Rules deny listing

[nbouchinet-anssi]

The construction of a Landlock ruleset is based on an authorization list model. Thus, in order to sandbox an application, all necessary resources and their associated permissions must be first established (directories being recursively included).

It would be great to be able to deny itself access to specific resources (i.e. Give a RO access to / but deny access to /home).

Another benefit of this approach would be ruleset refining, in other word, dropping an access rule after ruleset enforcement.
To achieve this goal with the current API, the original ruleset contents and restrictions have to be maintained aside (i.e. an array of structure containing paths and their restrictions).
Once the task want to refines it restrictions, it can evict it from the maintained array, build back a ruleset and enforce it.
Maintaining such a data structure is cumbersome and would be made much easier by rule deny listing. (see #25)

For a first implementation, I think every Landlocks filesystem actions could be denied to the evicted resource.
Extra care should be given in order to avoid sandbox escapes, i.e. renaming a file in order to access it.
A deny rule should be applied only on resources already authorized in a Landlock ruleset.

@l0kod do you think of anything to add ?

[l0kod]

The ability to exclude some access rights on file hierarchies in a ruleset would be a very welcome feature! Even if the current deny-by-default approach is good, being able to create deny lists mixed with allowed lists would definitely be useful in practice for users (e.g. deny access to ~/.ssh).

For a first implementation, I think every Landlocks filesystem actions could be denied to the evicted resource.

It should not be much more complex to implement this approach per access right. The interface could be an extension of struct landlock_path_beneath_attr adding a new denied_access field.

Extra care should be given in order to avoid sandbox escapes, i.e. renaming a file in order to access it.

Indeed, it should always be denied to rename/move a file hierarchy containing any inode with a denied_access set. This means that we probably need to (automatically) create "taint" rules for all parents of such inode/dentry (in the same mount point). See past discussion with @thejh.

A deny rule should be applied only on resources already authorized in a Landlock ruleset.

I guess you mean on handled accesses.

[nbouchinet-anssi]

For a first implementation, I think every Landlocks filesystem actions could be denied to the evicted resource.

It should not be much more complex to implement this approach per access right. The interface could be an extension of struct landlock_path_beneath_attr adding a new denied_access field.

ACK.

Extra care should be given in order to avoid sandbox escapes, i.e. renaming a file in order to access it.

Indeed, it should always be denied to rename/move a file hierarchy containing any inode with a denied_access set. This means that we probably need to (automatically) create "taint" rules for all parents of such inode/dentry (in the same mount point). See past discussion with @thejh.

Thanks, will take a look at it.

A deny rule should be applied only on resources already authorized in a Landlock ruleset.

I guess you mean on handled accesses.

What I meant is that denying specific access right to a path should only be possible if the path already has been authorized in a allowed rule (at least on of the upper directories).

i.e. If one want to deny access to its /home/<username>/.ssh one of the upper directories should already have been allowed and enforced, either /, /home/ or /home/<username>/ for example.

Or do you see it more in a way where everything is allowed by default except denied resources for the first ruleset enforcement ?

[l0kod]

What I meant is that denying specific access right to a path should only be possible if the path already has been authorized in a allowed rule (at least on of the upper directories).

i.e. If one want to deny access to its /home/<username>/.ssh one of the upper directories should already have been allowed and enforced, either /, /home/ or /home/<username>/ for example.

OK, I get it, and that could indeed make sense for users. However, one thing to keep in mind is that this kind of property may be difficult to check because rules are not directly tied together but only to inodes (not paths nor dentries): file hierarchies are only checked when an access is requested. Moreover, a file (or a directory with bind mounts) can be accessible from different paths. For consistency, we should also get the same result whatever the rules order is, so that would mean to check this rule hierarchy when calling landlock_restrict_self(), which would be too complex and would make related errors difficult to understand.

I don't see this as an issue because adding a deny (rule) to a deny (ruleset's handled access right) would always result to a deny.

For the file rename restriction, I think we should still be able to automatically "taint" parent directories from the same mount point because the landlock_add_rule() syscall gets a struct path from which we can walk through the mount root (see collect_domain_accesses()).

