libcontainer: add support for Landlock

This patch introduces Landlock Linux Security Module (LSM) support in
runc, which was landed in Linux kernel 5.13.

This allows unprivileged processes to create safe security sandboxes
that can securely restrict the ambient rights (e.g. global filesystem
access) for themselves.

runtime-spec: opencontainers/runtime-spec#1111

Fixes opencontainers#2859

Co-authored-by: Zheao Li <[email protected]>
Signed-off-by: Kailun Qin <[email protected]>

Author: kailun-qin

go.mod

@@ -31,8 +31,11 @@ require (
 	google.golang.org/protobuf v1.36.0
 )
 
+require kernel.org/pub/linux/libs/security/libcap/psx v1.2.51 // indirect
+
 require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
+	github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 )

go.sum

@@ -35,6 +35,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946 h1:RRTOwBnwZR4a3IMyPq1uchxJcrLKWF4NTCHB2fbvo5Y=
+github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946/go.mod h1:wjznJ04q4Tvsbx3vkzfmgfEOe6w5dSGlXFa+xbSl9X8=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
@@ -86,6 +88,7 @@ golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -102,3 +105,5 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.51 h1:VXVXjnTUsA9zeHIolNb6moSXZavDe1pD8Q0lPXZEOwc=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.51/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=

libcontainer/configs/config.go

@@ -85,6 +85,56 @@ type Syscall struct {
 	Args     []*Arg `json:"args"`
 }
 
+// Landlock specifies the Landlock unprivileged access control settings for the container process.
+type Landlock struct {
+	Ruleset           *Ruleset `json:"ruleset"`
+	Rules             *Rules   `json:"rules"`
+	DisableBestEffort bool     `json:"disableBestEffort"`
+}
+
+// Ruleset identifies a set of rules (i.e., actions on objects) that need to be handled in Landlock.
+type Ruleset struct {
+	HandledAccessFS AccessFS `json:"handledAccessFS"`
+}
+
+// Rules represents the security policies (i.e., actions allowed on objects) in Landlock.
+type Rules struct {
+	PathBeneath []*RulePathBeneath `json:"pathBeneath"`
+}
+
+// RulePathBeneath defines the file-hierarchy typed rule that grants the access rights specified by
+// `AllowedAccess` to the file hierarchies under the given `Paths` in Landlock.
+type RulePathBeneath struct {
+	AllowedAccess AccessFS `json:"allowedAccess"`
+	Paths         []string `json:"paths"`
+}
+
+// AccessFS is taken upon ruleset and rule setup in Landlock.
+type AccessFS uint64
+
+// Landlock access rights for FS.
+//
+// Please see the full documentation at
+// https://www.kernel.org/doc/html/latest/userspace-api/landlock.html#access-rights.
+const (
+	Execute    AccessFS = (1 << 0)
+	WriteFile  AccessFS = (1 << 1)
+	ReadFile   AccessFS = (1 << 2)
+	ReadDir    AccessFS = (1 << 3)
+	RemoveDir  AccessFS = (1 << 4)
+	RemoveFile AccessFS = (1 << 5)
+	MakeChar   AccessFS = (1 << 6)
+	MakeDir    AccessFS = (1 << 7)
+	MakeReg    AccessFS = (1 << 8)
+	MakeSock   AccessFS = (1 << 9)
+	MakeFifo   AccessFS = (1 << 10)
+	MakeBlock  AccessFS = (1 << 11)
+	MakeSym    AccessFS = (1 << 12)
+)
+
+// TODO Windows. Many of these fields should be factored out into those parts
+// which are common across platforms, and those which are platform specific.
+
 // Config defines configuration options for executing a process inside a contained environment.
 type Config struct {
 	// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs
@@ -225,6 +275,9 @@ type Config struct {
 
 	// IOPriority is the container's I/O priority.
 	IOPriority *IOPriority `json:"io_priority,omitempty"`
+	// Landlock specifies the Landlock unprivileged access control settings for the container process.
+	// `noNewPrivileges` must be enabled to use Landlock.
+	Landlock *Landlock `json:"landlock,omitempty"`
 }
 
