No support for Landlock in EasyOS?

Moderator: BarryK

Post Reply
Chrysolite Azalea
Posts: 30
Joined: Sat Oct 23, 2021 6:17 pm
Been thanked: 5 times

No support for Landlock in EasyOS?

Post by Chrysolite Azalea »

Hello everyone! I've tested EasyOS recently, and I wonder, why does EasyOS lack Landlock support? It does support seccomp... but not Landlock? That seems strange to me. (Landlock was added in the 5.13 kernel version)

Attachments
Screenshot_2023-02-12_23-40-45.jpg
Screenshot_2023-02-12_23-40-45.jpg (134.52 KiB) Viewed 1534 times
Chrysolite Azalea
Posts: 30
Joined: Sat Oct 23, 2021 6:17 pm
Been thanked: 5 times

Re: Landlock

Post by Chrysolite Azalea »

P.S. I have used this sandboxer in order to test it, although I have slightly modified it in order to simplify compiling it.

User avatar
BarryK
Posts: 2705
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 132 times
Been thanked: 739 times

Re: No support for Landlock in EasyOS?

Post by BarryK »

Yes, the kernel config:

Code: Select all

# CONFIG_SECURITY_LANDLOCK is not set

I haven't enabled it because I don't know anything about it.

Even if I did know what it does, I tend not to enable extra kernel security features unless I actually will use them.

Chrysolite Azalea
Posts: 30
Joined: Sat Oct 23, 2021 6:17 pm
Been thanked: 5 times

Re: No support for Landlock in EasyOS?

Post by Chrysolite Azalea »

BarryK wrote: Mon Feb 13, 2023 4:18 pm

Yes, the kernel config:

Code: Select all

# CONFIG_SECURITY_LANDLOCK is not set

I haven't enabled it because I don't know anything about it.

Even if I did know what it does, I tend not to enable extra kernel security features unless I actually will use them.

But Landlock is supposed to be used by user's apps (specifically, unprivileged apps), not by system components (they can always use privileged things like namespaces and mandatory access control)?

Chrysolite Azalea
Posts: 30
Joined: Sat Oct 23, 2021 6:17 pm
Been thanked: 5 times

Re: No support for Landlock in EasyOS?

Post by Chrysolite Azalea »

BarryK wrote: Mon Feb 13, 2023 4:18 pm

I haven't enabled it because I don't know anything about it.

Landlock is an unprivileged file access self-restriction feature. It allows apps to define which files/directories they are allowed to access, and all access to any files/directories not mentioned in the ruleset would be denied. It's like seccomp, but for file system access.

User avatar
BarryK
Posts: 2705
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 132 times
Been thanked: 739 times

Re: No support for Landlock in EasyOS?

Post by BarryK »

I don't think that any of the apps used in Easy make use of Landlock.
So, what apps do use it?
Or more to the point, what apps use it that would be good to have in easyOS?

dimkr
Posts: 2426
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1203 times

Re: No support for Landlock in EasyOS?

Post by dimkr »

@BarryK woof-CE includes an optional, Landlock-based sandbox for applications running as spot since https://github.com/puppylinux-woof-CE/woof-CE/pull/3419. For example, my browser runs as spot, but when I press CTRL+O and try to navigate to /root, I can't, and this doesn't change if I chmod 777 /root or even chown spot:spot /root. woof-CE runs PulseAudio, PipeWire and Xwayland as spot, and X.Org can optionally run as spot, too. The latter is notorious for its security issues, and they propagate to Xwayland often, making Landlock very useful in a community distro without a security team, many processes that run as root, and users that don't like to update their old (= vulnerable) software.

User avatar
BarryK
Posts: 2705
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 132 times
Been thanked: 739 times

Re: No support for Landlock in EasyOS?

Post by BarryK »

dimkr wrote: Thu Feb 23, 2023 4:42 pm

@BarryK woof-CE includes an optional, Landlock-based sandbox for applications running as spot since https://github.com/puppylinux-woof-CE/woof-CE/pull/3419. For example, my browser runs as spot, but when I press CTRL+O and try to navigate to /root, I can't, and this doesn't change if I chmod 777 /root or even chown spot:spot /root. woof-CE runs PulseAudio, PipeWire and Xwayland as spot, and X.Org can optionally run as spot, too. The latter is notorious for its security issues, and they propagate to Xwayland often, making Landlock very useful in a community distro without a security team, many processes that run as root, and users that don't like to update their old (= vulnerable) software.

Thanks for the info, that is very interesting. You have convinced me to enable landlock in next kernel compile.

