libcontainer: add support for Landlock

This patch introduces Landlock Linux Security Module (LSM) support in
runc, which was landed in Linux kernel 5.13.

This allows unprivileged processes to create safe security sandboxes
that can securely restrict the ambient rights (e.g. global filesystem
access) for themselves.

runtime-spec: opencontainers/runtime-spec#1111

Fixes opencontainers#2859

Co-authored-by: Zheao Li <[email protected]>
Signed-off-by: Kailun Qin <[email protected]>
Signed-off-by: Manjusaka <[email protected]>

Author: kailun-qin

go.mod

@@ -33,6 +33,8 @@ require (
 
 require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
+	github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.51 // indirect
 )

go.sum

@@ -35,6 +35,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946 h1:RRTOwBnwZR4a3IMyPq1uchxJcrLKWF4NTCHB2fbvo5Y=
+github.com/landlock-lsm/go-landlock v0.0.0-20210828133255-ec6c6b87a946/go.mod h1:wjznJ04q4Tvsbx3vkzfmgfEOe6w5dSGlXFa+xbSl9X8=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
@@ -86,6 +88,7 @@ golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -102,3 +105,5 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.51 h1:VXVXjnTUsA9zeHIolNb6moSXZavDe1pD8Q0lPXZEOwc=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.51/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=

libcontainer/configs/config.go

@@ -10,6 +10,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 
+	"github.com/landlock-lsm/go-landlock/landlock"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -85,6 +86,33 @@ type Syscall struct {
 	Args     []*Arg `json:"args"`
 }
 
+// Landlock specifies the Landlock unprivileged access control settings for the container process.
+type Landlock struct {
+	Ruleset           *Ruleset `json:"ruleset"`
+	Rules             *Rules   `json:"rules"`
+	DisableBestEffort bool     `json:"disableBestEffort"`
+}
+
+// Ruleset identifies a set of rules (i.e., actions on objects) that need to be handled in Landlock.
+type Ruleset struct {
+	HandledAccessFS landlock.AccessFSSet `json:"handledAccessFS"`
+}
+
+// Rules represents the security policies (i.e., actions allowed on objects) in Landlock.
+type Rules struct {
+	PathBeneath []*RulePathBeneath `json:"pathBeneath"`
+}
+
+// RulePathBeneath defines the file-hierarchy typed rule that grants the access rights specified by
+// AllowedAccess to the file hierarchies under the given Paths in Landlock.
+type RulePathBeneath struct {
+	AllowedAccess landlock.AccessFSSet `json:"allowedAccess"`
+	Paths         []string             `json:"paths"`
+}
+
+// TODO Windows. Many of these fields should be factored out into those parts
+// which are common across platforms, and those which are platform specific.
+
 // Config defines configuration options for executing a process inside a contained environment.
 type Config struct {
 	// NoPivotRoot will use MS_MOVE and a chroot to jail the process into the container's rootfs
@@ -225,6 +253,9 @@ type Config struct {
 
 	// IOPriority is the container's I/O priority.
 	IOPriority *IOPriority `json:"io_priority,omitempty"`
+	// Landlock specifies the Landlock unprivileged access control settings for the container process.
+	// NoNewPrivileges must be enabled to use Landlock.
+	Landlock *Landlock `json:"landlock,omitempty"`
 }
 
 // Scheduler is based on the Linux sched_setattr(2) syscall.

libcontainer/landlock/config.go

@@ -0,0 +1,35 @@
+package landlock
+
+import (
+	"fmt"
+
+	"github.com/landlock-lsm/go-landlock/landlock"
+	ll "github.com/landlock-lsm/go-landlock/landlock/syscall"
+)
+
+var accessFSSets = map[string]landlock.AccessFSSet{
+	"execute":     ll.AccessFSExecute,
+	"write_file":  ll.AccessFSWriteFile,
+	"read_file":   ll.AccessFSReadFile,
+	"read_dir":    ll.AccessFSReadDir,
+	"remove_dir":  ll.AccessFSRemoveDir,
+	"remove_file": ll.AccessFSRemoveFile,
+	"make_char":   ll.AccessFSMakeChar,
+	"make_dir":    ll.AccessFSMakeDir,
+	"make_reg":    ll.AccessFSMakeReg,
+	"make_sock":   ll.AccessFSMakeSock,
+	"make_fifo":   ll.AccessFSMakeFifo,
+	"make_block":  ll.AccessFSMakeBlock,
+	"make_sym":    ll.AccessFSMakeSym,
+}
+
+// ConvertStringToAccessFSSet converts a string into a go-landlock AccessFSSet
+// access right.
+// This gives more explicit control over the mapping between the permitted
+// values in the spec and the ones supported in go-landlock library.
+func ConvertStringToAccessFSSet(in string) (landlock.AccessFSSet, error) {
+	if access, ok := accessFSSets[in]; ok {
+		return access, nil
+	}
+	return 0, fmt.Errorf("string %s is not a valid access right for landlock", in)
+}

