Lines Matching +full:layers +full:- +full:configurable
1 .. SPDX-License-Identifier: GPL-2.0
2 .. Copyright © 2017-2020 Mickaël Salaün <[email protected]>
3 .. Copyright © 2019-2020 ANSSI
4 .. Copyright © 2021-2022 Microsoft Corporation
16 new security layers in addition to the existing system-wide access-controls.
23 ``dmesg | grep landlock || journalctl -kb -g landlock`` .
48 ----------------------------------------
59 to be explicit about the denied-by-default access rights.
61 .. code-block:: c
90 on, it is safer to follow a best-effort security approach. Indeed, we
97 .. code-block:: c
134 .. code-block:: c
151 .. code-block:: c
181 For network access-control, we can add a set of rules that allow the use of a port
184 .. code-block:: c
199 .. code-block:: c
209 .. code-block:: c
228 --------------
232 read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to
233 ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy.
234 Following this good practice leads to self-sufficient hierarchies that do not
242 Having self-sufficient hierarchies also helps to tighten the required access
246 In this case, granting read-write access to ``~/tmp/``, instead of write-only
247 access, would potentially allow moving ``~/tmp/`` to a non-readable directory
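To put the above guidance into code, here is an added example (not part of the Landlock documentation or the kernel tree) of a best-effort sandbox: it asks the kernel for its Landlock ABI version, strips the rights that ABI does not know, grants ``$HOME/doc`` as a read-only hierarchy and ``$HOME/tmp`` as a read-write one, allows TCP connections to port 443 only, and scopes abstract UNIX sockets and signals. The ``LL_``/``ll_`` names are local mirrors of the UAPI constants and structs (values copied from ``include/uapi/linux/landlock.h``); ``best_effort_attr``, ``add_path_rule`` and ``sandbox_self`` are this example's own helpers, and the syscall numbers 444-446, glibc's ``syscall(2)`` and an absolute ``home`` argument are assumptions.

```c
/* Added example, not from the Landlock documentation or the kernel tree: a
 * best-effort sandbox that handles every right the running ABI knows, grants
 * $HOME/doc read-only and $HOME/tmp read-write, allows TCP connect to port 443
 * only, and scopes abstract UNIX sockets and signals. Assumes glibc syscall(2). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_landlock_create_ruleset /* pre-2.34 glibc headers; same numbers everywhere */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#ifndef O_PATH
#define O_PATH 010000000 /* Linux value on x86 and arm64 */
#endif

/* Mirrors of include/uapi/linux/landlock.h (same values and layouts) so this also
 * builds against headers that predate the newer ABIs. FS bits 1 and 4..12 are the
 * WRITE_FILE, REMOVE_* and MAKE_* rights. The kernel accepts an attr struct larger
 * than it knows as long as the trailing bytes are zero, so one 24-byte struct
 * serves every ABI. */
#define LL_FS_READ      ((1ULL << 0) | (1ULL << 2) | (1ULL << 3)) /* EXECUTE, READ_FILE, READ_DIR */
#define LL_FS_REFER     (1ULL << 13) /* ABI 2 */
#define LL_FS_TRUNCATE  (1ULL << 14) /* ABI 3 */
#define LL_FS_IOCTL_DEV (1ULL << 15) /* ABI 5 */
#define LL_FS_ALL       ((1ULL << 16) - 1)
#define LL_NET_BIND_TCP    (1ULL << 0) /* ABI 4 */
#define LL_NET_CONNECT_TCP (1ULL << 1) /* ABI 4 */
#define LL_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0) /* ABI 6 */
#define LL_SCOPE_SIGNAL               (1ULL << 1) /* ABI 6 */
#define LL_CREATE_RULESET_VERSION (1U << 0)
enum { LL_RULE_PATH_BENEATH = 1, LL_RULE_NET_PORT = 2 };
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net, scoped; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
struct ll_net_port_attr { uint64_t allowed_access, port; };

/* Everything we would like to restrict on the newest ABI. */
#define LL_WANT_ALL ((struct ll_ruleset_attr){ LL_FS_ALL, LL_NET_BIND_TCP | LL_NET_CONNECT_TCP, \
					       LL_SCOPE_ABSTRACT_UNIX_SOCKET | LL_SCOPE_SIGNAL })

/* Drop every right the running ABI does not know (the documentation's fall-through
 * switch): handling an unknown right makes landlock_create_ruleset() fail with EINVAL. */
struct ll_ruleset_attr best_effort_attr(int abi, struct ll_ruleset_attr want)
{
	switch (abi) {
	case 1: want.handled_access_fs &= ~LL_FS_REFER;     /* fallthrough */
	case 2: want.handled_access_fs &= ~LL_FS_TRUNCATE;  /* fallthrough */
	case 3: want.handled_access_net = 0;                /* fallthrough */
	case 4: want.handled_access_fs &= ~LL_FS_IOCTL_DEV; /* fallthrough */
	case 5: want.scoped = 0;
	}
	return want;
}

/* A rule may only grant rights the ruleset handles, hence the mask. */
static int add_path_rule(int ruleset_fd, uint64_t handled, const char *path, uint64_t access)
{
	struct ll_path_beneath_attr rule = { .allowed_access = access & handled };
	int ret;

	if ((rule.parent_fd = open(path, O_PATH | O_CLOEXEC)) < 0)
		return -1;
	ret = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &rule, 0);
	close(rule.parent_fd);
	return ret;
}

/* 0 when sandboxed, 0 (unsandboxed) when Landlock is absent, -1 with errno set otherwise. */
int sandbox_self(const char *home)
{
	char doc[4096], tmp[4096];
	struct ll_ruleset_attr attr;
	long abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
	int fd;

	if (abi < 0) { /* ENOSYS: not built in; EOPNOTSUPP: built but disabled at boot */
		fprintf(stderr, "Landlock unavailable (%s), continuing unsandboxed\n", strerror(errno));
		return 0;
	}
	attr = best_effort_attr((int)abi, LL_WANT_ALL);
	if ((fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0)) < 0)
		return -1;
	snprintf(doc, sizeof(doc), "%s/doc", home);
	snprintf(tmp, sizeof(tmp), "%s/tmp", home);
	if (add_path_rule(fd, attr.handled_access_fs, doc, LL_FS_READ) ||
	    add_path_rule(fd, attr.handled_access_fs, tmp, LL_FS_ALL))
		goto fail;
	if (attr.handled_access_net) { /* network rules exist only from ABI 4 on */
		struct ll_net_port_attr net = { LL_NET_CONNECT_TCP, 443 };
		if (syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &net, 0))
			goto fail;
	}
	/* no_new_privs is required before landlock_restrict_self() without CAP_SYS_ADMIN */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, fd, 0))
		goto fail;
	close(fd);
	return 0;
fail:
	close(fd);
	return -1;
}
```

Call ``sandbox_self(getenv("HOME"))`` once, early, before the program opens anything it will need later; it returns 0 without sandboxing when the kernel reports ENOSYS (Landlock not built in) or EOPNOTSUPP (built but not enabled at boot), which is where the ``CONFIG_LSM`` and ``lsm=`` checks on this page come in. To verify the result, probe with ``open(2)``: a denied open fails with EACCES, whereas ``access(2)`` and ``stat(2)`` are not mediated by Landlock and keep succeeding.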
250 Layers of file path access rights
251 ---------------------------------
260 a file path if all its enforced policy layers grant the access as well as all
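The stacking rule deserves a concrete model. What follows is an added example, not kernel code: a small in-memory model of how the file access rights of stacked rulesets combine. One layer grants a right to a path if at least one of its rules encountered on the path (the file or any ancestor) grants it, a right the layer does not handle is not restricted by that layer at all, and the domain grants a right only if every enforced layer does; the 16-layer limit is modelled as ``landlock_restrict_self`` does it, by failing with E2BIG. The ``ACC_*`` bits reuse the Landlock values, ``struct layer``/``struct domain`` and all function names are this example's own, and the paths in ``build_demo_domain`` are constructed sample input.

```c
/* Added example, not kernel code: a model of how Landlock combines the file
 * access rights of stacked rulesets. One layer grants a right to a path if at
 * least one of its rules on the path or an ancestor grants it (a right the layer
 * does not handle is not restricted by that layer); the domain grants a right
 * only if every layer does. Access bits reuse the Landlock values; the paths and
 * rules in build_demo_domain() are constructed sample input. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_LAYERS 16 /* documented limit on stacked rulesets */
#define MAX_RULES 4
#define ACC_WRITE_FILE (1ULL << 1)
#define ACC_READ_FILE  (1ULL << 2)
#define ACC_TRUNCATE   (1ULL << 14)

struct rule { const char *path; uint64_t allowed; };
struct layer { uint64_t handled; struct rule rules[MAX_RULES]; int nrules; };
struct domain { struct layer layers[MAX_LAYERS]; int nlayers; };

/* True if `dir` is `path` itself or one of its ancestors (whole components only,
 * so "/home/u/doc" does not cover "/home/u/document"). */
static bool is_beneath(const char *path, const char *dir)
{
	size_t n = strlen(dir);

	if (n > 1 && dir[n - 1] == '/')
		n--;
	if (strncmp(path, dir, n) != 0)
		return false;
	return n == 1 || path[n] == '\0' || path[n] == '/';
}

/* Rights granted to `path` by a single layer: the union of its matching rules,
 * plus every right this layer does not handle (denied-by-default applies only
 * to handled rights). */
static uint64_t layer_allows(const struct layer *l, const char *path)
{
	uint64_t granted = ~l->handled;
	int i;

	for (i = 0; i < l->nrules; i++)
		if (is_beneath(path, l->rules[i].path))
			granted |= l->rules[i].allowed & l->handled;
	return granted;
}

/* Rights the whole domain grants: the intersection over every enforced layer.
 * Other system access controls (DAC, other LSMs) still apply on top. */
uint64_t domain_allows(const struct domain *d, const char *path)
{
	uint64_t acc = ~0ULL;
	int i;

	for (i = 0; i < d->nlayers; i++)
		acc &= layer_allows(&d->layers[i], path);
	return acc;
}

/* Stack one more ruleset; like landlock_restrict_self(), fails with E2BIG past
 * the 16-layer limit. A new layer can only remove rights, never add them. */
int domain_enforce(struct domain *d, const struct layer *l)
{
	if (d->nlayers >= MAX_LAYERS) {
		errno = E2BIG;
		return -1;
	}
	d->layers[d->nlayers++] = *l;
	return 0;
}

/* The page's scenario: ~/doc read-only and ~/tmp read-write, then a stricter
 * layer that keeps writes only under ~/tmp/build. */
void build_demo_domain(struct domain *d)
{
	struct layer base = {
		.handled = ACC_READ_FILE | ACC_WRITE_FILE | ACC_TRUNCATE,
		.rules = { { "/home/u/doc", ACC_READ_FILE },
			   { "/home/u/tmp", ACC_READ_FILE | ACC_WRITE_FILE | ACC_TRUNCATE } },
		.nrules = 2,
	};
	struct layer tighter = {
		.handled = ACC_WRITE_FILE | ACC_TRUNCATE, /* reads are left to the first layer */
		.rules = { { "/home/u/tmp/build", ACC_WRITE_FILE | ACC_TRUNCATE } },
		.nrules = 1,
	};

	memset(d, 0, sizeof(*d));
	domain_enforce(d, &base);
	domain_enforce(d, &tighter);
}
```

With both layers enforced, ``/home/u/tmp/scratch`` is still readable but no longer writable (the second layer handles writes and has no rule covering it), ``/home/u/tmp/build/out.o`` keeps read and write, and ``/etc/passwd`` is unreadable because the first layer handles reads and grants none there. A third process-wide layer could only shrink these sets further.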
265 -------------------------
279 An OverlayFS mount point consists of upper and lower layers. These layers are
282 lower layers, but modifications performed on the merge hierarchy only reflect
283 on the upper layer. From a Landlock policy point of view, all OverlayFS layers
291 -----------
295 Documentation/userspace-api/seccomp_filter.rst) or any other LSM dealing with
308 -------------------
310 A sandboxed process has fewer privileges than a non-sandboxed process and must
314 access rights, which means the tracee must be in a sub-domain of the tracer.
317 -----------
323 non-sandboxed process through abstract :manpage:`unix(7)` sockets, we can
326 non-sandboxed process, we can specify this restriction with
329 A sandboxed process can connect to a non-sandboxed process when its domain is
332 Moreover, if a process is scoped to send signal to a non-scoped process, it can
338 scenario, a non-connected datagram socket cannot send data (with
341 A process with a scoped domain can inherit a socket created by a non-scoped
349 ----------------
353 overlap in non-intuitive ways. It is recommended to always specify both of
369 ---------------------------------------
391 ----------------------------------
404 encouraged to follow a best-effort security approach by checking the Landlock
410 ---------------------
415 .. code-block:: c
443 -------------
445 .. kernel-doc:: include/uapi/linux/landlock.h
449 ----------------------
451 .. kernel-doc:: security/landlock/syscalls.c
454 .. kernel-doc:: include/uapi/linux/landlock.h
458 -------------------
460 .. kernel-doc:: security/landlock/syscalls.c
463 .. kernel-doc:: include/uapi/linux/landlock.h
468 -------------------
470 .. kernel-doc:: security/landlock/syscalls.c
477 --------------------------------
484 -------------------
488 come from a user-visible filesystem (e.g. pipe, socket), but can still be
497 Ruleset layers
498 --------------
500 There is a limit of 16 layers of stacked rulesets. This can be an issue for a
509 ------------
512 by the Documentation/admin-guide/cgroup-v1/memory.rst.
515 -------------
519 means specifically that pre-existing file descriptors like stdin, stdout and
525 the behavior is configurable for ``TIOCSTI``.
531 Landlock's IOCTL support is coarse-grained at the moment, but may become more
532 fine-grained in the future. Until then, users are advised to establish the
540 -----------------------------------
544 Properly handling multiple layers of rulesets, each one of them able to
557 -------------------------
566 ------------------------------
574 ----------------------
585 ------------------------------
592 ----------------
604 ------------------------
615 -----------------------
619 Documentation/admin-guide/kernel-parameters.rst in the boot loader
622 For example, if the current built-in configuration is:
624 .. code-block:: console
626 $ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
631 .. code-block:: console
633 $ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
644 .. code-block:: console
646 # dmesg | grep landlock || journalctl -kb -g landlock
658 ---------------
670 ---------------------------------------
675 <https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interpos…
678 -------------------------------------
681 access-control and then miss useful features for such use case (e.g. no
682 fine-grained restrictions). Moreover, their complexity can lead to security