2 unstable releases

0.2.0 Jan 30, 2023
0.1.0 Apr 14, 2021

#165 in Unix APIs

Download history 47/week @ 2023-01-31 123/week @ 2023-02-07 76/week @ 2023-02-14 90/week @ 2023-02-21 68/week @ 2023-02-28 80/week @ 2023-03-07 70/week @ 2023-03-14 70/week @ 2023-03-21 165/week @ 2023-03-28 131/week @ 2023-04-04 113/week @ 2023-04-11 114/week @ 2023-04-18 104/week @ 2023-04-25 126/week @ 2023-05-02 131/week @ 2023-05-09 46/week @ 2023-05-16

428 downloads per month
Used in birdcage

MIT/Apache

86KB
1.5K SLoC

Rust Landlock library

Landlock is a security feature available since Linux 5.13. The goal is to enable to restrict ambient rights (e.g., global filesystem access) for a set of processes by creating safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs, unexpected or malicious behaviors in applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves. More information about Landlock can be found in the official website.

This Rust crate provides a safe abstraction for the Landlock system calls along with some helpers. See the Rust Landlock API documentation.

Minimum Supported Rust Version (MSRV): 1.63


lib.rs:

Landlock is a security feature available since Linux 5.13. The goal is to enable to restrict ambient rights (e.g., global filesystem access) for a set of processes by creating safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs, unexpected or malicious behaviors in applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves. More information about Landlock can be found in the official website.

This crate provides a safe abstraction for the Landlock system calls, along with some helpers.

Use cases

This crate is especially useful for built-in application sandboxing:

  • Parser hardening (e.g., archive tools, file format conversion, renderers).
  • (Part of) applications with limited file renaming or linking needs (e.g., some system or network services).
  • Applications dealing with different levels of confidentiality (e.g., web browser, email server).

Examples

A simple example can be found with the [path_beneath_rules()] helper. More complex examples can be found with the Ruleset documentation and the sandboxer example.

Current limitations

This crate exposes the Landlock features available as of Linux 5.19 and then inherits some kernel limitations that will be addressed with future kernel releases (e.g., arbitrary mounts are always denied).

Compatibility

Types defined in this crate are designed to enable the strictest Landlock configuration for the given kernel on which the program runs. In the default best-effort mode, [Ruleset] will determine compatibility with the intersection of the currently running kernel's features and those required by the caller. This way, callers can distinguish between Landlock compatibility issues inherent to the current system (e.g., file names that don't exist) and misconfiguration that should be fixed in the program (e.g., empty or inconsistent access rights). [RulesetError] identifies such kind of errors.

With set_best_effort(), users of the crate may identify which Landlock features are deemed required and which features may be downgraded to use lower security on systems where they can't be enforced. It is discouraged to compare the system's provided Landlock ABI version directly, as it is difficult to track detailed ABI differences which are handled thanks to the [Compatible] trait.

To make it easier to migrate to a new version of this library, we use the builder pattern and designed objects to require the minimal set of method arguments. Most enum are marked as non_exhaustive to enable backward-compatible evolutions.

Test strategy

Developers should test their sandboxed applications with a kernel that supports all requested Landlock features and check that [RulesetCreated::restrict_self()] returns a status matching Ok(RestrictionStatus { ruleset: RulesetStatus::FullyEnforced, no_new_privs: true, }) to make sure everything works as expected in an enforced sandbox. However, applications should only check that no error is returned (i.e. Ok(_)) and optionally log and inform users that the application is not fully sandboxed because of missing features from the running kernel.

Dependencies

~0.5–1MB
~24K SLoC