start: Add Landlock restrictions to monitor

stgraber · mihalicyn · commit eef9081977d9 · 2025-08-28T13:08:24.000+02:00
Signed-off-by: Stéphane Graber <stgraber@stgraber.org> (cherry picked from commit 4787190)
diff --git a/src/lxc/start.c b/src/lxc/start.c
@@ -6,6 +6,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
+#include <linux/landlock.h>
 #include <poll.h>
 #include <pthread.h>
 #include <signal.h>
@@ -67,6 +68,34 @@
 #include "strlcpy.h"
 #endif
 
+#ifndef landlock_create_ruleset
+static inline int
+landlock_create_ruleset(const struct landlock_ruleset_attr *const attr,
+			const size_t size, const __u32 flags)
+{
+	return syscall(__NR_landlock_create_ruleset, attr, size, flags);
+}
+#endif
+
+#ifndef landlock_restrict_self
+static inline int landlock_restrict_self(const int ruleset_fd,
+					 const __u32 flags)
+{
+	return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
+}
+#endif
+
+#ifndef landlock_add_rule
+static inline int landlock_add_rule(const int ruleset_fd,
+				    const enum landlock_rule_type rule_type,
+				    const void *const rule_attr,
+				    const __u32 flags)
+{
+	return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type, rule_attr,
+		       flags);
+}
+#endif
+
 lxc_log_define(start, lxc);
 
 extern void mod_all_rdeps(struct lxc_container *c, bool inc);
@@ -75,6 +104,125 @@ static int lxc_rmdir_onedev_wrapper(void *data);
 static void lxc_destroy_container_on_signal(struct lxc_handler *handler,
 					    const char *name);
 
+static int lxc_mainloop_protect(void)
+{
+	int err;
+
+	// Detect the supported Landlock ABI.
+	int abi;
+	abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+	if (abi < 0) {
+		// Landlock not supported.
+		SYSERROR("Landlock not supported on system");
+		return -1;
+	}
+
+	struct landlock_ruleset_attr ruleset_attr = {
+		.handled_access_fs =
+			LANDLOCK_ACCESS_FS_WRITE_FILE |
+			LANDLOCK_ACCESS_FS_READ_FILE |
+			LANDLOCK_ACCESS_FS_TRUNCATE,
+	};
+
+	// Define a new ruleset.
+	int ruleset_fd;
+
+	ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
+	if (ruleset_fd < 0) {
+		// Failed to create ruleset.
+		SYSERROR("Failed to create landlock ruleset");
+		return -1;
+	}
+
+	// Allow /sys/fs/cgroup write access.
+	struct landlock_path_beneath_attr path_beneath = {
+		.allowed_access =
+		    LANDLOCK_ACCESS_FS_READ_FILE |
+		    LANDLOCK_ACCESS_FS_WRITE_FILE,
+	};
+
+	path_beneath.parent_fd = open("/sys/fs/cgroup", O_PATH | O_CLOEXEC);
+	if (path_beneath.parent_fd < 0) {
+		SYSERROR("Failed to open /sys/fs/cgroup");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0);
+	close(path_beneath.parent_fd);
+	if (err) {
+		SYSERROR("Failed to update ruleset");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	// Allow /proc write access.
+	path_beneath.parent_fd = open("/proc", O_PATH | O_CLOEXEC);
+	if (path_beneath.parent_fd < 0) {
+		SYSERROR("Failed to open /proc");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0);
+	close(path_beneath.parent_fd);
+	if (err) {
+		SYSERROR("Failed to update ruleset");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	// Allow /dev/ptmx write access.
+	path_beneath.parent_fd = open("/dev/ptmx", O_PATH | O_CLOEXEC);
+	if (path_beneath.parent_fd < 0) {
+		SYSERROR("Failed to open /dev/ptmx");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0);
+	close(path_beneath.parent_fd);
+	if (err) {
+		SYSERROR("Failed to update ruleset");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	// Allow /dev/pts write access.
+	path_beneath.parent_fd = open("/dev/pts", O_PATH | O_CLOEXEC);
+	if (path_beneath.parent_fd < 0) {
+		SYSERROR("Failed to open /dev/pts");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &path_beneath, 0);
+	close(path_beneath.parent_fd);
+	if (err) {
+		SYSERROR("Failed to update ruleset");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	// Prevent getting more privileges.
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
+		SYSERROR("Failed to restrict monitor privileges");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	// Apply the Landlock restrictions.
+	if (landlock_restrict_self(ruleset_fd, 0)) {
+		SYSERROR("Failed to enforce Landlock ruleset");
+		close(ruleset_fd);
+		return -1;
+	}
+
+	close(ruleset_fd);
+
+	return 0;
+}
+
 static void print_top_failing_dir(const char *path)
 {
 	__do_free char *copy = NULL;
@@ -574,9 +722,18 @@ int lxc_set_state(const char *name, struct lxc_handler *handler,
 
 void *lxc_handler_mainloop_thread_fn(void *arg)
 {
+	int ret;
 	struct lxc_async_descr *descr = arg;
 
-	return INT_TO_PTR(lxc_mainloop(descr, -1));
+	ret = lxc_mainloop_protect();
+	if (ret < 0) {
+		ERROR("Failed to protect the monitor process");
+		goto out;
+	}
+
+	ret = lxc_mainloop(descr, -1);
+out:
+	return INT_TO_PTR(ret);
 }
 
 int lxc_handler_mainloop(struct lxc_async_descr *descr, struct lxc_handler *handler)
@@ -585,6 +742,15 @@ int lxc_handler_mainloop(struct lxc_async_descr *descr, struct lxc_handler *hand
 	int ret;
 	pthread_t thread;
 
+	/* Skip protection if a seccomp proxy is setup. */
+	if (!handler || !handler->conf || handler->conf->seccomp.notifier.proxy_fd > 0) {
+		/* Landlock not supported when seccomp notify is in use. */
+		SYSERROR("Skipping Landlock due to seccomp notify");
+
+		/* We don't need to use thread then */
+		return lxc_mainloop(descr, -1);
+	}
+
 	ret = pthread_create(&thread, NULL, lxc_handler_mainloop_thread_fn, (void *)descr);
 	if (ret) {
 		return log_error_errno(-1, ret,
