grounzero · June 10, 2024 15:14 · Jun 10, 2024 · Jun 10, 2024 · Jun 10, 2024 · Jun 10, 2024
diff --git a/readme.md b/readme.md
@@ -1,10 +1,10 @@
-## Landlock: unprivileged access control
+# Landlock: unprivileged access control
 
 The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock is a stackable LSM, it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.
 
 This gist will test whether landlock is enabled on your Linux system.
 
-# Test Landlock:
+## Test Landlock:
 
 1) Install the necessary development tools:
 
@@ -24,7 +24,7 @@ gcc -o landlock_test landlock-test.c
 
 If everything is set up correctly, the program should output `Landlock enabled`.
 
-# Enable Landlock:
+## Enable Landlock:
 
 To enable Landlock at boot time, you need to modify the lsm parameter in your boot loader configuration.
 

diff --git a/readme.md b/readme.md
@@ -4,6 +4,8 @@ The goal of Landlock is to enable to restrict ambient rights (e.g. global filesy
 
 This gist will test whether landlock is enabled on your Linux system.
 
+# Test Landlock:
+
 1) Install the necessary development tools:
 
 ```sh

diff --git a/readme.md b/readme.md
@@ -4,54 +4,53 @@ The goal of Landlock is to enable to restrict ambient rights (e.g. global filesy
 
 This gist will test whether landlock is enabled on your Linux system.
 
-### Steps to Test Landlock
-
-Install the necessary development tools:
+1) Install the necessary development tools:
 
 ```sh
 apk update
 apk add build-base linux-headers
 ```
-**Compile the Program**:
+2) Compile the Program:
 
 ```sh
 gcc -o landlock_test landlock-test.c
 ```
 
-**Run the Program**:
+3) Run the Program:
 
 `./landlock_test`
 
 If everything is set up correctly, the program should output `Landlock enabled`.
 
+# Enable Landlock:
+
 To enable Landlock at boot time, you need to modify the lsm parameter in your boot loader configuration.
 
 To enable Landlock at boot time, you need to modify the lsm parameter in your boot loader configuration. Here’s how you can do it:
 
-Edit the GRUB Configuration:
-Open the GRUB configuration file:
+1) Open the GRUB configuration file:
 
 ```sh
 nano /etc/default/grub
 
 ```
-Add the lsm Parameter:
+2) Add the lsm Parameter:
 
 Find the line starting with `GRUB_CMDLINE_LINUX_DEFAULT` and modify it to include `lsm=landlock,....` It should look something like this:
 
 ```sh
 GRUB_CMDLINE_LINUX_DEFAULT="quiet lsm=landlock,lockdown,yama,integrity,apparmor"
 ```
 
-# Update GRUB:
+3) Update GRUB:
 
 Update the GRUB configuration:
 
 ```sh
 update-grub
 ```
 
-# Reboot the System:
+4) Reboot the System:
 
 ```sh
 reboot

diff --git a/readme.md b/readme.md
@@ -6,7 +6,7 @@ This gist will test whether landlock is enabled on your Linux system.
 
 ### Steps to Test Landlock
 
-1. **Install Development Tools**: Inside the container, install the necessary development tools:
+Install the necessary development tools:
 
 ```sh
 apk update
@@ -37,7 +37,7 @@ nano /etc/default/grub
 ```
 Add the lsm Parameter:
 
-Find the line starting with GRUB_CMDLINE_LINUX_DEFAULT and modify it to include lsm=landlock,.... It should look something like this:
+Find the line starting with `GRUB_CMDLINE_LINUX_DEFAULT` and modify it to include `lsm=landlock,....` It should look something like this:
 
 ```sh
 GRUB_CMDLINE_LINUX_DEFAULT="quiet lsm=landlock,lockdown,yama,integrity,apparmor"
@@ -53,9 +53,6 @@ update-grub
 
 # Reboot the System:
 
-Reboot the system to apply the changes:
-
-
 ```sh
 reboot
 ```
@@ -65,4 +62,5 @@ After rebooting, verify that Landlock is enabled by checking the kernel logs:
 ```sh
 dmesg | grep landlock || journalctl -kb -g landlock
 ```
+
 For more details, refer to the [Landlock documentation](https://docs.kernel.org/userspace-api/landlock.html#boot-time-configuration).
diff --git a/landlock-test.c b/landlock-test.c
@@ -0,0 +1,51 @@
+#define _GNU_SOURCE
+#include <linux/landlock.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/syscall.h>
+
+#ifndef __NR_landlock_create_ruleset
+#define __NR_landlock_create_ruleset 444
+#endif
+
+#ifndef __NR_landlock_add_rule
+#define __NR_landlock_add_rule 445
+#endif
+
+#ifndef __NR_landlock_restrict_self
+#define __NR_landlock_restrict_self 446
+#endif
+
+int main() {
+ struct landlock_ruleset_attr ruleset_attr = {
+ .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE |
+ LANDLOCK_ACCESS_FS_WRITE_FILE |
+ LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_READ_DIR
+ };
+
+ int ruleset_fd = syscall(__NR_landlock_create_ruleset, &ruleset_attr, sizeof(ruleset_attr), 0);
+ if (ruleset_fd < 0) {
+ perror("landlock_create_ruleset");
+ exit(EXIT_FAILURE);
+ }
+
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
+ perror("prctl");
+ close(ruleset_fd);
+ exit(EXIT_FAILURE);
+ }
+
+ if (syscall(__NR_landlock_restrict_self, ruleset_fd, 0) < 0) {
+ perror("landlock_restrict_self");
+ close(ruleset_fd);
+ exit(EXIT_FAILURE);
+ }
+
+ close(ruleset_fd);
+ printf("Landlock enabled\n");
+ return 0;
+}
diff --git a/readme.md b/readme.md
@@ -0,0 +1,68 @@
+## Landlock: unprivileged access control
+
+The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock is a stackable LSM, it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.
+
+This gist will test whether landlock is enabled on your Linux system.
+
+### Steps to Test Landlock
+
+1. **Install Development Tools**: Inside the container, install the necessary development tools:
+
+```sh
+apk update
+apk add build-base linux-headers
+```
+**Compile the Program**:
+
+```sh
+gcc -o landlock_test landlock-test.c
+```
+
+**Run the Program**:
+
+`./landlock_test`
+
+If everything is set up correctly, the program should output `Landlock enabled`.
+
+To enable Landlock at boot time, you need to modify the lsm parameter in your boot loader configuration.
+
+To enable Landlock at boot time, you need to modify the lsm parameter in your boot loader configuration. Here’s how you can do it:
+
+Edit the GRUB Configuration:
+Open the GRUB configuration file:
+
+```sh
+nano /etc/default/grub
+
+```
+Add the lsm Parameter:
+
+Find the line starting with GRUB_CMDLINE_LINUX_DEFAULT and modify it to include lsm=landlock,.... It should look something like this:
+
+```sh
+GRUB_CMDLINE_LINUX_DEFAULT="quiet lsm=landlock,lockdown,yama,integrity,apparmor"
+```
+
+# Update GRUB:
+
+Update the GRUB configuration:
+
+```sh
+update-grub
+```
+
+# Reboot the System:
+
+Reboot the system to apply the changes:
+
+
+```sh
+reboot
+```
+
+After rebooting, verify that Landlock is enabled by checking the kernel logs:
+
+```sh
+dmesg | grep landlock || journalctl -kb -g landlock
+```
+For more details, refer to the [Landlock documentation](https://docs.kernel.org/userspace-api/landlock.html#boot-time-configuration).
No results found