Empty / deny-all ruleset

[lanodan]

Maybe I missed something and there's a better way, but it seems like you can't create an empty ruleset or restrict to an empty one to deny all (further) access.

Doesn't works with an fd of 0 and not aware of a magic value for fd which could instead work:

landlock_restrict_self(0, 0)            = -1 EBADFD (File descriptor in bad state)

And creating an empty ruleset:

landlock_create_ruleset({handled_access_fs=0, handled_access_net=0, scoped=0}, 24, 0) = -1 ENOMSG (No message of desired type)

landlock_create_ruleset(NULL, 0, 0)     = -1 EFAULT (Bad address)

(strace output, tested on Linux 6.12.31)

By the way at least 2 cases where an empty ruleset can make sense:

• Programs which only processes base/inherited accesses (environment variables, arguments, stdin/stdout/stderr, passed fds, …). Filters inside of pipelines or as child process being probably the most sensitive of those.
• Programs which are done configuring & setting up and shouldn't access further files (rather typical of long-lived user & system programs like dæmons)

[rusty-snake]

First off, this is not a support forum.

Doesn't works with an fd of 0

If your FILENO_STDIN is a landlock ruleset, it works. But this is very unlikely.

landlock_create_ruleset({handled_access_fs=0, handled_access_net=0, scoped=0}, 24, 0)

This means you do not want to restrict filesystem, network, scopes. Landlock detects that you are likely doing something wrong and errors.

deny all (further) access

This can break at any time when landlock gets new restrictions. Landlock is design with back/forward compatibility. Therefore you must declared the highest supported version you know/want.

Programs which only processes base/inherited accesses (environment variables, arguments, stdin/stdout/stderr, passed fds, …). Filters inside of pipelines or as child process being probably the most sensitive of those.

seccomp

[lanodan]

First off, this is not a support forum.

Yeah, I mean this as like feature request for say LANDLOCK_ACCESS_FS_NONE (or denying read/write/execute given landlock design) with possibility of saying no or pointing elsewhere for a comparable access-control feature.

[rusty-snake]

Yeah, I mean this as like feature request for say LANDLOCK_ACCESS_FS_NONE (or denying read/write/execute given landlock design)

How you this look like?

1. landlock_create_ruleset: I do not want this ruleset to handle any filesystem access.
2. landlock_enforce --> enforcing nothing as nothing is handled.

---

Empty ruleset

There are two kinds of empty. No rules (landlock_rule_add) and "nothing handled" (landlock_create_ruleset).

If you create a ruleset that handles all access_fs up to ABI 5 and add no rules. What is missing in the kernel api?

landlock_create_ruleset({handled_access_fs=LANDLOCK_ACCESS_FS_EXECUTE|LANDLOCK_ACCESS_FS_WRITE_FILE|LANDLOCK_ACCESS_FS_READ_FILE|...|LANDLOCK_ACCESS_FS_IOCTL_DEV, ...}, ...)

deny-all ruleset

What would be "all"? See forward/backward compatibility.

[l0kod]

Yeah, I mean this as like feature request for say LANDLOCK_ACCESS_FS_NONE (or denying read/write/execute given landlock design) with possibility of saying no or pointing elsewhere for a comparable access-control feature.

It's not possible to deny any potential kind of access because we first need to specify what these access would be and then implement the related restrictions in the kernel. However, as explained in the previous comment, it's easy to deny all supported access by creating a ruleset that handles all filesystem accesses known by Landlock (for a specific ABI). I think that's what you're looking for.

To say it another way, a rule is an exception to the deny-by-default ruleset's handled access rights. So, creating a ruleset (without rule) that handles all/most access rights would mean that all these access rights will be denied to the sandboxed process.

An important point to keep in mind is that you may not know on which kernel your program will be executed, which means that you should first check the currently supported access rights. This can be done by querying the ABI version and filling the handled access rights accordingly. Please take a look at this example to see how to properly do it with LANDLOCK_CREATE_RULESET_VERSION.