| Message ID | 20210712155745.831580-2-mic@digikod.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Add Landlock man pages | expand |
Hi Mickaël, On 7/12/21 5:57 PM, Mickaël Salaün wrote: > From: Mickaël Salaün <mic@linux.microsoft.com> > > From the user point of view, Landlock is a set of system calls enabling > to build and enforce a set of access-control rules. A ruleset can be > created with landlock_create_ruleset(2), populated with > landlock_add_rule(2) and enforced with landlock_restrict_self(2). This > man page gives an overview of the whole mechanism. Details of these > system calls are documented in their respective man pages. > > This is an adaptation of > https://www.kernel.org/doc/html/v5.13/userspace-api/landlock.html > > Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> > Link: https://lore.kernel.org/r/20210712155745.831580-2-mic@digikod.net Please see some comments below, mostly about formatting. The text looks good to me. Thanks, Alex > --- > > Changes since v1: > * Replace all ".I" with ".IR", except when used for titles. Sorry, but I actually prefer the opposite: Use .I unless you really need .IR If there was a misunderstanding about this, I'm sorry. > * Append punctuation to ".IR" and ".BR" when it makes sense (requested > by Alejandro Colomar). > * Cut lines according to the semantic newline rules (requested by > Alejandro Colomar). > * Remove roman style from ".TP" section titles (requested by Alejandro > Colomar). > * Add comma after "i.e." and "e.g.". > * Move the example in a new EXAMPLES section. > * Improve title. > * Explain the LSM acronym at first use. > --- > man7/landlock.7 | 356 ++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 356 insertions(+) > create mode 100644 man7/landlock.7 > > diff --git a/man7/landlock.7 b/man7/landlock.7 > new file mode 100644 > index 000000000000..c89f5b1cabb6 > --- /dev/null > +++ b/man7/landlock.7 > @@ -0,0 +1,356 @@ > +.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> > +.\" Copyright © 2019-2020 ANSSI > +.\" Copyright © 2021 Microsoft Corporation > +.\" > +.\" %%%LICENSE_START(VERBATIM) > +.\" Permission is granted to make and distribute verbatim copies of this > +.\" manual provided the copyright notice and this permission notice are > +.\" preserved on all copies. > +.\" > +.\" Permission is granted to copy and distribute modified versions of this > +.\" manual under the conditions for verbatim copying, provided that the > +.\" entire resulting derived work is distributed under the terms of a > +.\" permission notice identical to this one. > +.\" > +.\" Since the Linux kernel and libraries are constantly changing, this > +.\" manual page may be incorrect or out-of-date. The author(s) assume no > +.\" responsibility for errors or omissions, or for damages resulting from > +.\" the use of the information contained herein. The author(s) may not > +.\" have taken the same level of care in the production of this manual, > +.\" which is licensed free of charge, as they might when working > +.\" professionally. > +.\" > +.\" Formatted or processed versions of this manual, if unaccompanied by > +.\" the source, must acknowledge the copyright and authors of this work. > +.\" %%%LICENSE_END > +.\" > +.TH LANDLOCK 7 2021-06-27 Linux "Linux Programmer's Manual" > +.SH NAME > +Landlock \- unprivileged access-control > +.SH DESCRIPTION > +Landlock is an access-control system that enables any processes to // securely /J/ I'll add some line breaks [//] and line joins [/J/] through the email. > +restrict themselves and their future children. > +Because Landlock is a stackable Linux Security Module (LSM), > +it makes possible to create safe security sandboxes as new security layers suggested wfix: "it makes it possible" or "it is possible"? > +in addition to the existing system-wide access-controls. > +This kind of sandbox is expected to help mitigate // the security impact of /J/ > +bugs, // and unexpected or malicious behaviors in applications. See line-break fixes above. > +.PP > +A Landlock security policy is a set of access rights > +(e.g., open a file in read-only, make a directory, etc.) > +tied to a file hierarchy. > +Such policy can be configured and enforced by processes for themselves > +using three system calls: > +.IP \(bu 2 > +.BR landlock_create_ruleset (2) > +creates a new ruleset; > +.IP \(bu > +.BR landlock_add_rule (2) > +adds a new rule to a ruleset; > +.IP \(bu > +.BR landlock_restrict_self (2) > +enforces a ruleset on the calling thread. > +.PP > +To be able to use these system calls, > +the running kernel must support Landlock and // it must be enabled at boot /J/ > +time. See line-break fixes above > +.\" > +.SS Landlock rules > +A Landlock rule describes an action on an object. > +An object is currently a file hierarchy, > +and the related filesystem actions are defined with access rights (see > +.BR landlock_add_rule (2)). > +A set of rules is aggregated in a ruleset, // which can /J/ > +then restrict the thread enforcing it, // and its future children. See line-break fixes above. > +.\" > +.SS Filesystem actions > +These flags enable to restrict a sandboxed process to a // set of actions on /J/ > +files and directories. > +Files or directories opened before the sandboxing // are not subject to these /J/ > +restrictions. See line-break fixes above. > +See > +.BR landlock_add_rule (2) > +and > +.BR landlock_create_ruleset (2) > +for more context. > +.PP > +A file can only receive these access rights: > +.TP > +.B LANDLOCK_ACCESS_FS_EXECUTE > +Execute a file. > +.TP > +.B LANDLOCK_ACCESS_FS_WRITE_FILE > +Open a file with write access. > +.TP > +.B LANDLOCK_ACCESS_FS_READ_FILE > +Open a file with read access. > +.PP > +A directory can receive access rights related to files or directories. > +The following access right is applied to the directory itself, > +and the directories beneath it: > +.TP > +.B LANDLOCK_ACCESS_FS_READ_DIR > +Open a directory or list its content. > +.PP > +However, > +the following access rights only apply to the content of a directory, > +not the directory itself: > +.TP > +.B LANDLOCK_ACCESS_FS_REMOVE_DIR > +Remove an empty directory or rename one. > +.TP > +.B LANDLOCK_ACCESS_FS_REMOVE_FILE > +Unlink (or rename) a file. > +.TP > +.B LANDLOCK_ACCESS_FS_MAKE_CHAR > +Create (or rename or link) a character device. > +.TP > +.B LANDLOCK_ACCESS_FS_MAKE_DIR > +Create (or rename) a directory. > +.TP > +.B LANDLOCK_ACCESS_FS_MAKE_REG > +Create (or rename or link) a regular file. > +.TP > +.B LANDLOCK_ACCESS_FS_MAKE_SOCK > +Create (or rename or link) a UNIX domain socket. > +.TP > +.B LANDLOCK_ACCESS_FS_MAKE_FIFO > +Create (or rename or link) a named pipe. > +.TP > +.B LANDLOCK_ACCESS_FS_MAKE_BLOCK > +Create (or rename or link) a block device. > +.TP > +.B LANDLOCK_ACCESS_FS_MAKE_SYM > +Create (or rename or link) a symbolic link. > +.\" > +.SS Layers of file path access rights > +Each time a thread enforces a ruleset on itself, // it updates its Landlock /J/ See line-break fixes above > +domain with a new layer of policy. > +Indeed, this complementary policy is composed with the potentially other > +rulesets already restricting this thread. > +A sandboxed thread can then safely add more constraints to itself with a > +new enforced ruleset. > +.PP > +One policy layer grants access to a file path // if at least one of its rules /J/ > +encountered on the path grants the access. > +A sandboxed thread can only access a file path // if all its enforced policy /J/ > +layers grant the access // as well as all the other system access controls > +(e.g., filesystem DAC, other LSM policies, etc.). See line-break fixes above. > +.\" > +.SS Bind mounts and OverlayFS > +Landlock enables restricting access to file hierarchies, > +which means that these access rights can be propagated with bind mounts > +(cf. > +.BR mount_namespaces (7)) > +but not with OverlayFS. > +.PP > +A bind mount mirrors a source file hierarchy to a destination. > +The destination hierarchy is then composed of the exact same files, > +on which Landlock rules can be tied, // either via the source or the /J/ > +destination path. > +These rules restrict access when they are encountered on a path, > +which means that they can restrict access to // multiple file hierarchies at /J/ > +the same time, > +whether these hierarchies are the result of bind mounts or not. See line-break fixes above. > +.PP > +An OverlayFS mount point consists of upper and lower layers. > +These layers are combined in a merge directory, result of the mount point. > +This merge hierarchy may include files from the upper and lower layers, > +but modifications performed on the merge hierarchy // only reflects on the /J/ s/reflects/reflect/ > +upper layer. > +From a Landlock policy point of view, > +each OverlayFS layers and merge hierarchies are standalone and contains > +their own set of files and directories, > +which is different from bind mounts. Incorrect mix of singular and plural, I think. > +A policy restricting an OverlayFS layer will not restrict the resulted > +merged hierarchy, and vice versa. > +Landlock users should then only think about file hierarchies they want to > +allow access to, regardless of the underlying filesystem. > +.\" > +.SS Inheritance > +Every new thread resulting from a > +.BR clone (2) > +inherits Landlock domain restrictions from its parent. > +This is similar to the > +.BR seccomp (2) > +inheritance or any other LSM dealing with task's Not sure: s/task/a task/ or s/task's/tasks'/ > +.BR credentials (7). > +For instance, one process's thread may apply Landlock rules to itself, s/process's/process'/ > +but they will not be automatically applied to other sibling threads > +(unlike POSIX thread credential changes, cf. > +.BR nptl (7)). > +.PP > +When a thread sandboxes itself, // we have the guarantee that the related /J/ > +security policy // will stay enforced on all this thread's descendants. > +This allows creating standalone and modular security policies // per /J/ > +application, > +which will automatically be composed between themselves // according to their /J/ > +runtime parent policies. > +.\" > +.SS Ptrace restrictions > +A sandboxed process has less privileges than a non-sandboxed process and > +must then be subject to additional restrictions // when manipulating another /J/ > +process. > +To be allowed to use > +.BR ptrace (2) > +and related syscalls on a target process, > +a sandboxed process should have a subset of the target process rules, > +which means the tracee must be in a sub-domain of the tracer. > +.SH VERSIONS > +Landlock was added in Linux 5.13. > +.SH NOTES > +Landlock is enabled by CONFIG_SECURITY_LANDLOCK. .BR CONFIG_SECURITY_LANDLOCK . > +The > +.IR lsm=lsm1,...,lsmN s/.IR/.I/ > +command line parameter controls the sequence of the initialization of > +Linux Security Modules. > +It must contain the string > +.IR landlock s/.IR/.I > +to enable Landlock. > +If the command line parameter is not specified, > +the initialization falls back to the value of the deprecated > +.IR security= s/.IR/.I/ > +command line parameter and further to the value of CONFIG_LSM. > +We can check that Landlock is enabled by looking for > +.IR "landlock: Up and running." s/.IR/.I/ > +in kernel logs. > +.PP > +It is currently not possible to restrict some file-related actions > +accessible through these syscall families: When using syscall to refer to system call (not the function syscall(2)), we use the extended form "system call". > +.BR chdir (2), > +.BR truncate (2), > +.BR stat (2), > +.BR flock (2), > +.BR chmod (2), > +.BR chown (2), > +.BR setxattr (2), > +.BR utime (2), > +.BR ioctl (2), > +.BR fcntl (2), > +.BR access (2). > +Future Landlock evolutions will enable to restrict them. > +.SH EXAMPLES I'd prefer a complete example with a main function, if you can come up with such one. If not, this will be ok. > +We first need to create the ruleset that will contain our rules. > +For this example, > +the ruleset will contain rules that only allow read actions, > +but write actions will be denied. > +The ruleset then needs to handle both of these kind of actions. > +See below for the description of filesystem actions. > +.PP > +.in +4n > +.EX > +int ruleset_fd; > +struct landlock_ruleset_attr ruleset_attr = { > + .handled_access_fs = > + LANDLOCK_ACCESS_FS_EXECUTE | > + LANDLOCK_ACCESS_FS_WRITE_FILE | > + LANDLOCK_ACCESS_FS_READ_FILE | > + LANDLOCK_ACCESS_FS_READ_DIR | > + LANDLOCK_ACCESS_FS_REMOVE_DIR | > + LANDLOCK_ACCESS_FS_REMOVE_FILE | > + LANDLOCK_ACCESS_FS_MAKE_CHAR | > + LANDLOCK_ACCESS_FS_MAKE_DIR | > + LANDLOCK_ACCESS_FS_MAKE_REG | > + LANDLOCK_ACCESS_FS_MAKE_SOCK | > + LANDLOCK_ACCESS_FS_MAKE_FIFO | > + LANDLOCK_ACCESS_FS_MAKE_BLOCK | > + LANDLOCK_ACCESS_FS_MAKE_SYM, > +}; > + > +ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); > +if (ruleset_fd < 0) { > + perror("Failed to create a ruleset"); > + return 1; > +} > +.EE > +.in > +.PP > +We can now add a new rule to this ruleset thanks to the returned file > +descriptor referring to this ruleset. > +The rule will only allow reading the file hierarchy > +.IR /usr . > +Without another rule, write actions would then be denied by the ruleset. > +To add > +.IR /usr > +to the ruleset, we open it with the > +.IR O_PATH > +flag and fill the > +.IR "struct landlock_path_beneath_attr" > +with this file descriptor. > +.PP > +.in +4n > +.EX > +int err; > +struct landlock_path_beneath_attr path_beneath = { > + .allowed_access = > + LANDLOCK_ACCESS_FS_EXECUTE | > + LANDLOCK_ACCESS_FS_READ_FILE | > + LANDLOCK_ACCESS_FS_READ_DIR, > +}; > + > +path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); > +if (path_beneath.parent_fd < 0) { > + perror("Failed to open file"); > + close(ruleset_fd); > + return 1; > +} > +err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, > + &path_beneath, 0); > +close(path_beneath.parent_fd); > +if (err) { > + perror("Failed to update ruleset"); > + close(ruleset_fd); > + return 1; > +} > +.EE > +.in > +.PP > +We now have a ruleset with one rule allowing read access to > +.IR /usr > +while denying all other handled accesses for the filesystem. > +The next step is to restrict the current thread from gaining more > +privileges > +(e.g., thanks to a set-user-ID binary). > +.PP > +.in +4n > +.EX > +if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { > + perror("Failed to restrict privileges"); > + close(ruleset_fd); > + return 1; > +} > +.EE > +.in > +.PP > +The current thread is now ready to sandbox itself with the ruleset. > +.PP > +.in +4n > +.EX > +if (landlock_restrict_self(ruleset_fd, 0)) { > + perror("Failed to enforce ruleset"); > + close(ruleset_fd); > + return 1; > +} > +close(ruleset_fd); > +.EE > +.in > +.PP > +If the > +.BR landlock_restrict_self (2) > +system call succeeds, the current thread is now restricted and this policy > +will be enforced on all its subsequently created children as well. > +Once a thread is landlocked, there is no way to remove its security policy; > +only adding more restrictions is allowed. > +These threads are now in a new Landlock domain, // merge of their parent one /J/ > +(if any) with the new ruleset. > +.PP > +Full working code can be found in > +.UR https://git.kernel.org\:/pub\:/scm\:/linux\:/kernel\:/git\:/stable\:/linux.git\:/tree\:/samples\:/landlock\:/sandboxer.c > +.UE > +.SH SEE ALSO > +.BR landlock_create_ruleset (2), > +.BR landlock_add_rule (2), > +.BR landlock_restrict_self (2) > +.PP > +.UR https://landlock.io\:/ > +.UE >
