Landlock LSM: toward unprivileged sandboxing

Similar documents
File access-control per container with Landlock

Namespaces and Capabilities Overview and Recent Developments

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Practical Techniques to Obviate Setuid-to-Root Binaries

PROCESS MANAGEMENT Operating Systems Design Euiseong Seo

Distribution Kernel Security Hardening with ftrace

Linux Kernel Security Overview

Overlayfs And Containers. Miklos Szeredi, Red Hat Vivek Goyal, Red Hat

Virtual File System. Don Porter CSE 506

THE ROUTE TO ROOTLESS

RCU. ò Dozens of supported file systems. ò Independent layer from backing storage. ò And, of course, networked file system support

Quick Introduction to ebpf & BCC Suchakrapani Sharma. Kernel Meetup (Reserved Bit, Pune)

Azure Sphere: Fitting Linux Security in 4 MiB of RAM. Ryan Fairfax Principal Software Engineering Lead Microsoft

Linux Kernel Security Update LinuxCon Europe Berlin, 2016

Sandboxing. (1) Motivation. (2) Sandboxing Approaches. (3) Chroot

Container Isolation at Scale (... and introducing gvisor) Dawn Chen and Zhengyu He

Virtual File System. Don Porter CSE 306

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Secure Architecture Principles

Is it safe to run applications in Linux Containers?

The Challenges of XDP Hardware Offload

CSE 565 Computer Security Fall 2018

Android Kernel Security

February Syscall Filtering and You Paul Moore

Fall 2014:: CSE 506:: Section 2 (PhD) Securing Linux. Hyungjoon Koo and Anke Li

BPF Hardware Offload Deep Dive

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Containers and isolation as implemented in the Linux kernel

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

The failure of Operating Systems,

The Case for Security Enhanced (SE) Android. Stephen Smalley Trusted Systems Research National Security Agency

SELinux Sandbox. Daniel Walsh Red Hat

1 Virtualization Recap

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

13th ANNUAL WORKSHOP 2017 VERBS KERNEL ABI. Liran Liss, Matan Barak. Mellanox Technologies LTD. [March 27th, 2017 ]

Input & Output 1: File systems

What's new in the Linux kernel

Flatpak a technical walk-through. Alexander Larsson, Red Hat

Using ebpf for network traffic analysis. Samuele Sabella Luca Deri

Container mechanics in Linux and rkt FOSDEM 2016

Secure Architecture Principles

OS security mechanisms:

Rooting Android. Lecture 10. Security of Mobile Devices. SMD Rooting Android, Lecture 10 1/33

How To Write a Linux Security Module That Makes Sense For You. Casey Schaufler February 2016

Runtime Analysis. November 28, Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

TEN LAYERS OF CONTAINER SECURITY

Container Security. Daniel J Walsh Consulting Engineer Blog: danwalsh.livejournal.com

OS Containers. Michal Sekletár November 06, 2016

ebpf Debugging Infrastructure Current Techniques and Additional Proposals

SELinux. Don Porter CSE 506

Linux Security Summit Europe 2018

Building socket-aware BPF programs

Understanding user namespaces

Secure Software Programming and Vulnerability Analysis

Core Policy Management Infrastructure for SELinux

Pastures: Towards Usable Security Policy Engineering

Building blocks for Unix power tools

Data Security and Privacy. Unix Discretionary Access Control

Secure and Simple Sandboxing in SELinux

TraceLeft. A Configuration Driven ebpf Tracing Framework. Suchakra Sharma & Alban Crequy All Systems Go, 29th September 2018, Berlin

DPDK+eBPF KONSTANTIN ANANYEV INTEL

OCI Runtime Tools for Container Standardization

Lustre & SELinux: in theory and in practice

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

SMB3: Bringing High Performance File Access to Linux: A Status Update. How do you use it? What works? What is coming soon?

HTCondor: Virtualization (without Virtual Machines)

Secure Architecture Principles

Security of OS-level virtualization technologies

Using seccomp to limit the kernel attack surface

OS Security III: Sandbox and SFI

Security Assurance Requirements for Linux Application Container Deployments

How Linux Capability Works in

LSS 2016: linux-integrity subsystem status. Mimi Zohar

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Rootless Containers with runc. Aleksa Sarai Software Engineer

Seccomp. Linux Security and Isolation APIs. Outline. Michael Kerrisk, man7.org c 2017 November 2017

Secure Architecture Principles

On getting tc classifier fully programmable with cls bpf.

