Support Landlock LSM #6056

Closed
BoardzMaster opened this issue Sep 27, 2021 · 4 comments
Labels
kind/feature Stale status/more-info-needed Awaiting contributor information

Comments


BoardzMaster commented Sep 27, 2021

What is the problem you're trying to solve

Adding Landlock support in containerd.
Landlock is a stackable LSM providing unprivileged access control for a set of processes.
It was merged in mainline Linux 5.13. Its author is Mickaël Salaün (@l0kod); see https://landlock.io/.
I suppose Landlock will bring better sandboxing with unprivileged features and improve container security.

Describe the solution you'd like

Landlock integration work (for runtime-spec and runc) has been in progress for some time:

  1. Proposal: add Landlock LSM support opencontainers/runtime-spec#1110
  2. Support Landlock LSM? opencontainers/runc#2859, libcontainer: add support for Landlock opencontainers/runc#3194

The containerd Landlock implementation depends on the runtime-spec --> runc solutions, so this is just a start. I'm going to share my point of view on the architecture a bit later.

Additional context

No response

@AkihiroSuda AkihiroSuda added the status/more-info-needed Awaiting contributor information label Sep 28, 2021

BoardzMaster commented Oct 6, 2021

For containerd Landlock integration I suggest the following steps:

  1. Adding an additional command to ctr for loading a standalone Landlock profile JSON file, which must correspond to the OCI runtime-spec as in: specs-go/config: add Landlock LSM support opencontainers/runtime-spec#1111

Example of LandlockProfile.json: [image]

Command example: cli.StringFlag{Name: "Landlock-profile", Usage: "enable Landlock with a custom profile"},

Notes: the Landlock profile could be parsed into the runtime-spec Spec.Process structure and passed to runc.

  2. Landlock integration into the containerd CRI plugin (for Kubernetes or any other orchestrator support).

Notes: add a generateLandlockSpecOpts() function which could be used by containerSpecOpt() in /cri/server/container_create_linux.go

     CreateContainer() ------>RUNC
                  |
                  --->containerSpecOpt()
                                     |
                                     ---> generateLandlockSpecOpts()


There are also several questions that pop up:

  1. Landlock isEnable() function?
    Before applying a Landlock policy there should be a check of whether the host has been configured to support Landlock.

  2. Is a default containerd Landlock profile necessary?
    In the case of AppArmor support in containerd there is default AppArmor profile creation and loading. Do we need a default Landlock profile in the case where the host supports Landlock LSM?

Colleagues, please share your comments and opinions.
I'm going to prepare the PoC patch for further discussion ASAP.
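The two building blocks the steps above call for, a loader for a standalone profile JSON file and an "is Landlock enabled on this host?" check, as an added example in Go; this is not containerd's, runc's or the issue author's code. The JSON field names (handledAccessFS, rules, paths, allowedAccess) and the function names are assumptions made here for illustration, since the runtime-spec schema was still being discussed in PR #1111; the syscall number 444 and the LANDLOCK_ACCESS_FS_* bits come from the kernel's <linux/landlock.h>. It is Linux-only and uses only the standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"syscall"
)

// landlock_create_ruleset is syscall 444 on every Linux architecture.
const (
	sysLandlockCreateRuleset = 444
	createRulesetVersion     = 1 << 0 // LANDLOCK_CREATE_RULESET_VERSION
)

// LANDLOCK_ACCESS_FS_* bits from <linux/landlock.h>.
var accessFS = map[string]uint64{
	"execute": 1 << 0, "write_file": 1 << 1, "read_file": 1 << 2, "read_dir": 1 << 3,
	"remove_dir": 1 << 4, "remove_file": 1 << 5, "make_char": 1 << 6, "make_dir": 1 << 7,
	"make_reg": 1 << 8, "make_sock": 1 << 9, "make_fifo": 1 << 10, "make_block": 1 << 11,
	"make_sym": 1 << 12, "refer": 1 << 13, "truncate": 1 << 14,
}

// Rights added after ABI 1 (Linux 5.13): refer in ABI 2 (5.19), truncate in ABI 3 (6.2).
var minABI = map[string]int{"refer": 2, "truncate": 3}

// Profile is a hypothetical shape for a standalone profile file (field names assumed here).
type Profile struct {
	HandledAccessFS []string `json:"handledAccessFS"`
	Rules           []struct {
		Paths         []string `json:"paths"`
		AllowedAccess []string `json:"allowedAccess"`
	} `json:"rules"`
}

// ABIVersion is the "is Landlock enabled on this host?" probe: with the VERSION flag
// and no attribute the kernel returns the highest supported ABI, ENOSYS if it has no
// Landlock at all, EOPNOTSUPP if it is built in but missing from lsm=, EPERM if seccomp blocks it.
func ABIVersion() (int, error) {
	v, _, errno := syscall.Syscall(sysLandlockCreateRuleset, 0, 0, createRulesetVersion)
	if errno != 0 {
		return 0, fmt.Errorf("landlock_create_ruleset(VERSION): %w", errno)
	}
	return int(v), nil
}

// bits rejects unknown names instead of silently weakening the policy.
func bits(names []string) (uint64, error) {
	var mask uint64
	for _, n := range names {
		b, ok := accessFS[n]
		if !ok {
			return 0, fmt.Errorf("unknown Landlock access right %q", n)
		}
		mask |= b
	}
	return mask, nil
}

// CompileJSON resolves a profile for the given ABI. Rights the running kernel does not
// know are dropped from the handled set (it would reject them with EINVAL), so they go
// unenforced there rather than failing the container; allowed bits are clipped to the
// handled set, which the kernel also requires.
func CompileJSON(data []byte, abi int) (handled uint64, rules map[string]uint64, err error) {
	var p Profile
	if err = json.Unmarshal(data, &p); err != nil {
		return 0, nil, err
	}
	if handled, err = bits(p.HandledAccessFS); err != nil {
		return 0, nil, err
	}
	for name, v := range minABI {
		if v > abi {
			handled &^= accessFS[name]
		}
	}
	rules = map[string]uint64{} // path -> access allowed beneath it
	for _, r := range p.Rules {
		allowed, err := bits(r.AllowedAccess)
		if err != nil {
			return 0, nil, err
		}
		for _, path := range r.Paths {
			rules[path] = allowed & handled
		}
	}
	return handled, rules, nil
}

// SampleProfile is constructed for this example: read-only /usr and /lib, writable /tmp.
const SampleProfile = `{
  "handledAccessFS": ["execute", "write_file", "read_file", "read_dir", "remove_dir", "remove_file",
    "make_char", "make_dir", "make_reg", "make_sock", "make_fifo", "make_block", "make_sym", "refer"],
  "rules": [
    {"paths": ["/usr", "/lib"], "allowedAccess": ["execute", "read_file", "read_dir"]},
    {"paths": ["/tmp"], "allowedAccess": ["read_file", "write_file", "read_dir", "make_reg", "remove_file", "refer"]}
  ]
}`

func main() {
	abi, err := ABIVersion() // abi is 0 when the probe fails
	handled, rules, cerr := CompileJSON([]byte(SampleProfile), abi)
	fmt.Printf("probe: abi=%d err=%v; handled=%#x rules=%v err=%v\n", abi, err, handled, rules, cerr)
}
```

ABIVersion is the whole answer to the isEnable() question: a successful call returns the ABI version, and the errno tells the operator what to fix (ENOSYS: kernel too old or built without Landlock; EOPNOTSUPP: add landlock to the lsm= boot parameter; EPERM: a seccomp filter is rejecting the syscall). The ABI masking in CompileJSON is the part a default profile would need, because on a 5.13 host a handled set that mentions refer makes landlock_create_ruleset fail with EINVAL, and failing the container is usually worse than not enforcing one right. Creating the ruleset, adding the path rules with landlock_add_rule and calling landlock_restrict_self remains runc's job in the architecture the issue describes.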

@BoardzMaster (Author)

Dear colleagues, @l0kod, @gnoack!
Please take a look at the issue and the related MR #6120.
Looking forward to your opinion and comments!


github-actions bot commented Sep 2, 2023

This issue is stale because it has been open 90 days with no activity. This issue will be closed in 7 days unless new comments are made or the stale label is removed.

@github-actions github-actions bot added the Stale label Sep 2, 2023

github-actions bot commented Sep 9, 2023

This issue was closed because it has been stalled for 7 days with no activity.

@github-actions github-actions bot closed this as not planned Sep 9, 2023