Hello everyone! I've tested EasyOS recently, and I wonder, why does EasyOS lack Landlock support? It does support seccomp... but not Landlock? That seems strange to me. (Landlock was added in the 5.13 kernel version)
No support for Landlock in EasyOS?
Moderator: BarryK
-
- Posts: 30
- Joined: Sat Oct 23, 2021 6:17 pm
- Been thanked: 5 times
No support for Landlock in EasyOS?
- Attachments
-
- Screenshot_2023-02-12_23-40-45.jpg (134.52 KiB) Viewed 1534 times
-
- Posts: 30
- Joined: Sat Oct 23, 2021 6:17 pm
- Been thanked: 5 times
Re: Landlock
P.S. I have used this sandboxer in order to test it, although I have slightly modified it in order to simplify compiling it.
Re: No support for Landlock in EasyOS?
Yes, the kernel config:
Code: Select all
# CONFIG_SECURITY_LANDLOCK is not set
I haven't enabled it because I don't know anything about it.
Even if I did know what it does, I tend not to enable extra kernel security features unless I actually will use them.
-
- Posts: 30
- Joined: Sat Oct 23, 2021 6:17 pm
- Been thanked: 5 times
Re: No support for Landlock in EasyOS?
BarryK wrote: Mon Feb 13, 2023 4:18 pmYes, the kernel config:
Code: Select all
# CONFIG_SECURITY_LANDLOCK is not set
I haven't enabled it because I don't know anything about it.
Even if I did know what it does, I tend not to enable extra kernel security features unless I actually will use them.
But Landlock is supposed to be used by user's apps (specifically, unprivileged apps), not by system components (they can always use privileged things like namespaces and mandatory access control)?
-
- Posts: 30
- Joined: Sat Oct 23, 2021 6:17 pm
- Been thanked: 5 times
Re: No support for Landlock in EasyOS?
Landlock is an unprivileged file access self-restriction feature. It allows apps to define which files/directories they are allowed to access, and all access to any files/directories not mentioned in the ruleset would be denied. It's like seccomp, but for file system access.
Re: No support for Landlock in EasyOS?
I don't think that any of the apps used in Easy make use of Landlock.
So, what apps do use it?
Or more to the point, what apps use it that would be good to have in easyOS?
-
- Posts: 2426
- Joined: Wed Dec 30, 2020 6:14 pm
- Has thanked: 53 times
- Been thanked: 1203 times
Re: No support for Landlock in EasyOS?
@BarryK woof-CE includes an optional, Landlock-based sandbox for applications running as spot since https://github.com/puppylinux-woof-CE/woof-CE/pull/3419. For example, my browser runs as spot, but when I press CTRL+O and try to navigate to /root, I can't, and this doesn't change if I chmod 777 /root
or even chown spot:spot /root
. woof-CE runs PulseAudio, PipeWire and Xwayland as spot, and X.Org can optionally run as spot, too. The latter is notorious for its security issues, and they propagate to Xwayland often, making Landlock very useful in a community distro without a security team, many processes that run as root, and users that don't like to update their old (= vulnerable) software.
Re: No support for Landlock in EasyOS?
dimkr wrote: Thu Feb 23, 2023 4:42 pm@BarryK woof-CE includes an optional, Landlock-based sandbox for applications running as spot since https://github.com/puppylinux-woof-CE/woof-CE/pull/3419. For example, my browser runs as spot, but when I press CTRL+O and try to navigate to /root, I can't, and this doesn't change if I
chmod 777 /root
or evenchown spot:spot /root
. woof-CE runs PulseAudio, PipeWire and Xwayland as spot, and X.Org can optionally run as spot, too. The latter is notorious for its security issues, and they propagate to Xwayland often, making Landlock very useful in a community distro without a security team, many processes that run as root, and users that don't like to update their old (= vulnerable) software.
Thanks for the info, that is very interesting. You have convinced me to enable landlock in next kernel compile.
Re: No support for Landlock in EasyOS?
Raj wrote: Wed Mar 22, 2023 2:04 pmOS - easyOS 5.1.1
Thanks @dimkr & @BarryK - now I can access /root.
Is there anyway I can access /mnt/sdb1 or /mnt/sda1 - /mnt/sdc1/ being easyOS boot usb-drive.Thanks.
I don't understand what you are doing.
What does "now I can access /root" mean?
-
- Posts: 2426
- Joined: Wed Dec 30, 2020 6:14 pm
- Has thanked: 53 times
- Been thanked: 1203 times
Re: No support for Landlock in EasyOS?
Enabling Landlock support in the kernel doesn't do anything unless an application uses the Landlock API to restrict itself.
Re: No support for Landlock in EasyOS?
@BarryK – apologies for not expressing myself well.
Essentially I’d like to save files downloaded using web browser (Chromium, Brave or Firefox) to usb drive/stick directly.
Previously, I could (I think prior to version 3.5 – I can’t remember) do just that but the Browser supplied was Palemoon – which was not working well with the website where I was downloading the files! At or about the same time as Firefox was introduced, the security framework was tightened, so I could connect to the websites but could only download the files to user spot’s folder which was on RAM.
When @dimkr commented on this thread that it would be great if chown and chmod can make /root accessible to the browser. I thought it would be good idea to check if I can access the usb drive using same technique, so I tried accessing /root partition in version 5.1.1 before and after applying chown and chmod commands – and it worked! However it doesn’t work when I try on the usb drive (/mnt/sdb1).
So is it somehow possible to save the downloaded files directly on the usb drive?
@dimkr thanks for sharing Landlock technique – which I don’t fully understand!
@BarryK – thanks for Puppy and Easy OS. I really appreciate your efforts.
Re: No support for Landlock in EasyOS?
@Raj
Firefox and Chromium run as a non-root user, restricting where can save to.
Ditto if run in a container.
However, you can run them as the root user, then can save anywhere.
Easy 5.1.1 has Chromium builtin, and you will see two executables, /usr/bin/chromium and /usr/bin/chromium.bin
Open a terminal and run this:
Code: Select all
# chromium.bin
and Chromium will run as root.
Re: No support for Landlock in EasyOS?
Thanks for the swift reply @BarryK
I tried and here's what I get
Code: Select all
# cd /usr/bin/
# chromium.bin
[14764:14764:0325/190721.681700:ERROR:zygote_host_impl_linux.cc(100)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
#
I'm afraid I don't understand the response: how I can modify chromium.bin to run the web browser as root. Please help/advise.
BTW - I tried running chromium - which fired up the browser, but alas couldn't access the usb drive (/mnt/sdc1).
Thanks,
Raj
Re: No support for Landlock in EasyOS?
@BarryK
ok - after some searching the forum and internet, I think I figured it out.
Just append --no-sandbox to the command seems to work:
Code: Select all
# /usr/bin/chromium.bin --no-sandbox
Is that correct?
Thanks,
Raj