landlock: programmatic access control · landlock: programmatic access control principles i...
TRANSCRIPT
Landlock: programmatic access control
Mickael Salaun
@l0kod
June 21, 2017
1 / 11
Secure software
What is the threat?
I compromise a process (e.g. bug in a parser)
I privilege escalation (e.g. RunC vulnerability: CVE-2016-9962)
I access sensitive data
What can we do?
I secure development
I follow the least privilege principle
I compartmentalize exposed processes (subset of initial accesses)
2 / 11
Secure software
What is the threat?
I compromise a process (e.g. bug in a parser)
I privilege escalation (e.g. RunC vulnerability: CVE-2016-9962)
I access sensitive data
What can we do?
I secure development
I follow the least privilege principle
I compartmentalize exposed processes (subset of initial accesses)
2 / 11
Existing compartmentalization solutions on Linux
fine-grained control unprivileged embedded policySELinux. . . X
seccomp-bpf X Xnamespaces ∼ X
Applications using this features
I service: OpenSSH, systemd. . .
I web browser: Chromium
I sandbox manager: Firejail, Subgraph/Oz, Minijail, StemJail. . .
I container manager: Docker, LXC. . .
3 / 11
Existing compartmentalization solutions on Linux
fine-grained control unprivileged embedded policySELinux. . . Xseccomp-bpf X Xnamespaces ∼ X
Applications using this features
I service: OpenSSH, systemd. . .
I web browser: Chromium
I sandbox manager: Firejail, Subgraph/Oz, Minijail, StemJail. . .
I container manager: Docker, LXC. . .
3 / 11
Existing compartmentalization solutions on Linux
fine-grained control unprivileged embedded policySELinux. . . Xseccomp-bpf X Xnamespaces ∼ X
Applications using this features
I service: OpenSSH, systemd. . .
I web browser: Chromium
I sandbox manager: Firejail, Subgraph/Oz, Minijail, StemJail. . .
I container manager: Docker, LXC. . .
3 / 11
Landlock: programmatic access control
Principles
I fine-grained control, unprivileged and embedded in applications
I free to choose a dedicated access control model
I stackable LSM (complementary restrictions)
I stackable rules (similar to seccomp-bpf)
I global system view (namespace agnostic)
I without SUID nor complex brokers
Interested audience
I applications with built-in sandboxing (tailored security policy)
I sandbox managers (unprivileged and dynamic compartimentalization)
I container managers (hardened containers)
4 / 11
Landlock: programmatic access control
Principles
I fine-grained control, unprivileged and embedded in applications
I free to choose a dedicated access control model
I stackable LSM (complementary restrictions)
I stackable rules (similar to seccomp-bpf)
I global system view (namespace agnostic)
I without SUID nor complex brokers
Interested audience
I applications with built-in sandboxing (tailored security policy)
I sandbox managers (unprivileged and dynamic compartimentalization)
I container managers (hardened containers)
4 / 11
Life cycle of a Landlock rule
5 / 11
Landlock rule example
I read-only access to the filesystem...
I ...but allowed to write on pipes
I rule applied on each filesystem-like access request
6 / 11
Landlock rule example
1 SEC("landlock1")2 int landlock_fs_rule1(struct landlock_context *ctx)3 {4 int mode;56 /* allow non-write actions */7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))8 return 0;9 /* get the file mode */
10 mode = bpf_handle_fs_get_mode(ctx->arg1);11 /* allow write on pipes */12 if (S_ISFIFO(mode))13 return 0;14 return 1;15 }
6 / 11
Landlock rule example
1 SEC("landlock1")2 int landlock_fs_rule1(struct landlock_context *ctx)3 {4 int mode;56 /* allow non-write actions */7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))8 return 0;9 /* get the file mode */
10 mode = bpf_handle_fs_get_mode(ctx->arg1);11 /* allow write on pipes */12 if (S_ISFIFO(mode))13 return 0;14 return 1;15 }
6 / 11
Landlock rule example
1 SEC("landlock1")2 int landlock_fs_rule1(struct landlock_context *ctx)3 {4 int mode;56 /* allow non-write actions */7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))8 return 0;9 /* get the file mode */
