Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

libcontainer: add support for Landlock #3194

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ require (
github.com/cyphar/filepath-securejoin v0.2.3
github.com/docker/go-units v0.4.0
github.com/godbus/dbus/v5 v5.0.4
github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4
github.com/moby/sys/mountinfo v0.4.1
github.com/mrunalp/fileutils v0.5.0
github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
Expand All @@ -22,6 +23,6 @@ require (
github.com/urfave/cli v1.22.1
github.com/vishvananda/netlink v1.1.0
golang.org/x/net v0.0.0-20201224014010-6772e930b67b
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf
google.golang.org/protobuf v1.27.1
)
8 changes: 6 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4 h1:5FNPB9FxONNZ10VtNC2n15+0O4O6wfCqCBmkxm2O5x0=
github.com/landlock-lsm/go-landlock v0.0.0-20210908180355-c56710719da4/go.mod h1:wjznJ04q4Tvsbx3vkzfmgfEOe6w5dSGlXFa+xbSl9X8=
github.com/moby/sys/mountinfo v0.4.1 h1:1O+1cHA1aujwEwwVMa2Xm2l+gIpUHyd3+D+d7LZh1kM=
github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
Expand Down Expand Up @@ -76,8 +78,8 @@ golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs=
golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf h1:2ucpDCmfkl8Bd/FsLtiD653Wf96cW37s+iGx93zsu4k=
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
Expand All @@ -94,3 +96,5 @@ google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+Rur
google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
kernel.org/pub/linux/libs/security/libcap/psx v1.2.51 h1:VXVXjnTUsA9zeHIolNb6moSXZavDe1pD8Q0lPXZEOwc=
kernel.org/pub/linux/libs/security/libcap/psx v1.2.51/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
29 changes: 29 additions & 0 deletions libcontainer/configs/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (

"github.com/sirupsen/logrus"

"github.com/landlock-lsm/go-landlock/landlock"
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runtime-spec/specs-go"
)
Expand Down Expand Up @@ -81,6 +82,30 @@ type Syscall struct {
Args []*Arg `json:"args"`
}

// Landlock specifies the Landlock unprivileged access control settings for the container process.
type Landlock struct {
Ruleset *Ruleset `json:"ruleset"`
Rules *Rules `json:"rules"`
DisableBestEffort bool `json:"disableBestEffort"`
}

// Ruleset identifies a set of rules (i.e., actions on objects) that need to be handled in Landlock.
type Ruleset struct {
HandledAccessFS landlock.AccessFSSet `json:"handledAccessFS"`
}

// Rules represents the security policies (i.e., actions allowed on objects) in Landlock.
type Rules struct {
PathBeneath []*RulePathBeneath `json:"pathBeneath"`
}

// RulePathBeneath defines the file-hierarchy typed rule that grants the access rights specified by
// AllowedAccess to the file hierarchies under the given Paths in Landlock.
type RulePathBeneath struct {
AllowedAccess landlock.AccessFSSet `json:"allowedAccess"`
Paths []string `json:"paths"`
}

// TODO Windows. Many of these fields should be factored out into those parts
// which are common across platforms, and those which are platform specific.

Expand Down Expand Up @@ -209,6 +234,10 @@ type Config struct {
// RootlessCgroups is set when unlikely to have the full access to cgroups.
// When RootlessCgroups is set, cgroups errors are ignored.
RootlessCgroups bool `json:"rootless_cgroups,omitempty"`

// Landlock specifies the Landlock unprivileged access control settings for the container process.
// NoNewPrivileges must be enabled to use Landlock.
Landlock *Landlock `json:"landlock,omitempty"`
}

type (
Expand Down
35 changes: 35 additions & 0 deletions libcontainer/landlock/config.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
package landlock

import (
"fmt"

"github.com/landlock-lsm/go-landlock/landlock"
ll "github.com/landlock-lsm/go-landlock/landlock/syscall"
)

var accessFSSets = map[string]landlock.AccessFSSet{
"execute": ll.AccessFSExecute,
"write_file": ll.AccessFSWriteFile,
"read_file": ll.AccessFSReadFile,
"read_dir": ll.AccessFSReadDir,
"remove_dir": ll.AccessFSRemoveDir,
"remove_file": ll.AccessFSRemoveFile,
"make_char": ll.AccessFSMakeChar,
"make_dir": ll.AccessFSMakeDir,
"make_reg": ll.AccessFSMakeReg,
"make_sock": ll.AccessFSMakeSock,
"make_fifo": ll.AccessFSMakeFifo,
"make_block": ll.AccessFSMakeBlock,
"make_sym": ll.AccessFSMakeSym,
}

// ConvertStringToAccessFSSet converts a string into a go-landlock AccessFSSet
// access right.
// This gives more explicit control over the mapping between the permitted
// values in the spec and the ones supported in go-landlock library.
func ConvertStringToAccessFSSet(in string) (landlock.AccessFSSet, error) {
if access, ok := accessFSSets[in]; ok {
return access, nil
}
return 0, fmt.Errorf("string %s is not a valid access right for landlock", in)
}
58 changes: 58 additions & 0 deletions libcontainer/landlock/landlock.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
package landlock

import (
"errors"
"fmt"