Raj
Posts: 8
Joined: Fri Aug 14, 2020 11:33 am

Re: No support for Landlock in EasyOS?

Post by Raj »

OS - easyOS 5.1.1

Thanks @dimkr & @BarryK - now I can access /root.
Is there anyway I can access /mnt/sdb1 or /mnt/sda1 - /mnt/sdc1/ being easyOS boot usb-drive.

Thanks.

User avatar
BarryK
Posts: 2705
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 132 times
Been thanked: 739 times

Re: No support for Landlock in EasyOS?

Post by BarryK »

Raj wrote: Wed Mar 22, 2023 2:04 pm

OS - easyOS 5.1.1

Thanks @dimkr & @BarryK - now I can access /root.
Is there anyway I can access /mnt/sdb1 or /mnt/sda1 - /mnt/sdc1/ being easyOS boot usb-drive.

Thanks.

I don't understand what you are doing.
What does "now I can access /root" mean?

dimkr
Posts: 2426
Joined: Wed Dec 30, 2020 6:14 pm
Has thanked: 53 times
Been thanked: 1203 times

Re: No support for Landlock in EasyOS?

Post by dimkr »

Enabling Landlock support in the kernel doesn't do anything unless an application uses the Landlock API to restrict itself.

Raj
Posts: 8
Joined: Fri Aug 14, 2020 11:33 am

Re: No support for Landlock in EasyOS?

Post by Raj »

@BarryK – apologies for not expressing myself well.

Essentially I’d like to save files downloaded using web browser (Chromium, Brave or Firefox) to usb drive/stick directly.

Previously, I could (I think prior to version 3.5 – I can’t remember) do just that but the Browser supplied was Palemoon – which was not working well with the website where I was downloading the files! At or about the same time as Firefox was introduced, the security framework was tightened, so I could connect to the websites but could only download the files to user spot’s folder which was on RAM.

When @dimkr commented on this thread that it would be great if chown and chmod can make /root accessible to the browser. I thought it would be good idea to check if I can access the usb drive using same technique, so I tried accessing /root partition in version 5.1.1 before and after applying chown and chmod commands – and it worked! However it doesn’t work when I try on the usb drive (/mnt/sdb1).

So is it somehow possible to save the downloaded files directly on the usb drive?

@dimkr thanks for sharing Landlock technique – which I don’t fully understand!
@BarryK – thanks for Puppy and Easy OS. I really appreciate your efforts.

User avatar
BarryK
Posts: 2705
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 132 times
Been thanked: 739 times

Re: No support for Landlock in EasyOS?

Post by BarryK »

@Raj
Firefox and Chromium run as a non-root user, restricting where can save to.
Ditto if run in a container.

However, you can run them as the root user, then can save anywhere.

Easy 5.1.1 has Chromium builtin, and you will see two executables, /usr/bin/chromium and /usr/bin/chromium.bin
Open a terminal and run this:

Code: Select all

# chromium.bin

and Chromium will run as root.

Raj
Posts: 8
Joined: Fri Aug 14, 2020 11:33 am

Re: No support for Landlock in EasyOS?

Post by Raj »

Thanks for the swift reply @BarryK

I tried and here's what I get

Code: Select all

# cd /usr/bin/
# chromium.bin 
[14764:14764:0325/190721.681700:ERROR:zygote_host_impl_linux.cc(100)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
# 

I'm afraid I don't understand the response: how I can modify chromium.bin to run the web browser as root. Please help/advise.

BTW - I tried running chromium - which fired up the browser, but alas couldn't access the usb drive (/mnt/sdc1).

Thanks,
Raj

Raj
Posts: 8
Joined: Fri Aug 14, 2020 11:33 am

Re: No support for Landlock in EasyOS?

Post by Raj »

@BarryK
ok - after some searching the forum and internet, I think I figured it out.

Just append --no-sandbox to the command seems to work:

Code: Select all

# /usr/bin/chromium.bin --no-sandbox

Is that correct?

Thanks,
Raj

User avatar
BarryK
Posts: 2705
Joined: Tue Dec 24, 2019 1:04 pm
Has thanked: 132 times
Been thanked: 739 times

Re: No support for Landlock in EasyOS?

Post by BarryK »

yeah, i forgot, with chromium you need that "--no-sandbox"

Raj
Posts: 8
Joined: Fri Aug 14, 2020 11:33 am

Re: No support for Landlock in EasyOS?

Post by Raj »

Thank you Barry :thumbup:

Post Reply

Return to “EasyOS”