Lines Matching +full:kernel +full:- +full:policy

1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
3 .. Copyright © 2019-2020 ANSSI
4 .. Copyright © 2021-2022 Microsoft Corporation
16 in addition to the existing system-wide access-controls. This kind of sandbox
22 looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep
23 landlock || journalctl -kg landlock``. Developers can also easily check for
25 Landlock is not currently supported, we need to :ref:`configure the kernel
36 Defining and enforcing a security policy
37 ----------------------------------------
43 kernel and user space may not know each other's supported restrictions), hence
44 the need to be explicit about the denied-by-default access rights.
46 .. code-block:: c
67 Because we may not know on which kernel version an application will be
68 executed, it is safer to follow a best-effort security approach. Indeed, we
69 should try to protect users as much as possible whatever the kernel they are
77 .. code-block:: c
84 perror("The running kernel does not enable to use Landlock");
99 .. code-block:: c
116 .. code-block:: c
151 .. code-block:: c
161 .. code-block:: c
171 now restricted and this policy will be enforced on all its subsequently created
173 security policy; only adding more restrictions is allowed. These threads are
180 --------------
184 read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
185 ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
186 Following this good practice leads to self-sufficient hierarchies that do not
193 Having self-sufficient hierarchies also helps to tighten the required access
197 In this case, granting read-write access to ``~/tmp/``, instead of write-only
198 access, would potentially allow moving ``~/tmp/`` to a non-readable directory
202 ---------------------------------
205 with a new layer of policy. Indeed, this complementary policy is stacked with
210 One policy layer grants access to a file path if at least one of its rules
212 a file path if all its enforced policy layers grant the access as well as all
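The two sentences above describe how stacked layers combine: within one layer a rule on the path or any of its ancestors is enough, across layers every layer must agree. The following is an added, user-space model of that rule (example code, not part of the kernel documentation or of the Landlock implementation): the helper names ``layer_grants`` and ``landlock_allows``, the path-prefix matching, and the ``/home/user`` scenario are illustrative assumptions, and only three ``LANDLOCK_ACCESS_FS_*`` bits are mirrored. It ignores REFER and mount semantics and models only the grant/deny arithmetic.

```c
/*
 * Added example (not kernel code): a user-space model of how Landlock combines
 * stacked policy layers.  Hypothetical helper names; path-prefix rules only,
 * no REFER or mount semantics.  Within one layer a right is granted if any
 * rule on the path or an ancestor grants it; across layers every layer must
 * grant the rights it handles; rights a layer does not handle pass through.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Three of the LANDLOCK_ACCESS_FS_* bits from include/uapi/linux/landlock.h. */
#define ACCESS_WRITE_FILE (1ULL << 1)
#define ACCESS_READ_FILE  (1ULL << 2)
#define ACCESS_READ_DIR   (1ULL << 3)

struct rule {
	const char *path;  /* hierarchy the rule was added on */
	uint64_t allowed;  /* rights granted on that hierarchy */
};

struct layer {
	uint64_t handled;  /* rights this ruleset restricts; others pass through */
	const struct rule *rules;
	size_t nrules;
};

/* True when `path` is `root` itself or lies beneath it (no partial-name matches). */
static bool under(const char *path, const char *root)
{
	size_t n = strlen(root);
	if (strcmp(root, "/") == 0)
		return path[0] == '/';
	return strncmp(path, root, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Rights one layer grants to `path`: the union of its rules met on the walk up. */
uint64_t layer_grants(const struct layer *l, const char *path)
{
	uint64_t granted = 0;
	for (size_t i = 0; i < l->nrules; i++)
		if (under(path, l->rules[i].path))
			granted |= l->rules[i].allowed;
	return granted;
}

/* Allowed only if every layer grants the requested rights it handles;
 * a handled right that no rule grants is denied by default. */
bool landlock_allows(const struct layer *layers, size_t nlayers,
		     const char *path, uint64_t requested)
{
	for (size_t i = 0; i < nlayers; i++) {
		uint64_t needed = requested & layers[i].handled;
		if (needed & ~layer_grants(&layers[i], path))
			return false;
	}
	return true;
}

/* Constructed scenario: a sandboxer grants read on ~/ and read-write on ~/tmp,
 * then the program tightens itself to read-only ~/tmp.  Paths are illustrative. */
static const struct rule first_rules[] = {
	{ "/home/user",     ACCESS_READ_FILE | ACCESS_READ_DIR },
	{ "/home/user/tmp", ACCESS_READ_FILE | ACCESS_READ_DIR | ACCESS_WRITE_FILE },
};
static const struct rule second_rules[] = {
	{ "/home/user/tmp", ACCESS_READ_FILE | ACCESS_READ_DIR },
};
const struct layer stacked[] = {
	{ ACCESS_READ_FILE | ACCESS_READ_DIR | ACCESS_WRITE_FILE, first_rules, 2 },
	{ ACCESS_READ_FILE | ACCESS_READ_DIR | ACCESS_WRITE_FILE, second_rules, 1 },
};
const size_t nstacked = 2;

int main(void)
{
	const char *files[] = { "/home/user/tmp/x", "/home/user/doc/a", "/etc/passwd" };
	for (size_t i = 0; i < 3; i++)
		printf("%-18s read:%d write:%d\n", files[i],
		       landlock_allows(stacked, nstacked, files[i], ACCESS_READ_FILE),
		       landlock_allows(stacked, nstacked, files[i], ACCESS_WRITE_FILE));
	return 0;
}
```

With only the first layer enforced, ``/home/user/doc/a`` is readable and ``/home/user/tmp/x`` is writable; once the second layer is stacked, both are refused even though the first layer still grants them, which is the "only adding more restrictions" property. A right that no layer handles (for example ``LANDLOCK_ACCESS_FS_EXECUTE`` here) passes through every layer, which is why the documentation insists on listing handled rights explicitly.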
217 -------------------------
235 policy point of view, OverlayFS layers and merge hierarchies are
237 different from bind mounts. A policy restricting an OverlayFS layer will not
243 -----------
247 Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
254 policy will stay enforced on all this thread's descendants. This allows
260 -------------------
262 A sandboxed process has fewer privileges than a non-sandboxed process and must
266 which means the tracee must be in a sub-domain of the tracer.
269 ----------------
273 overlap in non-intuitive ways. It is recommended to always specify both of
303 ----------------------------------
306 kernel. This is achieved thanks to the system call attributes and the
308 handled access right explicit enables the kernel and user space to have a clear
313 <https://subspace.kernel.org/lists.linux.dev.html>`_ to knowingly update and
315 users, and because they may use different kernel versions, it is strongly
316 encouraged to follow a best-effort security approach by checking the Landlock
322 ---------------------
327 .. code-block:: c
335 printf("Landlock is not supported by the current kernel.\n");
347 The following kernel interfaces are implicitly supported by the first ABI
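The best-effort approach discussed above (probe the ABI version, then handle every access right that kernel knows about, no more and no less) is what a portable sandboxer has to do, because a ruleset that names a right the running kernel does not know fails with ``EINVAL``, while a right it knows but the ruleset does not handle stays silently allowed. The following is an added example, not the documentation's sample or the kernel's own code: it mirrors the constants and ``struct landlock_ruleset_attr`` from ``include/uapi/linux/landlock.h`` so it compiles without that header, and it assumes the published ABI history (ABI 1 adds the first thirteen filesystem rights, 2 ``REFER``, 3 ``TRUNCATE``, 4 the TCP network rights, 5 ``IOCTL_DEV``). The helper names are the example's own.

```c
/*
 * Added example (not kernel or documentation code): probe the Landlock ABI of
 * the running kernel and build a best-effort ruleset handling every right
 * that kernel knows.  Constants and the attr struct mirror
 * include/uapi/linux/landlock.h; the ABI-to-rights mapping is assumed from
 * the published ABI history.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444  /* same number on every architecture */
#endif

#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)

/* Filesystem rights in the order they entered the UAPI (bits 0..12 are ABI 1). */
#define LANDLOCK_ACCESS_FS_EXECUTE      (1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE   (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE    (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR     (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REMOVE_DIR   (1ULL << 4)
#define LANDLOCK_ACCESS_FS_REMOVE_FILE  (1ULL << 5)
#define LANDLOCK_ACCESS_FS_MAKE_CHAR    (1ULL << 6)
#define LANDLOCK_ACCESS_FS_MAKE_DIR     (1ULL << 7)
#define LANDLOCK_ACCESS_FS_MAKE_REG     (1ULL << 8)
#define LANDLOCK_ACCESS_FS_MAKE_SOCK    (1ULL << 9)
#define LANDLOCK_ACCESS_FS_MAKE_FIFO    (1ULL << 10)
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK   (1ULL << 11)
#define LANDLOCK_ACCESS_FS_MAKE_SYM     (1ULL << 12)
#define LANDLOCK_ACCESS_FS_REFER        (1ULL << 13) /* ABI 2 */
#define LANDLOCK_ACCESS_FS_TRUNCATE     (1ULL << 14) /* ABI 3 */
#define LANDLOCK_ACCESS_FS_IOCTL_DEV    (1ULL << 15) /* ABI 5 */
#define LANDLOCK_ACCESS_NET_BIND_TCP    (1ULL << 0)  /* ABI 4 */
#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)  /* ABI 4 */

/* All ABI 1 filesystem rights: bits 0..12. */
#define LANDLOCK_ACCESS_FS_ABI1 (LANDLOCK_ACCESS_FS_MAKE_SYM | (LANDLOCK_ACCESS_FS_MAKE_SYM - 1))

struct landlock_ruleset_attr {
	uint64_t handled_access_fs;
	uint64_t handled_access_net;  /* must stay 0 on kernels before ABI 4 */
};

/* Filesystem rights a kernel with this ABI version understands; 0 = no Landlock. */
uint64_t landlock_fs_access_for_abi(int abi)
{
	uint64_t fs;
	if (abi < 1)
		return 0;
	fs = LANDLOCK_ACCESS_FS_ABI1;
	if (abi >= 2) fs |= LANDLOCK_ACCESS_FS_REFER;
	if (abi >= 3) fs |= LANDLOCK_ACCESS_FS_TRUNCATE;
	if (abi >= 5) fs |= LANDLOCK_ACCESS_FS_IOCTL_DEV;
	return fs;
}

uint64_t landlock_net_access_for_abi(int abi)
{
	return abi >= 4 ? (LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP) : 0;
}

/* Ask the kernel which ABI it implements.  0 means Landlock is absent (ENOSYS:
 * not built in) or disabled (EOPNOTSUPP: not in the enabled LSM list). */
int landlock_probe_abi(void)
{
	long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	return abi < 0 ? 0 : (int)abi;
}

/* Handle exactly the rights this kernel knows.  Fields a kernel does not know
 * must be zero (the kernel rejects non-zero trailing bytes), which the mapping
 * above guarantees.  Returns the ruleset fd, or -1 with errno set. */
int landlock_create_best_effort_ruleset(int abi)
{
	struct landlock_ruleset_attr attr = {
		.handled_access_fs = landlock_fs_access_for_abi(abi),
		.handled_access_net = landlock_net_access_for_abi(abi),
	};
	if (abi < 1) {
		errno = ENOTSUP;
		return -1;
	}
	return (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
}

int main(void)
{
	int abi = landlock_probe_abi();
	if (abi == 0) {
		fprintf(stderr, "Landlock unavailable (%s); continuing unsandboxed\n", strerror(errno));
		return 1;
	}
	int fd = landlock_create_best_effort_ruleset(abi);
	if (fd < 0) {
		perror("landlock_create_ruleset");
		return 1;
	}
	/* An empty ruleset denies every handled right: add rules before enforcing it. */
	printf("ABI %d: handling fs=%#llx net=%#llx (ruleset fd %d)\n", abi,
	       (unsigned long long)landlock_fs_access_for_abi(abi),
	       (unsigned long long)landlock_net_access_for_abi(abi), fd);
	close(fd);
	return 0;
}
```

Note that ``main`` uses ``strerror``, so ``<string.h>`` is needed when building it; add the include alongside the others. The ruleset is created but not enforced here: calling ``landlock_restrict_self`` on it without any rules would deny every handled access to the caller, so rules for the paths the program needs must be added first.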
351 Kernel interface
355 -------------
357 .. kernel-doc:: include/uapi/linux/landlock.h
361 ----------------------
363 .. kernel-doc:: security/landlock/syscalls.c
366 .. kernel-doc:: include/uapi/linux/landlock.h
370 -------------------
372 .. kernel-doc:: security/landlock/syscalls.c
375 .. kernel-doc:: include/uapi/linux/landlock.h
379 -------------------
381 .. kernel-doc:: security/landlock/syscalls.c
388 --------------------------------
395 -------------------
399 come from a user-visible filesystem (e.g. pipe, socket), but can still be
401 restricted. Likewise, some special kernel filesystems such as nsfs, which can
409 --------------
420 ------------
422 Kernel memory allocated to create rulesets is accounted and can be restricted
423 by the Documentation/admin-guide/cgroup-v1/memory.rst.
429 -----------------------------------
446 -------------------------
449 always allowed when using a kernel that only supports the first or second ABI.
456 Kernel support
462 default is set with ``CONFIG_LSM``. The kernel configuration should then
467 If the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
469 Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader
476 ---------------------------------------
478 Using a user space process to enforce restrictions on kernel resources can lead
481 <https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interpos…
484 -------------------------------------
487 access-control and then miss useful features for such a use case (e.g. no
488 fine-grained restrictions). Moreover, their complexity can lead to security
500 … https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/samples/landlock/sandboxer.c