specs-go/config: add Landlock LSM support

Linux kernel 5.13 adds support for Landlock Linux Security Module (LSM).
This allows unprivileged processes to create safe security sandboxes
that can securely restrict the ambient rights (e.g. global filesystem
access) for themselves.

opencontainers#1110

Signed-off-by: Kailun Qin <[email protected]>

config.md

@@ -211,7 +211,14 @@ For Linux-based systems, the `process` object supports the following process-spe
  This is a per-process setting, where as [`disableOOMKiller`](config-linux.md#memory) is scoped for a memory cgroup.
  For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2].
 * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process.
- For more information about SELinux, see [SELinux documentation][selinux].
+ For more information about SELinux, see [SELinux documentation][selinux].
+* **`landlock`** (object, OPTIONAL) specifies the Landlock unprivileged access control settings for the container process.
+ For more information about Landlock, see [Landlock documentation][landlock].
+ `landlock` contains the following properties:
+
+ * **`ruleset`** (object, OPTIONAL) the `ruleset` field identifies a set of rules (i.e., actions on objects) that need to be handled (i.e., restricted).
+ * **`rules`** (array of objects, OPTIONAL) the `rules` field specifies the security policies (i.e., actions allowed on objects) to be added to an existing ruleset
+ * **`abi`** (object, OPTIONAL) the `abi` field defines the specific Landlock ABI version.
 
 ### <a name="configUser" />User
 
@@ -253,6 +260,65 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
  ],
  "apparmorProfile": "acme_secure_profile",
  "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
+ "landlock": {
+ "ruleset": {
+ "handledAcessFS": [
+ "LANDLOCK_ACCESS_FS_EXECUTE",
+ "LANDLOCK_ACCESS_FS_WRITE_FILE",
+ "LANDLOCK_ACCESS_FS_READ_FILE",
+ "LANDLOCK_ACCESS_FS_READ_DIR",
+ "LANDLOCK_ACCESS_FS_REMOVE_DIR",
+ "LANDLOCK_ACCESS_FS_REMOVE_FILE",
+ "LANDLOCK_ACCESS_FS_MAKE_CHAR",
+ "LANDLOCK_ACCESS_FS_MAKE_DIR",
+ "LANDLOCK_ACCESS_FS_MAKE_REG",
+ "LANDLOCK_ACCESS_FS_MAKE_SOCK",
+ "LANDLOCK_ACCESS_FS_MAKE_FIFO",
+ "LANDLOCK_ACCESS_FS_MAKE_BLOCK",
+ "LANDLOCK_ACCESS_FS_MAKE_SYM"
+ ]
+ },
+ "rules": [
+ {
+ "type": "path_beneath",
+ "restrictPaths": {
+ "allowedAccess": [
+ "LANDLOCK_ACCESS_FS_EXECUTE",
+ "LANDLOCK_ACCESS_FS_READ_FILE",
+ "LANDLOCK_ACCESS_FS_READ_DIR"
+ ],
+ "paths": [
+ "/usr",
+ "/bin"
+ ]
+ }
+ },
+ {
+ "type": "path_beneath",
+ "restrictPaths": {
+ "allowedAccess": [
+ "LANDLOCK_ACCESS_FS_EXECUTE",
+ "LANDLOCK_ACCESS_FS_WRITE_FILE",
+ "LANDLOCK_ACCESS_FS_READ_FILE",
+ "LANDLOCK_ACCESS_FS_READ_DIR",
+ "LANDLOCK_ACCESS_FS_REMOVE_DIR",
+ "LANDLOCK_ACCESS_FS_REMOVE_FILE",
+ "LANDLOCK_ACCESS_FS_MAKE_CHAR",
+ "LANDLOCK_ACCESS_FS_MAKE_DIR",
+ "LANDLOCK_ACCESS_FS_MAKE_REG",
+ "LANDLOCK_ACCESS_FS_MAKE_SOCK",
+ "LANDLOCK_ACCESS_FS_MAKE_FIFO",
+ "LANDLOCK_ACCESS_FS_MAKE_BLOCK",
+ "LANDLOCK_ACCESS_FS_MAKE_SYM"
+ ],
+ "paths": [
+ "/tmp"
+ ]
+ }
+ },
+ ],
+ "abi": "v1"
+ },
  "noNewPrivileges": true,
  "capabilities": {
  "bounding": [
@@ -958,7 +1024,8 @@ Here is a full example `config.json` for reference.
 
