Tier list of Linux security mechanisms
Linux has quite some security mechanisms. So let's look at some of them and rate them by usability and power.
File permissions
Every file has read/write/execute permissions for its owner, group, and others. This is usually expressed in octal: 755 means everyone can read and execute, but only the owner can write. 600 means everyone is blocked but the owner can read and write.
This system is pretty old and has served us well. For example, home directories are typically 700 to block access from other users. And system services can run as separate users so they cannot change the system or access users' home directories.
File permissions are simple and powerful. They are a foundational tool for any Linux user. However, they lack some of the flexibility of other items on the list.
A Tier
Capabilities
The root user has a lot of special permissions. For example, they can access any file or bind ports below 1024. At some point, the Linux community decided to divide this role into Capabilities to allow more granular access control.
However, the list of Capabilities is long and complicated. Regular users will hardly be able to understand which capabilities a process needs. Some Capabilities even allow privilege escalations.
Docker by default runs containers as root, but drops most capabilities. Running with a limited set of capabilities is better than running as root. But in practice, you rarely even need any capabilities. Just running as a regular user will work 99% of the time.
B Tier
seccomp
seccomp allows to filter which syscalls a process has access to. For me, this has much the same pros and cons as Capabilities: The list of syscalls is just too long and complicated.
On top of that, creating a seccomp filter is also complicated. bwrap wants a compiled cBPF program. Docker will take a JSON seccomp profile. Systemd has probably the most usable interface by providing presets like @system-service
.
B Tier
No new privileges
PR_SET_NO_NEW_PRIVS
blocks setuid (e.g. sudo) and a bunch of other privilege escalations. Highly recommended.
bwrap uses it unconditionally, in systemd it is implied by a bunch of settings, and Docker has an option to enable it.
S Tier
AppArmor / SELinux
These are effectively file permissions on steroids. Where file permissions only allow you to assign permissions for owner and group, these allow you to assign permissions for every binary individually. This means that every application can come with a specific AppArmor / SELinux profile that exactly lists the files it needs access to.
My impression is that very few applications come with AppArmor or SELinux profiles. Writing them is cumbersome, especially if they are not maintained along with the application itself.
I don't think these mechanisms are actively harmful. Maybe I am too harsh, but given the alternatives we will discuss later, I don't see any reason to use them.
C Tier
cgroups
So far we mainly looked at mechanisms to restrict file access and syscalls. Control Groups allow to restrict system resources (mostly CPU and memory). This is what resource control in systemd and Docker is build upon.
cgroups are a useful mechanism for servers, especially if you rent out computing time to others. For single users systems, they are much less relevant.
B Tier
Namespaces
Namespaces have fueled the container revolution of the past years, including Docker and Flatpak. Network and PID namespaces are useful, but the real star is mount namespaces, which allows to construct a separate file hierarchy for each process.
You can use this mechanism a lot like AppArmor / SELinux, but instead of blocking access to a file, you just don't include it in the hierarchy. In that case you still have to maintain the list of files that should be made available, which is quite complex to get right.
The other option is to use a completely separate file hierarchy that only shares some select data folders with the host system. This is easier, but also results in many redundant and potentially unpatched directory trees.
Despite the downsides, I really like how powerful this mechanism is while also being quite intuitive.
A Tier
Landlock
Landlock is yet another way to limit access to files, and was only added to the kernel in 5.13.
While it could be used to sandbox applications, I think we already have more than enough mechanisms for that (AppArmor, SELinux, mount namespaces). However, it could be interesting as a mechanism for processes to restrict themselves. Landlock was actually modelled after a BSD mechanism called pledge
, as in "I pledge to not ever access those files".
C Tier
polkit
A trend in recent years is to have services that can perform privileged actions, so that applications can talk to those services over dbus instead of having to perform the privileged actions themselves. On its own, this is just a security bypass. But the services in turn ask polkit whether an action should be allowed. polkit will then consult its configuration and either allow the request, deny the request, or ask the user to authorize the request by entering their password.
Polkit gives instant privilege escalation while having a voluptuous attack surface. That doesn't mean that it is insecure. But if I wanted to attack a Linux desktop system, this is where I would start.
Proponents of polkit argue that it gives much more flexibility. But polkit rules decide requests mainly based on group membership. I cannot see how polkit should make nuanced decisions based on this limited information.
The main benefit or polkit is that it allows to get the user into the loop. There is a good idea somewhere in here. But the current implementation is not that.
Unfortunately, polkit is a central part of most modern Linux desktops. I wish we had something else, but for now we are stuck with it.
D Tier
xdg-dbus-proxy
The Flatpak project realized that polkit is not sufficient and came up with an additional mechanism: They build xdg-dbus-proxy, a dbus proxy that filters which services are available. They then mount the proxy instead of the original socket in their mount namespace.
(Aside: This would not be necessary if dbus would use a separate socket for each service. Then you could use mount namespaces directly without a need for a proxy.)
As far as I understand, they do not do much work on this project because they want to move this functionality into dbus itself. However, the ticket was created in 2017 and there has not been much progress. So I am not really sure about the status.
C Tier
Summary
There you have it, this is my ranking of linux security mechanisms:
- S Tier: No new privileges (great!)
- A Tier: File permissions, Namespaces (tools for everyday use)
- B Tier: Capabilities, seccomp, cgroups (only for select occasions)
- C Tier: AppArmor / SELinux, Landlock, xdg-dbus-proxy (better options are available)
- D Tier: polkit (I would like to see this one replaced)
- F Tier: -