 // Scheduler is based on the Linux sched_setattr(2) syscall.

libcontainer/landlock/config.go

@@ -0,0 +1,31 @@
+package landlock
+
+import (
+	"fmt"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+)
+
+var accessFSs = map[string]configs.AccessFS{
+	"execute":     configs.Execute,
+	"write_file":  configs.WriteFile,
+	"read_file":   configs.ReadFile,
+	"read_dir":    configs.ReadDir,
+	"remove_dir":  configs.RemoveDir,
+	"remove_file": configs.RemoveFile,
+	"make_char":   configs.MakeChar,
+	"make_dir":    configs.MakeDir,
+	"make_reg":    configs.MakeReg,
+	"make_sock":   configs.MakeSock,
+	"make_fifo":   configs.MakeFifo,
+	"make_block":  configs.MakeBlock,
+	"make_sym":    configs.MakeSym,
+}
+
+// ConvertStringToAccessFS converts a string into a Landlock access right.
+func ConvertStringToAccessFS(in string) (configs.AccessFS, error) {
+	if access, ok := accessFSs[in]; ok {
+		return access, nil
+	}
+	return 0, fmt.Errorf("string %s is not a valid access right for landlock", in)
+}

libcontainer/landlock/landlock_linux.go

@@ -0,0 +1,67 @@
+// +build linux
+
+package landlock
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/landlock-lsm/go-landlock/landlock"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+)
+
+// Initialize Landlock unprivileged access control for the container process
+// based on the given settings.
+// The specified `ruleset` identifies a set of rules (i.e., actions on objects)
+// that need to be handled (i.e., restricted) by Landlock. And if no `rule`
+// explicitly allow them, they should then be forbidden.
+// The `disableBestEffort` input gives control over whether the best-effort
+// security approach should be applied for Landlock access rights.
+func InitLandlock(config *configs.Landlock) error {
+	if config == nil {
+		return errors.New("cannot initialize Landlock - nil config passed")
+	}
+
+	var llConfig landlock.Config
+
+	ruleset := getAccess(config.Ruleset.HandledAccessFS)
+	// Panic on error when constructing the Landlock configuration using invalid config values.
+	if config.DisableBestEffort {
+		llConfig = landlock.MustConfig(ruleset)
+	} else {
+		llConfig = landlock.MustConfig(ruleset).BestEffort()
+	}
+
+	if err := llConfig.RestrictPaths(
+		getPathAccesses(config.Rules)...,
+	); err != nil {
+		return fmt.Errorf("Could not restrict paths: %v", err)
+	}
+
+	return nil
+}
+
+// Convert Libcontainer AccessFS to go-landlock AccessFSSet.
+func getAccess(access configs.AccessFS) landlock.AccessFSSet {
+	return landlock.AccessFSSet(access)
+}
+
+// Convert Libcontainer RulePathBeneath to go-landlock PathOpt.
+func getPathAccess(rule *configs.RulePathBeneath) landlock.PathOpt {
+	return landlock.PathAccess(
+		getAccess(rule.AllowedAccess),
+		rule.Paths...)
+}
+
+// Convert Libcontainer Rules to an array of go-landlock PathOpt.
+func getPathAccesses(rules *configs.Rules) []landlock.PathOpt {
+	pathAccesses := []landlock.PathOpt{}
+
+	for _, rule := range rules.PathBeneath {
+		opt := getPathAccess(rule)
+		pathAccesses = append(pathAccesses, opt)
+	}
+
+	return pathAccesses
+}

libcontainer/landlock/landlock_unsupported.go

@@ -0,0 +1,19 @@
+// +build !linux
+
+package landlock
+
+import (
+	"errors"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+)
+
+var ErrLandlockNotSupported = errors.New("land: config provided but Landlock not supported")
+
+// InitLandlock does nothing because Landlock is not supported.
+func InitSLandlock(config *configs.Landlock) error {
+	if config != nil {
+		return ErrLandlockNotSupported
+	}
+	return nil
+}

