landlock: Explain how to support Landlock

Let's help users by documenting how to enable and check for Landlock in
the kernel and the running system.  The userspace-api section may not be
the best place for this but it still makes sense to put all the user
documentation at the same place.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220513112743.156414-1-mic@digikod.net
Reviewed-by: Paul Moore <paul@paul-moore.com>
Mickaël Salaün 2022-05-13 13:27:43 +02:00
parent 9e0c76b9f1
commit 5e469829ba
GPG Key ID: E5E3D0E88C82F6D2
1 changed files with 28 additions and 1 deletions

@ -1,7 +1,7 @@
.. SPDX-License-Identifier: GPL-2.0
.. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
.. Copyright © 2019-2020 ANSSI
.. Copyright © 2021 Microsoft Corporation
.. Copyright © 2021-2022 Microsoft Corporation
=====================================
Landlock: unprivileged access control
@ -18,6 +18,13 @@ is expected to help mitigate the security impact of bugs or
unexpected/malicious behaviors in user space applications. Landlock empowers
any process, including unprivileged ones, to securely restrict themselves.
We can quickly make sure that Landlock is enabled in the running system by
looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep
landlock || journalctl -kg landlock`` . Developers can also easily check for
Landlock support with a :ref:`related system call <landlock_abi_versions>`. If
Landlock is not currently supported, we need to :ref:`configure the kernel
appropriately <kernel_support>`.
Landlock rules
==============
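Review bot: the log grep is a weaker signal than "make sure that Landlock is enabled" suggests: ``dmesg | grep landlock`` fails once the kernel ring buffer has wrapped on a long-running system, and the fallback ``journalctl -kg landlock`` only helps where the journal retains kernel messages, so the paragraph should present the :ref:`landlock_abi_versions` system call check as the authoritative test and the log grep as a quick first look. Two smaller points in the same paragraph: the stray space in "``landlock || journalctl -kg landlock`` ." should be removed so the period follows the literal directly, and "we need to :ref:`configure the kernel appropriately <kernel_support>`" reads better in the imperative, as elsewhere in this reference document.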
@ -264,6 +271,8 @@ users, and because they may use different kernel versions, it is strongly
encouraged to follow a best-effort security approach by checking the Landlock
ABI version at runtime and only enforcing the supported features.
.. _landlock_abi_versions:
Landlock ABI versions
---------------------
@ -388,6 +397,24 @@ Starting with the Landlock ABI version 2, it is now possible to securely
control renaming and linking thanks to the new `LANDLOCK_ACCESS_FS_REFER`
access right.
.. _kernel_support:
Kernel support
==============
Landlock was first introduced in Linux 5.13 but it must be configured at build
time with `CONFIG_SECURITY_LANDLOCK=y`. Landlock must also be enabled at boot
time as the other security modules. The list of security modules enabled by
default is set with `CONFIG_LSM`. The kernel configuration should then
contains `CONFIG_LSM=landlock,[...]` with `[...]` as the list of other
potentially useful security modules for the running system (see the
`CONFIG_LSM` help).
If the running kernel doesn't have `landlock` in `CONFIG_LSM`, then we can
still enable it by adding ``lsm=landlock,[...]`` to
Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader
configuration.
Questions and answers
=====================
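Review bot: grammar in the `CONFIG_LSM` paragraph: "should then contains" should be "should then contain", and "enabled at boot time as the other security modules" should be "like the other security modules". The last sentence is misleading as written: ``lsm=landlock,[...]`` goes on the kernel command line through the bootloader configuration, not into Documentation/admin-guide/kernel-parameters.rst, so reword along the lines of "by adding ``lsm=landlock,[...]`` to the kernel command line (see the ``lsm`` entry in Documentation/admin-guide/kernel-parameters.rst)". The same sentence deserves a caveat: ``lsm=`` replaces the built-in `CONFIG_LSM` list rather than appending to it, so `[...]` has to re-list every other module that should stay active. Minor: `CONFIG_SECURITY_LANDLOCK=y`, `CONFIG_LSM` and `landlock` are in single backticks, which rST renders as the default interpreted-text role rather than as literals, while ``lsm=landlock,[...]`` in the same hunk uses double backticks; the config options should use double backticks too.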