Landlock-Ing Linux (blog.prizrak.me)
30 points by razighter777 1 hour ago | 4 comments
seethishat 31 minutes ago
LandLock is a Minor LSM intended for software developers. They incorporate it into their source code to limit where the programs may read/write. Here's a simple Go example:

    package main

    import (
        "flag"
        "fmt"
        "log"
        "os"

        "github.com/landlock-lsm/go-landlock/landlock"
    )

    // Simple program that demonstrates how Landlock works in Go on Linux systems.
    // Requires a 5.13 or newer kernel, and .config should look something like this:
    // CONFIG_SECURITY_LANDLOCK=y
    // CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
    func main() {
        var help = flag.Bool("help", false, "landlock-example -f /path/to/file.txt")
        var file = flag.String("f", "", "the file path to read")

        flag.Parse()
        if *help || len(os.Args) == 1 {
            flag.PrintDefaults()
            return
        }

        // allow the program to read files in /home/user/tmp
        err := landlock.V1.RestrictPaths(landlock.RODirs("/home/user/tmp"))
        if err != nil {
            log.Fatal(err)
        }

        // attempt to read a file
        data, err := os.ReadFile(*file)
        if err != nil {
            log.Fatal(err)
        }

        fmt.Println(string(data))
    }
razighter777 14 minutes ago
Yup. In the application code itself is where landlock shines at the moment.

It's becoming increasingly usable as a wrapper for untrusted applications as well.

PeterWhittaker 57 minutes ago
So like using seccomp with a whitelist (fairly easy to do) with per-object access rights.

I'd love to see a comparison of landlock to restricted containers.

razighter777 17 minutes ago
Comparing landlock to containers isn't really an apples to apples comparison. Containers use a bunch of Linux security mechanisms together, like chroot, seccomp and user namespaces, to accomplish their goals. Landlock is just another building block that devs can use.

Fun fact: because landlock is unprivileged, you can even use it inside containers; or to build an unprivileged container runtime :)

razighter777 1 hour ago
What the Landlock LSM can add to the state of Linux security
kosolam 50 minutes ago
So it works also by using some cli utility to run my software for example?
razighter777 29 minutes ago
Yup. There are tools that use landlock to accomplish just that.

https://github.com/Zouuup/landrun

All you gotta do is apply a policy and do a fork() exec(). There is also support in firejail.

seethishat 17 minutes ago
Firejail requires SUID, LandLock does not.

Also, it's very easy to write your own LandLock policy in the programming language of your choice and wrap whatever program you like rather than downloading stuff from GitHub. Here's another example in Go:

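    package main

    import (
        "log"
        "os"
        "os/exec"

        "github.com/landlock-lsm/go-landlock/landlock"
    )

    func main() {
        // Define the LandLock policy
        err := landlock.V1.RestrictPaths(...)
        if err != nil {
            log.Fatal(err)
        }

        // Execute FireFox; the child inherits the restrictions applied above
        cmd := exec.Command("/usr/bin/firefox")
        cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
        if err := cmd.Run(); err != nil {
            log.Fatal(err)
        }
    }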
codethief 8 minutes ago