Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add mount namespaces to linux sandbox #45

Merged
merged 19 commits into from
Sep 28, 2023
Merged

Add mount namespaces to linux sandbox #45

merged 19 commits into from
Sep 28, 2023

Conversation

cd-work
Copy link
Collaborator

@cd-work cd-work commented Sep 25, 2023

This patch adds optional mount namespaces to the linux sandbox to
allow for filesystem isolation on systems without landlock support.

Filesystem isolation now requires either landlock OR namespace creation
to be successful in order for the sandbox creation to be successful.

Landlock will be layered on top of the mount namespace if both are
available.

While landlock automatically resolves symlink access, mount namespaces
do not. So to allow access to /usr/lib through /lib, it is now
necessary to allow both /lib AND /usr/lib.

@cd-work
Copy link
Collaborator Author

cd-work commented Sep 25, 2023

Landlock will be layered on top of the mount namespace if both are
available.

This will probably have implications that are more complicated than one might anticipate. The mount namespace resolves symlinks for example and bind mounts the actual directories instead, this would mean that with landlock you'd have to now give permissions for the symlink directory rather than the symlink target (since it's not a symlink anymore).

While I don't think this is a big issue for our usecase, it definitely feels somewhat concerning.

I've also confirmed that we cannot enforce landlock before the mount namespace without further changes. But it's probably worth testing if this works when allowing read/write access to our /tmp/birdcage-root root location (and what implications this has on access permissions).

Worst-case we certainly could enforce an "either-or" policy, where mount namespaces are only used when landlock fails. Though this would somewhat invalidate the purpose of their introduction.

@cd-work
Move namespace filter to separate module
0749f5a
@cd-work
Add mount namespaces to linux sandbox
231e2cd 
This patch adds optional mount namespaces to the linux sandbox to
allow for filesystem isolation on systems without landlock support.

Filesystem isolation now requires either landlock OR namespace creation
to be successful in order for the sandbox creation to be successful.

Landlock will be layered on top of the mount namespace if both are
available.

While landlock automatically resolves symlink access, mount namespaces
do not. So to allow access to `/usr/lib` through `/lib`, it is now
necessary to allow both `/lib` AND `/usr/lib`.
@cd-work
Require namespace tests to succeed
36030bb
@cd-work
Disable landlock layering
3931129 
This disables landlock if namespace isolation was successful, since they
can do everything landlock can. Since the mount namespace provides a
"fake" version of the root directory, landlock's restrictions on top of
these could have unexpected effects.
@cd-work
Fix empty root directories in mount namespace
9e98f7a 
This fixes an issue where previous sandbox's root directories created
for bind mounts would be available in new sandboxes as empty
directories.

While this doesn't cause any security issues, it causes tests to fail
and would likely be unexpected by consumers.
cd-work
cd-work commented Sep 26, 2023
View reviewed changes
tests/exec.rs Outdated Show resolved Hide resolved
@cd-work cd-work marked this pull request as ready for review September 26, 2023 22:03
kylewillmon
kylewillmon requested changes Sep 27, 2023
View reviewed changes
src/linux/mod.rs Outdated Show resolved Hide resolved
src/linux/namespaces.rs Show resolved Hide resolved
src/linux/namespaces.rs Show resolved Hide resolved
src/linux/namespaces.rs Outdated Show resolved Hide resolved
src/linux/namespaces.rs Outdated Show resolved Hide resolved
src/linux/namespaces.rs Outdated Show resolved Hide resolved
tests/fs_without_landlock.rs Show resolved Hide resolved
kylewillmon
kylewillmon approved these changes Sep 28, 2023
View reviewed changes
src/linux/namespaces.rs Outdated Show resolved Hide resolved
@cd-work cd-work merged commit f6c3be6 into main Sep 28, 2023
11 checks passed
@cd-work cd-work deleted the mount_namespaces branch September 28, 2023 21:28
@l0kod
Copy link

l0kod commented Oct 2, 2023
edited
Loading

Landlock will be layered on top of the mount namespace if both are
available.

This will probably have implications that are more complicated than one might anticipate. The mount namespace resolves symlinks for example and bind mounts the actual directories instead, this would mean that with landlock you'd have to now give permissions for the symlink directory rather than the symlink target (since it's not a symlink anymore).

FYI, Landlock (kernel code and interface) only handles file descriptors. Dereferencing symlink or not is the choice of user space, and in this case I guess the rust-landlock's PathFd helper. It would be easy to pass a file descriptor to the symlink instead.

I've also confirmed that we cannot enforce landlock before the mount namespace without further changes. But it's probably worth testing if this works when allowing read/write access to our /tmp/birdcage-root root location (and what implications this has on access permissions).

Once sandboxed, a process cannot change the filesystem topology (which would enable it to escape the sandbox).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kylewillmon kylewillmon kylewillmon approved these changes

Assignees

@cd-work cd-work

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cd-work @l0kod @kylewillmon