@grounzero
Last active June 10, 2024 15:14
Landlock Test

Landlock: unprivileged access control

The goal of Landlock is to let a set of processes restrict their ambient rights (e.g. global filesystem or network access). Because Landlock is a stackable LSM, it makes it possible to create safe security sandboxes as new security layers in addition to the existing system-wide access controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict itself.

This gist tests whether Landlock is enabled on your Linux system.

Test Landlock:

  1. Install the necessary development tools:

     apk update
     apk add build-base linux-headers

  2. Compile the program:

     gcc -o landlock_test landlock-test.c

  3. Run the program:

     ./landlock_test

If everything is set up correctly, the program should output Landlock enabled.

Enable Landlock:

To enable Landlock at boot time, you need to modify the lsm parameter in your boot loader configuration. Here’s how you can do it:

  1. Open the GRUB configuration file:

     nano /etc/default/grub

  2. Add the lsm parameter:

     Find the line starting with GRUB_CMDLINE_LINUX_DEFAULT and modify it to include lsm=landlock,.... It should look something like this:

     GRUB_CMDLINE_LINUX_DEFAULT="quiet lsm=landlock,lockdown,yama,integrity,apparmor"

  3. Update the GRUB configuration:

     update-grub

  4. Reboot the system:

     reboot

After rebooting, verify that Landlock is enabled by checking the kernel logs:

dmesg | grep landlock || journalctl -kb -g landlock

For more details, refer to the Landlock documentation.

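/* landlock-test.c: checks that the running kernel accepts a Landlock ruleset. */
#define _GNU_SOURCE
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/syscall.h>

/* Fallback syscall numbers for C libraries whose headers predate Landlock. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

int main(void) {
    /* Filesystem access rights this ruleset handles. No rule is added below,
     * so once enforced, all of these are denied to this process. */
    struct landlock_ruleset_attr ruleset_attr = {
        .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |
                             LANDLOCK_ACCESS_FS_WRITE_FILE |
                             LANDLOCK_ACCESS_FS_READ_FILE |
                             LANDLOCK_ACCESS_FS_READ_DIR
    };

    /* Fails here if the kernel does not provide Landlock or it is disabled. */
    int ruleset_fd = syscall(__NR_landlock_create_ruleset, &ruleset_attr, sizeof(ruleset_attr), 0);
    if (ruleset_fd < 0) {
        perror("landlock_create_ruleset");
        exit(EXIT_FAILURE);
    }

    /* An unprivileged process must set no_new_privs before restricting itself. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
        perror("prctl");
        close(ruleset_fd);
        exit(EXIT_FAILURE);
    }

    /* Enforce the ruleset on the calling thread. */
    if (syscall(__NR_landlock_restrict_self, ruleset_fd, 0) < 0) {
        perror("landlock_restrict_self");
        close(ruleset_fd);
        exit(EXIT_FAILURE);
    }

    close(ruleset_fd);
    /* stdout was opened before the restriction, so writing to it still works. */
    printf("Landlock enabled\n");
    return 0;
}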
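
The same check can be made without sandboxing the caller by asking the kernel for its Landlock ABI version, which also separates "disabled at boot" (fixed by the lsm parameter above) from "not built into the kernel". This is an added example, not part of the original gist; the names ll_classify, ll_abi_version and enum ll_state are hypothetical, and the fallback defines are assumptions for older headers.

```c
/* Added example: query the Landlock ABI version; nothing is restricted. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older headers; the syscall number matches the gist above. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

enum ll_state { LL_ENABLED, LL_DISABLED_AT_BOOT, LL_NOT_BUILT, LL_UNKNOWN };

/* Map the probe result (return value plus errno) to a state. */
enum ll_state ll_classify(long ret, int err)
{
    if (ret >= 1)
        return LL_ENABLED;          /* ret is the ABI version */
    if (err == EOPNOTSUPP)
        return LL_DISABLED_AT_BOOT; /* compiled in, but disabled at boot */
    if (err == ENOSYS)
        return LL_NOT_BUILT;        /* kernel does not implement the syscall */
    return LL_UNKNOWN;              /* e.g. blocked by a seccomp filter */
}

/* Returns the ABI version (>= 1), or -errno on failure. */
long ll_abi_version(void)
{
    long ret = syscall(__NR_landlock_create_ruleset, NULL, (size_t)0,
                       LANDLOCK_CREATE_RULESET_VERSION);
    return ret < 0 ? -(long)errno : ret;
}

int main(void)
{
    long abi = ll_abi_version();
    switch (ll_classify(abi, abi < 0 ? (int)-abi : 0)) {
    case LL_ENABLED:
        printf("Landlock enabled, ABI version %ld\n", abi); return 0;
    case LL_DISABLED_AT_BOOT:
        puts("Landlock is built in but disabled; add it to lsm="); return 1;
    case LL_NOT_BUILT:
        puts("Kernel has no Landlock support"); return 2;
    default:
        printf("Unexpected error: errno %ld\n", -abi); return 3;
    }
}
```

The exit code can be used in provisioning scripts to decide whether the GRUB change is needed (1) or a different kernel is required (2).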