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

High Performance Containers. Convergence of Hyperscale, Big Data and Big Compute

Docker Security. Mika Vatanen

Status of SELinux support in Lustre

Secure Architecture Principles

Container Security. Docker London July 20, Everything You Probably Should Know

SE Linux Implementation LINUX20

Outline. Cgroup hierarchies

OS Virtualization. Linux Containers (LXC)

Security Enhanced BSD

CS2506 Quick Revision

What s new in control groups (cgroups) v2

Tizen-Meta as Security and Connectivity Layers For Yocto Project

M 3 Microkernel-based System for Heterogeneous Manycores

LSS-EU 2018: Overview and Recent Developments Linux Integrity Subsystem

Linux-CR: Transparent Application Checkpoint-Restart in Linux

Hacking and Hardening Kubernetes

Container Detection and Forensics, Gotta catch them all!

CIS 5373 Systems Security

Linux-CR: Transparent Application Checkpoint-Restart in Linux

Operating system security models

Adaptive Android Kernel Live Patching

Transcription:

Landlock LSM: toward unprivileged sandboxing Mickaël Salaün ANSSI September 14, 2017 1 / 21

Secure user-space software How to harden an application? secure development follow the least privilege principle compartmentalize exposed processes 2 / 21

Secure user-space software How to harden an application? secure development follow the least privilege principle compartmentalize exposed processes Multiple sandbox uses built-in sandboxing (tailored security policy) sandbox managers (unprivileged and dynamic compartmentalization) container managers (hardened containers) 2 / 21

What can provide the needed features? SELinux... Fine-grained control Embedded policy Unprivileged use

What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux... seccomp-bpf namespaces

What can provide the needed features? Fine-grained control Embedded policy Unprivileged use SELinux... seccomp-bpf namespaces Landlock Tailored access control to match your needs: programmatic access control 3 / 21

What can provide the needed features? SELinux... Fine-grained control Embedded policy Unprivileged use seccomp-bpf namespaces Landlock Tailored access control to match your needs: programmatic access control Example Run an application allowed to write only on a terminal. 3 / 21

Landlock overview 4 / 21

Landlock: patch v7 a minimum viable product a stackable LSM using ebpf focused on filesystem access control 5 / 21

The Linux Security Modules framework (LSM) LSM framework allow or deny user-space actions on kernel objects policy decision and enforcement points kernel API: support various security models 200+ hooks: inode permission, inode unlink, file ioctl... 6 / 21

The Linux Security Modules framework (LSM) LSM framework allow or deny user-space actions on kernel objects policy decision and enforcement points kernel API: support various security models 200+ hooks: inode permission, inode unlink, file ioctl... Landlock rule: control an action on an object event: use of a kernel object type (e.g. file) action: read, write, execute, remove, IOCTL... 6 / 21

Life cycle of a Landlock rule 7 / 21

Landlock rule example read-only access to the filesystem......but allowed to write on TTY and pipes rule enforced on each filesystem access request 8 / 21

Landlock rule example 1 SEC("landlock1") 2 int landlock_fs_rule1(struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) S_ISFIFO(mode)) 13 return 0; 14 return 1; 15 } 8 / 21

Landlock rule example 1 SEC("landlock1") 2 int landlock_fs_rule1(struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) S_ISFIFO(mode)) 13 return 0; 14 return 1; 15 } 8 / 21

Landlock rule example 1 SEC("landlock1") 2 int landlock_fs_rule1(struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) S_ISFIFO(mode)) 13 return 0; 14 return 1; 15 } 8 / 21

Landlock rule example 1 SEC("landlock1") 2 int landlock_fs_rule1(struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) S_ISFIFO(mode)) 13 return 0; 14 return 1; 15 } 8 / 21

Landlock rule example 1 SEC("landlock1") 2 int landlock_fs_rule1(struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) S_ISFIFO(mode)) 13 return 0; 14 return 1; 15 } 8 / 21

Landlock rule example 1 SEC("landlock1") 2 int landlock_fs_rule1(struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) S_ISFIFO(mode)) 13 return 0; 14 return 1; 15 } 8 / 21

