Introduce Landlock isolation support #816

Merged: 1 commit merged into hermit-os:main from sandbox-landlock on Apr 28, 2025

Conversation

n0toose (Member) commented Nov 30, 2024

Leaving this here for now, the most important design problem with this is how Landlock does not allow whitelisting files if they are not created. (So, we'd have to force the user to use a directory for that instead.)

We also need to avoid "parsing" the same --file-mapping inputs twice, as well as not use OnceLock for enforcing the whitelist when the kernel is actually being loaded. UhyveVm::new is called in a new thread because Landlock enforces the restrictions for the entire process and its children. We're not testing if the sandbox is applied correctly yet.

See: https://docs.kernel.org/userspace-api/landlock.html

Fixes #766

@n0toose n0toose changed the title introduce Landlock isolation support Introduce Landlock isolation support Nov 30, 2024
@n0toose n0toose marked this pull request as draft November 30, 2024 22:24
n0toose (Member, Author) commented Dec 1, 2024

Depends on #814.

n0toose (Member, Author) commented Dec 18, 2024

The change incorporates some changes from #844.

@n0toose n0toose marked this pull request as ready for review January 3, 2025 13:05
@mkroening mkroening requested a review from jounathaen January 3, 2025 13:11
n0toose added a commit to n0toose/uhyve that referenced this pull request Jan 5, 2025
Ported from hermit-os#816, fixes a regression introduced by
hermit-os/kernel#1529,
which modified the Hermit kernel so that it uses absolute paths instead
of relative ones.
n0toose (Member, Author) commented Jan 5, 2025

This PR includes work that was split into separate PRs, #844 and #852, which should probably be merged first. This PR relies on hermit-os/kernel#1529. It includes some changes to our tests that reflect the changes made in hermit-os/kernel#1529.

github-merge-queue bot pushed a commit that referenced this pull request Jan 9, 2025
Ported from #816, fixes a regression introduced by
hermit-os/kernel#1529,
which modified the Hermit kernel so that it uses absolute paths instead
of relative ones.
@n0toose n0toose force-pushed the sandbox-landlock branch 3 times, most recently from 20f56b7 to c045ed7 Compare January 10, 2025 19:28
@n0toose n0toose force-pushed the sandbox-landlock branch 3 times, most recently from cad6641 to 4c411d0 Compare April 24, 2025 22:53
@jounathaen jounathaen enabled auto-merge April 28, 2025 13:14
@jounathaen jounathaen added this pull request to the merge queue Apr 28, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 28, 2025
@jounathaen jounathaen added this pull request to the merge queue Apr 28, 2025
Landlock is a stackable Linux Security Module that lets Uhyve restrict
its own capabilities (specifically: access to the filesystem) before
loading untrusted code (here: machine images, which we consider to be
"black boxes").

The Landlock module is present in newer releases of modern Linux
distributions. Uhyve's interaction with Landlock is managed by the class
`UhyveLandlockWrapper`. After Uhyve "collects" all paths it requires to
function, it enforces Landlock _before_ the image is loaded in
`UhyveVm::load_kernel`.

We determine whether a file or a directory is present at a path to:
- whitelist a non-existent file's parent directory,
  see get_parent_directory. UhyveFileMap continues to protect
  the parent directory.
- set the right permissions for paths instead of letting the
  crate "dynamically" remove directory access rights for files,
  because that causes breakage when using strict file isolation
  mode or CompatLevel::HardRequirement (see determine_ruleset).

Additional integration tests were added to check for Landlock-specific
cases, as well as unit tests of the Landlock component (which also
increase coverage of UhyveFileMap).

Uhyve's Landlock functionality is disabled on non-Linux hosts, as Landlock
is never present on non-Linux hosts. Otherwise, it is enabled by default
("CompatLevel::BestEffort", plus the requirement that a version of Landlock
(all ABIs) has to be present on the system). This goes up against the Landlock
author's opinion of taking advantage of existing sandboxing features
"opportunistically", depending on what is actually available on the operating
system. What we chose instead is to prevent execution unless the user
explicitly opts out using `--file-isolation none`.

For now, we rely on the serial_test crate to not break filesystem tests.
Such tests should be run in separate, newly created processes, but that was
left for later. For now, `--file-isolation strict`'s functionality is ensured
by checking against `cargo run` in the CI.

We check whether Landlock was already enabled once before, which
should be useful when using Uhyve as a library. If that is the case,
Uhyve returns an error, as it (probably) cannot function in conjunction
with an existing set of enforced Landlock rulesets. As soon as a
Landlock ruleset is enforced, it cannot be "relaxed".
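The commit message above records three design decisions (a non-existent file is handled through its parent directory, access rights are chosen per path kind instead of letting the crate strip directory rights from file rules, and a second enforcement attempt in the same process is refused), and the opening comment makes the same point about files that do not exist yet. The following is an added example written for this page in std-only Rust; it is not Uhyve's code. The function names (`rule_for`, `merge_rules`, `build_rules`, `mark_enforced`) and the `(host path, writable)` mapping shape are this example's own and do not correspond to `UhyveFileMap`, `get_parent_directory` or `determine_ruleset`; the access bits are the `LANDLOCK_ACCESS_FS_*` values from `<linux/landlock.h>`. The final `restrict_self()` through the `landlock` crate is only described in a comment, so that running the program does not sandbox the caller's own process.

```rust
// Added example (not Uhyve's code): derive the Landlock rules for a file
// mapping before a ruleset is enforced.
use std::collections::BTreeMap;
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicBool, Ordering};

// Bit values of LANDLOCK_ACCESS_FS_* from <linux/landlock.h>.
pub const FS_WRITE_FILE: u64 = 1 << 1;
pub const FS_READ_FILE: u64 = 1 << 2;
pub const FS_READ_DIR: u64 = 1 << 3;
pub const FS_REMOVE_DIR: u64 = 1 << 4;
pub const FS_REMOVE_FILE: u64 = 1 << 5;
pub const FS_MAKE_DIR: u64 = 1 << 7;
pub const FS_MAKE_REG: u64 = 1 << 8;
pub const FS_TRUNCATE: u64 = 1 << 14; // added in Landlock ABI 3
/// Every filesystem access bit up to ABI 3 (bits 0..=14): what a strict
/// ruleset handles, so anything not explicitly allowed by a rule is denied.
pub const HANDLED_FS_ABI3: u64 = (1 << 15) - 1;
/// Rights the kernel only accepts on a directory fd; a path-beneath rule that
/// grants them on a regular file is rejected with EINVAL. Picking rights per
/// path kind here avoids relying on a wrapper to strip them later.
pub const DIR_ONLY: u64 = FS_READ_DIR | FS_REMOVE_DIR | FS_REMOVE_FILE | FS_MAKE_DIR | FS_MAKE_REG;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PathKind { File, Dir, Missing }

pub fn path_kind(p: &Path) -> PathKind {
    match std::fs::metadata(p) {
        Ok(m) if m.is_dir() => PathKind::Dir,
        Ok(_) => PathKind::File,
        Err(_) => PathKind::Missing,
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum RuleError {
    /// Missing file whose parent is not an existing directory: no fd can be
    /// opened for a rule, so the mapping cannot be allowed at all.
    ParentNotDir(PathBuf),
    /// A ruleset is already enforced for this process; it cannot be relaxed.
    AlreadyEnforced,
}

/// One rule: the path an fd is opened on and the rights allowed beneath it.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Rule { pub path: PathBuf, pub access: u64 }

/// Derive the rule for one mapped host path (hypothetical helper).
pub fn rule_for(p: &Path, writable: bool) -> Result<Rule, RuleError> {
    let file = if writable { FS_READ_FILE | FS_WRITE_FILE | FS_TRUNCATE } else { FS_READ_FILE };
    let dir = if writable { DIR_ONLY } else { FS_READ_DIR };
    match path_kind(p) {
        PathKind::File => Ok(Rule { path: p.to_path_buf(), access: file }),
        PathKind::Dir => Ok(Rule { path: p.to_path_buf(), access: file | dir }),
        PathKind::Missing => {
            // Landlock cannot name a file that does not exist yet, so the
            // parent directory is allowed instead, plus the right to create
            // regular files in it when the mapping is writable.
            let parent = p.parent()
                .filter(|q| !q.as_os_str().is_empty() && path_kind(q) == PathKind::Dir)
                .ok_or_else(|| RuleError::ParentNotDir(p.to_path_buf()))?;
            let create = if writable { FS_MAKE_REG } else { 0 };
            Ok(Rule { path: parent.to_path_buf(), access: file | create })
        }
    }
}

/// Merge rules on the same path so each fd is added once with the union of
/// rights: a mapping given twice, or a missing file beside its own mapped
/// parent directory, collapses into a single rule.
pub fn merge_rules(rules: Vec<Rule>) -> Vec<Rule> {
    let mut by_path: BTreeMap<PathBuf, u64> = BTreeMap::new();
    for r in rules { *by_path.entry(r.path).or_insert(0) |= r.access; }
    by_path.into_iter().map(|(path, access)| Rule { path, access }).collect()
}

/// Rules for a whole mapping of (host path, writable), computed in one pass.
pub fn build_rules(mapping: &[(PathBuf, bool)]) -> Result<Vec<Rule>, RuleError> {
    let rules = mapping.iter().map(|(p, w)| rule_for(p, *w)).collect::<Result<Vec<_>, _>>()?;
    Ok(merge_rules(rules))
}

static ENFORCED: AtomicBool = AtomicBool::new(false);

/// Record that a ruleset is being enforced for this process. Landlock
/// restrictions are inherited by every child and never relaxed, so a second
/// attempt (e.g. a library user who already sandboxed the process) is refused
/// rather than producing a VM that may not be able to reach its files.
pub fn mark_enforced() -> Result<(), RuleError> {
    if ENFORCED.swap(true, Ordering::SeqCst) { Err(RuleError::AlreadyEnforced) } else { Ok(()) }
}

fn main() {
    // Constructed demo mapping: a read-only image and a writable log, both
    // absent from the temp dir, so both resolve to the parent directory.
    // With the `landlock` crate each rule would become one
    // `add_rule(PathBeneath::new(PathFd::new(&rule.path)?, access))` on a
    // Ruleset whose `handle_access` covers HANDLED_FS_ABI3, followed by
    // `restrict_self()`; that call is omitted so this program stays unsandboxed.
    let dir = std::env::temp_dir();
    let mapping = vec![(dir.join("image.bin"), false), (dir.join("output.log"), true)];
    match build_rules(&mapping).and_then(|r| mark_enforced().map(|_| r)) {
        Ok(rules) => for r in &rules { println!("{} -> {:#x}", r.path.display(), r.access) },
        Err(e) => eprintln!("cannot build ruleset: {:?}", e),
    }
}
```

Because `rule_for` never emits a `DIR_ONLY` bit for a regular file, the rule list can be applied under `CompatLevel::HardRequirement` without the crate having to drop rights on the fly, which is the failure mode the commit message describes for strict file isolation.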
@jounathaen jounathaen removed this pull request from the merge queue due to a manual request Apr 28, 2025
@jounathaen jounathaen added this pull request to the merge queue Apr 28, 2025
Merged via the queue into hermit-os:main with commit e26a8b9 Apr 28, 2025
28 checks passed
@jounathaen jounathaen deleted the sandbox-landlock branch April 28, 2025 13:56
@n0toose n0toose added feature/security Concerns security-related behavior, soundness, isolation or reliability. feature/file system labels Aug 7, 2025

Successfully merging this pull request may close these issues.

File Isolation: Add support for Landlock