Linux's Landlock Sandboxed Apps Could Remove Restrictions On Itself
([Linux Security] 5 Hours Ago
Landlock Bug)
- Reference: 0001481875
- News link: https://www.phoronix.com/news/Landlock-Restrictions-Bug-Fixed
- Source link:
Merged back in 2021 for Linux 5.13 was [1]Landlock as a means of unprivileged application sandboxing . The [2]Landlock Linux security module has continued to be improved since but it turns out there's been a big hole within this security module since its introduction... The possibility for apps to drop restrictions on itself.
For apps that have access to the fork() and keyctl() system calls, it turns out it's been possible to get rid of all Landlock restrictions on the sandboxed application itself. This has existed going back to the code merged in 2021 within the bits for setting up the security framework and credential management for this means of unprivileged access control.
But the good news is Google engineer Jann Horn has now dealt with this issue of locking track of Landlock restrictions within the "cred_transfer" code. The fix was merged this weekend into Linux 6.11 Git and it's marked for back-porting to all the still-maintained kernel series over the past three years.
Jann Horn explains in [3]the patch fixing the security issue:
"When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost.
This basically means that a process with the ability to use the fork() and keyctl() syscalls can get rid of all Landlock restrictions on itself.
Fix it by adding a cred_transfer hook that does the same thing as the existing cred_prepare hook. (Implemented by having hook_cred_prepare() call hook_cred_transfer() so that the two functions are less likely to accidentally diverge in the future.)"
The fix was [4]merged ahead of Linux 6.11-rc1 due out later today. Look for this Landlock fix coming to the stable Linux kernel series over the coming days.
[1] https://www.phoronix.com/news/Linux-5.13-Landlock-Lands
[2] https://www.phoronix.com/search/Landlock
[3] https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/commit/?h=next&id=39705a6c29f8a2b93cf5b99528a55366c50014d1
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=86b405ad8d0d2994a7ffbacb8fcf83be8afb952c
For apps that have access to the fork() and keyctl() system calls, it turns out it's been possible to get rid of all Landlock restrictions on the sandboxed application itself. This has existed going back to the code merged in 2021 within the bits for setting up the security framework and credential management for this means of unprivileged access control.
But the good news is Google engineer Jann Horn has now dealt with this issue of locking track of Landlock restrictions within the "cred_transfer" code. The fix was merged this weekend into Linux 6.11 Git and it's marked for back-porting to all the still-maintained kernel series over the past three years.
Jann Horn explains in [3]the patch fixing the security issue:
"When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost.
This basically means that a process with the ability to use the fork() and keyctl() syscalls can get rid of all Landlock restrictions on itself.
Fix it by adding a cred_transfer hook that does the same thing as the existing cred_prepare hook. (Implemented by having hook_cred_prepare() call hook_cred_transfer() so that the two functions are less likely to accidentally diverge in the future.)"
The fix was [4]merged ahead of Linux 6.11-rc1 due out later today. Look for this Landlock fix coming to the stable Linux kernel series over the coming days.
[1] https://www.phoronix.com/news/Linux-5.13-Landlock-Lands
[2] https://www.phoronix.com/search/Landlock
[3] https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/commit/?h=next&id=39705a6c29f8a2b93cf5b99528a55366c50014d1
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=86b405ad8d0d2994a7ffbacb8fcf83be8afb952c
varikonniemi