News: 0001481875

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Linux's Landlock Sandboxed Apps Could Remove Restrictions On Itself

([Linux Security] 5 Hours Ago Landlock Bug)


Merged back in 2021 for Linux 5.13 was [1]Landlock as a means of unprivileged application sandboxing . The [2]Landlock Linux security module has continued to be improved since but it turns out there's been a big hole within this security module since its introduction... The possibility for apps to drop restrictions on itself.

For apps that have access to the fork() and keyctl() system calls, it turns out it's been possible to get rid of all Landlock restrictions on the sandboxed application itself. This has existed going back to the code merged in 2021 within the bits for setting up the security framework and credential management for this means of unprivileged access control.

But the good news is Google engineer Jann Horn has now dealt with this issue of locking track of Landlock restrictions within the "cred_transfer" code. The fix was merged this weekend into Linux 6.11 Git and it's marked for back-porting to all the still-maintained kernel series over the past three years.

Jann Horn explains in [3]the patch fixing the security issue:

"When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost.

This basically means that a process with the ability to use the fork() and keyctl() syscalls can get rid of all Landlock restrictions on itself.

Fix it by adding a cred_transfer hook that does the same thing as the existing cred_prepare hook. (Implemented by having hook_cred_prepare() call hook_cred_transfer() so that the two functions are less likely to accidentally diverge in the future.)"

The fix was [4]merged ahead of Linux 6.11-rc1 due out later today. Look for this Landlock fix coming to the stable Linux kernel series over the coming days.



[1] https://www.phoronix.com/news/Linux-5.13-Landlock-Lands

[2] https://www.phoronix.com/search/Landlock

[3] https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/commit/?h=next&id=39705a6c29f8a2b93cf5b99528a55366c50014d1

[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=86b405ad8d0d2994a7ffbacb8fcf83be8afb952c



varikonniemi

ultimA

drastic

szymon_g

Brittle2

varikonniemi

Volta

oiaohm

oiaohm

Proposed Additions to the PDP-11 Instruction Set:

PI Punch Invalid
POPI Punch Operator Immediately
PVLC Punch Variable Length Card
RASC Read And Shred Card
RPM Read Programmers Mind
RSSC reduce speed, step carefully (for improved accuracy)
RTAB Rewind tape and break
RWDSK rewind disk
RWOC Read Writing On Card
SCRBL scribble to disk - faster than a write
SLC Search for Lost Chord
SPSW Scramble Program Status Word
SRSD Seek Record and Scar Disk
STROM Store in Read Only Memory
TDB Transfer and Drop Bit
WBT Water Binary Tree