 5 / 12
  • 11. Needs for Landlock Flexible and dynamic rules express a wide range of restrictions extend over time Constraints for an unprivileged access control minimal attack surface prevent DoS do not leak sensitive kernel data avoid confused deputy attack multiple independent and stackable rules 5 / 12
  • 12. Using eBPF to express access rules extended Berkeley Packet Filter in-kernel bytecode machine: optimized to be easily JITable arithmetic operations, comparisons, jump forward, function calls restricted memory read/write (i.e. program context and stack) exchange data through maps between eBPF programs and userland a program return a 32-bit value static program verification at load time: memory access checks register typing and tainting pointer leak restrictions widely used in the kernel: network filtering, tracing. . . 6 / 12
  • 13. How does Landlock works? LSM hooks atomic security checks (e.g. file permission) can be called multiple times in a syscall 7 / 12
  • 14. How does Landlock works? LSM hooks atomic security checks (e.g. file permission) can be called multiple times in a syscall Landlock rules a rule is tied to one LSM hook some LSM hook arguments available in the eBPF program context use maps to store kernel object references (e.g. struct file) dedicated functions to compare kernel objects 7 / 12
  • 15. New eBPF features used by Landlock Map of handles describe a kernel object from userland evaluation when updating an entry 8 / 12
  • 16. New eBPF features used by Landlock Map of handles describe a kernel object from userland evaluation when updating an entry File system checker functions (eBPF helpers) bpf landlock cmp fs beneath with struct file(...) bpf landlock cmp fs prop with struct file(...) 8 / 12
  • 17. New eBPF features used by Landlock Map of handles describe a kernel object from userland evaluation when updating an entry File system checker functions (eBPF helpers) bpf landlock cmp fs beneath with struct file(...) bpf landlock cmp fs prop with struct file(...) Program subtype hook ID access bitfield tied to capabilities 8 / 12
  • 18. New eBPF features used by Landlock Map of handles describe a kernel object from userland evaluation when updating an entry File system checker functions (eBPF helpers) bpf landlock cmp fs beneath with struct file(...) bpf landlock cmp fs prop with struct file(...) Program subtype hook ID access bitfield tied to capabilities cgroups attachment (by Daniel Mack) extend bpf(2) to be able to tie an eBPF program to a cgroup 8 / 12
  • 19. A Landlock rule for the file permission hook (C) 1 err = bpf_landlock_cmp_fs_beneath (0, map_fs , 2 BPF_MAP_ARRAY_OP_OR , ctx ->args [0]); 3 if (!err) 4 return 0; 5 return EACCES; 9 / 12
  • 20. A Landlock rule for the file permission hook (eBPF) 1 /* specify an option , if any */ 2 BPF_MOV32_IMM(BPF_REG_1 , 0), 3 /* handles to compare with */ 4 BPF_LD_MAP_FD(BPF_REG_2 , map_fs), 5 BPF_MOV64_IMM(BPF_REG_3 , BPF_MAP_ARRAY_OP_OR ), 6 /* hook argument (struct file) */ 7 BPF_LDX_MEM(BPF_DW , BPF_REG_4 , BPF_REG_6 , 8 offsetof(struct landlock_data , args [0])) , 9 /* checker function */ 10 BPF_EMIT_CALL( BPF_FUNC_landlock_cmp_fs_beneath ), 11 /* if the file is beneath a handle from the map */ 12 BPF_JMP_IMM(BPF_JNE , BPF_REG_0 , 0, 1), 13 BPF_EXIT_INSN (), 14 /* deny by default , if any error */ 15 BPF_MOV32_IMM(BPF_REG_0 , EACCES), 16 BPF_EXIT_INSN (), 10 / 12
  • 21. Two complementary ways to enforce Landlock rules Process hierarchy: application with built-in sandboxing restrict the current process and its future children use the seccomp(2) interface native use of no new privs 11 / 12
  • 22. Two complementary ways to enforce Landlock rules Process hierarchy: application with built-in sandboxing restrict the current process and its future children use the seccomp(2) interface native use of no new privs cgroup: container sandboxing restrict processes from a cgroup complementary to rules for process hierarchies handle cgroup delegation with no new privs 11 / 12
  • 23. Landlock LSM: Wrap-up Unprivileged sandboxing use eBPF programs as access control rules applied through seccomp or tied to a cgroup can handle privileged features limited attack surface efficient and flexible https://lwn.net/Articles/700607 mic@digikod.net @l0kod 12 / 12