landlock-lsm / linux

Linux kernel - See Landlock issues
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/

Clone ruleset #25

Closed l0kod closed 3 months ago

l0kod commented 4 months ago

When building several similar sandboxes, it would be convenient to be able to duplicate a ruleset instead of creating it again. Duplicating the ruleset's file descriptor works, but we just get another reference to the same ruleset. Cloning a ruleset would enable us to factor out the common properties of rulesets or pass it to another process (without the risk that this ruleset gets more rules).

Because landlock_add_rule()'s goal is to modify a ruleset, we could add a new LANDLOCK_ADD_RULE_CLONE flag to first copy the ruleset (if there is more than one reference to it) and then add the new rule, if any.

This interface could also be used to set the ruleset read-only with another flag (e.g. LANDLOCK_ADD_RULE_SEAL).

About naming, here are some proposals: clone (close to the FICLONE semantic), copy, or duplicate (close to the dup() syscall)?

Cc @nbouchinet-anssi

nbouchinet-anssi commented 4 months ago

I'll work on it, can you assign me to the issue?

l0kod commented 4 months ago

Similar need: landlock-lsm/rust-landlock#38

nbouchinet-anssi commented 3 months ago

Cloning a ruleset would be convenient in case of ruleset refining after enforcement.

In order to achieve such a ruleset refining with the current Landlock API, the original ruleset contents and restrictions have to be maintained aside (i.e. an array of structures containing paths and their restrictions). Once the task wants to refine its restrictions, it can evict them from the maintained array, build back a ruleset and enforce it.

Maintaining such a data structure is cumbersome and the ability to clone a ruleset would help.

However, this is also due to Landlock's inability to refine a ruleset (it's not possible to remove a path and its associated restrictions from a ruleset).

Another approach would be to authorize the eviction or the negation of a rule already allowed in the ruleset.

It would also be great to be able to authorize itself access to a path and beneath but not one specific file or directory below it, without knowing every resource it can contain.

With those approaches (ruleset refining and rule negation) a clone feature would not be necessary, at least for this use case.
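The workaround described in this comment (keep the paths and their access rights in a userspace table, evict an entry, rebuild a ruleset and enforce it again on top of the first one), as an added example that is not part of the original post or of the Landlock project's code. The table helpers, the sample paths and the handled-access set are constructed for illustration; the fallback struct and constant definitions are an assumption matching Landlock ABI v1 and are only used when `<linux/landlock.h>` is not available.

```c
/* Added example (not from the issue or the Landlock project): keep the
 * sandbox's allowed paths in a userspace table so that, after enforcement,
 * a narrower ruleset can be rebuilt from the table and stacked on top.
 * Uses <linux/landlock.h> when present; otherwise the Landlock ABI v1
 * definitions below are used (assumption, documented here). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__has_include)
#  if __has_include(<linux/landlock.h>)
#    include <linux/landlock.h>
#    define HAVE_LINUX_LANDLOCK_H 1
#  endif
#endif
#ifndef HAVE_LINUX_LANDLOCK_H
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));
#define LANDLOCK_RULE_PATH_BENEATH    1
#define LANDLOCK_ACCESS_FS_EXECUTE    (1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE  (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR   (1ULL << 3)
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

#define MAX_RULES 16
struct path_rule { const char *path; uint64_t access; };
struct rule_table { struct path_rule rules[MAX_RULES]; size_t count; };

/* Record a path and the access rights allowed beneath it. */
int table_add(struct rule_table *t, const char *path, uint64_t access) {
    if (t->count >= MAX_RULES) return -1;
    t->rules[t->count].path = path;
    t->rules[t->count].access = access;
    t->count++;
    return 0;
}

/* The refining step: drop a path from the table. Returns 1 if removed, 0 if absent. */
int table_evict(struct rule_table *t, const char *path) {
    for (size_t i = 0; i < t->count; i++) {
        if (strcmp(t->rules[i].path, path) != 0) continue;
        memmove(&t->rules[i], &t->rules[i + 1], (t->count - i - 1) * sizeof t->rules[0]);
        t->count--;
        return 1;
    }
    return 0;
}

/* Union of every access right the table grants. */
uint64_t table_handled_access(const struct rule_table *t) {
    uint64_t acc = 0;
    for (size_t i = 0; i < t->count; i++) acc |= t->rules[i].access;
    return acc;
}

/* A rule may only grant rights the ruleset handles; otherwise add_rule fails with EINVAL. */
int table_fits(const struct rule_table *t, uint64_t handled) {
    return (table_handled_access(t) & ~handled) == 0;
}

/* Build a fresh ruleset from the table; returns the ruleset fd or -1 with errno set. */
int table_build_ruleset(const struct rule_table *t, uint64_t handled) {
    struct landlock_ruleset_attr attr = { .handled_access_fs = handled };
    if (!table_fits(t, handled)) { errno = EINVAL; return -1; }
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0) return -1;
    for (size_t i = 0; i < t->count; i++) {
        struct landlock_path_beneath_attr pb = { .allowed_access = t->rules[i].access };
        pb.parent_fd = open(t->rules[i].path, O_PATH | O_CLOEXEC);
        if (pb.parent_fd < 0) goto fail;
        long err = syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
        close(pb.parent_fd);
        if (err) goto fail;
    }
    return ruleset_fd;
fail:
    close(ruleset_fd);
    return -1;
}

/* Enforce a ruleset on the calling thread; stacking only ever narrows access. */
int enforce_ruleset(int ruleset_fd) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return (int)syscall(__NR_landlock_restrict_self, ruleset_fd, 0);
}

int main(void) {
    /* Fixed for the sandbox's lifetime; see the note below on why it is not derived from the table. */
    const uint64_t handled = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE |
                             LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
    struct rule_table t = {0};
    table_add(&t, "/usr", LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_EXECUTE);
    table_add(&t, "/tmp", LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE);
    int fd = table_build_ruleset(&t, handled);
    if (fd < 0 || enforce_ruleset(fd)) { perror("landlock"); return 1; }
    close(fd);
    /* Refine later: evict /tmp, rebuild from the table, stack the narrower ruleset. */
    table_evict(&t, "/tmp");
    fd = table_build_ruleset(&t, handled);
    if (fd < 0 || enforce_ruleset(fd)) { perror("landlock refine"); return 1; }
    close(fd);
    printf("refined sandbox: %zu path rule(s) remain\n", t.count);
    return 0;
}
```

Two points the rebuild has to get right. First, the handled-access set is fixed when the sandbox is designed, not recomputed from whatever rules remain: Landlock only restricts access rights that a ruleset handles, so if `/tmp` were the last rule granting `WRITE_FILE` and the rebuilt ruleset stopped handling `WRITE_FILE`, that second layer would not restrict writes anywhere. Second, re-enforcing works precisely because stacked rulesets intersect; the rebuilt ruleset can only remove what the first one allowed, which is the refinement the comment wants, and is also why this approach can never widen an already enforced sandbox.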

nbouchinet-anssi commented 3 months ago

The ability to set a ruleset in read-only would independently be great.

nbouchinet-anssi commented 3 months ago

I've opened another issue about rule deny listing. I will split the read-only ruleset into its own issue; I think you can close this one if you're ok with it.