landlock: Explain how to support Landlock
Let's help users by documenting how to enable and check for Landlock in the kernel and the running system. The userspace-api section may not be the best place for this but it still makes sense to put all the user documentation at the same place.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220513112743.156414-1-mic@digikod.net
Reviewed-by: Paul Moore <paul@paul-moore.com>
parent 9e0c76b9f1
commit 5e469829ba
@ -1,7 +1,7 @@
.. SPDX-License-Identifier: GPL-2.0
.. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
.. Copyright © 2019-2020 ANSSI
.. Copyright © 2021 Microsoft Corporation
.. Copyright © 2021-2022 Microsoft Corporation
=====================================
Landlock: unprivileged access control
@ -18,6 +18,13 @@ is expected to help mitigate the security impact of bugs or
unexpected/malicious behaviors in user space applications. Landlock empowers
any process, including unprivileged ones, to securely restrict themselves.
We can quickly make sure that Landlock is enabled in the running system by
looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep
landlock || journalctl -kg landlock`` . Developers can also easily check for
Landlock support with a :ref:`related system call <landlock_abi_versions>`. If
Landlock is not currently supported, we need to :ref:`configure the kernel
appropriately <kernel_support>`.
Landlock rules
==============
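Review bot: the inline literal in the new paragraph closes as ``landlock`` followed by a space and then the period, which renders a stray space before the full stop; reStructuredText accepts punctuation directly after the closing backticks, so write ``landlock``. instead. Two content points on the same paragraph: the "(as root)" hint is worth keeping, since an unprivileged `dmesg` can be refused when `kernel.dmesg_restrict` is set, and finding "landlock: Up and running" is only evidence that the LSM was initialized at boot, so on a long-running system the message may already have left the kernel ring buffer and an empty `dmesg | grep landlock` result does not prove Landlock is absent. Consider saying explicitly that the ABI-version system call mentioned in the next sentence is the authoritative check, with the log search as a quick first look.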
@ -264,6 +271,8 @@ users, and because they may use different kernel versions, it is strongly
encouraged to follow a best-effort security approach by checking the Landlock
ABI version at runtime and only enforcing the supported features.
.. _landlock_abi_versions:
Landlock ABI versions
---------------------
@ -388,6 +397,24 @@ Starting with the Landlock ABI version 2, it is now possible to securely
control renaming and linking thanks to the new `LANDLOCK_ACCESS_FS_REFER`
access right.
.. _kernel_support:
Kernel support
==============
Landlock was first introduced in Linux 5.13 but it must be configured at build
time with `CONFIG_SECURITY_LANDLOCK=y`. Landlock must also be enabled at boot
time as the other security modules. The list of security modules enabled by
default is set with `CONFIG_LSM`. The kernel configuration should then
contains `CONFIG_LSM=landlock,[...]` with `[...]` as the list of other
potentially useful security modules for the running system (see the
`CONFIG_LSM` help).
If the running kernel doesn't have `landlock` in `CONFIG_LSM`, then we can
still enable it by adding ``lsm=landlock,[...]`` to
Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader
configuration.
Questions and answers
=====================
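Review bot: in "The kernel configuration should then contains `CONFIG_LSM=landlock,[...]`", "contains" should be "contain", and "enabled at boot time as the other security modules" reads better as "like the other security modules". More importantly, the last paragraph is ambiguous: "adding ``lsm=landlock,[...]`` to Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader configuration" reads as if the documentation file were to be edited, whereas the intent is to pass `lsm=landlock,[...]` on the kernel command line through the bootloader, with kernel-parameters.rst only as the reference for that parameter; suggest "by adding ``lsm=landlock,[...]`` to the kernel command line in the bootloader configuration (see the `lsm=` entry in Documentation/admin-guide/kernel-parameters.rst)". It would also help readers to state that `lsm=` replaces the built-in `CONFIG_LSM` list rather than extending it, so `[...]` must name every other module the system relies on, otherwise those modules are silently left disabled.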