Extending Landlocked Processes

Mickaël Salaün posted a patch to improve communication
between landlocked processes. Landlock is a security module that creates an isolated “sandbox”
where a process is prevented from interacting with the rest of the system,
even if that process itself is compromised by a hostile attacker. The
ultimate goal is to allow regular user processes to isolate themselves in
this way, reducing the likelihood that they could be an entry point for an
attack against the system.

Mickaël’s patch, which didn’t get very far in the review process, aimed
specifically at allowing landlocked processes to use system calls to
manipulate other processes. To do that, he wanted to force the landlocked
process to obey any constraints that also might apply to the target process.
For example, the target process may not allow other processes to trace its
execution. In that case, the landlocked process should be prevented from
doing so.
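To make that rule concrete, here is a small userspace model added for this article (it is not code from Mickaël's patch or from the kernel). It assumes sandbox layers nest, so "the target carries every constraint the tracer carries" means the tracer's layer is the target's layer or one of its ancestors; the layer and task names are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* A sandbox layer: one Landlock policy applied to a process. Layers nest, so a
 * process that sandboxes itself again gets a child layer of its current one.
 * (Constructed model for illustration, not the kernel's data structures.) */
struct ll_layer {
    const char *name;
    const struct ll_layer *parent; /* NULL for the outermost layer */
};

/* A task points at its innermost layer; NULL means it is not landlocked. */
struct ll_task {
    const char *comm;
    const struct ll_layer *domain;
};

/* True if every restriction in `ancestor` also applies to `domain`, i.e.
 * `ancestor` is `domain` itself or one of its parents. An unsandboxed
 * tracer (ancestor == NULL) carries no restriction, so it covers everything. */
static bool ll_domain_covers(const struct ll_layer *ancestor, const struct ll_layer *domain)
{
    for (; domain; domain = domain->parent)
        if (domain == ancestor)
            return true;
    return ancestor == NULL;
}

/* Model of the ptrace access check described above: the tracer may attach
 * only to a target that is at least as constrained as the tracer itself. */
static bool ll_ptrace_allowed(const struct ll_task *tracer, const struct ll_task *target)
{
    return ll_domain_covers(tracer->domain, target->domain);
}

/* Constructed scenario: a host shell, a landlocked container, and a worker
 * that sandboxed itself a second time inside that container. */
static const struct ll_layer container_layer = { "container", NULL };
static const struct ll_layer worker_layer = { "worker", &container_layer };
static const struct ll_task host_shell = { "sh", NULL };
static const struct ll_task container_init = { "init", &container_layer };
static const struct ll_task worker = { "worker", &worker_layer };

int main(void)
{
    /* Debugging inside the container works; tracing outward is refused. */
    printf("container -> worker: %d\n", ll_ptrace_allowed(&container_init, &worker));
    printf("container -> host:   %d\n", ll_ptrace_allowed(&container_init, &host_shell));
    return 0;
}
```

The second case is the one the patch targets: a landlocked process attempting to trace a process that is less constrained than itself is denied.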

Andy Lutomirski looked at the patch and offered some technical suggestions,
but on further reflection, he felt Mickaël’s approach was too complicated. He
felt it was possible that the patch itself was simply unnecessary, but that
if it did have a value, it simply should prevent any landlocked process from
tracing another process’ execution. Andy pointed to certain kernel features
that would make the whole issue a lot more problematic. He said, “If
something like Tycho’s notifiers goes in, then it’s not obvious that, just
because you have the same set of filters, you have the same privilege.
Similarly, if a feature that lets a filter query its cgroup goes in (and you
proposed this once!), then the logic you implemented here is wrong.”

Andy’s overall assessment of landlock was, “I take this as further evidence
that Landlock makes much more sense as part of seccomp than as a totally
separate thing. We’ve very carefully reviewed these things for seccomp.
Please don’t make us do it again from scratch.”

But Mickaël felt that landlock did have some valid use cases Andy hadn’t
mentioned—for example, “running a container constrained with some Landlock
programs”. Without his patch, Mickaël felt it would be impossible for users
in that situation to debug their work. As he put it, “This patch adds the
minimal protections which are needed to have a meaningful Landlock security
policy. Without it, they may be easily bypassable, hence useless.”

And as for folding landlock into seccomp, Mickaël replied, “Landlock is more
complex than seccomp, because of its different goal. seccomp is less
restrictive because it is more simple.”