Hi, Alex! [regrets for the huge CC--those not interested in English/linux-man style issues can skip this] At 2021-07-29T16:56:37+0200, Alejandro Colomar (man-pages) wrote: > On 7/12/21 5:57 PM, Mickaël Salaün wrote: > > +For instance, one process's thread may apply Landlock rules to itself, > > s/process's/process'/ Many English language authorities would disagree with you, but I'll skip digging up citations to them because the Linux man-pages project's practice is already firmly in the other direction. $ git grep "s's\>" | wc -l 322 Moreover, "process's" is extensively attested as most of those... $ git grep "process's" | wc -l 320 ...and a global change in the opposite direction from your recommendation is credited to mtk in the Changes.old file. $ grep -B2 "process' " Changes.old |head -n 3 A few files mtk s/process' /process's/ Finding examples of the opposite practice is complicated by the use of apostrophes as single quotes (these usually _aren't_ confounded by code examples, however, since it would be incorrect C language syntax to quote a string literal with them). There are many such occurrences in Changes.old; I'll skip them. The remainder are few enough that I'll quote them here. $ git grep -E "s'(\s|$)" man* man2/adjtimex.2:Linux uses David L.\& Mills' clock adjustment algorithm (see RFC\ 5905). man2/move_pages.2:.\" FIXME Describe the result if pointers in the 'pages' array are man2/utimensat.2:.\" given a 'times' array in which both tv_nsec fields are UTIME_NOW, which man2/utimensat.2:.\" provides equivalent functionality to specifying 'times' as NULL, the man3/getaddrinfo.3:.\" 2008-02-26, mtk; clarify discussion of NULL 'hints' argument; other man3/printf.3:thousands' grouping character is used. man3/printf.3:the output is to be grouped with thousands' grouping characters man3/printf.3:.\" no thousands' separator, no NaN or infinity, no "%m$" and "*m$". man3/scanf.3:This specifies that the input number may include thousands' man3/xdr.3:the array elements' C form, and their external man3/xdr.3:the array elements' C form, and their external man5/elf.5:The array element is unused and the other members' values are undefined. man5/proc.5:under the default overcommit 'guess' mode (i.e., 0 in man5/proc.5:because other nodes' memory may be free, man7/bootparam.7:The Linux kernel accepts certain 'command-line options' or 'boot time man7/bootparam.7:parameters' at the moment it is started. man7/bootparam.7:The option 'reboot=bios' will man7/bootparam.7:A SCSI device can have a number of 'subdevices' contained within man7/hier.7:Users' mailboxes. man7/mount_namespaces.7:the root directory under several users' home directories. man7/uri.7:schemes; see those tools' documentation for information on those schemes. man7/uri.7:detects the users' environment (e.g., text or graphics, man8/ld.so.8:and do not apply to those objects' children, Of the above, 1. most are correct uses of the English plural possessive ("nodes'"); 2. a few occur in comments, where they're fine if present as commentary--if they're "commented out" chunks of man page source, they should follow man page formatting rules in the event they require "resurrection"; 3. we see some uses of apostrophes as quotation marks; and 4. David L. Mills's name is marked as a plural possessive. The application of apostrophe+s to singular proper names ending in "s" is a debated issue, and there is probably some room for personal preference on the part of the bearer of the name. Two side issues: A. Regarding point 3, I'd say this illustrates advantages of using special character escape sequences like \[lq] and \[rq] for quotation. First, you will get paired quotation marks in UTF-8, PDF, and HTML output. Second, you won't encounter false positives in searches like the above. Third, you semantically enrich the content. On the downside, adopting special character escapes would likely mean having to choose between U.S. and U.K. quotation styles[1]. B. Regarding another active thread we're in, I observe man2/adjtimex.2:Linux uses David L.\& Mills' clock adjustment algorithm (see RFC\ 5905). as another case where \~ recommends itself over "\ "; this isn't even a code example, and it illustrates the desirability of decoupling non-breaking from participation in space adjustment. Popping the stack, have I persuaded you on the plural possessive front? :) Best regards, Branden [1] https://man7.org/linux/man-pages/man7/groff_char.7.html (search for "the apostrophe")
Hi Branden! On 7/30/21 12:01 AM, G. Branden Robinson wrote: > Hi, Alex! > > [regrets for the huge CC--those not interested in English/linux-man > style issues can skip this] > > At 2021-07-29T16:56:37+0200, Alejandro Colomar (man-pages) wrote: >> On 7/12/21 5:57 PM, Mickaël Salaün wrote: >>> +For instance, one process's thread may apply Landlock rules to itself, >> >> s/process's/process'/ > > Many English language authorities would disagree with you, but I'll skip > digging up citations to them because the Linux man-pages project's > practice is already firmly in the other direction. > > $ git grep "s's\>" | wc -l > 322 > > Moreover, "process's" is extensively attested as most of those... > > $ git grep "process's" | wc -l > 320 My bad. It was correct. I was wrong. I learnt today that the omission of "s" after the apostrophe is only in the case of plural nouns (I don't remember having learnt that at school :/). I suspect I probably wrote that before learning that. > > ...and a global change in the opposite direction from your > recommendation is credited to mtk in the Changes.old file. > > $ grep -B2 "process' " Changes.old |head -n 3 > A few files > mtk > s/process' /process's/ > > Finding examples of the opposite practice is complicated by the use of > apostrophes as single quotes (these usually _aren't_ confounded by code > examples, however, since it would be incorrect C language syntax to > quote a string literal with them). There are many such occurrences in > Changes.old; I'll skip them. The remainder are few enough that I'll > quote them here. > > $ git grep -E "s'(\s|$)" man* > man2/adjtimex.2:Linux uses David L.\& Mills' clock adjustment algorithm (see RFC\ 5905). > man2/move_pages.2:.\" FIXME Describe the result if pointers in the 'pages' array are > man2/utimensat.2:.\" given a 'times' array in which both tv_nsec fields are UTIME_NOW, which > man2/utimensat.2:.\" provides equivalent functionality to specifying 'times' as NULL, the > man3/getaddrinfo.3:.\" 2008-02-26, mtk; clarify discussion of NULL 'hints' argument; other > man3/printf.3:thousands' grouping character is used. > man3/printf.3:the output is to be grouped with thousands' grouping characters > man3/printf.3:.\" no thousands' separator, no NaN or infinity, no "%m$" and "*m$". > man3/scanf.3:This specifies that the input number may include thousands' > man3/xdr.3:the array elements' C form, and their external > man3/xdr.3:the array elements' C form, and their external > man5/elf.5:The array element is unused and the other members' values are undefined. > man5/proc.5:under the default overcommit 'guess' mode (i.e., 0 in > man5/proc.5:because other nodes' memory may be free, > man7/bootparam.7:The Linux kernel accepts certain 'command-line options' or 'boot time > man7/bootparam.7:parameters' at the moment it is started. > man7/bootparam.7:The option 'reboot=bios' will > man7/bootparam.7:A SCSI device can have a number of 'subdevices' contained within > man7/hier.7:Users' mailboxes. > man7/mount_namespaces.7:the root directory under several users' home directories. > man7/uri.7:schemes; see those tools' documentation for information on those schemes. > man7/uri.7:detects the users' environment (e.g., text or graphics, > man8/ld.so.8:and do not apply to those objects' children, > > Of the above, > > 1. most are correct uses of the English plural possessive ("nodes'"); > 2. a few occur in comments, where they're fine if present as > commentary--if they're "commented out" chunks of man page source, > they should follow man page formatting rules in the event they > require "resurrection"; > 3. we see some uses of apostrophes as quotation marks; and > 4. David L. Mills's name is marked as a plural possessive. The > application of apostrophe+s to singular proper names ending in "s" is > a debated issue, and there is probably some room for personal > preference on the part of the bearer of the name. > > Two side issues: > > A. Regarding point 3, I'd say this illustrates advantages of using > special character escape sequences like \[lq] and \[rq] for quotation. > First, you will get paired quotation marks in UTF-8, PDF, and HTML > output. Second, you won't encounter false positives in searches like > the above. Third, you semantically enrich the content. On the > downside, adopting special character escapes would likely mean having to > choose between U.S. and U.K. quotation styles[1]. I don't know what to do about this. For searches, if you come up with a complex enough regex, you can get rid of quotations. If we use different characters, then it will be really difficult to search for actual quotations (I don't have them on my keyboard ;). But having nicer PDF/HTML pages would be an advantage. However, I think most usage of man-pages is in the terminal, so I'd focus on the terminal. What do you think about this? > > B. Regarding another active thread we're in, I observe > > man2/adjtimex.2:Linux uses David L.\& Mills' clock adjustment algorithm (see RFC\ 5905). > > as another case where \~ recommends itself over "\ "; this isn't even a > code example, and it illustrates the desirability of decoupling > non-breaking from participation in space adjustment. Agreed. > > Popping the stack, have I persuaded you on the plural possessive front? > :) Yup :) > > Best regards, > Branden > > [1] https://man7.org/linux/man-pages/man7/groff_char.7.html (search for > "the apostrophe") >
On 29/07/2021 16:56, Alejandro Colomar (man-pages) wrote: > Hi Mickaël, > > On 7/12/21 5:57 PM, Mickaël Salaün wrote: >> From: Mickaël Salaün <mic@linux.microsoft.com> >> >> From the user point of view, Landlock is a set of system calls enabling >> to build and enforce a set of access-control rules. A ruleset can be >> created with landlock_create_ruleset(2), populated with >> landlock_add_rule(2) and enforced with landlock_restrict_self(2). This >> man page gives an overview of the whole mechanism. Details of these >> system calls are documented in their respective man pages. >> >> This is an adaptation of >> https://www.kernel.org/doc/html/v5.13/userspace-api/landlock.html >> >> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> >> Link: https://lore.kernel.org/r/20210712155745.831580-2-mic@digikod.net > > Please see some comments below, mostly about formatting. > The text looks good to me. Thanks for the review. > > Thanks, > > Alex > >> --- >> >> Changes since v1: >> * Replace all ".I" with ".IR", except when used for titles. > > Sorry, but I actually prefer the opposite: Use .I unless you really need > .IR When do we really need .IR? Isn't `.I "foo bar"` the same as `.IR foo bar`? What do you use roman for? Where can we find these preferences? The best I found was https://www.man7.org/linux/man-pages/man7/groff_man.7.html but it doesn't explain what to use. The current man pages seems to use both interchangeably. > > If there was a misunderstanding about this, I'm sorry. > >> * Append punctuation to ".IR" and ".BR" when it makes sense (requested >> by Alejandro Colomar). >> * Cut lines according to the semantic newline rules (requested by >> Alejandro Colomar). >> * Remove roman style from ".TP" section titles (requested by Alejandro >> Colomar). >> * Add comma after "i.e." and "e.g.". >> * Move the example in a new EXAMPLES section. >> * Improve title. >> * Explain the LSM acronym at first use. >> --- >> man7/landlock.7 | 356 ++++++++++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 356 insertions(+) >> create mode 100644 man7/landlock.7 >> >> diff --git a/man7/landlock.7 b/man7/landlock.7 >> new file mode 100644 >> index 000000000000..c89f5b1cabb6 >> --- /dev/null >> +++ b/man7/landlock.7 >> @@ -0,0 +1,356 @@ >> +.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> >> +.\" Copyright © 2019-2020 ANSSI >> +.\" Copyright © 2021 Microsoft Corporation >> +.\" >> +.\" %%%LICENSE_START(VERBATIM) >> +.