"github.com/landlock-lsm/go-landlock/landlock"

"github.com/opencontainers/runc/libcontainer/configs"
)

// Initialize Landlock unprivileged access control for the container process
// based on the given settings.
// The specified `ruleset` identifies a set of rules (i.e., actions on objects)
// that need to be handled (i.e., restricted) by Landlock. And if no `rule`
// explicitly allow them, they should then be forbidden.
// The `disableBestEffort` input gives control over whether the best-effort
// security approach should be applied for Landlock access rights.
func InitLandlock(config *configs.Landlock) error {
if config == nil {
return errors.New("cannot initialize Landlock - nil config passed")
}

ruleset := config.Ruleset.HandledAccessFS
llConfig, err := landlock.NewConfig(ruleset)
if err != nil {
return fmt.Errorf("could not create ruleset: %w", err)
}

if !config.DisableBestEffort {
*llConfig = llConfig.BestEffort()
}

if err := llConfig.RestrictPaths(
pathAccesses(config.Rules)...,
); err != nil {
return fmt.Errorf("could not restrict paths: %w", err)
}

return nil
}

// Convert Libcontainer RulePathBeneath to go-landlock PathOpt.
func pathAccess(rule *configs.RulePathBeneath) landlock.PathOpt {
return landlock.PathAccess(rule.AllowedAccess, rule.Paths...)
}

// Convert Libcontainer Rules to an array of go-landlock PathOpt.
func pathAccesses(rules *configs.Rules) []landlock.PathOpt {
pathAccesses := []landlock.PathOpt{}

for _, rule := range rules.PathBeneath {
opt := pathAccess(rule)
pathAccesses = append(pathAccesses, opt)
}

return pathAccesses
}
7 changes: 7 additions & 0 deletions libcontainer/setns_init_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import (

"github.com/opencontainers/runc/libcontainer/apparmor"
"github.com/opencontainers/runc/libcontainer/keys"
"github.com/opencontainers/runc/libcontainer/landlock"
"github.com/opencontainers/runc/libcontainer/seccomp"
"github.com/opencontainers/runc/libcontainer/system"
)
Expand Down Expand Up @@ -86,6 +87,12 @@ func (l *linuxSetnsInit) Init() error {
if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
return err
}
// `noNewPrivileges` must be enabled to use Landlock.
if l.config.Config.Landlock != nil && l.config.NoNewPrivileges {
if err := landlock.InitLandlock(l.config.Config.Landlock); err != nil {
return fmt.Errorf("unable to init Landlock: %w", err)
}
}
// Set seccomp as close to execve as possible, so as few syscalls take
// place afterward (reducing the amount of syscalls that users need to
// enable in their seccomp profiles).
Expand Down
56 changes: 56 additions & 0 deletions libcontainer/specconv/spec_linux.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/devices"
"github.com/opencontainers/runc/libcontainer/landlock"
"github.com/opencontainers/runc/libcontainer/seccomp"
libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
"github.com/opencontainers/runtime-spec/specs-go"
Expand Down Expand Up @@ -319,6 +320,12 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
Ambient: spec.Process.Capabilities.Ambient,
}
}

landlock, err := SetupLandlock(spec.Process.Landlock)
if err != nil {
return nil, err
}
config.Landlock = landlock
}
createHooks(spec, config)
config.Version = specs.Version
Expand Down Expand Up @@ -845,6 +852,55 @@ func parseMountOptions(options []string) (int, []int, string, int) {
return flag, pgflag, strings.Join(data, ","), extFlags
}

func SetupLandlock(ll *specs.Landlock) (*configs.Landlock, error) {
if ll == nil {
return nil, nil
}

// No ruleset specified, assume landlock disabled.
if ll.Ruleset == nil || len(ll.Ruleset.HandledAccessFS) == 0 {
return nil, nil
}

newConfig := &configs.Landlock{
Ruleset: new(configs.Ruleset),
Rules: &configs.Rules{
PathBeneath: []*configs.RulePathBeneath{},
},
DisableBestEffort: ll.DisableBestEffort,
}

for _, access := range ll.Ruleset.HandledAccessFS {
newAccessFS, err := landlock.ConvertStringToAccessFSSet(string(access))
if err != nil {
return nil, err
}
newConfig.Ruleset.HandledAccessFS |= newAccessFS
}

// Loop through all Landlock path beneath rule blocks and convert them to libcontainer format.
for _, rulePath := range ll.Rules.PathBeneath {
if len(rulePath.AllowedAccess) > 0 {
newRule := configs.RulePathBeneath{
AllowedAccess: 0,
Paths: rulePath.Paths,
}

for _, access := range rulePath.AllowedAccess {
newAllowedAccess, err := landlock.ConvertStringToAccessFSSet(string(access))
if err != nil {
return nil, err
}
newRule.AllowedAccess |= newAllowedAccess
}

newConfig.Rules.PathBeneath = append(newConfig.Rules.PathBeneath, &newRule)
}
}

return newConfig, nil
}

func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
if config == nil {
return nil, nil
Expand Down
Loading