OpenBSD unveil(2)-like function on Linux using Landlock (Linux >= 5.13). Rewritten largely based on gonack's landlockjail.
Important: This is experimental software. DO NOT depend on it for security.
See OpenBSD's unveil(2) for details. Like unveil(2), llunveil allows a process to submit a set of paths and the permissions with which it may access them, after which access to every file and directory it did not submit is denied. The API of llunveil is like that of unveil, with one major difference:

- Filesystem protection is activated upon calling `unveil(NULL, NULL)`, not upon the first call to the unveil function itself. In llunveil, submitted rules have no effect until they are committed. For example:
```c
#define LLUNVEIL_USE_UNVEIL // opt in to a macro named `unveil` (opt-in to prevent name conflicts)
#include <llunveil.h>
#include <assert.h>
#include <stdio.h>
...
unveil("/home/user/", "r");
// Not activated until calling unveil(NULL, NULL): this open still succeeds
assert(fopen("/tmp/some_text.txt", "r") != NULL);
unveil(NULL, NULL); // activate!
// Only /home/user/ is visible now; everything else, /tmp included, is denied
assert(fopen("/tmp/some_text.txt", "r") == NULL);
```
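As an added illustration (example code, not llunveil's or landlockjail's own), here is the same collect-then-commit model written directly against the Landlock syscalls that llunveil wraps: each call queues an O_PATH descriptor plus a Landlock access mask, and the (NULL, NULL) call builds the ruleset, adds the rules, sets no_new_privs and calls landlock_restrict_self. The helper names (ll_unveil, ll_perms_to_access, ll_access_for_mode), the 64-rule limit and the r/w/x/c-to-Landlock bit mapping are this example's own assumptions; the ABI v1 constants and struct layouts are copied from the Linux 5.13 UAPI so the file compiles even without <linux/landlock.h> installed.

```c
/* Added example (not llunveil's own code): a minimal unveil(2)-style wrapper
 * over the raw Landlock syscalls with the same "queue rules, then commit with
 * (NULL, NULL)" model that llunveil uses. ll_unveil(), ll_perms_to_access(),
 * ll_access_for_mode() and the r/w/x/c mapping are this example's assumptions.
 * Struct layouts and bits below are copied from the Linux 5.13 UAPI (ABI v1);
 * a real build would simply #include <linux/landlock.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset   /* syscall numbers introduced in 5.13 */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
#define LL_FS_REMOVE      ((1ULL << 4) | (1ULL << 5))   /* REMOVE_DIR, REMOVE_FILE */
#define LL_FS_MAKE        (0x7FULL << 6)                /* MAKE_CHAR .. MAKE_SYM   */
#define LL_FS_FILE_ONLY   (LL_FS_EXECUTE | LL_FS_WRITE_FILE | LL_FS_READ_FILE)
#define LL_FS_ALL_V1      ((1ULL << 13) - 1)            /* every ABI v1 right      */

#define LL_MAX_RULES 64                                 /* assumed limit */
static struct { int fd; uint64_t access; } ll_rules[LL_MAX_RULES];
static int ll_nrules;

/* "r" = read files and list directories, "w" = write, "x" = execute,
 * "c" = create/remove entries. Unknown flag: returns 0 and sets errno=EINVAL.
 * "" legitimately maps to 0 (path visible, no access). */
uint64_t ll_perms_to_access(const char *perms)
{
    uint64_t access = 0;
    for (; *perms; perms++) {
        switch (*perms) {
        case 'r': access |= LL_FS_READ_FILE | LL_FS_READ_DIR; break;
        case 'w': access |= LL_FS_WRITE_FILE;                 break;
        case 'x': access |= LL_FS_EXECUTE;                    break;
        case 'c': access |= LL_FS_MAKE | LL_FS_REMOVE;        break;
        default:  errno = EINVAL; return 0;
        }
    }
    return access;
}

/* landlock_add_rule rejects directory-only rights on a non-directory with
 * EINVAL, so mask the request down to what the target can actually carry. */
uint64_t ll_access_for_mode(uint64_t access, mode_t mode)
{
    return S_ISDIR(mode) ? access : (access & LL_FS_FILE_ONLY);
}

static int ll_commit(void)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int rc = -1;
    int rs = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rs < 0) return -1;                 /* ENOSYS/EOPNOTSUPP: no Landlock here */
    for (int i = 0; i < ll_nrules; i++) {
        struct ll_path_beneath_attr pb = { .allowed_access = ll_rules[i].access,
                                           .parent_fd = ll_rules[i].fd };
        if (syscall(__NR_landlock_add_rule, rs, LL_RULE_PATH_BENEATH, &pb, 0) < 0)
            goto out;
    }
    /* restrict_self needs no_new_privs unless the caller has CAP_SYS_ADMIN */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
        syscall(__NR_landlock_restrict_self, rs, 0) == 0)
        rc = 0;
out:
    for (int i = 0; i < ll_nrules; i++) close(ll_rules[i].fd);
    ll_nrules = 0;
    close(rs);
    return rc;
}

/* unveil(2)-shaped entry point: ll_unveil(path, perms) queues a rule,
 * ll_unveil(NULL, NULL) commits the whole set and locks the process. */
int ll_unveil(const char *path, const char *perms)
{
    if (path == NULL && perms == NULL) return ll_commit();
    if (path == NULL || perms == NULL || ll_nrules == LL_MAX_RULES) { errno = EINVAL; return -1; }
    errno = 0;
    uint64_t access = ll_perms_to_access(perms);
    if (access == 0 && errno == EINVAL) return -1;
    int fd = open(path, O_PATH | O_CLOEXEC);   /* O_PATH: no read access needed */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    ll_rules[ll_nrules].fd = fd;
    ll_rules[ll_nrules].access = ll_access_for_mode(access, st.st_mode);
    ll_nrules++;
    return 0;
}

int main(void)
{
    /* Same experiment as the README snippet: nothing is enforced until commit. */
    if (ll_unveil("/usr", "rx") < 0) { perror("ll_unveil"); return 1; }
    FILE *before = fopen("/etc/hostname", "r");
    if (ll_unveil(NULL, NULL) < 0) { perror("commit"); return 1; }
    FILE *after = fopen("/etc/hostname", "r");
    printf("before commit: %s, after commit: %s\n",
           before ? "opened" : "denied", after ? "opened" : "denied");
    return 0;
}
```

Two things the README snippet does not show: Landlock returns EINVAL when a rule on a regular file asks for directory-only rights such as READ_DIR, so the wrapper masks those off after fstat; and landlock_restrict_self fails with EPERM unless no_new_privs is set (or the caller holds CAP_SYS_ADMIN), which is why the commit step sets it first. Handling only the ABI v1 rights keeps this working on 5.13, at the cost of not covering the REFER and TRUNCATE rights that later ABI versions added.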
Building requires a C11-compatible compiler, Linux >= 5.13 headers (for the Landlock syscall numbers) and CMake for build generation. At run time the kernel must also have Landlock enabled (CONFIG_SECURITY_LANDLOCK, with `landlock` in the active LSM list); otherwise the Landlock syscalls fail and no protection is applied.

```sh
mkdir build
cd build
cmake ..
make -j
```
lljail is a completely rewritten application based on landlockjail that launches a program with restricted file access.
```console
marty@zack ~/D/l/build> ./lljail -r /usr -rx /usr/lib -rx /usr/lib64 -rx /lib64 -rx /bin -r /tmp -- /bin/bash
bash: /etc/bash.bashrc: Permission denied
bash: /home/marty/.bashrc: Permission denied
bash-5.1$ # We see permission denied because we didn't allow access to /etc and ~ in lljail
bash-5.1$ # Likewise we can't write to /tmp
bash-5.1$ echo Hello World > /tmp/asd
bash: /tmp/asd: Permission denied
bash-5.1$ exit
marty@zack ~/D/l/build> ./lljail -r /usr -rx /usr/lib -rx /usr/lib64 -rx /lib64 -rx /bin -rwc /tmp -r /etc -r $HOME -rw /dev -- /bin/bash
[marty@zack build]$ # Now BASH has full access to the folders. And we gave _write_ and _create_ permission to /tmp.
[marty@zack build]$ echo Hello World > /tmp/asd # Now this works
[marty@zack build]$ cat /tmp/asd
Hello World
[marty@zack build]$ # But we still can't execute anything in /usr/local/bin
[marty@zack build]$ /usr/local/bin/example
bash: /usr/local/bin/example: Permission denied
```
- Make unit tests
- Ensure the same behaviour as OpenBSD's unveil(2)
- Remove debug error prints
- Proper `errno` handling