From 0257e772999218348bf1186cb855faa00f9b2489 Mon Sep 17 00:00:00 2001
From: Kailun Qin
Date: Mon, 2 Aug 2021 11:01:33 -0400
Subject: [PATCH] specs-go/config: add Landlock LSM support

Linux kernel 5.13 adds support for Landlock Linux Security Module (LSM). This allows unprivileged processes to create safe security sandboxes that can securely restrict the ambient rights (e.g. global filesystem access) for themselves.

https://github.com/opencontainers/runtime-spec/issues/1110

Signed-off-by: Kailun Qin
---
 config.md | 71 +++++++++++++++++++++++++++++++++++++++++++--
 specs-go/config.go | 72 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+), 2 deletions(-)

diff --git a/config.md b/config.md
index 0e08d152f..893fd3ef3 100644
--- a/config.md
+++ b/config.md
@@ -211,7 +211,14 @@ For Linux-based systems, the `process` object supports the following process-spe This is a per-process setting, where as [`disableOOMKiller`](config-linux.md#memory) is scoped for a memory cgroup. For more information on how these two settings work together, see [the memory cgroup documentation section 10. OOM Contol][cgroup-v1-memory_2]. * **`selinuxLabel`** (string, OPTIONAL) specifies the SELinux label for the process. - For more information about SELinux, see [SELinux documentation][selinux]. + For more information about SELinux, see [SELinux documentation][selinux]. +* **`landlock`** (object, OPTIONAL) specifies the Landlock unprivileged access control settings for the container process. + For more information about Landlock, see [Landlock documentation][landlock]. + `landlock` contains the following properties: + + * **`ruleset`** (object, OPTIONAL) the `ruleset` field identifies a set of rules (i.e., actions on objects) that need to be handled (i.e., restricted). + * **`rules`** (array of objects, OPTIONAL) the `rules` field specifies the security policies (i.e., actions allowed on objects) to be added to an existing ruleset + * **`abi`** (object, OPTIONAL) the `abi` field defines the specific Landlock ABI version. ### User 
@@ -253,6 +260,65 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
 ],
 "apparmorProfile": "acme_secure_profile",
 "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
+ "landlock": {
+ "ruleset": {
+ "handledAcessFS": [
+ "LANDLOCK_ACCESS_FS_EXECUTE",
+ "LANDLOCK_ACCESS_FS_WRITE_FILE",
+ "LANDLOCK_ACCESS_FS_READ_FILE",
+ "LANDLOCK_ACCESS_FS_READ_DIR",
+ "LANDLOCK_ACCESS_FS_REMOVE_DIR",
+ "LANDLOCK_ACCESS_FS_REMOVE_FILE",
+ "LANDLOCK_ACCESS_FS_MAKE_CHAR",
+ "LANDLOCK_ACCESS_FS_MAKE_DIR",
+ "LANDLOCK_ACCESS_FS_MAKE_REG",
+ "LANDLOCK_ACCESS_FS_MAKE_SOCK",
+ "LANDLOCK_ACCESS_FS_MAKE_FIFO",
+ "LANDLOCK_ACCESS_FS_MAKE_BLOCK",
+ "LANDLOCK_ACCESS_FS_MAKE_SYM"
+ ]
+ },
+ "rules": [
+ {
+ "type": "path_beneath",
+ "restrictPaths": {
+ "allowedAccess": [
+ "LANDLOCK_ACCESS_FS_EXECUTE",
+ "LANDLOCK_ACCESS_FS_READ_FILE",
+ "LANDLOCK_ACCESS_FS_READ_DIR"
+ ],
+ "paths": [
+ "/usr",
+ "/bin"
+ ]
+ }
+ },
+ {
+ "type": "path_beneath",
+ "restrictPaths": {
+ "allowedAccess": [
+ "LANDLOCK_ACCESS_FS_EXECUTE",
+ "LANDLOCK_ACCESS_FS_WRITE_FILE",
+ "LANDLOCK_ACCESS_FS_READ_FILE",
+ "LANDLOCK_ACCESS_FS_READ_DIR",
+ "LANDLOCK_ACCESS_FS_REMOVE_DIR",
+ "LANDLOCK_ACCESS_FS_REMOVE_FILE",
+ "LANDLOCK_ACCESS_FS_MAKE_CHAR",
+ "LANDLOCK_ACCESS_FS_MAKE_DIR",
+ "LANDLOCK_ACCESS_FS_MAKE_REG",
+ "LANDLOCK_ACCESS_FS_MAKE_SOCK",
+ "LANDLOCK_ACCESS_FS_MAKE_FIFO",
+ "LANDLOCK_ACCESS_FS_MAKE_BLOCK",
+ "LANDLOCK_ACCESS_FS_MAKE_SYM"
+ ],
+ "paths": [
+ "/tmp"
+ ]
+ }
+ },
+ ],
+ "abi": "v1"
+ },
 "noNewPrivileges": true,
 "capabilities": {
 "bounding": [
@@ -958,7 +1024,8 @@ Here is a full example `config.json` for reference. [apparmor]: https://wiki.ubuntu.com/AppArmor [cgroup-v1-memory_2]: https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt -[selinux]:http://selinuxproject.org/page/Main_Page +[selinux]: http://selinuxproject.org/page/Main_Page +[landlock]: https://landlock.io [no-new-privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt [proc_2]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt [umask.2]: http://pubs.opengroup.org/onlinepubs/009695399/functions/umask.html diff --git a/specs-go/config.go b/specs-go/config.go index 6a7a91e55..cf5453928 100644 --- a/specs-go/config.go +++ b/specs-go/config.go 
@@ -58,8 +58,80 @@ type Process struct { OOMScoreAdj *int `json:"oomScoreAdj,omitempty" platform:"linux"` // SelinuxLabel specifies the selinux context that the container process is run as. SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"` + // Landlock specifies the Landlock unprivileged access control settings for the container process. + Landlock Landlock `json:"landlock,omitempty" platform:"linux"` } +// Landlock specifies the Landlock unprivileged access control settings for the container process. +type Landlock struct { + // Ruleset identifies a set of rules (i.e., actions on objects) that need to be handled. + Ruleset LandlockRuleset `json:"ruleset,omitempty" platform:"linux"` + // Rules are the security policies (i.e., actions allowed on objects) to be added to an existing ruleset. + Rules []LandlockRule `json:"rules,omitempty" platform:"linux"` + // ABI is the specific Landlock ABI version. + ABI LandlockABIVersion `json:"abi,omitempty" platform:"linux"` +} + +// LandlockRuleset identifies a set of rules (i.e., actions on objects) that need to be handled. +type LandlockRuleset struct { + // HandledAccessFS is a list of actions that is handled by this ruleset and should then be + // forbidden if no rule explicitly allow them. + HandledAccessFS []LandlockFSAction `json:"handledAcessFS,omitempty" platform:"linux"` +} + +// LandlockRule represents the security policies (i.e., actions allowed on objects) . +type LandlockRule struct { + // Type is the Landlock rule type pointing to the rules to be added to an existing ruleset. + Type LandlockRuleType `json:"type,omitempty" platform:"linux"` + // RestrictPaths defines the file-hierarchy typed rule. + RestrictPaths LandlockRestrictPaths `json:"restrictPaths,omitempty" platform:"linux"` +} + +// LandlockRestrictPaths defines the file-hierarchy typed rule that grants the access rights specified by +// `AllowedAccess` to the file hierarchies under the given `Paths`. 
+type LandlockRestrictPaths struct { + // AllowedAccess contains a list of allowed filesystem actions for the file hierarchies. + AllowedAccess []LandlockFSAction `json:"allowedAccess,omitempty" platform:"linux"` + // Paths are the files or parent directories of the file hierarchies to restrict. + Paths []string `json:"paths,omitempty" platform:"linux"` +} + +// LandlockABIVersion used to identify the ABI level to use for Landlock. +type LandlockABIVersion string + +// Define the supported Landlock ABI versions. There is currently only one supported Landlock ABI version. +const ( + V1 LandlockABIVersion = "v1" +) + +// LandlockRuleType taken upon adding a new Landlock rule to a ruleset. +type LandlockRuleType string + +// Define types for Landlock rules. There is currently only one Landlock rule type. +const ( + PathBeneath LandlockRuleType = "path_beneath" +) + +// LandlockFSAction used to specify the FS actions that are handled by a ruleset or allowed by a rule. +type LandlockFSAction string + +// Define actions on files and directories that Landlock can restrict a sandboxed process to. 
+const ( + FSActExecute LandlockFSAction = "LANDLOCK_ACCESS_FS_EXECUTE" + FSActWriteFile LandlockFSAction = "LANDLOCK_ACCESS_FS_WRITE_FILE" + FSActReadFile LandlockFSAction = "LANDLOCK_ACCESS_FS_READ_FILE" + FSActReadDir LandlockFSAction = "LANDLOCK_ACCESS_FS_READ_DIR" + FSActRemoveDir LandlockFSAction = "LANDLOCK_ACCESS_FS_REMOVE_DIR" + FSActRemoveFile LandlockFSAction = "LANDLOCK_ACCESS_FS_REMOVE_FILE" + FSActMakeChar LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_CHAR" + FSActMakeDir LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_DIR" + FSActMakeReg LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_REG" + FSActMakeSock LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_SOCK" + FSActMakeFifo LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_FIFO" + FSActMakeBlock LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_BLOCK" + FSActMakeSym LandlockFSAction = "LANDLOCK_ACCESS_FS_MAKE_SYM" +) + // LinuxCapabilities specifies the list of allowed capabilities that are kept for a process. // http://man7.org/linux/man-pages/man7/capabilities.7.html type LinuxCapabilities struct {
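Review bot: `Landlock Landlock` in `Process`, and `Ruleset LandlockRuleset` inside it, are struct values tagged `omitempty`, but encoding/json never treats a struct as empty, so every marshalled `Process` will carry `"landlock":{"ruleset":{}}` even when no Landlock policy was configured, and a consumer cannot distinguish "not set" from "a ruleset that handles nothing". Both optional sub-objects should be pointers so that absence round-trips: ``Landlock *Landlock `json:"landlock,omitempty" platform:"linux"` `` and ``Ruleset *LandlockRuleset `json:"ruleset,omitempty" platform:"linux"` ``. The tag on `HandledAccessFS` is misspelled as `handledAcessFS`; this tag is the spec's wire format, so it should become `handledAccessFS` before it ships (the config.md example in this patch repeats the misspelling, documents `abi` as an object although the Go type is a string, and has a trailing comma after the last rule that makes the sample invalid JSON). The `LandlockRestrictPaths` comment also says nothing about an entry in `Paths` that the runtime cannot open in the container's filesystem view; since silently skipping such a rule would widen what the sandbox permits, I'd add `// A runtime MUST fail container creation if a path cannot be resolved, rather than silently dropping the rule.` and fix "explicitly allow them" to "explicitly allows them" in the `HandledAccessFS` comment.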