| Landlock-Ing Linux (blog.prizrak.me) |
| 46 points by razighter777 2 hours ago | 9 comments |
| |
|
| seethishat an hour ago |
| LandLock is a Minor LSM intended for software developers. They incorporate it into their source code to limit where the programs may read/write. Here's a simple Go example:

    package main

    import (
        "flag"
        "fmt"
        "log"
        "os"

        "github.com/landlock-lsm/go-landlock/landlock"
    )

    // Simple program that demonstrates how Landlock works in Go on Linux systems.
    // Requires 5.13 or newer kernel and .config should look something like this:
    // CONFIG_SECURITY_LANDLOCK=y
    // CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
    func main() {
        var help = flag.Bool("help", false, "landlock-example -f /path/to/file.txt")
        var file = flag.String("f", "", "the file path to read")
        flag.Parse()
        if *help || len(os.Args) == 1 {
            flag.PrintDefaults()
            return
        }
        // allow the program to read files in /home/user/tmp
        err := landlock.V1.RestrictPaths(landlock.RODirs("/home/user/tmp"))
        if err != nil {
            log.Fatal(err)
        }
        // attempt to read a file (os.ReadFile replaces the deprecated ioutil.ReadFile)
        bytes, err := os.ReadFile(*file)
        if err != nil {
            log.Fatal(err)
        }
        fmt.Println(string(bytes))
    }
|
| |
| razighter777 29 minutes ago | | Yup. In the application code itself is where landlock shines at the moment. It's becoming increasingly usable as a wrapper for untrusted applications as well. |
|
|
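Added example (not part of any comment above, and not go-landlock's own code): a read-only-directory policy of the kind the first Go program requests, written against the three raw Landlock syscalls with only the Go standard library. The function name `restrictThread`, the command-line usage, and the choice of allowed rights (execute, read file, read directory) are assumptions of this example; the restriction covers only the calling thread, so the caller locks its goroutine to that thread first.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"syscall"
	"unsafe"
)

// restrictThread confines the calling OS thread to read-only access beneath dir (raw syscalls 444-446).
func restrictThread(dir string) error {
	fd, err := syscall.Open(dir, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return fmt.Errorf("open %s: %w", dir, err)
	}
	defer syscall.Close(fd)
	attr := uint64(1<<13 - 1) // landlock_ruleset_attr: handle (deny unless allowed) all 13 ABI v1 rights
	rs, _, e := syscall.Syscall(444, uintptr(unsafe.Pointer(&attr)), 8, 0)
	if e != 0 {
		return fmt.Errorf("landlock_create_ruleset: %w", e)
	}
	defer syscall.Close(int(rs))
	// struct landlock_path_beneath_attr: allow EXECUTE|READ_FILE|READ_DIR beneath fd.
	rule := struct{ allowed uint64; parent int32 }{1<<0 | 1<<2 | 1<<3, int32(fd)}
	_, _, e = syscall.Syscall6(445, rs, 1, uintptr(unsafe.Pointer(&rule)), 0, 0, 0) // add_rule, PATH_BENEATH
	if e == 0 { // prctl(PR_SET_NO_NEW_PRIVS, 1) must precede an unprivileged restrict_self
		_, _, e = syscall.Syscall(syscall.SYS_PRCTL, 38, 1, 0)
	}
	if e == 0 {
		_, _, e = syscall.Syscall(446, rs, 0, 0) // landlock_restrict_self
	}
	if e != 0 {
		return fmt.Errorf("landlock_add_rule/prctl/landlock_restrict_self: %w", e)
	}
	return nil
}

func main() { // usage: demo ALLOWED_DIR FILE...
	runtime.LockOSThread() // the restriction is per thread; stay on the one that gets it
	if len(os.Args) < 2 {
		return
	}
	fmt.Println("policy:", restrictThread(os.Args[1]))
	for _, p := range os.Args[2:] {
		_, err := os.ReadFile(p)
		fmt.Println(p, "->", err)
	}
}
```

On a kernel without Landlock the first syscall fails and `restrictThread` returns that error instead of silently running unrestricted; files outside ALLOWED_DIR otherwise report "permission denied".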
| PeterWhittaker an hour ago |
| So like using seccomp with a whitelist (fairly easy to do) with per-object access rights. I'd love to see a comparison of landlock to restricted containers. |
| |
| razighter777 33 minutes ago | | Comparing landlock to containers isn't really an apples-to-apples comparison. Containers use a bunch of Linux security mechanisms together, like chroot, seccomp, and user namespaces, to accomplish their goals. Landlock is just another building block that devs can use. Fun fact: because landlock is unprivileged, you can even use it inside containers; or to build an unprivileged container runtime :) |
|
|
| razighter777 2 hours ago |
| What the Landlock LSM can add to the state of Linux security |
|
| kosolam an hour ago |
| So it also works by using some CLI utility to run my software, for example? |
| |
| razighter777 an hour ago | | Yup. There are tools that use landlock to accomplish just that. https://github.com/Zouuup/landrun All you gotta do is apply a policy and do a fork() exec().
There is also support in firejail. |
| seethishat 33 minutes ago | | Firejail requires SUID, LandLock does not. Also, it's very easy to write your own LandLock policy in the programming language of your choice and wrap whatever program you like rather than downloading stuff from GitHub. Here's another example in Go:

    package main

    import (
        "log"
        "os"
        "os/exec"

        "github.com/landlock-lsm/go-landlock/landlock"
    )

    func main() {
        // Define the Landlock policy (path rules elided here)
        err := landlock.V1.RestrictPaths(...)
        if err != nil {
            log.Fatal(err)
        }
        // Execute Firefox under the policy
        cmd := exec.Command("/usr/bin/firefox")
        cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
        if err := cmd.Run(); err != nil {
            log.Fatal(err)
        }
    }
|
| |
| codethief 24 minutes ago | | Yeah, see e.g. sydbox: https://gitlab.exherbo.org/sydbox/sydbox |
|