libcontainer/landlock/landlock.go

@@ -0,0 +1,58 @@
+package landlock
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/landlock-lsm/go-landlock/landlock"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+)
+
+// Initialize Landlock unprivileged access control for the container process
+// based on the given settings.
+// The specified `ruleset` identifies a set of rules (i.e., actions on objects)
+// that need to be handled (i.e., restricted) by Landlock. And if no `rule`
+// explicitly allow them, they should then be forbidden.
+// The `disableBestEffort` input gives control over whether the best-effort
+// security approach should be applied for Landlock access rights.
+func InitLandlock(config *configs.Landlock) error {
+	if config == nil {
+		return errors.New("cannot initialize Landlock - nil config passed")
+	}
+
+	ruleset := config.Ruleset.HandledAccessFS
+	llConfig, err := landlock.NewConfig(ruleset)
+	if err != nil {
+		return fmt.Errorf("could not create ruleset: %w", err)
+	}
+
+	if !config.DisableBestEffort {
+		*llConfig = llConfig.BestEffort()
+	}
+
+	if err := llConfig.RestrictPaths(
+		pathAccesses(config.Rules)...,
+	); err != nil {
+		return fmt.Errorf("could not restrict paths: %w", err)
+	}
+
+	return nil
+}
+
+// Convert Libcontainer RulePathBeneath to go-landlock PathOpt.
+func pathAccess(rule *configs.RulePathBeneath) landlock.PathOpt {
+	return landlock.PathAccess(rule.AllowedAccess, rule.Paths...)
+}
+
+// Convert Libcontainer Rules to an array of go-landlock PathOpt.
+func pathAccesses(rules *configs.Rules) []landlock.PathOpt {
+	pathAccesses := []landlock.PathOpt{}
+
+	for _, rule := range rules.PathBeneath {
+		opt := pathAccess(rule)
+		pathAccesses = append(pathAccesses, opt)
+	}
+
+	return pathAccesses
+}

libcontainer/setns_init_linux.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runc/libcontainer/keys"
+	"github.com/opencontainers/runc/libcontainer/landlock"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	"github.com/opencontainers/runc/libcontainer/system"
 	"github.com/opencontainers/runc/libcontainer/utils"
@@ -116,6 +117,12 @@ func (l *linuxSetnsInit) Init() error {
 	if err != nil {
 		return err
 	}
+	// `noNewPrivileges` must be enabled to use Landlock.
+	if l.config.Config.Landlock != nil && l.config.NoNewPrivileges {
+		if err := landlock.InitLandlock(l.config.Config.Landlock); err != nil {
+			return fmt.Errorf("unable to init Landlock: %w", err)
+		}
+	}
 	// Set seccomp as close to execve as possible, so as few syscalls take
 	// place afterward (reducing the amount of syscalls that users need to
 	// enable in their seccomp profiles).

libcontainer/specconv/spec_linux.go

@@ -18,6 +18,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/internal/userns"
+	"github.com/opencontainers/runc/libcontainer/landlock"
 	"github.com/opencontainers/runc/libcontainer/seccomp"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
 	"github.com/opencontainers/runtime-spec/specs-go"
@@ -556,6 +557,19 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 			ioPriority := *spec.Process.IOPriority
 			config.IOPriority = &ioPriority
 		}
+		if spec.Process.Landlock != nil {
+			landlock, err := SetupLandlock(spec.Process.Landlock)
+			if err != nil {
+				return nil, err
+			}
+			config.Landlock = landlock
+		}
+
+		landlock, err := SetupLandlock(spec.Process.Landlock)
+		if err != nil {
+			return nil, err
+		}
+		config.Landlock = landlock
 	}
 	createHooks(spec, config)
 	config.Version = specs.Version
@@ -1135,6 +1149,55 @@ func parseMountOptions(options []string) *configs.Mount {
 	return &m
 }
 
+func SetupLandlock(ll *specs.Landlock) (*configs.Landlock, error) {
+	if ll == nil {
+		return nil, nil
+	}
+
+	// No ruleset specified, assume landlock disabled.
+	if ll.Ruleset == nil || len(ll.Ruleset.HandledAccessFS) == 0 {
+		return nil, nil
+	}
+
+	newConfig := &configs.Landlock{
+		Ruleset: new(configs.Ruleset),
+		Rules: &configs.Rules{
+			PathBeneath: []*configs.RulePathBeneath{},
+		},
+		DisableBestEffort: ll.DisableBestEffort,
+	}
+
+	for _, access := range ll.Ruleset.HandledAccessFS {
+		newAccessFS, err := landlock.ConvertStringToAccessFSSet(string(access))
+		if err != nil {
+			return nil, err
+		}
+		newConfig.Ruleset.HandledAccessFS |= newAccessFS
+	}
+
+	// Loop through all Landlock path beneath rule blocks and convert them to libcontainer format.
+	for _, rulePath := range ll.Rules.PathBeneath {
+		if len(rulePath.AllowedAccess) > 0 {
+			newRule := configs.RulePathBeneath{
+				AllowedAccess: 0,
+				Paths:         rulePath.Paths,
+			}
+
+			for _, access := range rulePath.AllowedAccess {
+				newAllowedAccess, err := landlock.ConvertStringToAccessFSSet(string(access))
+				if err != nil {
+					return nil, err
+				}
+				newRule.AllowedAccess |= newAllowedAccess
+			}
+
+			newConfig.Rules.PathBeneath = append(newConfig.Rules.PathBeneath, &newRule)
+		}
+	}
+
+	return newConfig, nil
+}
+
 func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 	if config == nil {
 		return nil, nil