nicolast / landlock-hs
Haskell bindings for the Linux Landlock API
Home Page: https://hackage.haskell.org/package/landlock
License: BSD 3-Clause "New" or "Revised" License
Extend README.md with some sample code, and execute it as part of the test-suite.
For some reason, the API documentation as hosted on Hackage doesn't include all docs. As an example, the constructors of AccessFsFlag don't have their associated docstrings. However, a local render of the docs (either as-is, or using --haddock-for-hackage, then unpacking the resulting tarball and opening the HTML pages) included the desired information.
In Linux, security contexts and related things are kept per-thread by the kernel, even though users (and POSIX) expect many of them to be per-process. As an example, when one calls setuid(...), one expects the whole process, including all its threads (some of which the application author may not even know exist), to now run as the new UID, not only the thread performing the syscall.

Within Glibc and other libcs, there's code in place to make setuid, setgid and other calls behave as expected/required: instead of simply invoking the syscall in the calling thread, the syscall is invoked in all threads of the process, through a bunch of highly tricky code involving signals and whatnot. This is known as the setxid issue.
The Landlock API has the very same problem with landlock_restrict_self (and its prerequisite prctl(PR_SET_NO_NEW_PRIVS, ...)): the restrictions are applied only to the thread invoking landlock_restrict_self, not to all pre-existing threads in the process. Hence, even after invoking landlock_restrict_self, other threads would still be able to access files etc. which were supposed to be restricted.
The Glibc machinery to run some syscall in all threads is not exposed, and hence cannot be repurposed. There's a library, libpsx, part of libcap (which suffers from the exact same setxid problem), which provides a user-facing API to run some syscalls in all pre-existing threads, relying on some linker functionality to hook into pthread_create. However, when attempting to use libpsx with a GHC Haskell program, things don't work out, potentially due to how libpsx and the GHC RTS interact, or maybe some bug(s) in the RTS, which does not expect some function calls to be interrupted by SIGSYS.
In Golang, the syscall.AllThreadsSyscall function was added to invoke some syscall in all OS threads managed by the Go runtime. If GHC had a similar feature, the setxid problem of landlock_restrict_self could be fixed trivially (assuming no OS threads were created by other means).

Alternatively, if Glibc gets built-in bindings for landlock_restrict_self which use the setxid functionality under the hood, we could use those instead of invoking the syscall directly.

For now, this issue is documented in the API docs, and the library will throw an exception when using landlock with the threaded RTS.
See https://github.com/NicolasT/landlock-hs/blob/f22b7e4450991f7cdbec37271f56550c1d747b10/test/ThreadedScenario.hs for a scenario exposing the issue (when using the threaded RTS).
See also a related article by Kazu Yamamoto at https://kazu-yamamoto.hatenablog.jp/entry/2020/12/04/141308.
See: golang/go#1435
See: https://ewontfix.com/17/
See: https://sites.google.com/site/fullycapable/who-ordered-libpsx
See: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/psx
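The threaded scenario the issue describes, as an added C example (not code from landlock-hs or its ThreadedScenario.hs): a helper thread is started first, the main thread then enables a Landlock ruleset that handles file reads and adds no rules, and both threads try to reopen a temporary file created for the test. The syscall numbers and `struct ll_ruleset_attr` mirror Landlock ABI v1 so no `<linux/landlock.h>` is required; the file path is constructed; `demonstrate_per_thread` returns 1 when the pre-existing thread kept the access the restricting thread lost.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_landlock_create_ruleset               /* Landlock syscall numbers are arch-independent */
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_restrict_self 446
#endif
#define LL_ACCESS_FS_READ_FILE (1ULL << 2)            /* = LANDLOCK_ACCESS_FS_READ_FILE */
struct ll_ruleset_attr { uint64_t handled_access_fs; }; /* = struct landlock_ruleset_attr (ABI v1) */
static int wake_fd[2];                                /* main -> helper: "restriction applied, try now" */
static char path[] = "/tmp/landlock-demo-XXXXXX";     /* constructed test file, filled in by mkstemp */

int try_read(const char *p) {                         /* 0 if p can be opened for reading, else -errno */
    int fd = open(p, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    return close(fd), 0;
}
static void *helper(void *arg) {                      /* this thread exists BEFORE landlock_restrict_self */
    char c; (void)arg;
    if (read(wake_fd[0], &c, 1) != 1) return (void *)(intptr_t)-EIO;
    return (void *)(intptr_t)try_read(path);
}
/* -1: Landlock unavailable or refused (ENOSYS, EOPNOTSUPP, EPERM, ...);  1: the pre-existing
 * thread kept read access that the restricting thread lost;  0: it was restricted as well. */
int demonstrate_per_thread(void) {
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_ACCESS_FS_READ_FILE };
    pthread_t tid; void *res; int fd = mkstemp(path);
    if (fd < 0 || pipe(wake_fd) != 0 || pthread_create(&tid, NULL, helper, NULL) != 0) return -1;
    int rs = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof attr, 0);
    int ok = rs >= 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
             syscall(SYS_landlock_restrict_self, rs, 0) == 0;  /* confines the calling thread only */
    if (rs >= 0) close(rs);
    int self = ok ? try_read(path) : 0;               /* no rule grants anything: expect -EACCES */
    write(wake_fd[1], "x", 1);
    pthread_join(tid, &res);
    int other = (int)(intptr_t)res;
    unlink(path); close(fd);                          /* REMOVE_FILE is not handled, so unlink still works */
    if (!ok) return -1;
    printf("restricting thread: %d, pre-existing thread: %d\n", self, other);
    return (self == -EACCES && other == 0) ? 1 : 0;
}
int main(void) { return demonstrate_per_thread() < 0 ? 2 : 0; }
```

On a Landlock-enabled kernel the restricting thread reports -13 (EACCES) while the pre-existing thread reports 0, which is exactly why the library refuses to run under the threaded RTS.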