No support for Landlock in EasyOS?

[Chrysolite Azalea]

Hello everyone! I've tested EasyOS recently, and I wonder, why does EasyOS lack Landlock support? It does support seccomp... but not Landlock? That seems strange to me. (Landlock was added in the 5.13 kernel version)

[Chrysolite Azalea]

P.S. I have used this sandboxer in order to test it, although I have slightly modified it in order to simplify compiling it.

[BarryK]

Yes, the kernel config:

Code: Select all

# CONFIG_SECURITY_LANDLOCK is not set

I haven't enabled it because I don't know anything about it.

Even if I did know what it does, I tend not to enable extra kernel security features unless I actually will use them.

[Chrysolite Azalea]

Yes, the kernel config:

Code: Select all

# CONFIG_SECURITY_LANDLOCK is not set

I haven't enabled it because I don't know anything about it.

Even if I did know what it does, I tend not to enable extra kernel security features unless I actually will use them.

But Landlock is supposed to be used by user's apps (specifically, unprivileged apps), not by system components (they can always use privileged things like namespaces and mandatory access control)?

[Chrysolite Azalea]

I haven't enabled it because I don't know anything about it.

Landlock is an unprivileged file access self-restriction feature. It allows apps to define which files/directories they are allowed to access, and all access to any files/directories not mentioned in the ruleset would be denied. It's like seccomp, but for file system access.

[BarryK]

I don't think that any of the apps used in Easy make use of Landlock.
So, what apps do use it?
Or more to the point, what apps use it that would be good to have in easyOS?

[dimkr]

@BarryK woof-CE includes an optional, Landlock-based sandbox for applications running as spot since https://github.com/puppylinux-woof-CE/woof-CE/pull/3419. For example, my browser runs as spot, but when I press CTRL+O and try to navigate to /root, I can't, and this doesn't change if I chmod 777 /root or even chown spot:spot /root. woof-CE runs PulseAudio, PipeWire and Xwayland as spot, and X.Org can optionally run as spot, too. The latter is notorious for its security issues, and they propagate to Xwayland often, making Landlock very useful in a community distro without a security team, many processes that run as root, and users that don't like to update their old (= vulnerable) software.

[BarryK]

@BarryK woof-CE includes an optional, Landlock-based sandbox for applications running as spot since https://github.com/puppylinux-woof-CE/woof-CE/pull/3419. For example, my browser runs as spot, but when I press CTRL+O and try to navigate to /root, I can't, and this doesn't change if I chmod 777 /root or even chown spot:spot /root. woof-CE runs PulseAudio, PipeWire and Xwayland as spot, and X.Org can optionally run as spot, too. The latter is notorious for its security issues, and they propagate to Xwayland often, making Landlock very useful in a community distro without a security team, many processes that run as root, and users that don't like to update their old (= vulnerable) software.

Thanks for the info, that is very interesting. You have convinced me to enable landlock in next kernel compile.

[Raj]

OS - easyOS 5.1.1

Thanks @dimkr & @BarryK - now I can access /root.
Is there anyway I can access /mnt/sdb1 or /mnt/sda1 - /mnt/sdc1/ being easyOS boot usb-drive.

Thanks.

[BarryK]

OS - easyOS 5.1.1

Thanks @dimkr & @BarryK - now I can access /root.
Is there anyway I can access /mnt/sdb1 or /mnt/sda1 - /mnt/sdc1/ being easyOS boot usb-drive.

Thanks.

I don't understand what you are doing.
What does "now I can access /root" mean?

[dimkr]

Enabling Landlock support in the kernel doesn't do anything unless an application uses the Landlock API to restrict itself.

[Raj]

@BarryK – apologies for not expressing myself well.

Essentially I’d like to save files downloaded using web browser (Chromium, Brave or Firefox) to usb drive/stick directly.

Previously, I could (I think prior to version 3.5 – I can’t remember) do just that but the Browser supplied was Palemoon – which was not working well with the website where I was downloading the files! At or about the same time as Firefox was introduced, the security framework was tightened, so I could connect to the websites but could only download the files to user spot’s folder which was on RAM.

When @dimkr commented on this thread that it would be great if chown and chmod can make /root accessible to the browser. I thought it would be good idea to check if I can access the usb drive using same technique, so I tried accessing /root partition in version 5.1.1 before and after applying chown and chmod commands – and it worked! However it doesn’t work when I try on the usb drive (/mnt/sdb1).

So is it somehow possible to save the downloaded files directly on the usb drive?

@dimkr thanks for sharing Landlock technique – which I don’t fully understand!
@BarryK – thanks for Puppy and Easy OS. I really appreciate your efforts.

[BarryK]

@Raj
Firefox and Chromium run as a non-root user, restricting where can save to.
Ditto if run in a container.

However, you can run them as the root user, then can save anywhere.

Easy 5.1.1 has Chromium builtin, and you will see two executables, /usr/bin/chromium and /usr/bin/chromium.bin
Open a terminal and run this:

Code: Select all

# chromium.bin

and Chromium will run as root.

[Raj]

Thanks for the swift reply @BarryK

I tried and here's what I get

Code: Select all

# cd /usr/bin/
# chromium.bin 
[14764:14764:0325/190721.681700:ERROR:zygote_host_impl_linux.cc(100)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
# 

I'm afraid I don't understand the response: how I can modify chromium.bin to run the web browser as root. Please help/advise.

BTW - I tried running chromium - which fired up the browser, but alas couldn't access the usb drive (/mnt/sdc1).

Thanks,
Raj

[Raj]

@BarryK
ok - after some searching the forum and internet, I think I figured it out.

Just append --no-sandbox to the command seems to work:

Code: Select all

# /usr/bin/chromium.bin --no-sandbox

Is that correct?

Thanks,
Raj

[BarryK]

yeah, i forgot, with chromium you need that "--no-sandbox"

[Raj]

Thank you Barry