Add sandboxing with Landlock #184
Conversation
p7zip handles a lot of archive formats, each bringing complexity and extending its attack surface. Landlock is a Linux security sandboxing mechanism which helps limit the impact of bug exploitation. These modifications enable to use Landlock following a best-effort appoach: if Landlock is available on the running system, then it will be used to sandbox p7zip, otherwise nothing will change. By default, all console commands (7z, 7za and 7zr) reading archives will create a sandbox which denies basic file-system accesses (e.g. read, create or write to files). All other commands (b, h, i, t) are untouched. FIXME: For now, only basic use of list (l) and extracts (e, x) commands is working and tested. The sandbox is enforced when calling COpenCallbackConsole::Open_setTotal(), which seems to be the more generic place for this purpose. When extracting an archive, a new helper called GetOutputBaseDir() is used to add security exception to the sandbox so that it will be allowed to create files in the output directory. Signed-off-by: Mickaël Salaün <[email protected]>
|
This is a work-in-progress, but I'd like some feedback before continuing and rebasing on the p7zip21.07 branch. For now, only basic use of list (l) and extracts (e, x) commands is working and tested. |
|
I'd also like to create a more consistent Ruleset class, but it is enough to test for now. |
|
In case a draft PR doesn't sent notifications, ping @jinfeihan57. |
|
I don't konw much about Landlock.How much will this affect efficiency? |
The performance impact will only be for the I can do some benchmark but I encourage you to do so and share your methodology. Sandboxing could be optional (e.g. depending on a command argument or a build option), but I would suggest to create a new command argument to (optionally) disable sandboxing, making p7zip protects its users by default. |
p7zip handles a lot of archive formats, each bringing complexity and extending
its attack surface. Landlock is a Linux security sandboxing mechanism which
helps limit the impact of bug exploitation. These modifications enable to use
Landlock following a best-effort appoach: if Landlock is available on the
running system, then it will be used to sandbox p7zip, otherwise nothing will
change.
By default, all console commands (7z, 7za and 7zr) reading archives will create
a sandbox which denies basic file-system accesses (e.g. read, create or write
to files). All other commands (b, h, i, t) are untouched.
The sandbox is enforced when calling COpenCallbackConsole::Open_setTotal(),
which seems to be the more generic place for this purpose.
When extracting an archive, a new helper called GetOutputBaseDir() is used to
add security exception to the sandbox so that it will be allowed to create
files in the output directory.
See https://docs.kernel.org/userspace-api/landlock.html for the kernel UAPI
documentation.