Or do you see it more in a way where everything is allowed by default except denied resources for the first ruleset enforcement ?

We should stick to the current behavior: a domain should always deny by default its handled access rights.

[nbouchinet-anssi]

Noted, I'm starting to work on the issue.

[l0kod]

See related discussion.

[bboozzoo]

I planned to reply to the mailing list discussion, since it linked to this ticket I'll leave a note here. Just wanted to add that I'm looking a bit into making use of Landlock in snapd. Unfortunately snapd relies heavily on AppArmor to complete the sandbox, which means the sandbox is degraded on systems where AppArmor is not enabled. Hence we are looking for an alternative, and since Landlock support is quite ubiquitous these days, I'm investigating how much of the sandbox we can set up with it.

In our specific case, when the home interface is connected, snap sandbox gives access to $HOME, but like @nbouchinet-anssi mentioned in the first comment we do not give access to $HOME/.ssh. This can only be obtained when snap is allowed to connect a separate interface (personal-files). So definitely, being able to selectively express a deny rule for a specific filesystem object would go a long way in being able to provide a meaningful alternative.

[l0kod]

Related issue: https://gitlab.gnome.org/GNOME/localsearch/-/merge_requests/499#note_2219803

[micromaomao]

Hi @l0kod , @nbouchinet-anssi

I've also been thinking about landlock deny rules, however I thought I would comment here one particular issue, which you probably have considered already, but I have a concrete failure example.

I've noticed in the past that firejail's deny rule stops having effect when you recreate the file - I'm guessing that when the file is deleted it also causes the blacklist bind mount to disappear?

If a denial mechanism in landlock is implemented by marking the inode (which I think is probably the only sensible implementation...? given how landlock is already implemented), it will have the same "problem" (I guess whether it's a problem really depends on the intention of the process enforcing the landlock rules - maybe it wanted to deny that specific file in the first place, and don't care anymore if it is deleted).

A particularly surprising "demo" (this actually tripped me in the past):

> git config --global credential.helper
store --file /home/mao/.gitcredentials

> firejail --blacklist=$HOME/.gitcredentials /usr/bin/fish
Reading profile /etc/firejail/default.profile
...
Child process initialized in 96.23 ms
> cat .gitcredentials 
cat: .gitcredentials: Permission denied

Now, in another fresh terminal:

> git push
Everything up-to-date

Now back to the firejailed shell:

> cat .gitcredentials
https://pat:github_pat_*****@github.com

In this case it was a rename done by git credential manager, rather than actually deleting the file, but still, it shows that a deny rule implemented based on inode rather than path can fail quite easily if not careful.

(actually part of the idea behind the landlock-supervise RFC was to have a fully user-space controlled way of denying access - a supervisor can, instead of using actual inode deny rules, simulate denied files by adding allow rules / allowing the request when other files are accessed, and just not allow access to sensitive files as it sees fit (based on path, or could even be based on content / other things))

(of course, if we have mutable domains, one could also update the deny rule on an inotify event (but leaving a short gap in time where the access is allowed))

[l0kod]

File renames and deletions are indeed a valid concern.

a supervisor can, instead of using actual inode deny rules, simulate denied files by adding allow rules / allowing the request when other files are accessed, and just not allow access to sensitive files as it sees fit (based on path, or could even be based on content / other things)

The supervisor is interesting to dynamically allow or deny some requests, but for this use case, the major drawbacks of the supervisor are that:

• It would block a request, which would have a significant performance impact for this use case, which can be avoided.
• It requires a user space service, which adds a (first) dependency, making it more difficult for users to leverage this feature.
• The kernel cannot give any guarantee about this related user space code.
• It increases the risk of user space trying to interpret kernel semantic, which could lead to race conditions or inconsistent evaluations.

For this deny listing approach, it would be better that the kernel provides this feature.

An interesting approach would be to store the dentry name and be able to atomically reapply the rule when the file is recreated. This would also be useful for allow rules, but it's only a security risk for deny rules.

@nbouchinet-anssi, are you still working on this task? Any progress?