From patchwork Tue Aug 6 18:10:40 2024
X-Patchwork-Submitter: Tahera Fahimi
X-Patchwork-Id: 13755217
From: Tahera Fahimi
To: outreachy@lists.linux.dev
Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi
Subject: [PATCH v2 1/4] Landlock: Add signal control
Date: Tue, 6 Aug 2024 12:10:40 -0600
Message-Id: <49557e48c1904d2966b8aa563215d2e1733dad95.1722966592.git.fahimitahera@gmail.com>

Currently, a sandboxed process is not restricted from sending a signal (e.g. SIGKILL) to a process outside of the sandbox environment. The ability of a sandboxed process to send a signal should be scoped the same way abstract unix sockets are scoped. Therefore, we extend the "scoped" field in a ruleset with "LANDLOCK_SCOPED_SIGNAL" to specify that a ruleset will deny sending any signal from within a sandboxed process to its parent (i.e. any parent sandbox or non-sandboxed process).

Signed-off-by: Tahera Fahimi
---
Changes in versions:
V2:
* Remove signal_is_scoped function
* Applying reviews of V1
V1:
* Introducing LANDLOCK_SCOPE_SIGNAL
* Adding two hooks, hook_task_kill and hook_file_send_sigiotask for signal scoping.
---
 include/uapi/linux/landlock.h | 3 +++
 security/landlock/limits.h | 2 +-
 security/landlock/task.c | 43 +++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index ab31e9f53e55..a65fdb507d39 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -292,8 +292,11 @@ struct landlock_net_port_attr { * from connecting to an abstract unix socket created by a process * outside the related Landlock domain (e.g. a parent domain or a * non-sandboxed process). + * - %LANDLOCK_SCOPED_SIGNAL: Restrict a sandboxed process from sending a signal + * to another process outside sandbox domain. */ /* clang-format off */ #define LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET (1ULL << 0) +#define LANDLOCK_SCOPED_SIGNAL (1ULL << 1) /* clang-format on*/ #endif /* _UAPI_LINUX_LANDLOCK_H */ diff --git a/security/landlock/limits.h b/security/landlock/limits.h index eb01d0fb2165..fa28f9236407 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -26,7 +26,7 @@ #define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1) #define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET) -#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET +#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPED_SIGNAL #define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1) #define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE) /* clang-format on */ diff --git a/security/landlock/task.c b/security/landlock/task.c index 7e8579ebae83..a73cff27bb91 100644 --- a/security/landlock/task.c +++ b/security/landlock/task.c 
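Review bot: the new doc comment for %LANDLOCK_SCOPED_SIGNAL in include/uapi/linux/landlock.h ("to another process outside sandbox domain") is vaguer than the neighbouring %LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET entry and does not say which direction is blocked; the commit message says signals to a parent domain or a non-sandboxed process are denied, and the selftests in patch 2 also cover the sibling-domain deny case, so the comment should spell that out the same way the socket entry does, e.g. "Restrict a sandboxed process from sending a signal to a process outside the related Landlock domain (e.g. a parent domain or a non-sandboxed process)". Stating that a process may still signal itself and its own domain would answer the first question user space will have. The LANDLOCK_LAST_SCOPE update in limits.h is correct and keeps LANDLOCK_MASK_SCOPE in step.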
@@ -261,11 +261,54 @@ static int hook_unix_may_send(struct socket *const sock, return -EPERM; } +static int hook_task_kill(struct task_struct *const p, + struct kernel_siginfo *const info, const int sig, + const struct cred *const cred) +{ + bool is_scoped; + const struct landlock_ruleset *target_dom; + + /* rcu is already locked */ + target_dom = landlock_get_task_domain(p); + if (cred) + /* dealing with USB IO */ + is_scoped = domain_IPC_scope(landlock_cred(cred)->domain, + target_dom, + LANDLOCK_SCOPED_SIGNAL); + else + is_scoped = domain_IPC_scope(landlock_get_current_domain(), + target_dom, + LANDLOCK_SCOPED_SIGNAL); + if (is_scoped) + return 0; + + return -EPERM; +} + +static int hook_file_send_sigiotask(struct task_struct *tsk, + struct fown_struct *fown, int signum) +{ + bool is_scoped; + const struct landlock_ruleset *dom, *target_dom; + struct task_struct *result = get_pid_task(fown->pid, fown->pid_type); + + /* rcu is already locked! */ + dom = landlock_get_task_domain(result); + target_dom = landlock_get_task_domain(tsk); + is_scoped = domain_IPC_scope(dom, target_dom, LANDLOCK_SCOPED_SIGNAL); + put_task_struct(result); + if (is_scoped) + return 0; + return -EPERM; +} + static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme), LSM_HOOK_INIT(unix_stream_connect, hook_unix_stream_connect), LSM_HOOK_INIT(unix_may_send, hook_unix_may_send), + LSM_HOOK_INIT(task_kill, hook_task_kill), + LSM_HOOK_INIT(file_send_sigiotask, hook_file_send_sigiotask), }; __init void landlock_add_task_hooks(void) From patchwork Tue Aug 6 18:10:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13755218 Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No 
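Review bot: hook_file_send_sigiotask() dereferences the result of get_pid_task(fown->pid, fown->pid_type) without a NULL check: fown->pid can be unset (no F_SETOWN yet) or the owner task may already have exited, and then landlock_get_task_domain(result) and put_task_struct(result) both run on NULL. Decide what policy applies when the owner is gone and return early from the NULL case. Since the comment says RCU is already held, pid_task() would also do without the get/put reference pair, and naming the variable owner rather than result would make the two roles clearer (fown identifies the sending side, tsk the receiving side). In hook_task_kill() the two domain_IPC_scope() calls differ only in their first argument; computing the sender domain once (cred ? landlock_cred(cred)->domain : landlock_get_current_domain()) and calling domain_IPC_scope() once would be shorter and keep the "USB IO" comment next to the one line it explains.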
From: Tahera Fahimi
To: outreachy@lists.linux.dev
Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi
Subject: [PATCH v2 2/4] selftest/Landlock: Signal restriction tests
Date: Tue, 6 Aug 2024 12:10:41 -0600

This patch expands Landlock ABI version 6 by providing tests for the signal scoping mechanism. Based on kill(2), if the signal is 0, no signal will be sent, but the permission of a process to send a signal will be checked. Likewise, this test considers one signal for each signal category.

Signed-off-by: Tahera Fahimi
---
Changes in versions:
V2:
* Moving tests from ptrace_test.c to scoped_signal_test.c
* Remove debugging statements.
* Covering all basic restriction scenarios by sending 0 as signal
V1:
* Expanding Landlock ABI version 6 by providing basic tests for four signals to test the signal scoping mechanism.
---
 tools/testing/selftests/landlock/base_test.c | 2 +-
 .../selftests/landlock/scoped_signal_test.c | 303 ++++++++++++++++++
 2 files changed, 304 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/landlock/scoped_signal_test.c

diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
index 3c1e9f35b531..52b00472a487 100644
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -75,7 +75,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(5, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(6, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/testing/selftests/landlock/scoped_signal_test.c new file mode 100644 index 000000000000..133b1c8edf49 --- /dev/null +++ b/tools/testing/selftests/landlock/scoped_signal_test.c 
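Review bot: this hunk raises the expected ABI version from 5 to 6, but nothing in patch 1 changes the version returned by landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) (its diffstat is limited to landlock.h, limits.h and task.c), so either the selftest was already stale from the abstract unix socket scoping work or a version bump is missing from the kernel patch. The expected-version change belongs in the same commit as the kernel-side bump so that every commit in the series passes on its own; if signal scoping is meant to ship inside ABI 6 together with abstract unix socket scoping, the commit message should say so explicitly.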
@@ -0,0 +1,303 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Landlock tests - Signal Scoping + * + * Copyright © 2017-2020 Mickaël Salaün + * Copyright © 2019-2020 ANSSI + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "common.h" + +static sig_atomic_t signaled; + +static void create_signal_domain(struct __test_metadata *const _metadata) +{ + int ruleset_fd; + const struct landlock_ruleset_attr ruleset_attr = { + .scoped = LANDLOCK_SCOPED_SIGNAL, + }; + + ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + EXPECT_LE(0, ruleset_fd) + { + TH_LOG("Failed to create a ruleset: %s", strerror(errno)); + } + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); +} + +static void scope_signal_handler(int sig, siginfo_t *info, void *ucontext) +{ + if (sig == SIGHUP || sig == SIGURG || sig == SIGTSTP || + sig == SIGTRAP || sig == SIGUSR1) { + signaled = 1; + } +} + +/* clang-format off */ +FIXTURE(signal_scoping) {}; +/* clang-format on */ + +FIXTURE_VARIANT(signal_scoping) +{ + const int sig; + const bool domain_both; + const bool domain_parent; + const bool domain_child; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, allow_without_domain) { + /* clang-format on */ + .sig = 0, + .domain_both = false, + .domain_parent = false, + .domain_child = false, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_child_domain) { + /* clang-format on */ + .sig = 0, + .domain_both = false, + .domain_parent = false, + .domain_child = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, allow_with_parent_domain) { + /* clang-format on */ + .sig = 0, + .domain_both = false, + .domain_parent = true, + .domain_child = false, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_sibling_domain) { + /* clang-format on */ + .sig = 0, + .domain_both = false, + .domain_parent = 
true, + .domain_child = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, allow_sibling_domain) { + /* clang-format on */ + .sig = 0, + .domain_both = true, + .domain_parent = false, + .domain_child = false, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_nested_domain) { + /* clang-format on */ + .sig = 0, + .domain_both = true, + .domain_parent = false, + .domain_child = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, allow_with_nested_and_parent_domain) { + /* clang-format on */ + .sig = 0, + .domain_both = true, + .domain_parent = true, + .domain_child = false, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_forked_domain) { + /* clang-format on */ + .sig = 0, + .domain_both = true, + .domain_parent = true, + .domain_child = true, +}; + +/* Default Action: Terminate*/ +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_forked_domain_SIGHUP) { + /* clang-format on */ + .sig = SIGHUP, + .domain_both = true, + .domain_parent = true, + .domain_child = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, allow_with_forked_domain_SIGHUP) { + /* clang-format on */ + .sig = SIGHUP, + .domain_both = false, + .domain_parent = true, + .domain_child = false, +}; + +/* Default Action: Ignore*/ +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_forked_domain_SIGURG) { + /* clang-format on */ + .sig = SIGURG, + .domain_both = true, + .domain_parent = true, + .domain_child = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, allow_with_forked_domain_SIGURG) { + /* clang-format on */ + .sig = SIGURG, + .domain_both = false, + .domain_parent = true, + .domain_child = false, +}; + +/* Default Action: Stop*/ +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_forked_domain_SIGTSTP) { + /* clang-format on */ + .sig = SIGTSTP, + .domain_both = true, + .domain_parent = true, + 
.domain_child = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, allow_with_forked_domain_SIGTSTP) { + /* clang-format on */ + .sig = SIGTSTP, + .domain_both = false, + .domain_parent = true, + .domain_child = false, +}; + +/* Default Action: Coredump*/ +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_forked_domain_SIGTRAP) { + /* clang-format on */ + .sig = SIGTRAP, + .domain_both = true, + .domain_parent = true, + .domain_child = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, allow_with_forked_domain_SIGTRAP) { + /* clang-format on */ + .sig = SIGTRAP, + .domain_both = false, + .domain_parent = true, + .domain_child = false, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(signal_scoping, deny_with_forked_domain_SIGUSR1) { + /* clang-format on */ + .sig = SIGUSR1, + .domain_both = true, + .domain_parent = true, + .domain_child = true, +}; + +FIXTURE_SETUP(signal_scoping) +{ +} + +FIXTURE_TEARDOWN(signal_scoping) +{ +} + +TEST_F(signal_scoping, test_signal) +{ + pid_t child; + pid_t parent = getpid(); + int status; + bool can_signal; + int pipe_parent[2]; + struct sigaction action = { + .sa_sigaction = scope_signal_handler, + .sa_flags = SA_SIGINFO, + + }; + + can_signal = !variant->domain_child; + + if (variant->sig > 0) + ASSERT_LE(0, sigaction(variant->sig, &action, NULL)); + + if (variant->domain_both) { + create_signal_domain(_metadata); + if (!__test_passed(_metadata)) + /* Aborts before forking. */ + return; + } + ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + char buf_child; + int err; + + ASSERT_EQ(0, close(pipe_parent[1])); + if (variant->domain_child) + create_signal_domain(_metadata); + + /* Waits for the parent to be in a domain, if any. 
*/ + ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)); + + err = kill(parent, variant->sig); + if (can_signal) { + ASSERT_EQ(0, err); + } else { + ASSERT_EQ(-1, err); + ASSERT_EQ(EPERM, errno); + } + /* no matter of the domain, a process should be able to send + * a signal to itself. + */ + ASSERT_EQ(0, raise(variant->sig)); + if (variant->sig > 0) + ASSERT_EQ(1, signaled); + _exit(_metadata->exit_code); + return; + } + ASSERT_EQ(0, close(pipe_parent[0])); + if (variant->domain_parent) + create_signal_domain(_metadata); + + /* Signals that the parent is in a domain, if any. */ + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + + if (can_signal && variant->sig > 0) { + ASSERT_EQ(-1, pause()); + ASSERT_EQ(EINTR, errno); + ASSERT_EQ(1, signaled); + } else { + ASSERT_EQ(0, signaled); + } + + ASSERT_EQ(child, waitpid(child, &status, 0)); + + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) != EXIT_SUCCESS) + _metadata->exit_code = KSFT_FAIL; +} + +TEST_HARNESS_MAIN From patchwork Tue Aug 6 18:10:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13755219 Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7711078C8B; Tue, 6 Aug 2024 18:11:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722967883; cv=none; b=lHSUZRv/fgLXt89xWH+PVEinIZqYwzDGA7UZ6NajiKlGhk/Hxh08crKukC2oqTuYpKXDoPAupy731O7yP2ZoYmYvT2lvHpvRCHzkYGzTxH/O6rsTsQJKvgQaVy2Jp4fSGtPsU0H26O54EIzkeZFydcTi0aQjQiBzLOdXEIfQb+8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722967883; c=relaxed/simple; bh=n4/dqbrwVslhyK/HTd08bHNcZ8Y8wPwXJ9K9yx1yxas=; 
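Review bot: in TEST_F(signal_scoping, test_signal) the parent can miss the signal: it writes to pipe_parent and then calls pause(), while the child calls kill(parent, variant->sig) as soon as its read() returns, so if the signal is delivered between the write() and the pause() the handler has already run, pause() never returns and the test hangs instead of failing. Block variant->sig with sigprocmask() before the write() and replace pause() with sigsuspend() on a mask that unblocks it, or have the child report back on a second pipe after kill() and check `signaled` once that read returns. Two smaller points: `signaled` is written from a signal handler and read from the main flow, so it should be declared `volatile sig_atomic_t`; and the new file carries the "2017-2020 Mickaël Salaün / 2019-2020 ANSSI" copyright header copied from ptrace_test.c rather than this series' author and year.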
From: Tahera Fahimi To: outreachy@lists.linux.dev Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi Subject: [PATCH v2 3/4] sample/Landlock: Support signal scoping restriction Date: Tue, 6 Aug 2024 12:10:42 -0600 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 A sandboxer can receive the character "s" as input from the environment variable LL_SCOPE to restrict itself from sending a signal to a process outside its scoped domain. Example ======= Create a sandboxed shell and pass the character "s" to LL_SCOPED: LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="s" ./sandboxer /bin/bash Try to send a SIGTRAP to a process with process ID through: kill -SIGTRAP The sandboxed process should not be able to send the signal. Signed-off-by: Tahera Fahimi --- samples/landlock/sandboxer.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 98132fd823ad..c3123f3ee8eb 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -193,7 +193,8 @@ static bool check_ruleset_scope(const char *const env_var, bool ret = true; char *env_type_scope, *env_type_scope_next, *ipc_scoping_name; - ruleset_attr->scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; + ruleset_attr->scoped &= ~(LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL); env_type_scope = getenv(env_var); /* scoping is not supported by the user */ if (!env_type_scope) 
@@ -207,6 +208,8 @@ static bool check_ruleset_scope(const char *const env_var, if (strcmp("a", ipc_scoping_name) == 0) { ruleset_attr->scoped |= LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; + } else if (strcmp("s", ipc_scoping_name) == 0) { + ruleset_attr->scoped |= LANDLOCK_SCOPED_SIGNAL; } else { fprintf(stderr, "Unsupported scoping \"%s\"\n", ipc_scoping_name); @@ -258,7 +261,8 @@ int main(const int argc, char *const argv[], char *const *const envp) .handled_access_fs = access_fs_rw, .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, - .scoped = LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET, + .scoped = LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL, }; if (argc < 2) { @@ -295,7 +299,7 @@ int main(const int argc, char *const argv[], char *const *const envp) "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" " "%s=\"9418\" " "%s=\"80:443\" " - "%s=\"a\" " + "%s=\"a:s\" " "%s bash -i\n\n", ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME, ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv[0]); 
@@ -369,7 +373,8 @@ int main(const int argc, char *const argv[], char *const *const envp) __attribute__((fallthrough)); case 5: /* Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET for ABI < 6 */ - ruleset_attr.scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; + ruleset_attr.scoped &= ~(LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL); fprintf(stderr, "Hint: You should update the running kernel " "to leverage Landlock features " From patchwork Tue Aug 6 18:10:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13755220 Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C4F679B87; Tue, 6 Aug 2024 18:11:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722967884; cv=none; b=VD5uy+yjCb8Fi6r+e8x2rV3ItHf0y42Zhc3yR/X6klPcJKb1GSdVcT38P285s/6lxLn/2B6RuFAL0zWwbO1UVO8FuAlTIeI2ZgsVaigRUgrLAXWMfSCi98MBi7x2L7H09rx46ynaCPLpWqFH+sXV7SFj7NuNkcihNF9xPMywZ9k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722967884; c=relaxed/simple; bh=q9QLkZ/H/j6QTqNueNb0kSZDd/RQJbs+z7t4FIClwzo=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=VS9Gq1xKpSmAZ1q7iRX0lIezHfJ21NZzRum5Q7EFteUOxyDG6voVtEMb7GuJgNKRgk4y5Zc2YJ5D/KpuyinKHVrc/Yo9eSZgChCQ1b0cmAvEc7KBl+NEJZ86Erk0Xgme+MaJd/BsLVSajxyZFRxO/rfzVlx3uHWxIXNw2IsPoDU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=erkTNNf5; arc=none smtp.client-ip=209.85.216.42 Authentication-Results: 
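Review bot: the comment above the `case 5:` fallthrough still reads "Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET for ABI < 6" although the statement below it now also clears LANDLOCK_SCOPED_SIGNAL; update it to name both scopes so the comment and the mask stay in sync (the same comment is duplicated in Documentation/userspace-api/landlock.rst in patch 4 and needs the same fix). The mask expression `~(LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPED_SIGNAL)` now appears three times in sandboxer.c (check_ruleset_scope(), this hunk, and by construction the `.scoped` initialiser in main()); a single local define for "all scope bits known to this sample" would keep them from drifting apart the next time a scope is added.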
AJvYcCUFWyJZIXStBnV5P+btixTbVf04GI0j3LmkjsfUDxZ9hO9urKLxlfAdam7IJgebuGVyKuNsaqua@vger.kernel.org, AJvYcCV8JDqgKHPvTl0AOu2yetfrPcqYWmWJL1t7JjHjbmJufqpGGiEo2qoMnklA5VFcSvZI9wwI7sMPg+HotG3GSi1/0qhgIsdg@vger.kernel.org X-Gm-Message-State: AOJu0Ywel59CIy1khLlwLAvlaE9g6KtzyU+8OQJYB1ZR6tMz2Ki/ZdKJ UMAh9Ewsz2nZVHG8OtI4M9xnHorP8WM2Fj1W3mWa6FFVNmmSIOHC X-Google-Smtp-Source: AGHT+IGiT+hmqoEULYz2BBGUi4Gw+UHaG5Qkj+LXdSF6TXcbaZb0t8t/rendJeJxdT7efNmVye4TAg== X-Received: by 2002:a17:90b:4016:b0:2c8:8a5:c1b9 with SMTP id 98e67ed59e1d1-2cff94143f4mr15769258a91.13.1722967881560; Tue, 06 Aug 2024 11:11:21 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-2cfdc45b51esm12829504a91.32.2024.08.06.11.11.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 06 Aug 2024 11:11:21 -0700 (PDT) From: Tahera Fahimi To: outreachy@lists.linux.dev Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi Subject: [PATCH v2 4/4] Landlock: Document LANDLOCK_SCOPED_SIGNAL Date: Tue, 6 Aug 2024 12:10:43 -0600 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Improving Landlock ABI version 6 to support signal scoping with LANDLOCK_SCOPED_SIGNAL. Signed-off-by: Tahera Fahimi --- Documentation/userspace-api/landlock.rst | 27 ++++++++++++++---------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 01bd62dc6bb1..1923abfd2007 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst 
@@ -8,7 +8,7 @@ Landlock: unprivileged access control ===================================== :Author: Mickaël Salaün -:Date: July 2024 +:Date: August 2024 The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock @@ -82,7 +82,8 @@ to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, .scoped = - LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET, + LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL, }; Because we may not know on which kernel version an application will be @@ -123,7 +124,8 @@ version, and only use the available subset of access rights: ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; case 5: /* Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET for ABI < 6 */ - ruleset_attr.scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; + ruleset_attr.scoped &= ~(LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL); } This enables to create an inclusive ruleset that will contain our rules. 
@@ -319,11 +321,14 @@ interactions between sandboxes. Each Landlock domain can be explicitly scoped for a set of actions by specifying it on a ruleset. For example, if a sandboxed process should not be able to :manpage:`connect(2)` to a non-sandboxed process through abstract :manpage:`unix(7)` sockets, we can specify such restriction -with ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``. +with ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``. Moreover, if a sandboxed process +should not be able to send a signal to a non-sandboxed process, we can specify +this restriction with ``LANDLOCK_SCOPED_SIGNAL``. -A sandboxed process can connect to a non-sandboxed process when its domain is -not scoped. If a process's domain is scoped, it can only connect to processes in -the same scoped domain. +A sandboxed process can access to a non-sandboxed process when its domain is +not scoped. If a process's domain is scoped, it can only access to processes in +the same scoped domain. For example, If a process is scoped to send signal to +other processes, it can only send signals to processes in the same scoped domain. IPC scoping does not support Landlock rules, so if a domain is scoped, no rules can be added to allow accessing to a resource outside of the scoped domain. 
@@ -563,12 +568,12 @@ earlier ABI. Starting with the Landlock ABI version 5, it is possible to restrict the use of :manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right. -Abstract Unix sockets Restriction (ABI < 6) --------------------------------------------- +Abstract Unix sockets and Signal Restriction (ABI < 6) +------------------------------------------------------- With ABI version 6, it is possible to restrict connection to an abstract Unix socket -through ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``, thanks to the ``scoped`` ruleset -attribute. +through ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET`` and sending signal through +``LANDLOCK_SCOPED_SIGNAL``, thanks to the ``scoped`` ruleset attribute. .. _kernel_support:
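Review bot: in the @@ -123,7 +124,8 @@ hunk the comment "Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET for ABI < 6" is left unchanged although the statement below it now clears LANDLOCK_SCOPED_SIGNAL as well. Since this snippet is the documented template for the ABI fallback chain, the comment should list both scopes, e.g. "Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET and LANDLOCK_SCOPED_SIGNAL for ABI < 6"; otherwise a reader copying the example learns that only the socket scope is unavailable before ABI 6.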
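Review bot: the rewritten paragraph in the @@ -319,11 +321,14 @@ hunk has grammar problems and loses precision. "can access to a non-sandboxed process" and "can only access to processes" should drop the "to", and "For example, If a process is scoped to send signal to other processes" should read "For example, if a process's domain is scoped for signals, it can only send signals to processes in the same scoped domain". Replacing the earlier "connect" wording with the generic "access" also hides what is actually restricted; "can connect to or send signals to a non-sandboxed process" keeps the sentence concrete. For consistency with the socket sentence, which cites :manpage:`connect(2)`, the new signal sentence could reference :manpage:`kill(2)` so readers know which operation the scope covers.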
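Review bot: the new sentence in the @@ -563,12 +568,12 @@ hunk is not parallel and has a number error: "restrict connection to an abstract Unix socket through ... and sending signal through ..." should become "restrict connecting to an abstract Unix socket through ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET`` and sending signals through ``LANDLOCK_SCOPED_SIGNAL``". The new title "Abstract Unix sockets and Signal Restriction (ABI < 6)" also mixes capitalisation ("sockets" lowercase, "Signal Restriction" capitalised); "Abstract Unix sockets and signal restriction (ABI < 6)" matches the surrounding headings better. Finally, verify that the replacement underline is at least as long as the longer title, since a short underline makes Sphinx emit a warning for this section.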