Landlock rule example 1 SEC("landlock1") 2 int landlock_fs_rule1(struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) S_ISFIFO(mode)) 13 return 0; 14 return 1; 15 } 8 / 21

Landlock rule example 1 SEC("landlock1") 2 int landlock_fs_rule1(struct landlock_context *ctx) 3 { 4 int mode; 5 6 /* allow non-write actions */ 7 if (!(ctx->arg2 & LANDLOCK_ACTION_FS_WRITE)) 8 return 0; 9 /* get the file mode */ 10 mode = bpf_handle_fs_get_mode(ctx->arg1); 11 /* allow write on TTY and pipes */ 12 if (S_ISCHR(mode) S_ISFIFO(mode)) 13 return 0; 14 return 1; 15 } 8 / 21

extended Berkeley Packet Filter In-kernel virtual machine safely execute code in the kernel at run time widely used in the kernel: network filtering, seccomp-bpf, tracing... can call dedicated functions can exchange data through maps between ebpf programs and user-space 9 / 21

extended Berkeley Packet Filter In-kernel virtual machine safely execute code in the kernel at run time widely used in the kernel: network filtering, seccomp-bpf, tracing... can call dedicated functions can exchange data through maps between ebpf programs and user-space Static program verification at load time memory access checks register typing and tainting pointer leak restrictions execution flow restrictions 9 / 21

Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2.landlock_rule = { 3.event = LANDLOCK_EVENT_FS, 4.ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; 7 union bpf_attr attr = { 8.insns = bytecode_array, 9.prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10.prog_subtype = &metadata, 11 // [...] 12 }; 13 int rule_fd = bpf(bpf_prog_load, &attr, sizeof(attr)); 10 / 21

Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2.landlock_rule = { 3.event = LANDLOCK_EVENT_FS, 4.ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; 7 union bpf_attr attr = { 8.insns = bytecode_array, 9.prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10.prog_subtype = &metadata, 11 // [...] 12 }; 13 int rule_fd = bpf(bpf_prog_load, &attr, sizeof(attr)); 10 / 21

Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2.landlock_rule = { 3.event = LANDLOCK_EVENT_FS, 4.ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; 7 union bpf_attr attr = { 8.insns = bytecode_array, 9.prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10.prog_subtype = &metadata, 11 // [...] 12 }; 13 int rule_fd = bpf(bpf_prog_load, &attr, sizeof(attr)); 10 / 21

Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2.landlock_rule = { 3.event = LANDLOCK_EVENT_FS, 4.ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; 7 union bpf_attr attr = { 8.insns = bytecode_array, 9.prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10.prog_subtype = &metadata, 11 // [...] 12 }; 13 int rule_fd = bpf(bpf_prog_load, &attr, sizeof(attr)); 10 / 21

Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2.landlock_rule = { 3.event = LANDLOCK_EVENT_FS, 4.ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; 7 union bpf_attr attr = { 8.insns = bytecode_array, 9.prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10.prog_subtype = &metadata, 11 // [...] 12 }; 13 int rule_fd = bpf(bpf_prog_load, &attr, sizeof(attr)); 10 / 21

Loading a rule in the kernel 1 static union bpf_prog_subtype metadata = { 2.landlock_rule = { 3.event = LANDLOCK_EVENT_FS, 4.ability = LANDLOCK_ABILITY_DEBUG, 5 } 6 }; 7 union bpf_attr attr = { 8.insns = bytecode_array, 9.prog_type = BPF_PROG_TYPE_LANDLOCK_RULE, 10.prog_subtype = &metadata, 11 // [...] 12 }; 13 int rule_fd = bpf(bpf_prog_load, &attr, sizeof(attr)); 10 / 21

Loading a rule in the kernel 10 / 21

Applying a rule to a process 1 seccomp(seccomp_prepend_landlock_rule, 0, &rule_fd); 11 / 21

Applying a rule to a process 11 / 21

Applying a rule to a process 11 / 21

Applying a rule to a process 11 / 21

Rule enforcement on process hierarchy 12 / 21

Rule enforcement on process hierarchy 12 / 21

Rule enforcement on process hierarchy 12 / 21

Rule enforcement on process hierarchy 12 / 21

Rule enforcement on process hierarchy 12 / 21

Rule enforcement on process hierarchy 12 / 21

Demonstration #1 An (almost) read-only filesystem 13 / 21

Landlock: pending features unprivileged access control enforcement through cgroups ebpf map fsview coming next... 14 / 21

