From patchwork Fri Sep 6 21:30:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13794775 Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5AD8010A18; Fri, 6 Sep 2024 21:30:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658218; cv=none; b=WuCnl0kCXICSHSX16QU/Juk/eOSSWZF2g80yG08QmybwFin645pQ7bFkN2V68RnGAv6RX/AdE0J3TOMAK9MqZQqyCHEq8NOPuPnIll8XIAyV4h60D5KRWqya5htQ3dq/XciwBmq+A4G1KeMrlVLLwkQlcS9kWvDJJSDTIVVa8H8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658218; c=relaxed/simple; bh=K+Qxz45A+ZqPOXWVuq415afaze3pbu1zD+OP3kZ887g=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Q5nBkR9BbTKOoLVch3nQlcjgtKSK4KbIIOHAxsVOz52hfDwkj/99P6VmwQYVzWOOONM8Yv8GFmCFz80I33PdityHk9f5cm1JfsALphn9789BrKsnfjSElLy6WP8YfbUukXKeB2xH89lhLMiNF+TuTKhWPLMnisHcPt9Rug+uy2k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ci1w1QEh; arc=none smtp.client-ip=209.85.214.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ci1w1QEh" Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-2055a3f80a4so19649765ad.2; Fri, 06 Sep 2024 14:30:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725658217; x=1726263017; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=ZNTSuYvcE2rzLSfQuS2YWafJRc01WE85sQS6n5qwC5Q=; b=ci1w1QEhrFkcfudMJCePHzmkLRu4xiqEw7q6/zZZTuJberSCEjE/SqHLnlOk0WDA+t M2DiDKulF4DWBEfGTFBPUL21Q9l9QPMP00jpOF4bmqufLKfxQJjTTF2amDfHzlX6vEoV PpYkttcnvaLQjs+jS2210qpD0NN+zd1cRh3UZqwFm7qYq7VgMHQsM8EM4bZYHJjNTCiT BRVnqo4QGZJMDYe6NwjAew2vG2WwH/RaHpzTjOYQvlSHTRNPF43gGRcdVjMqA8Y2TKwM aq9xKOTjwOUt+O1UWoBmMCdrPq3IZI7uBbkXdIFu5z672WiSRxFOwLodcp+yeS0Dk32e CbCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725658217; x=1726263017; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ZNTSuYvcE2rzLSfQuS2YWafJRc01WE85sQS6n5qwC5Q=; b=j44rEUtjvozgyzT1cbsrEslLWLvBjp2KnpIrGnvqTtaX2RP//0bK+z89D9/QlGEUFx 4nS5Qaspy4cfSpFAkoHcutoMpK8eyQCwLuak3vkBK0WZA5XAqj/w1T4Ktq/AxzhoESPy 2kxqat982xnRdPsE8JBRUqaTK8c3yS9lj+arpBC9HJD57zKjD9IjWEFIykd8qzg2eqIm jjIlLQKEU1thMk/HpJVI3Sw9rHJwshBV4Pwj3CCigt8/F8cbNFoqbwkCdIEFq6d3r4Tw QTnB16uIbjCTWiprh0k7fYbEZLutXsoOjtWIQhY9BAtlFUCZQywgUSAnWeSgdNuT+EAb Oq+A== X-Forwarded-Encrypted: i=1; AJvYcCUsEXGm3A4yW8zUgqOQC2GmeS8tTou5eQgsb3imEpjGwWaCy+A46gKb1UbRnlwxWiRmy+pz2CB+iyJjDkI2WlIdqMbCwIZS@vger.kernel.org, AJvYcCWNqWy/vBn7b4VNwBcXwU2+vI2H4Ees+DnJvdJKq55zDiLUqlEArvPolhpqjB4mIdznQocIPK1QvkwLDZo=@vger.kernel.org, AJvYcCWgQejHSA86EpfX7quJ4C50PglfuH0TmSaZ2Dc3fk4XMDEiWFoTjii6Aw25zGzoRMtn2YPYycHj@vger.kernel.org X-Gm-Message-State: AOJu0YzUVrNDX0r3YN1wi8MBF4UMJ0QS5xSWt6tetJ+6nS3/4eE24YhT G7IQ2bY1Sw9TjJSBo1NSZ0vOcUGz5HEI8pVenMkaMdYuIkMW0WKxfxsF4OWW X-Google-Smtp-Source: AGHT+IGLGFe3bBoUDYICYLnIDNAzUNx2k3gkrHKaRnE81r7MI60+PtIa2Khcq4/6/hovHQFWRcjSMQ== X-Received: by 2002:a17:902:db0e:b0:202:301f:36fd with SMTP id d9443c01a7336-206f051a7bamr45948335ad.18.1725658216656; Fri, 06 Sep 2024 14:30:16 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea67bd1sm47081065ad.247.2024.09.06.14.30.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2024 14:30:16 -0700 (PDT) From: Tahera Fahimi To: outreachy@lists.linux.dev Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi Subject: [PATCH v4 1/6] landlock: Add signal scoping control Date: Fri, 6 Sep 2024 15:30:03 -0600 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Currently, a sandbox process is not restricted to sending a signal (e.g. SIGKILL) to a process outside the sandbox environment. The ability to send a signal for a sandboxed process should be scoped the same way abstract UNIX sockets are scoped. Therefore, we extend the "scoped" field in a ruleset with "LANDLOCK_SCOPED_SIGNAL" to specify that a ruleset will deny sending any signal from within a sandbox process to its parent(i.e. any parent sandbox or non-sandboxed procsses). This patch adds two new hooks, "hook_file_set_fowner" and "hook_file_free_security", to