10 mode = bpf_handle_fs_get_mode(ctx->arg1);11 /* allow write on pipes */12 if (S_ISFIFO(mode))13 return 0;14 return 1;15 }
6 / 11
Landlock rule example
1 SEC("landlock1")2 int landlock_fs_rule1(struct landlock_context *ctx)3 {4 int mode;56 /* allow non-write actions */7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))8 return 0;9 /* get the file mode */
10 mode = bpf_handle_fs_get_mode(ctx->arg1);11 /* allow write on pipes */12 if (S_ISFIFO(mode))13 return 0;14 return 1;15 }
6 / 11
Landlock rule example
1 SEC("landlock1")2 int landlock_fs_rule1(struct landlock_context *ctx)3 {4 int mode;56 /* allow non-write actions */7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))8 return 0;9 /* get the file mode */
10 mode = bpf_handle_fs_get_mode(ctx->arg1);11 /* allow write on pipes */12 if (S_ISFIFO(mode))13 return 0;14 return 1;15 }
6 / 11
Landlock rule example
1 SEC("landlock1")2 int landlock_fs_rule1(struct landlock_context *ctx)3 {4 int mode;56 /* allow non-write actions */7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))8 return 0;9 /* get the file mode */
10 mode = bpf_handle_fs_get_mode(ctx->arg1);11 /* allow write on pipes */12 if (S_ISFIFO(mode))13 return 0;14 return 1;15 }
6 / 11
Landlock rule example
1 SEC("landlock1")2 int landlock_fs_rule1(struct landlock_context *ctx)3 {4 int mode;56 /* allow non-write actions */7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))8 return 0;9 /* get the file mode */
10 mode = bpf_handle_fs_get_mode(ctx->arg1);11 /* allow write on pipes */12 if (S_ISFIFO(mode))13 return 0;14 return 1;15 }
6 / 11
Landlock rule example
1 SEC("landlock1")2 int landlock_fs_rule1(struct landlock_context *ctx)3 {4 int mode;56 /* allow non-write actions */7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE))8 return 0;9 /* get the file mode */
10 mode = bpf_handle_fs_get_mode(ctx->arg1);11 /* allow write on pipes */12 if (S_ISFIFO(mode))13 return 0;14 return 1;15 }
6 / 11
Landlock context (WIP)
struct landlock_context {__u64 status;__u64 cookie;__u64 event;__u64 arg1;__u64 arg2;
};
Landlock events
I LANDLOCK SUBTYPE EVENT FS
I LANDLOCK SUBTYPE EVENT FS IOCTLI LANDLOCK SUBTYPE EVENT FS LOCKI LANDLOCK SUBTYPE EVENT FS FCNTL
Landlock actions for an FS event
I LANDLOCK ACTION FS EXECI LANDLOCK ACTION FS WRITEI LANDLOCK ACTION FS READI LANDLOCK ACTION FS NEWI LANDLOCK ACTION FS GETI LANDLOCK ACTION FS REMOVEI LANDLOCK ACTION FS IOCTLI LANDLOCK ACTION FS LOCKI LANDLOCK ACTION FS FCNTL
7 / 11
Landlock context (WIP)
struct landlock_context {__u64 status;__u64 cookie;__u64 event;__u64 arg1;__u64 arg2;
};
Landlock events
I LANDLOCK SUBTYPE EVENT FS
I LANDLOCK SUBTYPE EVENT FS IOCTLI LANDLOCK SUBTYPE EVENT FS LOCKI LANDLOCK SUBTYPE EVENT FS FCNTL
Landlock actions for an FS event
I LANDLOCK ACTION FS EXECI LANDLOCK ACTION FS WRITEI LANDLOCK ACTION FS READI LANDLOCK ACTION FS NEWI LANDLOCK ACTION FS GETI LANDLOCK ACTION FS REMOVEI LANDLOCK ACTION FS IOCTLI LANDLOCK ACTION FS LOCKI LANDLOCK ACTION FS FCNTL
7 / 11
Landlock context (WIP)
struct landlock_context {__u64 status;__u64 cookie;__u64 event;__u64 arg1;__u64 arg2;
};
Landlock events
I LANDLOCK SUBTYPE EVENT FS
I LANDLOCK SUBTYPE EVENT FS IOCTLI LANDLOCK SUBTYPE EVENT FS LOCKI LANDLOCK SUBTYPE EVENT FS FCNTL
Landlock actions for an FS event
I LANDLOCK ACTION FS EXECI LANDLOCK ACTION FS WRITEI LANDLOCK ACTION FS READI LANDLOCK ACTION FS NEWI LANDLOCK ACTION FS GETI LANDLOCK ACTION FS REMOVEI LANDLOCK ACTION FS IOCTLI LANDLOCK ACTION FS LOCKI LANDLOCK ACTION FS FCNTL
7 / 11
Landlock context (WIP)
struct landlock_context {__u64 status;__u64 cookie;__u64 event;__u64 arg1;__u64 arg2;
};
Landlock events
I LANDLOCK SUBTYPE EVENT FS
I LANDLOCK SUBTYPE EVENT FS IOCTLI LANDLOCK SUBTYPE EVENT FS LOCKI LANDLOCK SUBTYPE EVENT FS FCNTL
Landlock actions for an FS event
I LANDLOCK ACTION FS EXECI LANDLOCK ACTION FS WRITEI LANDLOCK ACTION FS READI LANDLOCK ACTION FS NEWI LANDLOCK ACTION FS GETI LANDLOCK ACTION FS REMOVEI LANDLOCK ACTION FS IOCTLI LANDLOCK ACTION FS LOCKI LANDLOCK ACTION FS FCNTL
7 / 11
Landlock context (WIP)