libcontainer/setns_init_linux.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/keys"
+	"github.com/opencontainers/runc/libcontainer/landlock"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/runc/libcontainer/utils"
@@ -116,6 +117,12 @@ func (l *linuxSetnsInit) Init() error {
 	if err != nil {
 		return err
 	}
+	// `noNewPrivileges` must be enabled to use Landlock.
+	if l.config.Config.Landlock != nil && l.config.NoNewPrivileges {
+		if err := landlock.InitLandlock(l.config.Config.Landlock); err != nil {
+			return fmt.Errorf("unable to init Landlock: %w", err)
+		}
+	}
 	// Set seccomp as close to execve as possible, so as few syscalls take
 	// place afterward (reducing the amount of syscalls that users need to
 	// enable in their seccomp profiles).

libcontainer/specconv/spec_linux.go

@@ -18,6 +18,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/internal/userns"
+	"github.com/opencontainers/runc/libcontainer/landlock"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -556,6 +557,14 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 			ioPriority := *spec.Process.IOPriority
 			config.IOPriority = &ioPriority
 		}
+		if spec.Process.Landlock != nil {
+			landlock, err := SetupLandlock(spec.Process.Landlock)
+			if err != nil {
+				return nil, err
+			}
+			config.Landlock = landlock
+		}
+
 	}
 	createHooks(spec, config)
 	config.Version = specs.Version
@@ -1135,6 +1144,55 @@ func parseMountOptions(options []string) *configs.Mount {
 	return &m
 }
 
+func SetupLandlock(ll *specs.Landlock) (*configs.Landlock, error) {
+	if ll == nil {
+		return nil, nil
+	}
+
+	// No ruleset specified, assume landlock disabled.
+	if ll.Ruleset == nil || len(ll.Ruleset.HandledAccessFS) == 0 {
+		return nil, nil
+	}
+
+	newConfig := &configs.Landlock{
+		Ruleset: new(configs.Ruleset),
+		Rules: &configs.Rules{
+			PathBeneath: []*configs.RulePathBeneath{},
+		},
+		DisableBestEffort: ll.DisableBestEffort,
+	}
+
+	for _, access := range ll.Ruleset.HandledAccessFS {
+		newAccessFs, err := landlock.ConvertStringToAccessFS(string(access))
+		if err != nil {
+			return nil, err
+		}
+		newConfig.Ruleset.HandledAccessFS |= newAccessFs
+	}
+
+	// Loop through all Landlock path beneath rule blocks and convert them to libcontainer format.
+	for _, rulePath := range ll.Rules.PathBeneath {
+		if len(rulePath.AllowedAccess) > 0 {
+			newRule := configs.RulePathBeneath{
+				AllowedAccess: 0,
+				Paths:         rulePath.Paths,
+			}
+
+			for _, access := range rulePath.AllowedAccess {
+				newAllowedAccess, err := landlock.ConvertStringToAccessFS(string(access))
+				if err != nil {
+					return nil, err
+				}
+				newRule.AllowedAccess |= newAllowedAccess
+			}
+
+			newConfig.Rules.PathBeneath = append(newConfig.Rules.PathBeneath, &newRule)
+		}
+	}
+
+	return newConfig, nil
+}
+
 func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 	if config == nil {
 		return nil, nil

libcontainer/standard_init_linux.go

@@ -14,6 +14,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/keys"
+	"github.com/opencontainers/runc/libcontainer/landlock"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/runc/libcontainer/utils"
@@ -267,6 +268,13 @@ func (l *linuxStandardInit) Init() error {
 	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
 	_ = l.fifoFile.Close()
 
+	// `noNewPrivileges` must be enabled to use Landlock.
+	if l.config.Config.Landlock != nil && l.config.NoNewPrivileges {
+		if err := landlock.InitLandlock(l.config.Config.Landlock); err != nil {
+			return fmt.Errorf("unable to init Landlock: %w", err)
+		}
+	}
+
 	s := l.config.SpecState
 	s.Pid = unix.Getpid()
 	s.Status = specs.StateCreated