How to Safely Restrict Access to Files in a Programmatic Way with Landlock? - Mickaël Salaün, ANSSI Mandatory Access Control is implemented in four major LSMs. They either identify a file with its inode attribute (SELinux and Smack) or with its path (AppArmor and Tomoyo). This techniques share a common drawback: they cannot safely be used from an unprivileged context. One of Landlock's goal is to tackle this problem with a new hybrid way to identify a file from a user-defined security policy. After a brief recap of the main mechanisms used by Landlock (covered in LSS 2017), this talk highlight the constraints of applying an unprivileged access-control on files, what was the previous Landlock attempts, and how works the new way to programmatically describe a file access (cf. the eighth patch series of Landlock). We illustrate this with a demo of a dynamic access-control for end user. Finally, we discuss some drawbacks and how much it depends on the internal kernel implementation. About Mickaël Salaün Mickaël Salaün is a security researcher, software developer and open source enthusiast. He is mostly interested in Linux-based operating systems, especially from a security point of view. He works on system hardening and has built security sandboxes (e.g. StemJail) before hacking into the kernel on a new LSM called Landlock. He is currently employed by the French Network and Information Security Agency (ANSSI).