\" Permission is granted to make and distribute verbatim copies of this >> +.\" manual provided the copyright notice and this permission notice are >> +.\" preserved on all copies. >> +.\" >> +.\" Permission is granted to copy and distribute modified versions of >> this >> +.\" manual under the conditions for verbatim copying, provided that the >> +.\" entire resulting derived work is distributed under the terms of a >> +.\" permission notice identical to this one. >> +.\" >> +.\" Since the Linux kernel and libraries are constantly changing, this >> +.\" manual page may be incorrect or out-of-date. The author(s) >> assume no >> +.\" responsibility for errors or omissions, or for damages resulting >> from >> +.\" the use of the information contained herein. The author(s) may not >> +.\" have taken the same level of care in the production of this manual, >> +.\" which is licensed free of charge, as they might when working >> +.\" professionally. >> +.\" >> +.\" Formatted or processed versions of this manual, if unaccompanied by >> +.\" the source, must acknowledge the copyright and authors of this work. >> +.\" %%%LICENSE_END >> +.\" >> +.TH LANDLOCK 7 2021-06-27 Linux "Linux Programmer's Manual" >> +.SH NAME >> +Landlock \- unprivileged access-control >> +.SH DESCRIPTION >> +Landlock is an access-control system that enables any processes to // >> securely /J/ Why adding a line break here? This line is 75 columns as stated by the documentation: https://man7.org/linux/man-pages/man7/man-pages.7.html I guess it helps for semantic newlines, right? If so, what are the rules? > > I'll add some line breaks [//] and line joins [/J/] through the email. > >> +restrict themselves and their future children. >> +Because Landlock is a stackable Linux Security Module (LSM), >> +it makes possible to create safe security sandboxes as new security >> layers > > suggested wfix: "it makes it possible" or "it is possible"? Ok > >> +in addition to the existing system-wide access-controls. >> +This kind of sandbox is expected to help mitigate // the security >> impact of /J/ > +bugs, // and unexpected or malicious behaviors in >> applications. > > See line-break fixes above. Ok > >> +.PP >> +A Landlock security policy is a set of access rights >> +(e.g., open a file in read-only, make a directory, etc.) >> +tied to a file hierarchy. >> +Such policy can be configured and enforced by processes for themselves >> +using three system calls: >> +.IP \(bu 2 >> +.BR landlock_create_ruleset (2) >> +creates a new ruleset; >> +.IP \(bu >> +.BR landlock_add_rule (2) >> +adds a new rule to a ruleset; >> +.IP \(bu >> +.BR landlock_restrict_self (2) >> +enforces a ruleset on the calling thread. >> +.PP >> +To be able to use these system calls, >> +the running kernel must support Landlock and // it must be enabled at >> boot /J/ >> +time. > > See line-break fixes above Ok > >> +.\" >> +.SS Landlock rules >> +A Landlock rule describes an action on an object. >> +An object is currently a file hierarchy, >> +and the related filesystem actions are defined with access rights (see >> +.BR landlock_add_rule (2)). >> +A set of rules is aggregated in a ruleset, // which can /J/ >> +then restrict the thread enforcing it, // and its future children. > > See line-break fixes above. Ok > >> +.\" >> +.SS Filesystem actions >> +These flags enable to restrict a sandboxed process to a // set of >> actions on /J/ >> +files and directories. > +Files or directories opened before the >> sandboxing // are not subject > to these /J/ >> +restrictions. > > See line-break fixes above. Ok > >> +See >> +.BR landlock_add_rule (2) >> +and >> +.BR landlock_create_ruleset (2) >> +for more context. >> +.PP >> +A file can only receive these access rights: >> +.TP >> +.B LANDLOCK_ACCESS_FS_EXECUTE >> +Execute a file. >> +.TP >> +.B LANDLOCK_ACCESS_FS_WRITE_FILE >> +Open a file with write access. >> +.TP >> +.B LANDLOCK_ACCESS_FS_READ_FILE >> +Open a file with read access. >> +.PP >> +A directory can receive access rights related to files or directories. >> +The following access right is applied to the directory itself, >> +and the directories beneath it: >> +.TP >> +.B LANDLOCK_ACCESS_FS_READ_DIR >> +Open a directory or list its content. >> +.PP >> +However, >> +the following access rights only apply to the content of a directory, >> +not the directory itself: >> +.TP >> +.B LANDLOCK_ACCESS_FS_REMOVE_DIR >> +Remove an empty directory or rename one. >> +.TP >> +.B LANDLOCK_ACCESS_FS_REMOVE_FILE >> +Unlink (or rename) a file. >> +.TP >> +.B LANDLOCK_ACCESS_FS_MAKE_CHAR >> +Create (or rename or link) a character device. >> +.TP >> +.B LANDLOCK_ACCESS_FS_MAKE_DIR >> +Create (or rename) a directory. >> +.TP >> +.B LANDLOCK_ACCESS_FS_MAKE_REG >> +Create (or rename or link) a regular file. >> +.TP >> +.B LANDLOCK_ACCESS_FS_MAKE_SOCK >> +Create (or rename or link) a UNIX domain socket. >> +.TP >> +.B LANDLOCK_ACCESS_FS_MAKE_FIFO >> +Create (or rename or link) a named pipe. >> +.TP >> +.B LANDLOCK_ACCESS_FS_MAKE_BLOCK >> +Create (or rename or link) a block device. >> +.TP >> +.B LANDLOCK_ACCESS_FS_MAKE_SYM >> +Create (or rename or link) a symbolic link. >> +.\" >> +.SS Layers of file path access rights >> +Each time a thread enforces a ruleset on itself, // it updates its >> Landlock /J/ > > See line-break fixes above Ok > >> +domain with a new layer of policy. >> +Indeed, this complementary policy is composed with the potentially other >> +rulesets already restricting this thread. >> +A sandboxed thread can then safely add more constraints to itself with a >> +new enforced ruleset. >> +.PP >> +One policy layer grants access to a file path // if at least one of >> its rules /J/ >> +encountered on the path grants the access. >> +A sandboxed thread can only access a file path // if all its enforced >> policy /J/ >> +layers grant the access // as well as all the other system access >> controls >> +(e.g., filesystem DAC, other LSM policies, etc.). > > See line-break fixes above. Ok > >> +.\" >> +.SS Bind mounts and OverlayFS >> +Landlock enables restricting access to file hierarchies, >> +which means that these access rights can be propagated with bind mounts >> +(cf. >> +.BR mount_namespaces (7)) >> +but not with OverlayFS. >> +.PP >> +A bind mount mirrors a source file hierarchy to a destination. >> +The destination hierarchy is then composed of the exact same files, >> +on which Landlock rules can be tied, // either via the source or the /J/ >> +destination path. >> +These rules restrict access when they are encountered on a path, >> +which means that they can restrict access to // multiple file >> hierarchies at /J/ >> +the same time, >> +whether these hierarchies are the result of bind mounts or not. > > > See line-break fixes above. Ok > >> +.PP >> +An OverlayFS mount point consists of upper and lower layers. >> +These layers are combined in a merge directory, result of the mount >> point. >> +This merge hierarchy may include files from the upper and lower layers, >> +but modifications performed on the merge hierarchy // only reflects >> on the /J/ > > s/reflects/reflect/ Ok > >> +upper layer. >> +From a Landlock policy point of view, >> +each OverlayFS layers and merge hierarchies are standalone and contains >> +their own set of files and directories, >> +which is different from bind mounts. > > > Incorrect mix of singular and plural, I think. Is it OK with s/contains/contain/? > >> +A policy restricting an OverlayFS layer will not restrict the resulted >> +merged hierarchy, and vice versa. >> +Landlock users should then only think about file hierarchies they >> want to >> +allow access to, regardless of the underlying filesystem. >> +.\" >> +.SS Inheritance >> +Every new thread resulting from a >> +.BR clone (2) >> +inherits Landlock domain restrictions from its parent. >> +This is similar to the >> +.BR seccomp (2) >> +inheritance or any other LSM dealing with task's > > Not sure: > > s/task/a task/ > or > s/task's/tasks'/ I'll take "tasks'". > >> +.BR credentials (7). >> +For instance, one process's thread may apply Landlock rules to itself, > > s/process's/process'/ As pointed out by Branden, this is correct. > >> +but they will not be automatically applied to other sibling threads >> +(unlike POSIX thread credential changes, cf. >> +.BR nptl (7)). >> +.PP >> +When a thread sandboxes itself, // we have the guarantee that the >> related /J/ >> +security policy // will stay enforced on all this thread's descendants. >> +This allows creating standalone and modular security policies // per /J/ >> +application, >> +which will automatically be composed between themselves // according >> to their /J/ >> +runtime parent policies. >> +.\" >> +.SS Ptrace restrictions >> +A sandboxed process has less privileges than a non-sandboxed process and >> +must then be subject to additional restrictions // when manipulating >> another /J/ >> +process. >> +To be allowed to use >> +.BR ptrace (2) >> +and related syscalls on a target process, >> +a sandboxed process should have a subset of the target process rules, >> +which means the tracee must be in a sub-domain of the tracer. >> +.SH VERSIONS >> +Landlock was added in Linux 5.13. >> +.SH NOTES >> +Landlock is enabled by CONFIG_SECURITY_LANDLOCK. > > .BR CONFIG_SECURITY_LANDLOCK . Ok > >> +The >> +.IR lsm=lsm1,...,lsmN > > s/.IR/.I/ Ok > >> +command line parameter controls the sequence of the initialization of >> +Linux Security Modules. >> +It must contain the string >> +.IR landlock > > s/.IR/.I Ok > >> +to enable Landlock. >> +If the command line parameter is not specified, >> +the initialization falls back to the value of the deprecated >> +.IR security= > > s/.IR/.I/ Ok > >> +command line parameter and further to the value of CONFIG_LSM. >> +We can check that Landlock is enabled by looking for >> +.IR "landlock: Up and running." > > s/.IR/.I/ Ok > >> +in kernel logs. >> +.PP >> +It is currently not possible to restrict some file-related actions >> +accessible through these syscall families: > > When using syscall to refer to system call (not the function syscall(2)), > we use the extended form "system call". Ok > >> +.BR chdir (2), >> +.BR truncate (2), >> +.BR stat (2), >> +.BR flock (2), >> +.BR chmod (2), >> +.BR chown (2), >> +.BR setxattr (2), >> +.BR utime (2), >> +.BR ioctl (2), >> +.BR fcntl (2), >> +.BR access (2). >> +Future Landlock evolutions will enable to restrict them. >> +.SH EXAMPLES > I'd prefer a complete example with a main function, if you can come up > with such one. If not, this will be ok. I think it is clearer to not to use a full main to explain these basic steps. A full working example is linked though. > > >> +We first need to create the ruleset that will contain our rules. >> +For this example, >> +the ruleset will contain rules that only allow read actions, >> +but write actions will be denied. >> +The ruleset then needs to handle both of these kind of actions. >> +See below for the description of filesystem actions. >> +.PP >> +.in +4n >> +.EX >> +int ruleset_fd; >> +struct landlock_ruleset_attr ruleset_attr = { >> + .handled_access_fs = >> + LANDLOCK_ACCESS_FS_EXECUTE | >> + LANDLOCK_ACCESS_FS_WRITE_FILE | >> + LANDLOCK_ACCESS_FS_READ_FILE | >> + LANDLOCK_ACCESS_FS_READ_DIR | >> + LANDLOCK_ACCESS_FS_REMOVE_DIR | >> + LANDLOCK_ACCESS_FS_REMOVE_FILE | >> + LANDLOCK_ACCESS_FS_MAKE_CHAR | >> + LANDLOCK_ACCESS_FS_MAKE_DIR | >> + LANDLOCK_ACCESS_FS_MAKE_REG | >> + LANDLOCK_ACCESS_FS_MAKE_SOCK | >> + LANDLOCK_ACCESS_FS_MAKE_FIFO | >> + LANDLOCK_ACCESS_FS_MAKE_BLOCK | >> + LANDLOCK_ACCESS_FS_MAKE_SYM, >> +}; >> + >> +ruleset_fd = landlock_create_ruleset(&ruleset_attr, >> sizeof(ruleset_attr), 0); >> +if (ruleset_fd < 0) { >> + perror("Failed to create a ruleset"); >> + return 1; >> +} >> +.EE >> +.in >> +.PP >> +We can now add a new rule to this ruleset thanks to the returned file >> +descriptor referring to this ruleset. >> +The rule will only allow reading the file hierarchy >> +.IR /usr . Why ".IR" is correct here? >> +Without another rule, write actions would then be denied by the ruleset. >> +To add >> +.IR /usr >> +to the ruleset, we open it with the >> +.IR O_PATH >> +flag and fill the >> +.IR "struct landlock_path_beneath_attr" >> +with this file descriptor. >> +.PP >> +.in +4n >> +.EX >> +int err; >> +struct landlock_path_beneath_attr path_beneath = { >> + .allowed_access = >> + LANDLOCK_ACCESS_FS_EXECUTE | >> + LANDLOCK_ACCESS_FS_READ_FILE | >> + LANDLOCK_ACCESS_FS_READ_DIR, >> +}; >> + >> +path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); >> +if (path_beneath.parent_fd < 0) { >> + perror("Failed to open file"); >> + close(ruleset_fd); >> + return 1; >> +} >> +err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, >> + &path_beneath, 0); >> +close(path_beneath.parent_fd); >> +if (err) { >> + perror("Failed to update ruleset"); >> + close(ruleset_fd); >> + return 1; >> +} >> +.EE >> +.in >> +.PP >> +We now have a ruleset with one rule allowing read access to >> +.IR /usr >> +while denying all other handled accesses for the filesystem. >> +The next step is to restrict the current thread from gaining more >> +privileges >> +(e.g., thanks to a set-user-ID binary). >> +.PP >> +.in +4n >> +.EX >> +if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { >> + perror("Failed to restrict privileges"); >> + close(ruleset_fd); >> + return 1; >> +} >> +.EE >> +.in >> +.PP >> +The current thread is now ready to sandbox itself with the ruleset. >> +.PP >> +.in +4n >> +.EX >> +if (landlock_restrict_self(ruleset_fd, 0)) { >> + perror("Failed to enforce ruleset"); >> + close(ruleset_fd); >> + return 1; >> +} >> +close(ruleset_fd); >> +.EE >> +.in >> +.PP >> +If the >> +.BR landlock_restrict_self (2) >> +system call succeeds, the current thread is now restricted and this >> policy >> +will be enforced on all its subsequently created children as well. >> +Once a thread is landlocked, there is no way to remove its security >> policy; >> +only adding more restrictions is allowed. >> +These threads are now in a new Landlock domain, // merge of their >> parent one /J/ >> +(if any) with the new ruleset. >> +.PP >> +Full working code can be found in >> +.UR >> https://git.kernel.org\:/pub\:/scm\:/linux\:/kernel\:/git\:/stable\:/linux.git\:/tree\:/samples\:/landlock\:/sandboxer.c >> >> +.UE >> +.SH SEE ALSO >> +.BR landlock_create_ruleset (2), >> +.BR landlock_add_rule (2), >> +.BR landlock_restrict_self (2) >> +.PP >> +.UR https://landlock.io\:/ >> +.UE >> > >
