security: Add landlock file restriction #486
Conversation
|
This binary uses |
|
By the way, your patch results to a code that doesn't even compile, this is not a good sign at all. |
|
I guess it misses a check for the header files (e.g. Suricata). |
nbouchinet-anssi
force-pushed
the
landlock
branch
from
29050ef
to
7239ef0
Compare
Hi, Thanks for the reply, sorry I indeed missed to add checks for the header files |
It should be also optional as presence of the headers should not automatically mean that the support should be compiled in. |
I'd suggest to enable sandboxing whenever possible to protect users. This could be an enabled-by-default configuration though, but I'm not sure this complexity is worth it because Landlock support must not break anything anyway. |
Sorry I didn't saw this interface before the PR, I'll read more about getspnam_r to see if a more fine tuned ruleset is feasible as it will be more restrictive than a read-only access to the whole filesystem. |
nbouchinet-anssi
force-pushed
the
landlock
branch
from
7239ef0
to
ce01d8e
Compare
nbouchinet-anssi
force-pushed
the
landlock
branch
2 times, most recently
from
1a71a67
to
f98caca
Compare
nbouchinet-anssi
force-pushed
the
landlock
branch
2 times, most recently
from
e95ec8a
to
1175413
Compare
|
Hi, I will not be available for the next 3 weeks. |
nbouchinet-anssi
force-pushed
the
landlock
branch
from
1175413
to
98c56a2
Compare
|
Hi, sorry it took far more than 3 weeks for me to reply. I've change the Landlock rule to enforce a read-only access to the whole filesystem as suggested by @ldv-alt . The |
nbouchinet-anssi
force-pushed
the
landlock
branch
from
98c56a2
to
84eb5c0
Compare
This patch adds a minimalist Landlock support to PAM which restricts the SUID unix_chkpwd binary to a readonly access to the whole filesystem. The goal here is to provide security in depth limiting access to the few resources this program needs limiting uncontrolled privileged access to the system. The patch should evolve to support finer restrictions on other PAM modules/binaries. * libpam/include/security/pam_sandbox.h: Add a minimalist Landlock file restriction function. * modules/pam_unix/unix_chkpwd.c: Add a read-only access restriction to the filesystem using Landlock. Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
nbouchinet-anssi
force-pushed
the
landlock
branch
from
56a7d11
to
36c1f46
Compare
This patch adds a minimalist Landlock support to PAM which restricts the
SUID unix_chkpwd binary to a strict readonly access to /etc/shadow. The
goal here is to provide security in depth limiting access to the few
resources this program needs limiting uncontrolled privileged access to
the system.
The patch should evolve to support finer restrictions on other PAM
modules/binaries.