 [apparmor]: https://wiki.ubuntu.com/AppArmor
 [cgroup-v1-memory_2]: https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt
-[selinux]:http://selinuxproject.org/page/Main_Page
+[selinux]: http://selinuxproject.org/page/Main_Page
+[landlock]: https://landlock.io
 [no-new-privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
 [proc_2]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt
 [umask.2]: http://pubs.opengroup.org/onlinepubs/009695399/functions/umask.html

specs-go/config.go

@@ -58,8 +58,80 @@ type Process struct {
  OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"`
  // SelinuxLabel specifies the selinux context that the container process is run as.
  SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
+ // Landlock specifies the Landlock unprivileged access control settings for the container process.
+ Landlock Landlock `json:"landlock,omitempty" platform:"linux"`
 }
 
+// Landlock specifies the Landlock unprivileged access control settings for the container process.
+type Landlock struct {
+ // Ruleset identifies a set of rules (i.e., actions on objects) that need to be handled.
+ Ruleset LandlockRuleset `json:"ruleset,omitempty" platform:"linux"`
+ // Rules are the security policies (i.e., actions allowed on objects) to be added to an existing ruleset.
+ Rules []LandlockRule `json:"rules,omitempty" platform:"linux"`
+ // ABI is the specific Landlock ABI version.
+ ABI LandlockABIVersion `json:"abi,omitempty" platform:"linux"`
+}
+
+// LandlockRuleset identifies a set of rules (i.e., actions on objects) that need to be handled.
+type LandlockRuleset struct {
+ // HandledAccessFS is a list of actions that is handled by this ruleset and should then be
+ // forbidden if no rule explicitly allow them.
+ HandledAccessFS []LandlockFSAction `json:"handledAcessFS,omitempty" platform:"linux"`
+}
+
+// LandlockRule represents the security policies (i.e., actions allowed on objects) .
+type LandlockRule struct {
+ // Type is the Landlock rule type pointing to the rules to be added to an existing ruleset.
+ Type LandlockRuleType `json:"type,omitempty" platform:"linux"`
+ // RestrictPaths defines the file-hierarchy typed rule.
+ RestrictPaths LandlockRestrictPaths `json:"restrictPaths,omitempty" platform:"linux"`
+}
+
+// LandlockRestrictPaths defines the file-hierarchy typed rule that grants the access rights specified by
+// `AllowedAccess` to the file hierarchies under the given `Paths`.
+type LandlockRestrictPaths struct {
+ // AllowedAccess contains a list of allowed filesystem actions for the file hierarchies.
+ AllowedAccess []LandlockFSAction `json:"allowedAccess,omitempty" platform:"linux"`
+ // Paths are the files or parent directories of the file hierarchies to restrict.
+ Paths []string `json:"paths,omitempty" platform:"linux"`
+}
+
+// LandlockABIVersion used to identify the ABI level to use for Landlock.
+type LandlockABIVersion string
+
+// Define the supported Landlock ABI versions. There is currently only one supported Landlock ABI version.
+const (
+ V1 LandlockABIVersion = "v1"
+)
+
+// LandlockRuleType taken upon adding a new Landlock rule to a ruleset.
+type LandlockRuleType string
+
+// Define types for Landlock rules. There is currently only one Landlock rule type.
+const (
+ PathBeneath LandlockRuleType = "path_beneath"
+)
+
+// LandlockFSAction used to specify the FS actions that are handled by a ruleset or allowed by a rule.
+type LandlockFSAction string
+
+// Define actions on files and directories that Landlock can restrict a sandboxed process to.
+const (
+ FSActExecute LandlockFSAction = "LANDLOCK_ACCESS_FS_EXECUTE"
+ FSActWriteFile LandlockFSAction = "LANDLOCK_ACCESS_FS_WRITE_FILE"
+ FSActReadFile LandlockFSAction = "LANDLOCK_ACCESS_FS_READ_FILE"
+ FSActReadDir LandlockFSAction = "LANDLOCK_ACCESS_FS_READ_DIR"
+ FSActRemoveDir LandlockFSAction = "LANDLOCK_ACCESS_FS_REMOVE_DIR"
+ FSActRemoveFile LandlockFSAction = "LANDLOCK_ACCESS_FS_REMOVE_FILE"
+ FSActMakeChar LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_CHAR"
+ FSActMakeDir LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_DIR"
+ FSActMakeReg LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_REG"
+ FSActMakeSock LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_SOCK"
+ FSActMakeFifo LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_FIFO"
+ FSActMakeBlock LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_BLOCK"
+ FSActMakeSym LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_SYM"
+)
+
 // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process.
 // http://man7.org/linux/man-pages/man7/capabilities.7.html
 type LinuxCapabilities struct {