
Commit 5dbef36

specs-go/config: add Landlock LSM support
Linux kernel 5.13 adds support for the Landlock Linux Security Module (LSM). This allows unprivileged processes to create security sandboxes that restrict their own ambient rights (e.g. global filesystem access). opencontainers#1110 Signed-off-by: Kailun Qin <[email protected]>
1 parent 8961758 commit 5dbef36


2 files changed

+140
-1
lines changed


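--- a/config.md
+++ b/config.md
@@ -211,7 +211,14 @@ For Linux-based systems, the `process` object supports the following process-spe
 This is a per-process setting, where as [`disableOOMKiller`](config-linux.md#memory) is scoped for a memory cgroup.
 For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
 * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
-For more information about SELinux, see [SELinux documentation][selinux].
+For more information about SELinux, see [SELinux documentation][selinux].
+* **`landlock`** (object, OPTIONAL) specifies the Landlock unprivileged access control settings for the container process.
+For more information about Landlock, see [Landlock documentation][landlock].
+`landlock` contains the following properties:
+
+* **`ruleset`** (object, OPTIONAL) the `ruleset` field identifies a set of rules (i.e., actions on objects) that need to be handled (i.e., restricted).
+* **`rules`** (array of objects, OPTIONAL) the `rules` field specifies the security policies (i.e., actions allowed on objects) to be added to an existing ruleset
+* **`abi`** (object, OPTIONAL) the `abi` field defines the specific Landlock ABI version.
 
 ### <a name="configUser" />User
 
@@ -253,6 +260,65 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
 ],
 "apparmorProfile": "acme_secure_profile",
 "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
+"landlock": {
+"ruleset": {
+"handledAcessFS": [
+"LANDLOCK_ACCESS_FS_EXECUTE",
+"LANDLOCK_ACCESS_FS_WRITE_FILE",
+"LANDLOCK_ACCESS_FS_READ_FILE",
+"LANDLOCK_ACCESS_FS_READ_DIR",
+"LANDLOCK_ACCESS_FS_REMOVE_DIR",
+"LANDLOCK_ACCESS_FS_REMOVE_FILE",
+"LANDLOCK_ACCESS_FS_MAKE_CHAR",
+"LANDLOCK_ACCESS_FS_MAKE_DIR",
+"LANDLOCK_ACCESS_FS_MAKE_REG",
+"LANDLOCK_ACCESS_FS_MAKE_SOCK",
+"LANDLOCK_ACCESS_FS_MAKE_FIFO",
+"LANDLOCK_ACCESS_FS_MAKE_BLOCK",
+"LANDLOCK_ACCESS_FS_MAKE_SYM"
+]
+},
+"rules": [
+{
+"type": "path_beneath",
+"restrictPaths": {
+"allowedAccess": [
+"LANDLOCK_ACCESS_FS_EXECUTE",
+"LANDLOCK_ACCESS_FS_READ_FILE",
+"LANDLOCK_ACCESS_FS_READ_DIR"
+],
+"paths": [
+"/usr",
+"/bin"
+]
+}
+},
+{
+"type": "path_beneath",
+"restrictPaths": {
+"allowedAccess": [
+"LANDLOCK_ACCESS_FS_EXECUTE",
+"LANDLOCK_ACCESS_FS_WRITE_FILE",
+"LANDLOCK_ACCESS_FS_READ_FILE",
+"LANDLOCK_ACCESS_FS_READ_DIR",
+"LANDLOCK_ACCESS_FS_REMOVE_DIR",
+"LANDLOCK_ACCESS_FS_REMOVE_FILE",
+"LANDLOCK_ACCESS_FS_MAKE_CHAR",
+"LANDLOCK_ACCESS_FS_MAKE_DIR",
+"LANDLOCK_ACCESS_FS_MAKE_REG",
+"LANDLOCK_ACCESS_FS_MAKE_SOCK",
+"LANDLOCK_ACCESS_FS_MAKE_FIFO",
+"LANDLOCK_ACCESS_FS_MAKE_BLOCK",
+"LANDLOCK_ACCESS_FS_MAKE_SYM"
+],
+"paths": [
+"/tmp"
+]
+}
+},
+],
+"abi": "v1"
+},
 "noNewPrivileges": true,
 "capabilities": {
 "bounding": [
@@ -959,6 +1025,7 @@ Here is a full example `config.json` for reference.
 [apparmor]: https://wiki.ubuntu.com/AppArmor
 [cgroup-v1-memory_2]: https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt
 [selinux]:http://selinuxproject.org/page/Main_Page
+[landlock]:https://landlock.io
 [no-new-privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
 [proc_2]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt
 [umask.2]: http://pubs.opengroup.org/onlinepubs/009695399/functions/umask.html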

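--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -58,8 +58,80 @@ type Process struct {
 OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
 // SelinuxLabel specifies the selinux context that the container process is run as.
 SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+// Landlock specifies the Landlock unprivileged access control settings for the container process.
+Landlock Landlock `json:"landlock,omitempty" platform:"linux"`
 }
 
+// Landlock specifies the Landlock unprivileged access control settings for the container process.
+type Landlock struct {
+// Ruleset identifies a set of rules (i.e., actions on objects) that need to be handled.
+Ruleset LandlockRuleset `json:"ruleset,omitempty" platform:"linux"`
+// Rules are the security policies (i.e., actions allowed on objects) to be added to an existing ruleset.
+Rules []LandlockRule `json:"rules,omitempty" platform:"linux"`
+// ABI is the specific Landlock ABI version.
+ABI LandlockABIVersion `json:"abi,omitempty" platform:"linux"`
+}
+
+// LandlockRuleset identifies a set of rules (i.e., actions on objects) that need to be handled.
+type LandlockRuleset struct {
+// HandledAccessFS is a list of actions that is handled by this ruleset and should then be
+// forbidden if no rule explicitly allow them.
+HandledAccessFS []LandlockFSAction `json:"handledAcessFS,omitempty" platform:"linux"`
+}
+
+// LandlockRule represents the security policies (i.e., actions allowed on objects) .
+type LandlockRule struct {
+// Type is the Landlock rule type pointing to the rules to be added to an existing ruleset.
+Type LandlockRuleType `json:"type,omitempty" platform:"linux"`
+// RestrictPaths defines the file-hierarchy typed rule.
+RestrictPaths LandlockRestrictPaths `json:"restrictPaths,omitempty" platform:"linux"`
+}
+
+// LandlockRestrictPaths defines the file-hierarchy typed rule that grants the access rights specified by
+// `AllowedAccess` to the file hierarchies under the given `Paths`.
+type LandlockRestrictPaths struct {
+// AllowedAccess contains a list of allowed filesystem actions for the file hierarchies.
+AllowedAccess []LandlockFSAction `json:"allowedAccess,omitempty" platform:"linux"`
+// Paths are the files or parent directories of the file hierarchies to restrict.
+Paths []string `json:"paths,omitempty" platform:"linux"`
+}
+
+// LandlockABIVersion used to identify the ABI level to use for Landlock.
+type LandlockABIVersion string
+
+// Define the supported Landlock ABI versions. There is currently only one supported Landlock ABI version.
+const (
+V1 LandlockABIVersion = "v1"
+)
+
+// LandlockRuleType taken upon adding a new Landlock rule to a ruleset.
+type LandlockRuleType string
+
+// Define types for Landlock rules. There is currently only one Landlock rule type.
+const (
+PathBeneath LandlockRuleType = "path_beneath"
+)
+
+// LandlockFSAction used to specify the FS actions that are handled by a ruleset or allowed by a rule.
+type LandlockFSAction string
+
+// Define actions on files and directories that Landlock can restrict a sandboxed process to.
+const (
+FSActExecute LandlockFSAction = "LANDLOCK_ACCESS_FS_EXECUTE"
+FSActWriteFile LandlockFSAction = "LANDLOCK_ACCESS_FS_WRITE_FILE"
+FSActReadFile LandlockFSAction = "LANDLOCK_ACCESS_FS_READ_FILE"
+FSActReadDir LandlockFSAction = "LANDLOCK_ACCESS_FS_READ_DIR"
+FSActRemoveDir LandlockFSAction = "LANDLOCK_ACCESS_FS_REMOVE_DIR"
+FSActRemoveFile LandlockFSAction = "LANDLOCK_ACCESS_FS_REMOVE_FILE"
+FSActMakeChar LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_CHAR"
+FSActMakeDir LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_DIR"
+FSActMakeReg LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_REG"
+FSActMakeSock LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_SOCK"
+FSActMakeFifo LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_FIFO"
+FSActMakeBlock LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_BLOCK"
+FSActMakeSym LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_SYM"
+)
+
 // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process.
 // http://man7.org/linux/man-pages/man7/capabilities.7.html
 type LinuxCapabilities struct {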
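Review bot: The JSON tag on HandledAccessFS at new line 79 is misspelled — the tag reads `json:"handledAcessFS,omitempty"` while the field and its doc comment spell it HandledAccessFS — and because this key becomes wire format that every runtime must accept once the spec ships, it should be corrected now to `json:"handledAccessFS,omitempty"` together with the matching key in the config.md example. `omitempty` has no effect on struct-valued fields, so `Landlock Landlock` (new line 62) and `Ruleset LandlockRuleset` (line 68) will always be serialized as an empty object; other optional objects in this file appear to use pointer fields, and `Landlock *Landlock` / `Ruleset *LandlockRuleset` would let a runtime distinguish "not configured" from "configured but empty" before it decides whether to apply any restriction. The doc comments should also state what a runtime is expected to do when `landlock` is set but the kernel or runtime lacks Landlock support (fail the container or silently skip), since a silent skip changes the effective sandbox without any signal to the operator. It is worth documenting on AllowedAccess that every action listed there must also appear in the ruleset's HandledAccessFS, because the kernel rejects a rule whose access rights are not a subset of the handled set and the failure would otherwise surface only at apply time. The config.md example additionally carries a trailing comma after the last rule object, which makes the sample invalid JSON.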
