landlock.rst - OpenGrok cross reference for /linux-6.14.4/Documentation/userspace-api/landlock.rst

Lines Matching +full:build +full:- +full:rules
1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright © 2017-2020 Mickaël Salaün <[email protected]>
3 .. Copyright © 2019-2020 ANSSI
4 .. Copyright © 2021-2022 Microsoft Corporation
16 new security layers in addition to the existing system-wide access-controls.
23 ``dmesg | grep landlock || journalctl -kb -g landlock`` .
29 Landlock rules
33 perform.  A set of rules is aggregated in a ruleset, which can then restrict
36 The two existing types of rules are:
38 Filesystem rules
39     For these rules, the object is a file hierarchy,
43 Network rules (since ABI v4)
44     For these rules, the object is a TCP port,
48 ----------------------------------------
50 We first need to define the ruleset that will contain our rules.
52 For this example, the ruleset will contain rules that only allow filesystem
59 to be explicit about the denied-by-default access rights.
61 .. code-block:: c
90 on, it is safer to follow a best-effort security approach.  Indeed, we
97 .. code-block:: c
132 This enables the creation of an inclusive ruleset that will contain our rules.
134 .. code-block:: c
151 .. code-block:: c
176 It may also be required to create rules following the same logic as explained
181 For network access-control, we can add a set of rules that allow to use a port
184 .. code-block:: c
199 .. code-block:: c
209 .. code-block:: c
228 --------------
232 read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
233 ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
234 Following this good practice leads to self-sufficient hierarchies that do not
242 Having self-sufficient hierarchies also helps to tighten the required access
246 In this case, granting read-write access to ``~/tmp/``, instead of write-only
247 access, would potentially allow moving ``~/tmp/`` to a non-readable directory
251 ---------------------------------
258 One policy layer grants access to a file path if at least one of its rules
265 -------------------------
273 hierarchy is then composed of the exact same files, on which Landlock rules can
274 be tied, either via the source or the destination path.  These rules restrict
291 -----------
295 Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
297 Landlock rules to itself, but they will not be automatically applied to other
308 -------------------
310 A sandboxed process has less privileges than a non-sandboxed process and must
314 access rights, which means the tracee must be in a sub-domain of the tracer.
317 -----------
323 non-sandboxed process through abstract :manpage:`unix(7)` sockets, we can
326 non-sandboxed process, we can specify this restriction with
329 A sandboxed process can connect to a non-sandboxed process when its domain is
332 Moreover, if a process is scoped to send signal to a non-scoped process, it can
338 scenario, a non-connected datagram socket cannot send data (with
341 A process with a scoped domain can inherit a socket created by a non-scoped
345 IPC scoping does not support exceptions, so if a domain is scoped, no rules can
349 ----------------
353 overlap in non-intuitive ways.  It is recommended to always specify both of
369 ---------------------------------------
391 ----------------------------------
404 encouraged to follow a best-effort security approach by checking the Landlock
410 ---------------------
415 .. code-block:: c
443 -------------
445 .. kernel-doc:: include/uapi/linux/landlock.h
449 ----------------------
451 .. kernel-doc:: security/landlock/syscalls.c
454 .. kernel-doc:: include/uapi/linux/landlock.h
458 -------------------
460 .. kernel-doc:: security/landlock/syscalls.c
463 .. kernel-doc:: include/uapi/linux/landlock.h
468 -------------------
470 .. kernel-doc:: security/landlock/syscalls.c
477 --------------------------------
484 -------------------
488 come from a user-visible filesystem (e.g. pipe, socket), but can still be
498 --------------
503 E2BIG.  It is then strongly suggested to carefully build rulesets once in the
509 ------------
512 by the Documentation/admin-guide/cgroup-v1/memory.rst.
515 -------------
519 means specifically that pre-existing file descriptors like stdin, stdout and
531 Landlock's IOCTL support is coarse-grained at the moment, but may become more
532 fine-grained in the future.  Until then, users are advised to establish the
540 -----------------------------------
543 handle composition of rules.  Such property also implies rules nesting.
557 -------------------------
566 ------------------------------
574 ----------------------
585 ------------------------------
592 ----------------
603 Build time configuration
604 ------------------------
606 Landlock was first introduced in Linux 5.13 but it must be configured at build
615 -----------------------
619 Documentation/admin-guide/kernel-parameters.rst in the boot loader
622 For example, if the current built-in configuration is:
624 .. code-block:: console
626     $ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
631 .. code-block:: console
633     $ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
644 .. code-block:: console
646     # dmesg | grep landlock || journalctl -kb -g landlock
652 The kernel may be configured at build time to always load the ``lockdown`` and
658 ---------------
670 ---------------------------------------
675 <https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interpos…
678 -------------------------------------
681 access-control and then miss useful features for such use case (e.g. no
682 fine-grained restrictions).  Moreover, their complexity can lead to security