On 7/30/21 2:15 PM, Mickaël Salaün wrote: > > On 29/07/2021 16:56, Alejandro Colomar (man-pages) wrote: >> Hi Mickaël, >> >> On 7/12/21 5:57 PM, Mickaël Salaün wrote: >>> From: Mickaël Salaün <mic@linux.microsoft.com> >>> >>> From the user point of view, Landlock is a set of system calls enabling >>> to build and enforce a set of access-control rules. A ruleset can be >>> created with landlock_create_ruleset(2), populated with >>> landlock_add_rule(2) and enforced with landlock_restrict_self(2). This >>> man page gives an overview of the whole mechanism. Details of these >>> system calls are documented in their respective man pages. >>> >>> This is an adaptation of >>> https://www.kernel.org/doc/html/v5.13/userspace-api/landlock.html >>> >>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> >>> Link: https://lore.kernel.org/r/20210712155745.831580-2-mic@digikod.net >> >> Please see some comments below, mostly about formatting. >> The text looks good to me. > > Thanks for the review. > >> >> Thanks, >> >> Alex >> >>> --- >>> >>> Changes since v1: >>> * Replace all ".I" with ".IR", except when used for titles. >> >> Sorry, but I actually prefer the opposite: Use .I unless you really need >> .IR > > When do we really need .IR? Isn't `.I "foo bar"` the same as `.IR foo > bar`? What do you use roman for? > > Where can we find these preferences? The best I found was > https://www.man7.org/linux/man-pages/man7/groff_man.7.html but it > doesn't explain what to use. The current man pages seems to use both > interchangeably. I was going to point you to groff_man(7), but you're right that it doesn't explain it really well for someone new to groff. Maybe some examples would help, but then the manual page would grow too much, so a bit of testing may be better than trying to have an extensive manual page. So when to use each, and when any can fit: .IR can do anything that .I can do. It's a "superset" of .I in terms of output (ignoring that the input to get such output is different). But .I is simpler and more readable when wanting .I behavior, so let's use .I for .I, and .IR only when roman is needed. I means italics (which in the terminal is underscored, but ok); R means roman (i.e., normal text) For the following examples, I'll use uppercase to mean italics. .I transforms everything to the right of it into italics, respecting spaces. Therefore, .I doesn't require you to use quotes. If you want two (or one) separate words in italics, you can use: .I hello world which will print: HELLO WORLD .IR on the other hand, alternates roman and bold breaking at spaces (which are not translated into the output). Example: .IR hello beautiful world which will print: HELLObeautifulWORLD This is usually used when formatting a word that is followed by puntuation, as normally you don't want puntuation to be formatted, so you'll typically see (especially at the end of a sentence): .IR size_t . which will print: SIZE_T. (the period is not formatted) You could use .IR (but don't) to imitate .I: .IR hello which will print: HELLO In the example above, as we didn't specify a roman part, it is just as an .I When you need spaces to be respected with .IR, you need quotes: .IR hello "beautiful world" HELLObeautiful world This is useful for formatting names consisting of two words next to punctuation: .IR "hello world" . HELLO WORLD. (the period is not in italics) I hope this was helpful :) Cheers, Alex But, let's use .I CC: Branden > >> >> If there was a misunderstanding about this, I'm sorry. >> >>> * Append punctuation to ".IR" and ".BR" when it makes sense (requested >>> by Alejandro Colomar). >>> * Cut lines according to the semantic newline rules (requested by >>> Alejandro Colomar). >>> * Remove roman style from ".TP" section titles (requested by Alejandro >>> Colomar). >>> * Add comma after "i.e." and "e.g.". >>> * Move the example in a new EXAMPLES section. >>> * Improve title. >>> * Explain the LSM acronym at first use. >>> --- >>> man7/landlock.7 | 356 ++++++++++++++++++++++++++++++++++++++++++++++++ >>> 1 file changed, 356 insertions(+) >>> create mode 100644 man7/landlock.7 >>> >>> diff --git a/man7/landlock.7 b/man7/landlock.7 >>> new file mode 100644 >>> index 000000000000..c89f5b1cabb6 >>> --- /dev/null >>> +++ b/man7/landlock.7 >>> @@ -0,0 +1,356 @@ >>> +.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> >>> +.\" Copyright © 2019-2020 ANSSI >>> +.\" Copyright © 2021 Microsoft Corporation >>> +.\" >>> +.\" %%%LICENSE_START(VERBATIM) >>> +.\" Permission is granted to make and distribute verbatim copies of this >>> +.\" manual provided the copyright notice and this permission notice are >>> +.\" preserved on all copies. >>> +.\" >>> +.\" Permission is granted to copy and distribute modified versions of >>> this >>> +.\" manual under the conditions for verbatim copying, provided that the >>> +.\" entire resulting derived work is distributed under the terms of a >>> +.\" permission notice identical to this one. >>> +.\" >>> +.\" Since the Linux kernel and libraries are constantly changing, this >>> +.\" manual page may be incorrect or out-of-date. The author(s) >>> assume no >>> +.\" responsibility for errors or omissions, or for damages resulting >>> from >>> +.\" the use of the information contained herein. The author(s) may not >>> +.\" have taken the same level of care in the production of this manual, >>> +.\" which is licensed free of charge, as they might when working >>> +.\" professionally. >>> +.\" >>> +.\" Formatted or processed versions of this manual, if unaccompanied by >>> +.\" the source, must acknowledge the copyright and authors of this work. >>> +.\" %%%LICENSE_END >>> +.\" >>> +.TH LANDLOCK 7 2021-06-27 Linux "Linux Programmer's Manual" >>> +.SH NAME >>> +Landlock \- unprivileged access-control >>> +.SH DESCRIPTION >>> +Landlock is an access-control system that enables any processes to // >>> securely /J/ > > Why adding a line break here? This line is 75 columns as stated by the > documentation: https://man7.org/linux/man-pages/man7/man-pages.7.html > I guess it helps for semantic newlines, right? If so, what are the rules? > >> >> I'll add some line breaks [//] and line joins [/J/] through the email. >> >>> +restrict themselves and their future children. >>> +Because Landlock is a stackable Linux Security Module (LSM), >>> +it makes possible to create safe security sandboxes as new security >>> layers >> >> suggested wfix: "it makes it possible" or "it is possible"? > > Ok > >> >>> +in addition to the existing system-wide access-controls. >>> +This kind of sandbox is expected to help mitigate // the security >>> impact of /J/ > +bugs, // and unexpected or malicious behaviors in >>> applications. >> >> See line-break fixes above. > > Ok > >> >>> +.PP >>> +A Landlock security policy is a set of access rights >>> +(e.g., open a file in read-only, make a directory, etc.) >>> +tied to a file hierarchy. >>> +Such policy can be configured and enforced by processes for themselves >>> +using three system calls: >>> +.IP \(bu 2 >>> +.BR landlock_create_ruleset (2) >>> +creates a new ruleset; >>> +.IP \(bu >>> +.BR landlock_add_rule (2) >>> +adds a new rule to a ruleset; >>> +.IP \(bu >>> +.BR landlock_restrict_self (2) >>> +enforces a ruleset on the calling thread. >>> +.PP >>> +To be able to use these system calls, >>> +the running kernel must support Landlock and // it must be enabled at >>> boot /J/ >>> +time. >> >> See line-break fixes above > > Ok > >> >>> +.\" >>> +.SS Landlock rules >>> +A Landlock rule describes an action on an object. >>> +An object is currently a file hierarchy, >>> +and the related filesystem actions are defined with access rights (see >>> +.BR landlock_add_rule (2)). >>> +A set of rules is aggregated in a ruleset, // which can /J/ >>> +then restrict the thread enforcing it, // and its future children. >> >> See line-break fixes above. > > Ok > >> >>> +.\" >>> +.SS Filesystem actions >>> +These flags enable to restrict a sandboxed process to a // set of >>> actions on /J/ >>> +files and directories. > +Files or directories opened before the >>> sandboxing // are not subject >> to these /J/ >>> +restrictions. >> >> See line-break fixes above. > > Ok > >> >>> +See >>> +.BR landlock_add_rule (2) >>> +and >>> +.BR landlock_create_ruleset (2) >>> +for more context. >>> +.PP >>> +A file can only receive these access rights: >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_EXECUTE >>> +Execute a file. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_WRITE_FILE >>> +Open a file with write access. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_READ_FILE >>> +Open a file with read access. >>> +.PP >>> +A directory can receive access rights related to files or directories. >>> +The following access right is applied to the directory itself, >>> +and the directories beneath it: >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_READ_DIR >>> +Open a directory or list its content. >>> +.PP >>> +However, >>> +the following access rights only apply to the content of a directory, >>> +not the directory itself: >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_REMOVE_DIR >>> +Remove an empty directory or rename one. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_REMOVE_FILE >>> +Unlink (or rename) a file. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_MAKE_CHAR >>> +Create (or rename or link) a character device. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_MAKE_DIR >>> +Create (or rename) a directory. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_MAKE_REG >>> +Create (or rename or link) a regular file. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_MAKE_SOCK >>> +Create (or rename or link) a UNIX domain socket. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_MAKE_FIFO >>> +Create (or rename or link) a named pipe. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_MAKE_BLOCK >>> +Create (or rename or link) a block device. >>> +.TP >>> +.B LANDLOCK_ACCESS_FS_MAKE_SYM >>> +Create (or rename or link) a symbolic link. >>> +.\" >>> +.SS Layers of file path access rights >>> +Each time a thread enforces a ruleset on itself, // it updates its >>> Landlock /J/ >> >> See line-break fixes above > > Ok > >> >>> +domain with a new layer of policy. >>> +Indeed, this complementary policy is composed with the potentially other >>> +rulesets already restricting this thread. >>> +A sandboxed thread can then safely add more constraints to itself with a >>> +new enforced ruleset. >>> +.PP >>> +One policy layer grants access to a file path // if at least one of >>> its rules /J/ >>> +encountered on the path grants the access. >>> +A sandboxed thread can only access a file path // if all its enforced >>> policy /J/ >>> +layers grant the access // as well as all the other system access >>> controls >>> +(e.g., filesystem DAC, other LSM policies, etc.). >> >> See line-break fixes above. > > Ok > >> >>> +.\" >>> +.SS Bind mounts and OverlayFS >>> +Landlock enables restricting access to file hierarchies, >>> +which means that these access rights can be propagated with bind mounts >>> +(cf. >>> +.BR mount_namespaces (7)) >>> +but not with OverlayFS. >>> +.PP >>> +A bind mount mirrors a source file hierarchy to a destination. >>> +The destination hierarchy is then composed of the exact same files, >>> +on which Landlock rules can be tied, // either via the source or the /J/ >>> +destination path. >>> +These rules restrict access when they are encountered on a path, >>> +which means that they can restrict access to // multiple file >>> hierarchies at /J/ >>> +the same time, >>> +whether these hierarchies are the result of bind mounts or not. >> >> >> See line-break fixes above. > > Ok > >> >>> +.PP >>> +An OverlayFS mount point consists of upper and lower layers. >>> +These layers are combined in a merge directory, result of the mount >>> point. >>> +This merge hierarchy may include files from the upper and lower layers, >>> +but modifications performed on the merge hierarchy // only reflects >>> on the /J/ >> >> s/reflects/reflect/ > > Ok > >> >>> +upper layer. >>> +From a Landlock policy point of view, >>> +each OverlayFS layers and merge hierarchies are standalone and contains >>> +their own set of files and directories, >>> +which is different from bind mounts. >> >> >> Incorrect mix of singular and plural, I think. > > Is it OK with s/contains/contain/? > >> >>> +A policy restricting an OverlayFS layer will not restrict the resulted >>> +merged hierarchy, and vice versa. >>> +Landlock users should then only think about file hierarchies they >>> want to >>> +allow access to, regardless of the underlying filesystem. >>> +.\" >>> +.SS Inheritance >>> +Every new thread resulting from a >>> +.BR clone (2) >>> +inherits Landlock domain restrictions from its parent. >>> +This is similar to the >>> +.BR seccomp (2) >>> +inheritance or any other LSM dealing with task's >> >> Not sure: >> >> s/task/a task/ >> or >> s/task's/tasks'/ > > I'll take "tasks'". > >> >>> +.BR credentials (7). >>> +For instance, one process's thread may apply Landlock rules to itself, >> >> s/process's/process'/ > > As pointed out by Branden, this is correct. > >> >>> +but they will not be automatically applied to other sibling threads >>> +(unlike POSIX thread credential changes, cf. >>> +.BR nptl (7)). >>> +.PP >>> +When a thread sandboxes itself, // we have the guarantee that the >>> related /J/ >>> +security policy // will stay enforced on all this thread's descendants. >>> +This allows creating standalone and modular security policies // per /J/ >>> +application, >>> +which will automatically be composed between themselves // according >>> to their /J/ >>> +runtime parent policies. >>> +.