diff options
| author | Mickaël Salaün <mic@digikod.net> | 2022-05-13 13:27:43 +0200 |
|---|---|---|
| committer | Mickaël Salaün <mic@digikod.net> | 2022-05-23 13:28:03 +0200 |
| commit | 5e469829baa1b1320e843adf3631edef1d6d2cf2 (patch) | |
| tree | 8c4653e05e14544ba2d3e17200de495269427303 | |
| parent | 9e0c76b9f1faac0a8ea4b42e2f844ea26106f140 (diff) | |
| download | nf-5e469829baa1b1320e843adf3631edef1d6d2cf2.tar.gz | |
landlock: Explain how to support Landlock
Let's help users by documenting how to enable and check for Landlock in
the kernel and the running system. The userspace-api section may not be
the best place for this but it still makes sense to put all the user
documentation at the same place.
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220513112743.156414-1-mic@digikod.net
Reviewed-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | Documentation/userspace-api/landlock.rst | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 7b4fe621813227..b8ea5949396481 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -1,7 +1,7 @@ .. SPDX-License-Identifier: GPL-2.0 .. Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net> .. Copyright © 2019-2020 ANSSI -.. Copyright © 2021 Microsoft Corporation +.. Copyright © 2021-2022 Microsoft Corporation ===================================== Landlock: unprivileged access control @@ -18,6 +18,13 @@ is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves. +We can quickly make sure that Landlock is enabled in the running system by +looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep +landlock || journalctl -kg landlock`` . Developers can also easily check for +Landlock support with a :ref:`related system call <landlock_abi_versions>`. If +Landlock is not currently supported, we need to :ref:`configure the kernel +appropriately <kernel_support>`. + Landlock rules ============== @@ -264,6 +271,8 @@ users, and because they may use different kernel versions, it is strongly encouraged to follow a best-effort security approach by checking the Landlock ABI version at runtime and only enforcing the supported features. +.. _landlock_abi_versions: + Landlock ABI versions --------------------- @@ -388,6 +397,24 @@ Starting with the Landlock ABI version 2, it is now possible to securely control renaming and linking thanks to the new `LANDLOCK_ACCESS_FS_REFER` access right. +.. _kernel_support: + +Kernel support +============== + +Landlock was first introduced in Linux 5.13 but it must be configured at build +time with `CONFIG_SECURITY_LANDLOCK=y`. Landlock must also be enabled at boot +time as the other security modules. The list of security modules enabled by +default is set with `CONFIG_LSM`. The kernel configuration should then +contains `CONFIG_LSM=landlock,[...]` with `[...]` as the list of other +potentially useful security modules for the running system (see the +`CONFIG_LSM` help). + +If the running kernel doesn't have `landlock` in `CONFIG_LSM`, then we can +still enable it by adding ``lsm=landlock,[...]`` to +Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader +configuration. + Questions and answers ===================== |