Skip to content

landlock-lsm/tuto-lighttpd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits

config

config

 
 

solution

solution

 
 

web

web

 
 

.gitignore

.gitignore

 
 

How to sandbox an application with Landlock.pdf

How to sandbox an application with Landlock.pdf

 
 

README.md

README.md

 
 

Vagrantfile

Vagrantfile

 
 

getlink.sh

getlink.sh

 
 

landlock.h

landlock.h

 
 

sandboxer.c

sandboxer.c

 
 

setup.sh

setup.sh

 
 

vimrc

vimrc

 
 

vmlinuz-landlock-net

vmlinuz-landlock-net

 
 

Repository files navigation

Landlock tutorial to patch lighttpd

Network access-control is well covered by different kind of firewalls, but for some use cases it may be interesting to tie the semantic of an application instance and its configuration to a set of rules. For instance, only some processes of web browsers or web servers may legitimately be allowed to share data over the network, while other processes should be blocked. Linux provides some mechanisms to do so, including SELinux or AppArmor, but until now it has not been possible for applications to safely sandbox themselves.

Slides: How to sandbox an application with Landlock

Install tools

For this tutorial, we will use Vagrant to set up a dedicated virtual machine (VM). Run the following commands as root according to your Linux distribution.

Arch Linux

pacman -S vagrant libvirt base-devel dnsmasq
systemctl enable --now libvirtd.service

See the Arch Linux libvirt tutorial for more details.

Debian or Ubuntu

apt install --no-install-recommends vagrant qemu-utils ruby-libvirt ruby-dev libvirt-daemon-system qemu-system

See the Debian KVM tutorial for more details.

Fedora

dnf install vagrant qemu libvirt
systemctl enable --now virtnetworkd

Start the VM manager

Start libvirtd if needed:

systemctl start libvirtd.service

We then need to allow the developer (an unprivileged user) to use libvirt thanks to a dedicated group:

usermod -a -G libvirt <user>

This group update will take effect the next time the user logs in. Alternatively, the user can update a shell session with:

su $USER

Create and start the VM

As an unprivileged user, clone this repository:

git clone https://github.com/landlock-lsm/tuto-lighttpd
cd tuto-lighttpd

The Vagrant VM provisioning will install 3 vagrant plugins on the host system, other commands are executed in the VM. After plugins installation Vagrant will ask to execute the same command again to proceed the VM configuration:

vagrant up

A virbr network interface will be created. On most systems this should work as is, but otherwise we may need to allow inbound connections (and routing) from the loopback interface according to host's firewall rules.

Connect to the VM

vagrant ssh

Test the VM

On the VM, start the lighttpd service and check the logs:

sudo systemctl start lighttpd.service
sudo journalctl -fu lighttpd.service &
sudo tail -F /var/log/lighttpd/error.log &

Use the getlink.sh script to get the local website link:

/vagrant/getlink.sh

Visit the link with a web browser to validate that it works. This link may change each time the VM starts.

About

Landlock tutorial to patch lighttpd

landlock.io

Topics

linux security sandboxing landlock

Resources

Readme
Activity
Custom properties

Stars

3 stars

Watchers

1 watching

Forks

1 fork
Report repository

Contributors 2

  •  
  •  

Languages