\" >>> +.SS Ptrace restrictions >>> +A sandboxed process has less privileges than a non-sandboxed process and >>> +must then be subject to additional restrictions // when manipulating >>> another /J/ >>> +process. >>> +To be allowed to use >>> +.BR ptrace (2) >>> +and related syscalls on a target process, >>> +a sandboxed process should have a subset of the target process rules, >>> +which means the tracee must be in a sub-domain of the tracer. >>> +.SH VERSIONS >>> +Landlock was added in Linux 5.13. >>> +.SH NOTES >>> +Landlock is enabled by CONFIG_SECURITY_LANDLOCK. >> >> .BR CONFIG_SECURITY_LANDLOCK . > > Ok > >> >>> +The >>> +.IR lsm=lsm1,...,lsmN >> >> s/.IR/.I/ > > Ok > >> >>> +command line parameter controls the sequence of the initialization of >>> +Linux Security Modules. >>> +It must contain the string >>> +.IR landlock >> >> s/.IR/.I > > Ok > >> >>> +to enable Landlock. >>> +If the command line parameter is not specified, >>> +the initialization falls back to the value of the deprecated >>> +.IR security= >> >> s/.IR/.I/ > > Ok > >> >>> +command line parameter and further to the value of CONFIG_LSM. >>> +We can check that Landlock is enabled by looking for >>> +.IR "landlock: Up and running." >> >> s/.IR/.I/ > > Ok > >> >>> +in kernel logs. >>> +.PP >>> +It is currently not possible to restrict some file-related actions >>> +accessible through these syscall families: >> >> When using syscall to refer to system call (not the function syscall(2)), >> we use the extended form "system call". > > Ok > >> >>> +.BR chdir (2), >>> +.BR truncate (2), >>> +.BR stat (2), >>> +.BR flock (2), >>> +.BR chmod (2), >>> +.BR chown (2), >>> +.BR setxattr (2), >>> +.BR utime (2), >>> +.BR ioctl (2), >>> +.BR fcntl (2), >>> +.BR access (2). >>> +Future Landlock evolutions will enable to restrict them. >>> +.SH EXAMPLES >> I'd prefer a complete example with a main function, if you can come up >> with such one. If not, this will be ok. > > I think it is clearer to not to use a full main to explain these basic > steps. A full working example is linked though. > >> >> >>> +We first need to create the ruleset that will contain our rules. >>> +For this example, >>> +the ruleset will contain rules that only allow read actions, >>> +but write actions will be denied. >>> +The ruleset then needs to handle both of these kind of actions. >>> +See below for the description of filesystem actions. >>> +.PP >>> +.in +4n >>> +.EX >>> +int ruleset_fd; >>> +struct landlock_ruleset_attr ruleset_attr = { >>> + .handled_access_fs = >>> + LANDLOCK_ACCESS_FS_EXECUTE | >>> + LANDLOCK_ACCESS_FS_WRITE_FILE | >>> + LANDLOCK_ACCESS_FS_READ_FILE | >>> + LANDLOCK_ACCESS_FS_READ_DIR | >>> + LANDLOCK_ACCESS_FS_REMOVE_DIR | >>> + LANDLOCK_ACCESS_FS_REMOVE_FILE | >>> + LANDLOCK_ACCESS_FS_MAKE_CHAR | >>> + LANDLOCK_ACCESS_FS_MAKE_DIR | >>> + LANDLOCK_ACCESS_FS_MAKE_REG | >>> + LANDLOCK_ACCESS_FS_MAKE_SOCK | >>> + LANDLOCK_ACCESS_FS_MAKE_FIFO | >>> + LANDLOCK_ACCESS_FS_MAKE_BLOCK | >>> + LANDLOCK_ACCESS_FS_MAKE_SYM, >>> +}; >>> + >>> +ruleset_fd = landlock_create_ruleset(&ruleset_attr, >>> sizeof(ruleset_attr), 0); >>> +if (ruleset_fd < 0) { >>> + perror("Failed to create a ruleset"); >>> + return 1; >>> +} >>> +.EE >>> +.in >>> +.PP >>> +We can now add a new rule to this ruleset thanks to the returned file >>> +descriptor referring to this ruleset. >>> +The rule will only allow reading the file hierarchy >>> +.IR /usr . > > Why ".IR" is correct here? > > >>> +Without another rule, write actions would then be denied by the ruleset. >>> +To add >>> +.IR /usr >>> +to the ruleset, we open it with the >>> +.IR O_PATH >>> +flag and fill the >>> +.IR "struct landlock_path_beneath_attr" >>> +with this file descriptor. >>> +.PP >>> +.in +4n >>> +.EX >>> +int err; >>> +struct landlock_path_beneath_attr path_beneath = { >>> + .allowed_access = >>> + LANDLOCK_ACCESS_FS_EXECUTE | >>> + LANDLOCK_ACCESS_FS_READ_FILE | >>> + LANDLOCK_ACCESS_FS_READ_DIR, >>> +}; >>> + >>> +path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); >>> +if (path_beneath.parent_fd < 0) { >>> + perror("Failed to open file"); >>> + close(ruleset_fd); >>> + return 1; >>> +} >>> +err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, >>> + &path_beneath, 0); >>> +close(path_beneath.parent_fd); >>> +if (err) { >>> + perror("Failed to update ruleset"); >>> + close(ruleset_fd); >>> + return 1; >>> +} >>> +.EE >>> +.in >>> +.PP >>> +We now have a ruleset with one rule allowing read access to >>> +.IR /usr >>> +while denying all other handled accesses for the filesystem. >>> +The next step is to restrict the current thread from gaining more >>> +privileges >>> +(e.g., thanks to a set-user-ID binary). >>> +.PP >>> +.in +4n >>> +.EX >>> +if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { >>> + perror("Failed to restrict privileges"); >>> + close(ruleset_fd); >>> + return 1; >>> +} >>> +.EE >>> +.in >>> +.PP >>> +The current thread is now ready to sandbox itself with the ruleset. >>> +.PP >>> +.in +4n >>> +.EX >>> +if (landlock_restrict_self(ruleset_fd, 0)) { >>> + perror("Failed to enforce ruleset"); >>> + close(ruleset_fd); >>> + return 1; >>> +} >>> +close(ruleset_fd); >>> +.EE >>> +.in >>> +.PP >>> +If the >>> +.BR landlock_restrict_self (2) >>> +system call succeeds, the current thread is now restricted and this >>> policy >>> +will be enforced on all its subsequently created children as well. >>> +Once a thread is landlocked, there is no way to remove its security >>> policy; >>> +only adding more restrictions is allowed. >>> +These threads are now in a new Landlock domain, // merge of their >>> parent one /J/ >>> +(if any) with the new ruleset. >>> +.PP >>> +Full working code can be found in >>> +.UR >>> https://git.kernel.org\:/pub\:/scm\:/linux\:/kernel\:/git\:/stable\:/linux.git\:/tree\:/samples\:/landlock\:/sandboxer.c >>> >>> +.UE >>> +.SH SEE ALSO >>> +.BR landlock_create_ruleset (2), >>> +.BR landlock_add_rule (2), >>> +.BR landlock_restrict_self (2) >>> +.PP >>> +.UR https://landlock.io\:/ >>> +.UE >>> >> >>
Hi Mickaël, On 7/30/21 2:41 PM, Alejandro Colomar (man-pages) wrote: [...] > > > > I hope this was helpful :) > > Cheers, > > Alex > > > > > But, let's use .I I hit send too soon. Let's continue. As for current usage, yes, there are many uses of .IR to mean .I, but for new code, we're only using .I (or .B) when possible. > > > CC: Branden > >> >>> >>> If there was a misunderstanding about this, I'm sorry. >>> >>>> * Append punctuation to ".IR" and ".BR" when it makes sense (requested >>>> by Alejandro Colomar). >>>> * Cut lines according to the semantic newline rules (requested by >>>> Alejandro Colomar). >>>> * Remove roman style from ".TP" section titles (requested by Alejandro >>>> Colomar). >>>> * Add comma after "i.e." and "e.g.". >>>> * Move the example in a new EXAMPLES section. >>>> * Improve title. >>>> * Explain the LSM acronym at first use. >>>> --- >>>> man7/landlock.7 | 356 >>>> ++++++++++++++++++++++++++++++++++++++++++++++++ >>>> 1 file changed, 356 insertions(+) >>>> create mode 100644 man7/landlock.7 >>>> >>>> diff --git a/man7/landlock.7 b/man7/landlock.7 >>>> new file mode 100644 >>>> index 000000000000..c89f5b1cabb6 >>>> --- /dev/null >>>> +++ b/man7/landlock.7 >>>> @@ -0,0 +1,356 @@ >>>> +.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> >>>> +.\" Copyright © 2019-2020 ANSSI >>>> +.\" Copyright © 2021 Microsoft Corporation >>>> +.\" >>>> +.\" %%%LICENSE_START(VERBATIM) >>>> +.\" Permission is granted to make and distribute verbatim copies of >>>> this >>>> +.\" manual provided the copyright notice and this permission notice >>>> are >>>> +.\" preserved on all copies. >>>> +.\" >>>> +.\" Permission is granted to copy and distribute modified versions of >>>> this >>>> +.\" manual under the conditions for verbatim copying, provided that >>>> the >>>> +.\" entire resulting derived work is distributed under the terms of a >>>> +.\" permission notice identical to this one. >>>> +.\" >>>> +.\" Since the Linux kernel and libraries are constantly changing, this >>>> +.\" manual page may be incorrect or out-of-date. The author(s) >>>> assume no >>>> +.\" responsibility for errors or omissions, or for damages resulting >>>> from >>>> +.\" the use of the information contained herein. The author(s) may >>>> not >>>> +.\" have taken the same level of care in the production of this >>>> manual, >>>> +.\" which is licensed free of charge, as they might when working >>>> +.\" professionally. >>>> +.\" >>>> +.\" Formatted or processed versions of this manual, if >>>> unaccompanied by >>>> +.\" the source, must acknowledge the copyright and authors of this >>>> work. >>>> +.\" %%%LICENSE_END >>>> +.\" >>>> +.TH LANDLOCK 7 2021-06-27 Linux "Linux Programmer's Manual" >>>> +.SH NAME >>>> +Landlock \- unprivileged access-control >>>> +.SH DESCRIPTION >>>> +Landlock is an access-control system that enables any processes to // >>>> securely /J/ >> >> Why adding a line break here? This line is 75 columns as stated by the >> documentation: https://man7.org/linux/man-pages/man7/man-pages.7.html >> I guess it helps for semantic newlines, right? If so, what are the rules? Yes, they were because of semantic newlines. The "rules" are: Follow mainly "semantic newlines" style (forgetting about the line length), which will give you a text that (mostly) fits into 75 or 80 columns. If after doing that there are some lines that exceed the 75 or 80 column right margin, consider fixing that line by breaking it at a different point or maybe breaking it further. The 80 column limit is a hard limit (I can't read anything past the 80 col), while the 75 limit is a bit softer (that's for allowing quotes in reviews) (if fitting a line into col 75 would break it in a weird way, don't do it). If I didn't explain myself enough, please tell me. >>>> +upper layer. >>>> +From a Landlock policy point of view, >>>> +each OverlayFS layers and merge hierarchies are standalone and >>>> contains >>>> +their own set of files and directories, >>>> +which is different from bind mounts. >>> >>> >>> Incorrect mix of singular and plural, I think. >> >> Is it OK with s/contains/contain/? I think so. >> >>> >>>> +A policy restricting an OverlayFS layer will not restrict the resulted >>>> +merged hierarchy, and vice versa. >>>> +Landlock users should then only think about file hierarchies they >>>> want to >>>> +allow access to, regardless of the underlying filesystem. >>>> +.\" >>>> +.SS Inheritance >>>> +Every new thread resulting from a >>>> +.BR clone (2) >>>> +inherits Landlock domain restrictions from its parent. >>>> +This is similar to the >>>> +.BR seccomp (2) >>>> +inheritance or any other LSM dealing with task's >>> >>> Not sure: >>> >>> s/task/a task/ >>> or >>> s/task's/tasks'/ >> >> I'll take "tasks'". Okay. >> >>> >>>> +.BR credentials (7). >>>> +For instance, one process's thread may apply Landlock rules to itself, >>> >>> s/process's/process'/ >> >> As pointed out by Branden, this is correct. That's right. :) >> >>> >>>> +.BR chdir (2), >>>> +.BR truncate (2), >>>> +.BR stat (2), >>>> +.BR flock (2), >>>> +.BR chmod (2), >>>> +.BR chown (2), >>>> +.BR setxattr (2), >>>> +.BR utime (2), >>>> +.BR ioctl (2), >>>> +.BR fcntl (2), >>>> +.BR access (2). >>>> +Future Landlock evolutions will enable to restrict them. >>>> +.SH EXAMPLES >>> I'd prefer a complete example with a main function, if you can come up >>> with such one. If not, this will be ok. >> >> I think it is clearer to not to use a full main to explain these basic >> steps. A full working example is linked though. Ahh sorry, I didn't see the link. I'll have a look at it. >> >>> >>> >>>> +We first need to create the ruleset that will contain our rules. >>>> +For this example, >>>> +the ruleset will contain rules that only allow read actions, >>>> +but write actions will be denied. >>>> +The ruleset then needs to handle both of these kind of actions. >>>> +See below for the description of filesystem actions. >>>> +.PP >>>> +.in +4n >>>> +.EX >>>> +int ruleset_fd; >>>> +struct landlock_ruleset_attr ruleset_attr = { >>>> + .handled_access_fs = >>>> + LANDLOCK_ACCESS_FS_EXECUTE | >>>> + LANDLOCK_ACCESS_FS_WRITE_FILE | >>>> + LANDLOCK_ACCESS_FS_READ_FILE | >>>> + LANDLOCK_ACCESS_FS_READ_DIR | >>>> + LANDLOCK_ACCESS_FS_REMOVE_DIR | >>>> + LANDLOCK_ACCESS_FS_REMOVE_FILE | >>>> + LANDLOCK_ACCESS_FS_MAKE_CHAR | >>>> + LANDLOCK_ACCESS_FS_MAKE_DIR | >>>> + LANDLOCK_ACCESS_FS_MAKE_REG | >>>> + LANDLOCK_ACCESS_FS_MAKE_SOCK | >>>> + LANDLOCK_ACCESS_FS_MAKE_FIFO | >>>> + LANDLOCK_ACCESS_FS_MAKE_BLOCK | >>>> + LANDLOCK_ACCESS_FS_MAKE_SYM, >>>> +}; >>>> + >>>> +ruleset_fd = landlock_create_ruleset(&ruleset_attr, >>>> sizeof(ruleset_attr), 0); >>>> +if (ruleset_fd < 0) { >>>> + perror("Failed to create a ruleset"); >>>> + return 1; >>>> +} >>>> +.EE >>>> +.in >>>> +.PP >>>> +We can now add a new rule to this ruleset thanks to the returned file >>>> +descriptor referring to this ruleset. >>>> +The rule will only allow reading the file hierarchy >>>> +.IR /usr . >> >> Why ".IR" is correct here? "/usr" needs to be formatted, but "." not. [ .I /usr . ] Would add a space: /usr . So we need a solution that formats only part of a space-separated token; that's what .IR does. I hope the last email explained that well. Thanks, Alex
Thanks Alejandro for the detailed explanations, that's useful! On 30/07/2021 14:59, Alejandro Colomar (man-pages) wrote: > Hi Mickaël, > > On 7/30/21 2:41 PM, Alejandro Colomar (man-pages) wrote: > [...] >> >> >> >> I hope this was helpful :) >> >> Cheers, >> >> Alex >> >> >> >> >> But, let's use .I > > I hit send too soon. Let's continue. > > As for current usage, yes, there are many uses of .IR to mean .I, but > for new code, we're only using .I (or .B) when possible. > >> >> >> CC: Branden >> >>> >>>> >>>> If there was a misunderstanding about this, I'm sorry. >>>> >>>>> * Append punctuation to ".IR" and ".BR" when it makes sense (requested >>>>> by Alejandro Colomar). >>>>> * Cut lines according to the semantic newline rules (requested by >>>>> Alejandro Colomar). >>>>> * Remove roman style from ".TP" section titles (requested by Alejandro >>>>> Colomar). >>>>> * Add comma after "i.e." and "e.g.". >>>>> * Move the example in a new EXAMPLES section. >>>>> * Improve title. >>>>> * Explain the LSM acronym at first use. >>>>> --- >>>>> man7/landlock.7 | 356 >>>>> ++++++++++++++++++++++++++++++++++++++++++++++++ >>>>> 1 file changed, 356 insertions(+) >>>>> create mode 100644 man7/landlock.7 >>>>> >>>>> diff --git a/man7/landlock.7 b/man7/landlock.7 >>>>> new file mode 100644 >>>>> index 000000000000..c89f5b1cabb6 >>>>> --- /dev/null >>>>> +++ b/man7/landlock.7 >>>>> @@ -0,0 +1,356 @@ >>>>> +.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> >>>>> +.\" Copyright © 2019-2020 ANSSI >>>>> +.\" Copyright © 2021 Microsoft Corporation >>>>> +.\" >>>>> +.\" %%%LICENSE_START(VERBATIM) >>>>> +.\" Permission is granted to make and distribute verbatim copies >>>>> of this >>>>> +.\" manual provided the copyright notice and this permission >>>>> notice are >>>>> +.\" preserved on all copies. >>>>> +.\" >>>>> +.\" Permission is granted to copy and distribute modified versions of >>>>> this >>>>> +.\" manual under the conditions for verbatim copying, provided >>>>> that the >>>>> +.\" entire resulting derived work is distributed under the terms of a >>>>> +.\" permission notice identical to this one. >>>>> +.\" >>>>> +.\" Since the Linux kernel and libraries are constantly changing, >>>>> this >>>>> +.\" manual page may be incorrect or out-of-date. The author(s) >>>>> assume no >>>>> +.\" responsibility for errors or omissions, or for damages resulting >>>>> from >>>>> +.\" the use of the information contained herein. The author(s) >>>>> may not >>>>> +.\" have taken the same level of care in the production of this >>>>> manual, >>>>> +.\" which is licensed free of charge, as they might when working >>>>> +.\" professionally. >>>>> +.\" >>>>> +.\" Formatted or processed versions of this manual, if >>>>> unaccompanied by >>>>> +.\" the source, must acknowledge the copyright and authors of this >>>>> work. >>>>> +.\" %%%LICENSE_END >>>>> +.\" >>>>> +.TH LANDLOCK 7 2021-06-27 Linux "Linux Programmer's Manual" >>>>> +.SH NAME >>>>> +Landlock \- unprivileged access-control >>>>> +.SH DESCRIPTION >>>>> +Landlock is an access-control system that enables any processes to // >>>>> securely /J/ >>> >>> Why adding a line break here? This line is 75 columns as stated by the >>> documentation: https://man7.org/linux/man-pages/man7/man-pages.7.html >>> I guess it helps for semantic newlines, right? If so, what are the >>> rules? > > Yes, they were because of semantic newlines. > > The "rules" are: > > Follow mainly "semantic newlines" style (forgetting about the line > length), which will give you a text that (mostly) fits into 75 or 80 > columns. > > If after doing that there are some lines that exceed the 75 or 80 column > right margin, consider fixing that line by breaking it at a different > point or maybe breaking it further. The 80 column limit is a hard limit > (I can't read anything past the 80 col), while the 75 limit is a bit > softer (that's for allowing quotes in reviews) (if fitting a line into > col 75 would break it in a weird way, don't do it). > > If I didn't explain myself enough, please tell me. > >>>>> +upper layer. >>>>> +From a Landlock policy point of view, >>>>> +each OverlayFS layers and merge hierarchies are standalone and >>>>> contains >>>>> +their own set of files and directories, >>>>> +which is different from bind mounts. >>>> >>>> >>>> Incorrect mix of singular and plural, I think. >>> >> Is it OK with s/contains/contain/? > > I think so. > >>> >>>> >>>>> +A policy restricting an OverlayFS layer will not restrict the >>>>> resulted >>>>> +merged hierarchy, and vice versa. >>>>> +Landlock users should then only think about file hierarchies they >>>>> want to >>>>> +allow access to, regardless of the underlying filesystem. >>>>> +.\" >>>>> +.SS Inheritance >>>>> +Every new thread resulting from a >>>>> +.BR clone (2) >>>>> +inherits Landlock domain restrictions from its parent. >>>>> +This is similar to the >>>>> +.BR seccomp (2) >>>>> +inheritance or any other LSM dealing with task's >>>> >>>> Not sure: >>>> >>>> s/task/a task/ >>>> or >>>> s/task's/tasks'/ >>> >>> I'll take "tasks'". > > Okay. > >>> >>>> >>>>> +.BR credentials (7). >>>>> +For instance, one process's thread may apply Landlock rules to >>>>> itself, >>>> >>>> s/process's/process'/ >>> >>> As pointed out by Branden, this is correct. > > That's right. :) > >>> >>>> >>>>> +.BR chdir (2), >>>>> +.BR truncate (2), >>>>> +.BR stat (2), >>>>> +.BR flock (2), >>>>> +.BR chmod (2), >>>>> +.BR chown (2), >>>>> +.BR setxattr (2), >>>>> +.BR utime (2), >>>>> +.BR ioctl (2), >>>>> +.BR fcntl (2), >>>>> +.BR access (2). >>>>> +Future Landlock evolutions will enable to restrict them. >>>>> +.SH EXAMPLES >>>> I'd prefer a complete example with a main function, if you can come up >>>> with such one. If not, this will be ok. >>> >>> I think it is clearer to not to use a full main to explain these basic >>> steps. A full working example is linked though. > > Ahh sorry, I didn't see the link. > I'll have a look at it. > >>> >>>> >>>> >>>>> +We first need to create the ruleset that will contain our rules. >>>>> +For this example, >>>>> +the ruleset will contain rules that only allow read actions, >>>>> +but write actions will be denied. >>>>> +The ruleset then needs to handle both of these kind of actions. >>>>> +See below for the description of filesystem actions. >>>>> +.PP >>>>> +.in +4n >>>>> +.EX >>>>> +int ruleset_fd; >>>>> +struct landlock_ruleset_attr ruleset_attr = { >>>>> + .handled_access_fs = >>>>> + LANDLOCK_ACCESS_FS_EXECUTE | >>>>> + LANDLOCK_ACCESS_FS_WRITE_FILE | >>>>> + LANDLOCK_ACCESS_FS_READ_FILE | >>>>> + LANDLOCK_ACCESS_FS_READ_DIR | >>>>> + LANDLOCK_ACCESS_FS_REMOVE_DIR | >>>>> + LANDLOCK_ACCESS_FS_REMOVE_FILE | >>>>> + LANDLOCK_ACCESS_FS_MAKE_CHAR | >>>>> + LANDLOCK_ACCESS_FS_MAKE_DIR | >>>>> + LANDLOCK_ACCESS_FS_MAKE_REG | >>>>> + LANDLOCK_ACCESS_FS_MAKE_SOCK | >>>>> + LANDLOCK_ACCESS_FS_MAKE_FIFO | >>>>> + LANDLOCK_ACCESS_FS_MAKE_BLOCK | >>>>> + LANDLOCK_ACCESS_FS_MAKE_SYM, >>>>> +}; >>>>> + >>>>> +ruleset_fd = landlock_create_ruleset(&ruleset_attr, >>>>> sizeof(ruleset_attr), 0); >>>>> +if (ruleset_fd < 0) { >>>>> + perror("Failed to create a ruleset"); >>>>> + return 1; >>>>> +} >>>>> +.EE >>>>> +.in >>>>> +.PP >>>>> +We can now add a new rule to this ruleset thanks to the returned file >>>>> +descriptor referring to this ruleset. >>>>> +The rule will only allow reading the file hierarchy >>>>> +.IR /usr . >>> >>> Why ".IR" is correct here? > > "/usr" needs to be formatted, but "." not. > > [ > .I /usr > . > ] > > Would add a space: /usr . > So we need a solution that formats only part of a space-separated token; > that's what .IR does. I hope the last email explained that well. > > Thanks, > > Alex > >
Hi, Mickaël! I'm going to rearrange your message to reply to it to put the shortest point first, as I am nervous of people tiring of my info dumps, especially with such an efflorescent CC list. At 2021-07-30T14:15:48+0200, Mickaël Salaün wrote: > >> +The rule will only allow reading the file hierarchy > >> +.IR /usr . > > Why ".IR" is correct here? Because you don't want a space or a line break in the output between "/usr" and the period. Line breaks in *roff input usually mean "insert a word break here".[1] [the long version] > When do we really need .IR? Isn't `.I "foo bar"` the same as `.IR foo > bar`? What do you use roman for? > > Where can we find these preferences? The best I found was > https://www.man7.org/linux/man-pages/man7/groff_man.7.html but it > doesn't explain what to use. The current man pages seems to use both > interchangeably. This is a good news/bad news situation for me. As the maintainer of that man page, I'm delighted to hear that you found it the best resource of its type. But that you came away still not knowing when or why to use .IR tells me I still have work to do. One of the things I did after the groff 1.22.4 release (December 2018) was to split groff_man(7) into two pages. The one you've linked is the terser reference for seasoned (perhaps salty) man page writers. Near the top of it you'll find this. This document presents the macros thematically; for those needing only a quick reference, the following table lists them alphabetically, with cross-references to appropriate subsections below. Man page authors and maintainers who are not already experienced groff users should consult groff_man_style(7), an expanded version of this document, for additional explanations and advice. It covers only those concepts required for man page document maintenance, and not the full breadth of the groff typesetting system. There, at <https://www.man7.org/linux/man-pages/man7/groff_man.7.html>, I'd direct you to the following. Font style macros The man macro package is limited in its font styling options, offering only bold (.B), italic (.I), and roman. Italic text is usually set underscored instead on terminal devices. The .SM and .SB macros set text in roman or bold, respectively, at a smaller point size; these differ visually from regular-sized roman or bold text only on typesetter devices. It is often necessary to set text in different styles without intervening space. The macros .BI, .BR, .IB, .IR, .RB, and .RI, where “B”, “I”, and “R” indicate bold, italic, and roman, respectively, set their odd- and even-numbered arguments in alternating styles, with no space separating them. [...] .I [text] Set text in italics. If the macro is given no arguments, the text of the next input line is set in italics. Use italics for file and path names, for environment variables, for enumeration or preprocessor constants in C, for variable (user-determined) portions of syntax synopses, for the first occurrence (only) of a technical concept being introduced, for names of works of software (including commands and functions, but excluding names of operating systems or their kernels), and anywhere a parameter requiring replacement by the user is encountered. An exception involves variable text in a context that is already marked up in italics, such as file or path names with variable components; in such cases, follow the convention of mathematical typography: set the file or path name in italics as usual but use roman for the variable part (see .IR and .RI below), and italics again in running roman text when referring to the variable material. [...] Note what is not prescribed for setting in bold or italics above: elements of “synopsis language” such as ellipses and brackets around options; proper names and adjectives; titles of anything other than works of literature or software; identifiers for standards documents or technical reports such as CSTR #54, RFC 1918, Unicode 13.0, or POSIX.1-2017; acronyms; and occurrences after the first of a technical term or piece of jargon. Again, the names of operating systems and their kernels are, by practically universal convention, set in roman. Be frugal with italics for emphasis, and particularly with bold. Brief runs of literal text, such as references to individual characters or short strings, including section and subsection headings of man pages, are suitable objects for quotation; see the \(lq, \(rq, \(oq, and \(cq escapes in subsection “Portability” below. Unlike the above font style macros, the font style alternation macros below accept only arguments on the same line as the macro call. Italic corrections are applied as appropriate. If space is required within one of the arguments, first consider whether the same result could be achieved with as much clarity by using the single-style macros on separate input lines. When it cannot, double-quote an argument containing embedded space characters. Setting all three different styles within a word presents challenges; it is possible with the \c and/or \f escapes, but see subsection “Portability” below for caveats. [...] .IR italic-text roman-text ... Set each argument in italics and roman, alternately. This is the first command of the .IR prologue . I'd appreciate feedback from anyone on how I can improve the above. > >> +upper layer. > >> +From a Landlock policy point of view, > >> +each OverlayFS layers and merge hierarchies are standalone and contains > >> +their own set of files and directories, > >> +which is different from bind mounts. > > > > > > Incorrect mix of singular and plural, I think. > > Is it OK with s/contains/contain/? That's correct, but you also need s/their/its/. A handy technique for resolving inflection/agreement problems in English is to drop phrases from the sentence in a way that preserves its structure; this usually makes clear what should be done. In this case, "... Each ... contains its own set." Native speakers screw this up even in simpler cases; e.g., *"The spaces in between leave room for you and I to grow." We get thrown by the conjunction "and", which makes the language organ in our brain think of plural number. But no native speaker ever commits the error *"Will you buy a hamburger for I?" unless for deliberate effect. (Though there is probably some hamlet in the West Midlands of England or something where this is standard. :-| ) Regards, Branden [1] "Usually." In roff terms, this generalization applies to text lines (not control lines; that is, lines starting with a control character) that do not end with the output line continuation escape sequence, '\c'.
Hi, Alex! At 2021-07-30T14:59:52+0200, Alejandro Colomar (man-pages) wrote: > Yes, they were because of semantic newlines. > > The "rules" are: > > Follow mainly "semantic newlines" style (forgetting about the line > length), which will give you a text that (mostly) fits into 75 or 80 > columns. > > If after doing that there are some lines that exceed the 75 or 80 > column right margin, consider fixing that line by breaking it at a > different point or maybe breaking it further. The 80 column limit is > a hard limit (I can't read anything past the 80 col), while the 75 > limit is a bit softer (that's for allowing quotes in reviews) (if > fitting a line into col 75 would break it in a weird way, don't do > it). > > If I didn't explain myself enough, please tell me. I'm a little puzzled by the above. Semantic newlines have little to do with the output line length in *roff systems. They arose due to a Bell Labs Unix Room practice, popularized by Brian Kernighan. Brandon Rhodes has a backgrounder on this[1]. Man pages tend to be really flexible with respect to output line length. This is one reason the groff man macros expose a user-settable LL register. The main limitations on line length are people using tbl(1) tables or disabling filling (with the .nf request or in .EX/.EE examples). Another limitation is that as lines get shorter, it becomes hard to set the page headers and footers without them overlapping. For the first two points there is not much the macro package can do; both tbl(1) and filling disablement leave the placement of line breaks in the hands of the document author, and they can abuse that power by "oversetting" a line; that is, making it longer than the configured line length. The third point is a problem the macro package can overcome with some effort, by measuring the lengths of the components that go into a header or footer an abbreviating them. This is not a theoretical concern; Erlang supplies some man pages with insanely long names[2], and you can see the problem in footers today on the man-pages site for any page groff ships, because Michael pulls from our Git repository (to my great relief, because I fix documentation errors and make other improvements all the time) and our version identifier has gotten crazily long because we're on the order of one thousand commits since the last release candidate, and gnulib's git-version-gen uses release tags, commit count since the tag, _and_ an abbreviated commit ID to generate the version string. For my tree right now that's "1.23.0.rc1.999-7ae6d". Here's a specimen of how that works out in a rendered page: <https://man7.org/linux/man-pages/man1/neqn.1.html> (scroll to the bottom). I've fixed the problem for long page names for the next groff release, but it involved some string-manipulation gymnastics[3]. I haven't yet factored those out into their own (private) macro which I can also call when preparing the page footer. Regards, Branden [1] https://rhodesmill.org/brandon/2012/one-sentence-per-line/ [2] CosNotifyChannelAdmin_StructuredProxyPushSupplier(3erl) [3] https://git.savannah.gnu.org/cgit/groff.git/commit/?id=b7f38e8a1d698e1078d7c215d08fde57d8e919b9
Hi Branden, Mickaël, On 7/31/21 1:39 AM, G. Branden Robinson wrote: > Hi, Mickaël! > > I'm going to rearrange your message to reply to it to put the shortest > point first, as I am nervous of people tiring of my info dumps, > especially with such an efflorescent CC list. > > At 2021-07-30T14:15:48+0200, Mickaël Salaün wrote: >>>> +The rule will only allow reading the file hierarchy >>>> +.IR /usr . >> >> Why ".IR" is correct here? > > Because you don't want a space or a line break in the output between > "/usr" and the period. > > Line breaks in *roff input usually mean "insert a word break here".[1] > > [the long version] >> When do we really need .IR? Isn't `.I "foo bar"` the same as `.IR foo >> bar`? What do you use roman for? >> >> Where can we find these preferences? The best I found was >> https://www.man7.org/linux/man-pages/man7/groff_man.7.html but it >> doesn't explain what to use. The current man pages seems to use both >> interchangeably. > > This is a good news/bad news situation for me. As the maintainer of > that man page, I'm delighted to hear that you found it the best resource > of its type. But that you came away still not knowing when or why to > use .IR tells me I still have work to do. > > One of the things I did after the groff 1.22.4 release (December 2018) > was to split groff_man(7) into two pages. The one you've linked is the > terser reference for seasoned (perhaps salty) man page writers. Near > the top of it you'll find this. > > This document presents the macros thematically; for those needing > only a quick reference, the following table lists them > alphabetically, with cross-references to appropriate subsections > below. > > Man page authors and maintainers who are not already experienced > groff users should consult groff_man_style(7), an expanded > version of this document, for additional explanations and advice. > It covers only those concepts required for man page document > maintenance, and not the full breadth of the groff typesetting > system. Hmmmm, I can't find that text on my Debian Sid (with a bit of experimental) groff_man(7). Not even in the SEE ALSO. SEE ALSO Groff: The GNU Implementation of troff, by Trent A. Fisher and Werner Lemberg, is the main groff documentation. You can browse it interactively with “info groff”. tbl(1), eqn(1), and refer(1) are preprocessors used with man pages. man(1) describes the man page formatter on your system. groff_mdoc(7) describes the groff version of the BSD‐origi‐ nated alternative macro package for man pages. groff(7), groff_char(7), man(7) groff 1.22.4 27 January 2021 GROFF_MAN(7) > > There, at <https://www.man7.org/linux/man-pages/man7/groff_man.7.html>, > I'd direct you to the following. > > Font style macros > The man macro package is limited in its font styling options, > offering only bold (.B), italic (.I), and roman. Italic text is > usually set underscored instead on terminal devices. The .SM and > .SB macros set text in roman or bold, respectively, at a smaller > point size; these differ visually from regular-sized roman or > bold text only on typesetter devices. It is often necessary to > set text in different styles without intervening space. The > macros .BI, .BR, .IB, .IR, .RB, and .RI, where “B”, “I”, and “R” > indicate bold, italic, and roman, respectively, set their odd- > and even-numbered arguments in alternating styles, with no space > separating them. > [...] > .I [text] > Set text in italics. If the macro is given no arguments, > the text of the next input line is set in italics. > > Use italics for file and path names, for environment > variables, for enumeration or preprocessor constants in C, > for variable (user-determined) portions of syntax > synopses, for the first occurrence (only) of a technical > concept being introduced, for names of works of software > (including commands and functions, but excluding names of > operating systems or their kernels), and anywhere a > parameter requiring replacement by the user is > encountered. An exception involves variable text in a > context that is already marked up in italics, such as file > or path names with variable components; in such cases, > follow the convention of mathematical typography: set the > file or path name in italics as usual but use roman for > the variable part (see .IR and .RI below), and italics > again in running roman text when referring to the variable > material. Re-reading this, we've been doing it wrong (as you pointed out in another thread) with macro names with variable part. I wasn't very convinced by the current usage of the man pages, but it was already current, so I just followed it :/ I'll try to follow this from now. > [...] > Note what is not prescribed for setting in bold or italics above: > elements of “synopsis language” such as ellipses and brackets > around options; proper names and adjectives; titles of anything > other than works of literature or software; identifiers for > standards documents or technical reports such as CSTR #54, > RFC 1918, Unicode 13.0, or POSIX.1-2017; acronyms; and > occurrences after the first of a technical term or piece of > jargon. Again, the names of operating systems and their kernels > are, by practically universal convention, set in roman. > > Be frugal with italics for emphasis, and particularly with bold. > Brief runs of literal text, such as references to individual > characters or short strings, including section and subsection > headings of man pages, are suitable objects for quotation; see > the \(lq, \(rq, \(oq, and \(cq escapes in subsection > “Portability” below. > > Unlike the above font style macros, the font style alternation > macros below accept only arguments on the same line as the macro > call. Italic corrections are applied as appropriate. If space > is required within one of the arguments, first consider whether > the same result could be achieved with as much clarity by using > the single-style macros on separate input lines. When it cannot, > double-quote an argument containing embedded space characters. > Setting all three different styles within a word presents > challenges; it is possible with the \c and/or \f escapes, but see > subsection “Portability” below for caveats. Ahh, I missed this text, as it was neither under .I nor .IR, and only had a fast read of the page. The 3rd paragraph hints that you should only use .IR when really needed, and use .I otherwise. But someone new to man-pages, who probably did never read this page (or read some specific paragraphs of it when needed), and found the extensive (and somewhat incorrect) usage of .IR in place of .I in the current man pages, might be confused by all of that inconsistency and hard-to-find (except by those who already know where it is (reference to Pirates of the Caribbean intended :) )) information. > [...] > .IR italic-text roman-text ... > Set each argument in italics and roman, alternately. > > This is the first command of the > .IR prologue . > > I'd appreciate feedback from anyone on how I can improve the above. I think it's great. But unless one reads the page with some time (and not only the bullets), one might think that the man page is incomplete. Maybe groff_man_style(7) is better suited for newbies, but I can't tell... I couldn't find it. > >>>> +upper layer. >>>> +From a Landlock policy point of view, >>>> +each OverlayFS layers and merge hierarchies are standalone and contains >>>> +their own set of files and directories, >>>> +which is different from bind mounts. >>> >>> >>> Incorrect mix of singular and plural, I think. >> >> Is it OK with s/contains/contain/? > > That's correct, but you also need s/their/its/. I'm not sure, but maybe (I always get confused by these things)?: [ each _of the_ OverlayFS layers and merge hierarchies _is_ standalone and _contains_ _its_ own set of files and directories, which is different from bind mounts. ] And still I'm not sure about the last "mounts". Without s/each/each of the/ we still have layers and hierarchies (plurals), which don't mix well with each (singular). Regards, Alex > > A handy technique for resolving inflection/agreement problems in English > is to drop phrases from the sentence in a way that preserves its > structure; this usually makes clear what should be done. > > In this case, "... Each ... contains its own set." > > Native speakers screw this up even in simpler cases; e.g., > > *"The spaces in between leave room for you and I to grow." > > We get thrown by the conjunction "and", which makes the language organ > in our brain think of plural number. But no native speaker ever commits > the error > > *"Will you buy a hamburger for I?" > > unless for deliberate effect. (Though there is probably some hamlet in > the West Midlands of England or something where this is standard. :-| ) > > Regards, > Branden > > [1] "Usually." In roff terms, this generalization applies to text lines > (not control lines; that is, lines starting with a control > character) that do not end with the output line continuation escape > sequence, '\c'. >
Hi Branden, On 7/31/21 2:15 AM, G. Branden Robinson wrote: > Hi, Alex! > > At 2021-07-30T14:59:52+0200, Alejandro Colomar (man-pages) wrote: >> Yes, they were because of semantic newlines. >> >> The "rules" are: >> >> Follow mainly "semantic newlines" style (forgetting about the line >> length), which will give you a text that (mostly) fits into 75 or 80 >> columns. >> >> If after doing that there are some lines that exceed the 75 or 80 >> column right margin, consider fixing that line by breaking it at a >> different point or maybe breaking it further. The 80 column limit is >> a hard limit (I can't read anything past the 80 col), while the 75 >> limit is a bit softer (that's for allowing quotes in reviews) (if >> fitting a line into col 75 would break it in a weird way, don't do >> it). >> >> If I didn't explain myself enough, please tell me. > > I'm a little puzzled by the above. Semantic newlines have little to do > with the output line length in *roff systems. They arose due to a Bell > Labs Unix Room practice, popularized by Brian Kernighan. Brandon Rhodes > has a backgrounder on this[1]. > > Man pages tend to be really flexible with respect to output line length. > This is one reason the groff man macros expose a user-settable LL > register. The main limitations on line length are people using tbl(1) > tables or disabling filling (with the .nf request or in .EX/.EE > examples). Another limitation is that as lines get shorter, it becomes > hard to set the page headers and footers without them overlapping. > > For the first two points there is not much the macro package can do; > both tbl(1) and filling disablement leave the placement of line breaks > in the hands of the document author, and they can abuse that power by > "oversetting" a line; that is, making it longer than the configured line > length. > > The third point is a problem the macro package can overcome with some > effort, by measuring the lengths of the components that go into a header > or footer an abbreviating them. This is not a theoretical concern; > Erlang supplies some man pages with insanely long names[2], and you can > see the problem in footers today on the man-pages site for any page > groff ships, because Michael pulls from our Git repository (to my great > relief, because I fix documentation errors and make other improvements > all the time) and our version identifier has gotten crazily long because > we're on the order of one thousand commits since the last release > candidate, and gnulib's git-version-gen uses release tags, commit count > since the tag, _and_ an abbreviated commit ID to generate the version > string. For my tree right now that's "1.23.0.rc1.999-7ae6d". > > Here's a specimen of how that works out in a rendered page: > <https://man7.org/linux/man-pages/man1/neqn.1.html> (scroll to the > bottom). > > I've fixed the problem for long page names for the next groff release, > but it involved some string-manipulation gymnastics[3]. I haven't yet > factored those out into their own (private) macro which I can also call > when preparing the page footer. I think you misunderstood the context here. I meant all of that about input, i.e., the text of the patch itself, text to be added to a man page source text. What I meant is that when you break lines semantically (when writing a patch), and initially forget about the 80 (or 75) column right margin, most of the lines you write will already (as a side effect of breaking lines semantically) be within the 80 (or 75) right margin. For those that still don't fit into 80 characters after doing that, break further (or at some other point that may also break nicely semantically); otherwise, I won't see the text when editing the man page on my 80-col terminal. For those that still don't fit into 75 characters after doing that, consider breaking further, but only if doing so seems easy and lines break nicely. I can still see after line 75, and I can do some effort to scroll an email a few columns if needed (when many quotes move the text further to the right). So if the source code would break in a weird way because of forcing a 75 col right margin, please ignore that margin. I hope I was clear this time. BTW, thanks for your mail. It wasn't related to what I meant, but was interesting :=) Regards, Alex > > Regards, > Branden > > [1] https://rhodesmill.org/brandon/2012/one-sentence-per-line/ > [2] CosNotifyChannelAdmin_StructuredProxyPushSupplier(3erl) > [3] https://git.savannah.gnu.org/cgit/groff.git/commit/?id=b7f38e8a1d698e1078d7c215d08fde57d8e919b9 >
Hi, Alex, [man, that CC list makes me cringe--this is all style issues and groff release history, skip freely] At 2021-07-31T12:51:30+0200, Alejandro Colomar (man-pages) wrote: > Hi Branden, Mickaël, > > One of the things I did after the groff 1.22.4 release (December > > 2018) was to split groff_man(7) into two pages. The one you've > > linked is the terser reference for seasoned (perhaps salty) man page > > writers. Near the top of it you'll find this. [...] > Hmmmm, I can't find that text on my Debian Sid (with a bit of experimental) > groff_man(7). Not even in the SEE ALSO. That's because Debian is still shipping groff 1.22.4, even in unstable. That's not shocking; I think Colin Watson was hesitant to ship a release candidate and that was all the groff team had ready at the time. (I'm the most active developer but not the project lead or release manager; I've shied away from those responsibilities.) > Re-reading this, we've been doing it wrong (as you pointed out in > another thread) with macro names with variable part. I do think it is wise to have a markup distinction between constant and variable parts of C (or C preprocessor) symbol names. Admittedly, font style distinctions can get lost in terminal copy-and-paste, but we can't solve everything in plain text alone. > I wasn't very convinced by the current usage of the man pages, but it > was already current, so I just followed it :/ > > I'll try to follow this from now. The man-pages project has some style rules for visible output that are not in alignment with what groff does, but the only one that comes to mind is the style used for man page names (man-pages: bold; groff: italics). I have a plan for resolving that on the rendering end[1]. > Ahh, I missed this text, as it was neither under .I nor .IR, and only > had a fast read of the page. The 3rd paragraph hints that you should > only use .IR when really needed, and use .I otherwise. But someone > new to man-pages, who probably did never read this page (or read some > specific paragraphs of it when needed), and found the extensive (and > somewhat incorrect) usage of .IR in place of .I in the current man > pages, might be confused by all of that inconsistency and hard-to-find > (except by those who already know where it is (reference to Pirates of > the Caribbean intended :) )) information. Yes, it would really help if we (groff) could do a release. :-/ > > I'd appreciate feedback from anyone on how I can improve the above. > > I think it's great. But unless one reads the page with some time (and > not only the bullets), one might think that the man page is > incomplete. Maybe groff_man_style(7) is better suited for newbies, > but I can't tell... I couldn't find it. It's in groff Git and in the man-pages curated collection, <https://man7.org/linux/man-pages/man7/groff_man_style.7.html>. Michael apparently re-pulls from groff Git HEAD every time he does a man-pages release, which makes the groff man pages massively more up to date (by 2.5 years and counting) than what most distributions have. > I'm not sure, but maybe (I always get confused by these things)?: > > [ > each _of the_ OverlayFS layers and merge hierarchies _is_ standalone and > _contains_ > _its_ own set of files and directories, > which is different from bind mounts. > ] > > And still I'm not sure about the last "mounts". Yes, I think that's an improvement, and "bind mounts" could be made singular: "a bind mount". Regards, Branden [1] https://lists.gnu.org/archive/html/groff/2020-08/msg00068.html
diff --git a/man7/landlock.7 b/man7/landlock.7 new file mode 100644 index 000000000000..c89f5b1cabb6 --- /dev/null +++ b/man7/landlock.7 @@ -0,0 +1,356 @@ +.\" Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> +.\" Copyright © 2019-2020 ANSSI +.\" Copyright © 2021 Microsoft Corporation +.\" +.\" %%%LICENSE_START(VERBATIM) +.\" Permission is granted to make and distribute verbatim copies of this +.\" manual provided the copyright notice and this permission notice are +.\" preserved on all copies. +.\" +.\" Permission is granted to copy and distribute modified versions of this +.\" manual under the conditions for verbatim copying, provided that the +.\" entire resulting derived work is distributed under the terms of a +.\" permission notice identical to this one. +.\" +.\" Since the Linux kernel and libraries are constantly changing, this +.\" manual page may be incorrect or out-of-date. The author(s) assume no +.\" responsibility for errors or omissions, or for damages resulting from +.\" the use of the information contained herein. The author(s) may not +.\" have taken the same level of care in the production of this manual, +.\" which is licensed free of charge, as they might when working +.\" professionally. +.\" +.\" Formatted or processed versions of this manual, if unaccompanied by +.\" the source, must acknowledge the copyright and authors of this work. +.\" %%%LICENSE_END +.\" +.TH LANDLOCK 7 2021-06-27 Linux "Linux Programmer's Manual" +.SH NAME +Landlock \- unprivileged access-control +.SH DESCRIPTION +Landlock is an access-control system that enables any processes to securely +restrict themselves and their future children. +Because Landlock is a stackable Linux Security Module (LSM), +it makes possible to create safe security sandboxes as new security layers +in addition to the existing system-wide access-controls. +This kind of sandbox is expected to help mitigate the security impact of +bugs, and unexpected or malicious behaviors in applications. +.PP +A Landlock security policy is a set of access rights +(e.g., open a file in read-only, make a directory, etc.) +tied to a file hierarchy. +Such policy can be configured and enforced by processes for themselves +using three system calls: +.IP \(bu 2 +.BR landlock_create_ruleset (2) +creates a new ruleset; +.IP \(bu +.BR landlock_add_rule (2) +adds a new rule to a ruleset; +.IP \(bu +.BR landlock_restrict_self (2) +enforces a ruleset on the calling thread. +.PP +To be able to use these system calls, +the running kernel must support Landlock and it must be enabled at boot +time. +.\" +.SS Landlock rules +A Landlock rule describes an action on an object. +An object is currently a file hierarchy, +and the related filesystem actions are defined with access rights (see +.BR landlock_add_rule (2)). +A set of rules is aggregated in a ruleset, which can +then restrict the thread enforcing it, and its future children. +.\" +.SS Filesystem actions +These flags enable to restrict a sandboxed process to a set of actions on +files and directories. +Files or directories opened before the sandboxing are not subject to these +restrictions. +See +.BR landlock_add_rule (2) +and +.BR landlock_create_ruleset (2) +for more context. +.PP +A file can only receive these access rights: +.TP +.B LANDLOCK_ACCESS_FS_EXECUTE +Execute a file. +.TP +.B LANDLOCK_ACCESS_FS_WRITE_FILE +Open a file with write access. +.TP +.B LANDLOCK_ACCESS_FS_READ_FILE +Open a file with read access. +.PP +A directory can receive access rights related to files or directories. +The following access right is applied to the directory itself, +and the directories beneath it: +.TP +.B LANDLOCK_ACCESS_FS_READ_DIR +Open a directory or list its content. +.PP +However, +the following access rights only apply to the content of a directory, +not the directory itself: +.TP +.B LANDLOCK_ACCESS_FS_REMOVE_DIR +Remove an empty directory or rename one. +.TP +.B LANDLOCK_ACCESS_FS_REMOVE_FILE +Unlink (or rename) a file. +.TP +.B LANDLOCK_ACCESS_FS_MAKE_CHAR +Create (or rename or link) a character device. +.TP +.B LANDLOCK_ACCESS_FS_MAKE_DIR +Create (or rename) a directory. +.TP +.B LANDLOCK_ACCESS_FS_MAKE_REG +Create (or rename or link) a regular file. +.TP +.B LANDLOCK_ACCESS_FS_MAKE_SOCK +Create (or rename or link) a UNIX domain socket. +.TP +.B LANDLOCK_ACCESS_FS_MAKE_FIFO +Create (or rename or link) a named pipe. +.TP +.B LANDLOCK_ACCESS_FS_MAKE_BLOCK +Create (or rename or link) a block device. +.TP +.B LANDLOCK_ACCESS_FS_MAKE_SYM +Create (or rename or link) a symbolic link. +.\" +.SS Layers of file path access rights +Each time a thread enforces a ruleset on itself, it updates its Landlock +domain with a new layer of policy. +Indeed, this complementary policy is composed with the potentially other +rulesets already restricting this thread. +A sandboxed thread can then safely add more constraints to itself with a +new enforced ruleset. +.PP +One policy layer grants access to a file path if at least one of its rules +encountered on the path grants the access. +A sandboxed thread can only access a file path if all its enforced policy +layers grant the access as well as all the other system access controls +(e.g., filesystem DAC, other LSM policies, etc.). +.\" +.SS Bind mounts and OverlayFS +Landlock enables restricting access to file hierarchies, +which means that these access rights can be propagated with bind mounts +(cf. +.BR mount_namespaces (7)) +but not with OverlayFS. +.PP +A bind mount mirrors a source file hierarchy to a destination. +The destination hierarchy is then composed of the exact same files, +on which Landlock rules can be tied, either via the source or the +destination path. +These rules restrict access when they are encountered on a path, +which means that they can restrict access to multiple file hierarchies at +the same time, +whether these hierarchies are the result of bind mounts or not. +.PP +An OverlayFS mount point consists of upper and lower layers. +These layers are combined in a merge directory, result of the mount point. +This merge hierarchy may include files from the upper and lower layers, +but modifications performed on the merge hierarchy only reflects on the +upper layer. +From a Landlock policy point of view, +each OverlayFS layers and merge hierarchies are standalone and contains +their own set of files and directories, +which is different from bind mounts. +A policy restricting an OverlayFS layer will not restrict the resulted +merged hierarchy, and vice versa. +Landlock users should then only think about file hierarchies they want to +allow access to, regardless of the underlying filesystem. +.\" +.SS Inheritance +Every new thread resulting from a +.BR clone (2) +inherits Landlock domain restrictions from its parent. +This is similar to the +.BR seccomp (2) +inheritance or any other LSM dealing with task's +.BR credentials (7). +For instance, one process's thread may apply Landlock rules to itself, +but they will not be automatically applied to other sibling threads +(unlike POSIX thread credential changes, cf. +.BR nptl (7)). +.PP +When a thread sandboxes itself, we have the guarantee that the related +security policy will stay enforced on all this thread's descendants. +This allows creating standalone and modular security policies per +application, +which will automatically be composed between themselves according to their +runtime parent policies. +.\" +.SS Ptrace restrictions +A sandboxed process has less privileges than a non-sandboxed process and +must then be subject to additional restrictions when manipulating another +process. +To be allowed to use +.BR ptrace (2) +and related syscalls on a target process, +a sandboxed process should have a subset of the target process rules, +which means the tracee must be in a sub-domain of the tracer. +.SH VERSIONS +Landlock was added in Linux 5.13. +.SH NOTES +Landlock is enabled by CONFIG_SECURITY_LANDLOCK. +The +.IR lsm=lsm1,...,lsmN +command line parameter controls the sequence of the initialization of +Linux Security Modules. +It must contain the string +.IR landlock +to enable Landlock. +If the command line parameter is not specified, +the initialization falls back to the value of the deprecated +.IR security= +command line parameter and further to the value of CONFIG_LSM. +We can check that Landlock is enabled by looking for +.IR "landlock: Up and running." +in kernel logs. +.PP +It is currently not possible to restrict some file-related actions +accessible through these syscall families: +.BR chdir (2), +.BR truncate (2), +.BR stat (2), +.BR flock (2), +.BR chmod (2), +.BR chown (2), +.BR setxattr (2), +.BR utime (2), +.BR ioctl (2), +.BR fcntl (2), +.BR access (2). +Future Landlock evolutions will enable to restrict them. +.SH EXAMPLES +We first need to create the ruleset that will contain our rules. +For this example, +the ruleset will contain rules that only allow read actions, +but write actions will be denied. +The ruleset then needs to handle both of these kind of actions. +See below for the description of filesystem actions. +.PP +.in +4n +.EX +int ruleset_fd; +struct landlock_ruleset_attr ruleset_attr = { + .handled_access_fs = + LANDLOCK_ACCESS_FS_EXECUTE | + LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_READ_DIR | + LANDLOCK_ACCESS_FS_REMOVE_DIR | + LANDLOCK_ACCESS_FS_REMOVE_FILE | + LANDLOCK_ACCESS_FS_MAKE_CHAR | + LANDLOCK_ACCESS_FS_MAKE_DIR | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_MAKE_SOCK | + LANDLOCK_ACCESS_FS_MAKE_FIFO | + LANDLOCK_ACCESS_FS_MAKE_BLOCK | + LANDLOCK_ACCESS_FS_MAKE_SYM, +}; + +ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); +if (ruleset_fd < 0) { + perror("Failed to create a ruleset"); + return 1; +} +.EE +.in +.PP +We can now add a new rule to this ruleset thanks to the returned file +descriptor referring to this ruleset. +The rule will only allow reading the file hierarchy +.IR /usr . +Without another rule, write actions would then be denied by the ruleset. +To add +.IR /usr +to the ruleset, we open it with the +.IR O_PATH +flag and fill the +.IR "struct landlock_path_beneath_attr" +with this file descriptor. +.PP +.in +4n +.EX +int err; +struct landlock_path_beneath_attr path_beneath = { + .allowed_access = + LANDLOCK_ACCESS_FS_EXECUTE | + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_READ_DIR, +}; + +path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); +if (path_beneath.parent_fd < 0) { + perror("Failed to open file"); + close(ruleset_fd); + return 1; +} +err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, + &path_beneath, 0); +close(path_beneath.parent_fd); +if (err) { + perror("Failed to update ruleset"); + close(ruleset_fd); + return 1; +} +.EE +.in +.PP +We now have a ruleset with one rule allowing read access to +.IR /usr +while denying all other handled accesses for the filesystem. +The next step is to restrict the current thread from gaining more +privileges +(e.g., thanks to a set-user-ID binary). +.PP +.in +4n +.EX +if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("Failed to restrict privileges"); + close(ruleset_fd); + return 1; +} +.EE +.in +.PP +The current thread is now ready to sandbox itself with the ruleset. +.PP +.in +4n +.EX +if (landlock_restrict_self(ruleset_fd, 0)) { + perror("Failed to enforce ruleset"); + close(ruleset_fd); + return 1; +} +close(ruleset_fd); +.EE +.in +.PP +If the +.BR landlock_restrict_self (2) +system call succeeds, the current thread is now restricted and this policy +will be enforced on all its subsequently created children as well. +Once a thread is landlocked, there is no way to remove its security policy; +only adding more restrictions is allowed. +These threads are now in a new Landlock domain, merge of their parent one +(if any) with the new ruleset. +.PP +Full working code can be found in +.UR https://git.kernel.org\:/pub\:/scm\:/linux\:/kernel\:/git\:/stable\:/linux.git\:/tree\:/samples\:/landlock\:/sandboxer.c +.UE +.SH SEE ALSO +.BR landlock_create_ruleset (2), +.BR landlock_add_rule (2), +.BR landlock_restrict_self (2) +.PP +.UR https://landlock.io\:/ +.UE