struct landlock_context {__u64 status;__u64 cookie;__u64 event;__u64 arg1;__u64 arg2;
};
Landlock events
I LANDLOCK SUBTYPE EVENT FSI LANDLOCK SUBTYPE EVENT FS IOCTLI LANDLOCK SUBTYPE EVENT FS LOCKI LANDLOCK SUBTYPE EVENT FS FCNTL
Landlock actions for an FS event
I LANDLOCK ACTION FS EXECI LANDLOCK ACTION FS WRITEI LANDLOCK ACTION FS READI LANDLOCK ACTION FS NEWI LANDLOCK ACTION FS GETI LANDLOCK ACTION FS REMOVEI LANDLOCK ACTION FS IOCTLI LANDLOCK ACTION FS LOCKI LANDLOCK ACTION FS FCNTL
7 / 11
LSM + eBPF
Linux Security Modulesframework to provide a mechanism for various security checks to be hooked
extended Berkeley Packet Filter
I in-kernel bytecode machine:I optimized to be easily JITableI arithmetic operations, comparisons, jump forward, function callsI restricted memory read/write (i.e. program context and stack)I exchange data through maps between eBPF programs and userland
I static program verification at load time:I memory access checksI register typing and taintingI pointer leak restrictions
I widely used in the kernel: network filtering, tracing. . .
8 / 11
LSM + eBPF
Linux Security Modulesframework to provide a mechanism for various security checks to be hooked
extended Berkeley Packet Filter
I in-kernel bytecode machine:I optimized to be easily JITableI arithmetic operations, comparisons, jump forward, function callsI restricted memory read/write (i.e. program context and stack)I exchange data through maps between eBPF programs and userland
I static program verification at load time:I memory access checksI register typing and taintingI pointer leak restrictions
I widely used in the kernel: network filtering, tracing. . .
8 / 11
Landlock: unprivileged access control
Access control
I applying a security policy requires privileges
I alternative approach to the traditional interface (e.g. SUID) with anew one dedicated to coercitive access control
I protect other processes (e.g. tampering with ptrace)
Protect the kernel and its resourcesI reduced attack surface:
I eBPF interpreter: static analysisI LSM part: only executed on viewable objects and after other controls
I protect against DoS
I prevent side channels
9 / 11
Landlock: unprivileged access control
Access control
I applying a security policy requires privileges
I alternative approach to the traditional interface (e.g. SUID) with anew one dedicated to coercitive access control
I protect other processes (e.g. tampering with ptrace)
Protect the kernel and its resourcesI reduced attack surface:
I eBPF interpreter: static analysisI LSM part: only executed on viewable objects and after other controls
I protect against DoS
I prevent side channels
9 / 11
Landlock (WIP)
Demo
10 / 11
Landlock: wrap-up
Userland hardening
I fine-grained access control
I dynamic security policy
I designed for unprivileged use
Current status: v6
I autonomous patch series merged (eBPF, LSM, kselftest)
I ongoing patch series: LKML, github.com/landlock-lsm, @l0kodI backported as a project in LinuxKit
Roadmap: incremental upstream integration
1. minimum viable product
2. cgroup handling
3. new eBPF map type for filesystem-related checks
4. unprivileged mode
11 / 11
Landlock: wrap-up
Userland hardening
I fine-grained access control
I dynamic security policy
I designed for unprivileged use
Current status: v6
I autonomous patch series merged (eBPF, LSM, kselftest)
I ongoing patch series: LKML, github.com/landlock-lsm, @l0kodI backported as a project in LinuxKit
Roadmap: incremental upstream integration
1. minimum viable product
2. cgroup handling
3. new eBPF map type for filesystem-related checks
4. unprivileged mode
11 / 11
Landlock: wrap-up
Userland hardening
I fine-grained access control
I dynamic security policy
I designed for unprivileged use
Current status: v6
I autonomous patch series merged (eBPF, LSM, kselftest)
I ongoing patch series: LKML, github.com/landlock-lsm, @l0kodI backported as a project in LinuxKit
Roadmap: incremental upstream integration
1. minimum viable product
2. cgroup handling
3. new eBPF map type for filesystem-related checks
4. unprivileged mode
11 / 11