Here is the fourth Landlock newsletter! Official website: https://landlock.io Previews newsletter: https://lore.kernel.org/landlock/d4ed5733-d07b-5548-2534-a63e22906...@digikod.net
Articles and conferences ------------------------ We wrote a detailed article about Landlock explaining the underlying concepts, the implementation, and the community: https://landlock.io/talks/2024-06-06_landlock-article.pdf This was written for the SSTIC conference: https://www.sstic.org/2024/presentation/landlock-design/ I did a workshop at the Pass the Salt conference to explain how to mitigate security vulnerabilities with Landlock (demonstrated with ImageMagick): https://cfp.pass-the-salt.org/pts2024/talk/8FVYDF/ Related materials are freely available to do it at home: https://github.com/landlock-lsm/workshop-imagemagick Arto Niemi published a "Survey of Real-World Process Sandboxing" at the Conference of Open Innovations Association (FRUCT): https://fruct.org/publications/volume-35/fruct35/files/Niem.pdf Their conclusion: "[...] we found Landlock and minijail [which uses Landlock] to be relatively convenient from a developer perspective. In general, process self-containment and process-wrapping seems to be an order of magnitude easier to configure than MAC policies." Researchers from University of Bergamo gave a talk at ASIA CCS conference about Cage4Deno: A Fine-Grained Sandbox for Deno Subprocesses (leveraging Landlock) https://cs.unibg.it/seclab-papers/2023/ASIACCS/paper/cage4deno.pdf They also gave a talk at the RAID conference about NatiSand: Native Code Sandboxing for JavaScript Runtimes (leveraging Landlock) https://cs.unibg.it/seclab-papers/2023/RAID/natisand.pdf Eric Leblond gave a talk (in French) at the SSTIC conference about sandboxing with Landlock to mitigate real world security issues: https://www.sstic.org/2023/presentation/attaque_supply_chain_suricata/ Günther Noack will give a talk at LSS Europe about Landlock and the new IOCTL support: https://sched.co/1ebVW I'll give a talk at OSS Europe to better explain sandboxing with Landlock: https://sched.co/1ej3a The XZ backdoor --------------- XZ Utils is a widely used compression tool and library. The main maintainer implemented sandboxing with Landlock, and released a new version 5.6.0 with this feature. In March 2024, a backdoor was found and reported. It was introduced in February by a new maintainer who earned this trust after more than two years of effort. Among the malicious changes, the attacker disabled Landlock's support for XZ Utils and released a new version 5.6.1: https://research.swtch.com/xz-timeline The sabotaged configuration check has since been fixed with version 5.6.2, but this effort to stealthily disable sandboxing is a clear sign that Landlock disturbs attackers: https://github.com/tukaani-project/xz/commit/f9cf4c05edd1 Merged kernel features ---------------------- Linux 6.7 (Landlock ABI 4) supports initial network access control with the LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP rights thanks to Konstantin Meskhidze. We can now control inbound and outbound TCP connections according to the source or the destination port. This led to kernel code refactoring which opens the way to more network protocol support. See user space documentation: https://docs.kernel.org/userspace-api/landlock.html#network-flags Linux 6.10 (Landlock ABI 5) supports IOCTL control with the new LANDLOCK_ACCESS_FS_IOCTL_DEV right thanks to Günther Noack. This restriction only applies to IOCTL commands implemented by device drivers (i.e. block or character devices). As other file system access rights, this can be used to only allow such IOCTL commands on a specified set of file hierarchies per sandbox. See user space documentation: https://docs.kernel.org/userspace-api/landlock.html#filesystem-flags We also added a slight change in all supported kernels to inform system administrators (with kernel logs) how they can configure the system to support Landlock, if a process tried to sandbox itself on a kernel where Landlock is disabled. New documentation will help enable Landlock on systems when it is not already the case: https://docs.kernel.org/userspace-api/landlock.html#kernel-support Since Linux 6.3, we improved documentation and kselftests (user space testing), and added