Lines Matching +full:container +full:- +full:rules

1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
3 .. Copyright © 2019-2020 ANSSI
4 .. Copyright © 2021-2022 Microsoft Corporation
16 in addition to the existing system-wide access-controls. This kind of sandbox
23 landlock || journalctl -kg landlock``. Developers can also easily check for
28 Landlock rules
33 rights`_. A set of rules is aggregated in a ruleset, which can then restrict
37 ----------------------------------------
39 We first need to define the ruleset that will contain our rules. For this
40 example, the ruleset will contain rules that only allow read actions, but write
44 the need to be explicit about the denied-by-default access rights.
46 .. code-block:: c
68 executed, it is safer to follow a best-effort security approach. Indeed, we
77 .. code-block:: c
97 This enables us to create an inclusive ruleset that will contain our rules.
99 .. code-block:: c
116 .. code-block:: c
141 It may also be required to create rules following the same logic as explained
151 .. code-block:: c
161 .. code-block:: c
180 --------------
184 read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
185 ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
186 Following this good practice leads to self-sufficient hierarchies that do not
193 Having self-sufficient hierarchies also helps to tighten the required access
197 In this case, granting read-write access to ``~/tmp/``, instead of write-only
198 access, would potentially allow moving ``~/tmp/`` to a non-readable directory
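The ruleset definition, best-effort ABI check and rule creation outlined above, applied to the recommended layout of one read-only and one read-write hierarchy, as an added example in C. This is not the documentation's own sample code: it assumes a Linux kernel with Landlock enabled, uses ``/usr`` and ``/tmp`` as stand-ins for the read-only and read-write hierarchies, and copies in the UAPI constants and syscall numbers so that it compiles even where ``<linux/landlock.h>`` is missing.

```c
/* Added example (not code from landlock.rst): a best-effort Landlock sandbox with one
 * read-only and one read-write hierarchy.  The UAPI bits are reproduced so it builds
 * without <linux/landlock.h>; the paths used in main() are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef LANDLOCK_CREATE_RULESET_VERSION	/* from the Linux UAPI, filesystem ABI v1-v3 */
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
/* fs rights are bits 0..14 (EXECUTE ... TRUNCATE); only the ones used here are named. */
#define LANDLOCK_ACCESS_FS_EXECUTE   (1ULL << 0)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR  (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REFER     (1ULL << 13)	/* ABI v2 */
#define LANDLOCK_ACCESS_FS_TRUNCATE  (1ULL << 14)	/* ABI v3 */
#endif
#ifndef __NR_landlock_create_ruleset	/* same numbers on every architecture; no libc wrappers */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define ACCESS_FS_ROUGHLY_READ (LANDLOCK_ACCESS_FS_EXECUTE | \
	LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)
#define ACCESS_FS_ROUGHLY_WRITE (((1ULL << 15) - 1) & ~ACCESS_FS_ROUGHLY_READ)

/* Best-effort: a right unknown to the running kernel must not be in handled_access_fs,
 * or landlock_create_ruleset() fails with EINVAL.  Newer kernels just get this subset. */
uint64_t landlock_fs_rights_for_abi(int abi)
{
	uint64_t rights = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE;

	if (abi < 2)
		rights &= ~LANDLOCK_ACCESS_FS_REFER;
	if (abi < 3)
		rights &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
	return rights;
}

/* allowed_access must be a subset of the ruleset's handled rights (else EINVAL). */
static int add_path_beneath(int ruleset_fd, const char *path, uint64_t allowed)
{
	struct landlock_path_beneath_attr pb = { .allowed_access = allowed };
	int ret;

	pb.parent_fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	if (pb.parent_fd < 0)
		return -1;
	ret = syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
	close(pb.parent_fd);
	return ret;
}

/* 0 once restricted; 1 if Landlock is unsupported or disabled (best-effort: go on
 * unsandboxed); -1 on any other error. */
int sandbox_self(const char *ro_root, const char *rw_root)
{
	int abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	struct landlock_ruleset_attr attr;
	int ruleset_fd;

	if (abi < 0)
		return (errno == ENOSYS || errno == EOPNOTSUPP) ? 1 : -1;
	attr.handled_access_fs = landlock_fs_rights_for_abi(abi);
	ruleset_fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	if (ruleset_fd < 0)
		return -1;
	/* The read-write hierarchy keeps the read rights too (the ~/tmp/ case above). */
	if (add_path_beneath(ruleset_fd, ro_root, attr.handled_access_fs & ACCESS_FS_ROUGHLY_READ) ||
	    add_path_beneath(ruleset_fd, rw_root, attr.handled_access_fs) ||
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||	/* required without CAP_SYS_ADMIN */
	    syscall(__NR_landlock_restrict_self, ruleset_fd, 0)) {
		close(ruleset_fd);
		return -1;
	}
	close(ruleset_fd);
	return 0;
}

int main(void)
{
	int ret = sandbox_self("/usr", "/tmp");	/* assumed hierarchies */

	if (ret < 0) {
		perror("sandbox_self");
		return 1;
	}
	puts(ret ? "Landlock unavailable, running unsandboxed" : "Landlocked: /usr ro, /tmp rw");
	/* /etc is outside both hierarchies: once Landlocked this open() fails with EACCES. */
	if (open("/etc/hostname", O_RDONLY | O_CLOEXEC) < 0)
		perror("open /etc/hostname");
	return 0;
}
```

Build with ``gcc -o sandbox sandbox.c`` and run it on a kernel that has Landlock enabled: the final ``open()`` fails with ``EACCES`` because ``/etc`` is covered by neither rule, while anything beneath ``/usr`` stays readable and anything beneath ``/tmp`` stays writable. Two caveats the text hints at are made explicit here: the rule's ``allowed_access`` is masked with ``handled_access_fs`` because a rule may not grant a right the ruleset does not handle, and a right dropped from ``handled_access_fs`` on an older kernel (``TRUNCATE`` on ABI v2, for instance) is then simply not restricted anywhere, which is the trade-off a best-effort policy accepts.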
202 ---------------------------------
210 One policy layer grants access to a file path if at least one of its rules
217 -------------------------
225 hierarchy is then composed of the exact same files, on which Landlock rules can
226 be tied, either via the source or the destination path. These rules restrict
243 -----------
247 Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
249 Landlock rules to itself, but they will not be automatically applied to other
260 -------------------
262 A sandboxed process has less privileges than a non-sandboxed process and must
265 process, a sandboxed process should have a subset of the target process rules,
266 which means the tracee must be in a sub-domain of the tracer.
269 ----------------
273 overlap in non-intuitive ways. It is recommended to always specify both of
303 ----------------------------------
316 encouraged to follow a best-effort security approach by checking the Landlock
322 ---------------------
327 .. code-block:: c
355 -------------
357 .. kernel-doc:: include/uapi/linux/landlock.h
361 ----------------------
363 .. kernel-doc:: security/landlock/syscalls.c
366 .. kernel-doc:: include/uapi/linux/landlock.h
370 -------------------
372 .. kernel-doc:: security/landlock/syscalls.c
375 .. kernel-doc:: include/uapi/linux/landlock.h
379 -------------------
381 .. kernel-doc:: security/landlock/syscalls.c
388 --------------------------------
395 -------------------
399 come from a user-visible filesystem (e.g. pipe, socket), but can still be
409 --------------
416 that may also want to sandbox themselves (e.g. shells, container managers,
420 ------------
423 by the Documentation/admin-guide/cgroup-v1/memory.rst.
429 -----------------------------------
432 handle composition of rules. Such a property also implies rule nesting.
446 -------------------------
469 Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader
476 ---------------------------------------
481 <https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interpos…
484 -------------------------------------
487 access-control and then miss useful features for such a use case (e.g. no
488 fine-grained restrictions). Moreover, their complexity can lead to security