Unprivileged access control Why? embed a security policy in any application, following the least privilege principle 15 / 21

Unprivileged access control Why? embed a security policy in any application, following the least privilege principle Challenges applying a security policy requires privileges unlike SUID, Landlock should only reduce accesses prevent accesses through other processes: ptrace restrictions protect the kernel: ebpf static analysis prevent information leak: an ebpf program shall not have more access rights than the process which loaded it 15 / 21

Enforcement through cgroups Why? user/admin security policy (e.g. container): manage groups of processes 16 / 21

Enforcement through cgroups Why? user/admin security policy (e.g. container): manage groups of processes Challenges complementary to the process hierarchy rules (via seccomp(2)) processes moving in or out of a cgroup unprivileged use with cgroups delegation (e.g. user session) 16 / 21

ebpf map fsview Why? restrict access to a subset of the filesystem 17 / 21

ebpf map fsview Why? restrict access to a subset of the filesystem Challenges efficient updatable from user-space unprivileged use (i.e. no xattr) 17 / 21

ebpf map fsview Why? restrict access to a subset of the filesystem Challenges efficient updatable from user-space unprivileged use (i.e. no xattr) Proposal new ebpf map to identify a filesystem view: mount point hierarchies at a given time new ebpf function to compare a file access to such a view 17 / 21

Demonstration #2 What might a filesystem access control looks like? 18 / 21

Current roadmap Incremental upstream integration 1. minimum viable product 2. cgroups handling 3. new ebpf map type for filesystem-related checks 4. unprivileged mode 19 / 21

Landlock: wrap-up User-space hardening programmatic access control designed for unprivileged use 20 / 21

Landlock: wrap-up User-space hardening programmatic access control designed for unprivileged use Current status: patch v7 autonomous patches merged in net, security and kselftest trees security/landlock/*: 1K SLOC ongoing patch series: LKML, @l0kod growing interest for containers, secure OS and service managers 20 / 21

https://landlock.io 21 / 21

Landlock context 1 struct landlock_context { 2 u64 status; 3 u64 event; 4 u64 arg1; 5 u64 arg2; 6 }; 1 / 2

Landlock context 1 struct landlock_context { 2 u64 status; 3 u64 event; 4 u64 arg1; 5 u64 arg2; 6 }; Landlock events LANDLOCK EVENT FS 1 / 2

Landlock context 1 struct landlock_context { 2 u64 status; 3 u64 event; 4 u64 arg1; 5 u64 arg2; 6 }; Landlock events LANDLOCK EVENT FS 1 / 2

Landlock context 1 struct landlock_context { 2 u64 status; 3 u64 event; 4 u64 arg1; 5 u64 arg2; 6 }; Landlock events LANDLOCK EVENT FS Landlock actions for an FS event LANDLOCK ACTION FS EXEC LANDLOCK ACTION FS WRITE LANDLOCK ACTION FS READ LANDLOCK ACTION FS NEW LANDLOCK ACTION FS GET LANDLOCK ACTION FS REMOVE LANDLOCK ACTION FS IOCTL LANDLOCK ACTION FS LOCK LANDLOCK ACTION FS FCNTL 1 / 2

Landlock context 1 struct landlock_context { 2 u64 status; 3 u64 event; 4 u64 arg1; 5 u64 arg2; 6 }; Landlock events LANDLOCK EVENT FS LANDLOCK EVENT FS IOCTL LANDLOCK EVENT FS LOCK LANDLOCK EVENT FS FCNTL Landlock actions for an FS event LANDLOCK ACTION FS EXEC LANDLOCK ACTION FS WRITE LANDLOCK ACTION FS READ LANDLOCK ACTION FS NEW LANDLOCK ACTION FS GET LANDLOCK ACTION FS REMOVE LANDLOCK ACTION FS IOCTL LANDLOCK ACTION FS LOCK LANDLOCK ACTION FS FCNTL 1 / 2

Available ebpf functions for Landlock rules Any rule bpf handle fs get mode 2 / 2

Available ebpf functions for Landlock rules Any rule bpf handle fs get mode Debug mode: need CAP SYS ADMIN bpf get current comm bpf get current pid tgid bpf get current uid gid bpf get trace printk 2 / 2

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback