security: Add landlock file restriction #486
base: master
Conversation
This binary uses
By the way, your patch results in code that doesn't even compile; this is not a good sign at all.
I guess it misses a check for the header files (e.g. Suricata).
Force-pushed from 29050ef to 7239ef0.
Hi, thanks for the reply. Sorry, I indeed missed adding checks for the header files.
It should also be optional, as presence of the headers should not automatically mean that the support should be compiled in.
I'd suggest enabling sandboxing whenever possible to protect users. This could be an enabled-by-default configuration though, but I'm not sure this complexity is worth it because Landlock support must not break anything anyway.
Sorry, I didn't see this interface before the PR. I'll read more about getspnam_r to see if a more finely tuned ruleset is feasible, as it will be more restrictive than read-only access to the whole filesystem.
Force-pushed from 7239ef0 to ce01d8e.
Force-pushed from 1a71a67 to f98caca.
Force-pushed from e95ec8a to 1175413.
Hi, I will not be available for the next 3 weeks.
Force-pushed from 1175413 to 98c56a2.
Hi, sorry it took far more than 3 weeks for me to reply. I've changed the Landlock rule to enforce read-only access to the whole filesystem as suggested by @ldv-alt. The
Looks good to me but I didn't test it.
Force-pushed from 98c56a2 to 84eb5c0.
This patch adds a minimalist Landlock support to PAM which restricts the
SUID unix_chkpwd binary to a readonly access to the whole filesystem. The
goal here is to provide security in depth limiting access to the few
resources this program needs limiting uncontrolled privileged access to
the system.
The patch should evolve to support finer restrictions on other PAM
modules/binaries.

* libpam/include/security/pam_sandbox.h: Add a minimalist Landlock file restriction function.
* modules/pam_unix/unix_chkpwd.c: Add a read-only access restriction to the filesystem using Landlock.

Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
Force-pushed from 56a7d11 to 36c1f46.
This patch adds a minimalist Landlock support to PAM which restricts the
SUID unix_chkpwd binary to a strict readonly access to /etc/shadow. The
goal here is to provide security in depth limiting access to the few
resources this program needs limiting uncontrolled privileged access to
the system.
The patch should evolve to support finer restrictions on other PAM
modules/binaries.
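The two commit messages above describe confining unix_chkpwd with Landlock, first to /etc/shadow and then to read-only access to the whole filesystem, and the discussion stresses that Landlock support must not break anything on kernels without it. The following is an added, stand-alone C example of that technique; it is not the PR's pam_sandbox.h code and does not reproduce it. It assumes the Linux Landlock syscalls (landlock_create_ruleset, landlock_add_rule, landlock_restrict_self, ABI 1 and later) and the fallback of running unrestricted when the kernel offers no Landlock; the function names landlock_handled_fs, landlock_abi_version and landlock_restrict_readonly, the ABI-to-rights mapping and the demo paths are this example's own choices. It also shows the detail the thread's "read-only to the whole filesystem" rule hides: the set of handled rights must be sized to the running ABI, because handling a right the kernel does not know fails with EINVAL, while a right left unhandled stays permitted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Use the kernel UAPI header when present; otherwise supply the ABI 1 layout. */
#ifdef __has_include
#  if __has_include(<linux/landlock.h>)
#    include <linux/landlock.h>
#    define HAVE_LINUX_LANDLOCK_H 1
#  endif
#endif
#ifndef HAVE_LINUX_LANDLOCK_H
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_EXECUTE   (1ULL << 0)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR  (1ULL << 3)
#endif
/* Rights introduced after ABI 1; older headers may not define them. */
#ifndef LANDLOCK_ACCESS_FS_REFER
#define LANDLOCK_ACCESS_FS_REFER     (1ULL << 13) /* ABI 2, Linux 5.19 */
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
#define LANDLOCK_ACCESS_FS_TRUNCATE  (1ULL << 14) /* ABI 3, Linux 6.2 */
#endif
#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) /* ABI 5, Linux 6.10 */
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* What a read-only sandbox still permits: read files, list directories, execute. */
#define LANDLOCK_RO_ACCESS \
    (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)

/* Every filesystem right the kernel knows at a given ABI (mapping assumed from the
 * Landlock UAPI history). Handling an unknown right is rejected with EINVAL; a right
 * left unhandled (e.g. TRUNCATE on ABI 1) is NOT restricted by the ruleset. */
uint64_t landlock_handled_fs(int abi)
{
    uint64_t mask = (1ULL << 13) - 1; /* ABI 1: EXECUTE .. MAKE_SYM */
    if (abi >= 2) mask |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) mask |= LANDLOCK_ACCESS_FS_TRUNCATE;
    if (abi >= 5) mask |= LANDLOCK_ACCESS_FS_IOCTL_DEV;
    return mask;
}

/* Highest Landlock ABI the kernel offers, or -1 when Landlock is absent or disabled. */
int landlock_abi_version(void)
{
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Confine the calling thread to read-only access beneath the directory `root` ("/" for
 * the whole filesystem). Returns 1 when enforced, 0 when the kernel has no Landlock
 * (the caller keeps running unsandboxed instead of failing), -1 on any other error. */
int landlock_restrict_readonly(const char *root)
{
    int abi = landlock_abi_version();
    if (abi < 0)
        return 0;
    struct landlock_ruleset_attr rs;
    memset(&rs, 0, sizeof rs); /* newer headers add net/scope fields; zero = not handled */
    rs.handled_access_fs = landlock_handled_fs(abi);
    int ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (ruleset_fd < 0)
        return -1;
    struct landlock_path_beneath_attr pb;
    memset(&pb, 0, sizeof pb);
    pb.allowed_access = LANDLOCK_RO_ACCESS;
    pb.parent_fd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (pb.parent_fd < 0)
        goto fail;
    int rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
    close(pb.parent_fd);
    /* no_new_privs is required before restrict_self for an unprivileged caller. */
    if (rc || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(__NR_landlock_restrict_self, ruleset_fd, 0))
        goto fail;
    close(ruleset_fd);
    return 1;
fail:
    close(ruleset_fd);
    return -1;
}

/* Demo: reads keep working, any write attempt fails with EACCES once enforced. */
int main(void)
{
    int st = landlock_restrict_readonly("/");
    if (st < 0) { perror("landlock"); return 1; }
    printf("Landlock %s (ABI %d)\n", st ? "enforced" : "unavailable, running unrestricted",
           landlock_abi_version());
    int fd = open("/etc/passwd", O_RDONLY | O_CLOEXEC);
    printf("open(/etc/passwd, O_RDONLY) -> %s\n", fd >= 0 ? "ok" : strerror(errno));
    if (fd >= 0) close(fd);
    fd = open("/tmp/landlock-demo", O_WRONLY | O_CREAT, 0600); /* constructed demo path */
    printf("open(/tmp/landlock-demo, O_WRONLY|O_CREAT) -> %s\n",
           fd >= 0 ? "ok (not enforced)" : strerror(errno));
    if (fd >= 0) { close(fd); unlink("/tmp/landlock-demo"); }
    return 0;
}
```

Two points worth checking when adapting this: a restriction applies only to the calling thread and is inherited by its children, so it must be installed before the privileged work begins; and narrowing the rule to a single file, as the earlier commit message did with /etc/shadow, requires opening that file without O_DIRECTORY and limiting allowed_access to file rights such as READ_FILE, since the kernel rejects directory-only rights like READ_DIR on a non-directory parent_fd with EINVAL.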