Linux's Landlock Sandboxed Apps Could Remove Restrictions On Themselves
Merged back in 2021 for Linux 5.13 was Landlock as a means of unprivileged application sandboxing. The Landlock Linux security module has continued to be improved since, but it turns out there has been a big hole in this security module since its introduction: the possibility for sandboxed apps to drop the restrictions on themselves.
For apps that have access to the fork() and keyctl() system calls, it turns out it has been possible to get rid of all Landlock restrictions on the sandboxed application itself. This has existed going back to the code merged in 2021 within the bits for setting up the security framework and credential management for this means of unprivileged access control.
But the good news is that Google engineer Jann Horn has now dealt with this issue of losing track of Landlock restrictions within the "cred_transfer" code. The fix was merged this weekend into Linux 6.11 Git and it's marked for back-porting to all the still-maintained kernel series over the past three years.
Jann Horn explains in the patch fixing the security issue:
"When a process' cred struct is replaced, this _almost_ always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost.
This basically means that a process with the ability to use the fork() and keyctl() syscalls can get rid of all Landlock restrictions on itself.
Fix it by adding a cred_transfer hook that does the same thing as the existing cred_prepare hook. (Implemented by having hook_cred_prepare() call hook_cred_transfer() so that the two functions are less likely to accidentally diverge in the future.)"
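The mechanism the patch describes, modelled in plain user-space C as an added example (this is not kernel code and not Jann Horn's patch): a cred built through cred_prepare keeps the Landlock domain, while one built only through cred_transfer loses it until that hook is registered too. struct cred, struct domain, lsm_ops, replace_cred and domain_survives are assumed, simplified stand-ins for the kernel's structures.

```c
/* Added example, not kernel code: a user-space model of the two credential paths
 * the patch describes. All names here are simplified stand-ins for kernel ones. */
#include <stdbool.h>
#include <stddef.h>

struct domain { int refcount; };        /* stands in for landlock_ruleset */
struct cred { struct domain *domain; }; /* stands in for Landlock's cred blob */
struct lsm_ops {
    int  (*cred_prepare)(struct cred *new, const struct cred *old);
    void (*cred_transfer)(struct cred *new, const struct cred *old);
};

/* Shared body, as in the fix: take a reference on the old domain, inherit it. */
static void hook_cred_transfer(struct cred *new, const struct cred *old)
{
    if (!old->domain)
        return;
    old->domain->refcount++;
    new->domain = old->domain;
}
static int hook_cred_prepare(struct cred *new, const struct cred *old)
{
    hook_cred_transfer(new, old); /* delegate so the two hooks cannot diverge */
    return 0;
}

/* Before the fix only cred_prepare was registered; after it, both are. */
static const struct lsm_ops landlock_before = { hook_cred_prepare, NULL };
static const struct lsm_ops landlock_after = { hook_cred_prepare, hook_cred_transfer };

/* A blank cred is filled from the old one through exactly one LSM hook:
 * fork()/execve() go through cred_prepare, while KEYCTL_SESSION_TO_PARENT
 * (a child replacing its parent's cred) goes through cred_transfer only. */
static struct cred replace_cred(const struct lsm_ops *ops, const struct cred *old, bool via_transfer)
{
    struct cred new = { NULL };
    if (!via_transfer && ops->cred_prepare)
        ops->cred_prepare(&new, old);
    else if (via_transfer && ops->cred_transfer)
        ops->cred_transfer(&new, old);
    return new;
}

/* True if a sandboxed parent keeps its domain both in its forked child and in
 * its own cred after the child calls keyctl(KEYCTL_SESSION_TO_PARENT). */
bool domain_survives(const struct lsm_ops *ops)
{
    struct domain dom = { 1 };
    struct cred parent = { &dom };
    struct cred child = replace_cred(ops, &parent, false);
    struct cred parent_new = replace_cred(ops, &parent, true);
    return child.domain == &dom && parent_new.domain == &dom;
}
```

With the pre-fix hook table the parent's replacement cred comes back with no domain, which is the loss of restrictions the patch describes; with both hooks registered it is retained.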
The fix was merged ahead of Linux 6.11-rc1 due out later today. Look for this Landlock fix coming to the stable Linux kernel series over the coming days.