support for KUnit (kernel testing). Part of this work lead us to support the UML architecture to easily run application tests in a CI against different kernel versions. With this support we can make sure that backward compatibility works fine for the tested applications. I encourage to take a look at landlock-test-tools and the GitHub CI configuration for the Rust library: https://github.com/landlock-lsm/landlock-test-tools https://github.com/landlock-lsm/rust-landlock/blob/main/.github/workflows/rust.yml#L166-L179 Roadmap and ongoing development ------------------------------- We created GitHub issues to track ongoing and future work: https://github.com/landlock-lsm/linux/issues https://github.com/orgs/landlock-lsm/projects/1 Feel free to reach out if you want to contribute! https://github.com/landlock-lsm/linux/contribute We also plan to improve the website with extended documentation and examples. Kernel development highlights ----------------------------- Günther Noack is now an official reviewer of Landlock! https://git.kernel.org/torvalds/c/5bf9e57e634b After the IOCTL feature, he is now working on improving the documentation, including man pages. Mikhail Ivanov is working on socket type control. This is an important feature that will make it possible to create sandboxes without any network access, except for an explicit list of allowed protocols. This will nicely complement the TCP port control (and future ones for other protocols): https://github.com/landlock-lsm/linux/issues/6 He is also working on controlling TCP listen calls: https://github.com/landlock-lsm/linux/issues/15 Tahera Fahimi was selected as an Outreachy intern to work on IPC restrictions (e.g. abstract unix socket, signals) to better isolate a Landlock domain: https://github.com/landlock-lsm/linux/issues/7 https://github.com/landlock-lsm/linux/issues/8 I'm working on bringing audit support to Landlock: https://github.com/landlock-lsm/linux/issues/3 Landlock libraries ------------------ As explained by Günther Noack, the Go library now supports TCP and IOCTL restrictions: https://blog.gnoack.org/post/landlock-v4/ https://blog.gnoack.org/post/landlock-ioctl/ A new version of the Rust crate was released, with support for TCP control and some miscellaneous improvements: https://github.com/landlock-lsm/rust-landlock/releases/tag/v0.4.0 Please update your dependencies and use the latest Landlock ABI version for improved sandboxing. We are also working on a new minimal C library: https://github.com/landlock-lsm/linux/issues/38 New Landlock user space supports -------------------------------- Firejail 0.9.74 (sandboxer) will be able to use landlock: https://github.com/netblue30/firejail/pull/6078 setpriv 2.40 (sandboxer): https://github.com/util-linux/util-linux/pull/2628 extrasafe 0.4.0 (sandbox library): https://github.com/boustrophedon/extrasafe/pull/28 bevy_mod_lockdown (sandbox library): https://github.com/FrTerstappen/bevy_mod_lockdown Cloud Hypervisor (VM monitor) will be sandboxed with Landlock: https://github.com/cloud-hypervisor/cloud-hypervisor/pull/6214 Ukuleleweb (wiki server): https://github.com/gnoack/ukuleleweb/commit/0ecdd54b36fa websrv 3.2.0 (web server): https://github.com/ngergs/websrv/commit/40fa2d7d2bbb egress-eddie 0.5.0 (network filtering): https://github.com/capnspacehook/egress-eddie/releases/tag/v0.5.0 Suricata 7.0.0 (network security monitoring engine): https://docs.suricata.io/en/latest/configuration/landlock.html sslh 2.1.0 (protocol multiplexer): https://lore.kernel.org/landlock/zfq6f30spnycx...@rutschle.net/ https://github.com/yrutschle/sslh/releases/tag/v2.1.0 wireproxy 1.0.8 (Wireguard client): https://github.com/pufferffish/wireproxy/pull/108 Emilua 0.5.0 (Lua runtime): https://lore.kernel.org/landlock/CAK9RveLxro4zUG4jfFB=UNgcv5gdc8JuzNhMt=YbNhH=35a...@mail.gmail.com/ https://docs.emilua.org/api/0.5/changelog.html Polkadot (blockchain SDK): https://github.com/paritytech/polkadot/pull/7303 XZ Utils 5.6.2 (archive manager): https://github.com/tukaani-project/xz/commit/374868d81d47 Zathura (document viewer) will be sandboxed with Landlock: https://github.com/pwmt/zathura/pull/575 Pacman 7.0.0 (Arch Linux's package manager): https://gitlab.archlinux.org/pacman/pacman/-/merge_requests/167 Thanks to all contributors! Regards, Mickaël
