Using Landlock
LandlockComparedToOtherSandboxingMechanisms
Sandboxing is a developer task
With Landlock, it is the application developers who define the sandboxing policies from within the program. This means that:
- The application can be sandboxed by the person most familiar with its inner workings.
- The policy is always in sync with the code, as it lives in the same repository.
- The program can use different policy variants at different steps during its execution, starting with a loose policy and refining it later on.
General Principle
Identify the threat
It helps to have a clear understanding of what you want to protect against. The different inputs to a program usually come from different sources with different levels of trust:
- Command line arguments and config files tend to be trustworthy 💚
- Data from the network, input files or stdin might be untrustworthy 🔴
Which category a given input falls into depends on the use case.
Enabling a Landlock policy before processing untrusted input
Therefore,
- we can parse trustworthy 💚 inputs up front (program startup phase),
- then enable a Landlock policy 🛡️ (LandlockRulesetEnforcement),
- then start processing untrusted 🔴 inputs.
This works well with the Unix security model, where access permissions are generally checked at the time of providing new file descriptors to a process. We can open all required file descriptors during the initialization phase, and then forbid opening of new file descriptors very broadly, but continue using the ones which are already open.
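The three-step pattern above (open trusted inputs up front, enforce the policy, then process untrusted input) as an added example in C; this is not code from this wiki or from the Landlock project. It assumes a Linux system with the Landlock UAPI header, creates a constructed temporary config file, and runs the sandboxed part in a child process; sandbox_demo() returns 0 when the policy behaves as described and 2 when Landlock is unavailable on the running kernel.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if the policy behaved as described, 2 if Landlock is unavailable, 1 otherwise. */
static int run_child(const char *dir, const char *cfg)
{
    int cfg_fd = open(cfg, O_RDONLY);            /* startup: trusted file opened up front */
    if (cfg_fd < 0) return 1;
    /* ABI probe: fails on kernels without Landlock, with the LSM disabled, or when filtered */
    if (syscall(SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) < 0) return 2;
    /* Handle read and write of regular files; access types not handled here stay allowed. */
    struct landlock_ruleset_attr attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE };
    int rs = syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rs < 0) return 1;
    /* One rule: files beneath the config directory may still be opened for reading. */
    struct landlock_path_beneath_attr pb = { .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE };
    pb.parent_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (pb.parent_fd < 0 || syscall(SYS_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &pb, 0))
        return 1;
    /* Enforce: no_new_privs is mandatory, then the policy is irrevocable for this process. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(SYS_landlock_restrict_self, rs, 0))
        return 1;
    /* Processing phase: the pre-opened fd still reads and re-opening for read is allowed
     * by the rule, but opening the same file for writing is now denied with EACCES. */
    char buf[64];
    if (read(cfg_fd, buf, sizeof buf) <= 0 || open(cfg, O_RDONLY) < 0) return 1;
    return (open(cfg, O_WRONLY) < 0 && errno == EACCES) ? 0 : 1;
}

/* Creates a constructed sample config in a temp dir; the caller's process is never sandboxed. */
int sandbox_demo(void)
{
    char dir[] = "/tmp/landlock-demo-XXXXXX", cfg[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(cfg, sizeof cfg, "%s/app.conf", dir);
    int fd = open(cfg, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "verbose=1\n", 10) != 10 || close(fd)) return 1;
    pid_t pid = fork();
    if (pid == 0) _exit(run_child(dir, cfg));
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return 1;
    unlink(cfg); rmdir(dir);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```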
The big overview diagram is this:
Using the Landlock API
Landlock’s only API is the one required for ruleset enforcement.
This API is discussed in LandlockRulesetEnforcement.
Examples
💾 Github
- LandlockConvertExample
- LandlockTcpServerExample
- more TBD :)
Known problems and their workarounds
This is a collection of known problems and the workarounds for them which we know about.
- OnDemandFileAccessProblem – lazy access to configuration files
  - Example: various config files get opened on the first call to gethostbyname()
- PluginSystemsWithUnknownCodeProblem – plugin systems load unknown code
- EcryptFsProblem
- TerminalFileDescriptorProblem
- LandlockFileExecutionProblem