set and release a pointer to the file owner's domain. This pointer, "fown_domain" in "landlock_file_security" will be used in "file_send_sigiotask" to check if the process can send a signal. Also, it updates the function "ruleset_with_unknown_scope", to support the scope mask of signal "LANDLOCK_SCOPED_SIGNAL". Signed-off-by: Tahera Fahimi --- Changes in versions: V4: * Merging file_send_sigiotask and task_kill patches into one. * Commit improvement. * Applying feedback of V3 on managing fown_domain pointer. V3: * Moving file_send_sigiotask to another patch. * Minor code refactoring. V2: * Remove signal_is_scoped function * Applying reviews of V1 V1: * Introducing LANDLOCK_SCOPE_SIGNAL * Adding two hooks, hook_task_kill and hook_file_send_sigiotask for signal scoping. --- include/uapi/linux/landlock.h | 3 + security/landlock/fs.c | 17 ++++++ security/landlock/fs.h | 6 ++ security/landlock/limits.h | 2 +- security/landlock/task.c | 59 +++++++++++++++++++ .../testing/selftests/landlock/scoped_test.c | 2 +- 6 files changed, 87 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index dfd48d722834..197da0c5c264 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -297,9 +297,12 @@ struct landlock_net_port_attr { * from connecting to an abstract unix socket created by a process * outside the related Landlock domain (e.g. a parent domain or a * non-sandboxed process). + * - %LANDLOCK_SCOPED_SIGNAL: Restrict a sandboxed process from sending + * a signal to another process outside sandbox domain. */ /* clang-format off */ #define LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET (1ULL << 0) +#define LANDLOCK_SCOPED_SIGNAL (1ULL << 1) /* clang-format on*/ #endif /* _UAPI_LINUX_LANDLOCK_H */ diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 7877a64cc6b8..b1207f0a8cd4 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -1636,6 +1636,20 @@ static int hook_file_ioctl_compat(struct file *file, unsigned int cmd, return -EACCES; } +static void hook_file_set_fowner(struct file *file) +{ + write_lock_irq(&file->f_owner.lock); + landlock_put_ruleset_deferred(landlock_file(file)->fown_domain); + landlock_file(file)->fown_domain = landlock_get_current_domain(); + landlock_get_ruleset(landlock_file(file)->fown_domain); + write_unlock_irq(&file->f_owner.lock); +} + +static void hook_file_free_security(struct file *file) +{ + landlock_put_ruleset_deferred(landlock_file(file)->fown_domain); +} + static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), @@ -1660,6 +1674,9 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(file_truncate, hook_file_truncate), LSM_HOOK_INIT(file_ioctl, hook_file_ioctl), LSM_HOOK_INIT(file_ioctl_compat, hook_file_ioctl_compat), + + LSM_HOOK_INIT(file_set_fowner, hook_file_set_fowner), + LSM_HOOK_INIT(file_free_security, hook_file_free_security), }; __init void landlock_add_fs_hooks(void) diff --git a/security/landlock/fs.h b/security/landlock/fs.h index 488e4813680a..9a97f9285b90 100644 --- a/security/landlock/fs.h +++ b/security/landlock/fs.h @@ -52,6 +52,12 @@ struct landlock_file_security { * needed to authorize later operations on the open file. */ access_mask_t allowed_access; + /** + * @fown_domain: A pointer to a &landlock_ruleset of the process owns + * the file. This ruleset is protected by fowner_struct.lock same as + * pid, uid, euid fields in fown_struct. + */ + struct landlock_ruleset *fown_domain; }; /** diff --git a/security/landlock/limits.h b/security/landlock/limits.h index eb01d0fb2165..fa28f9236407 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -26,7 +26,7 @@ #define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1) #define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET) -#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET +#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPED_SIGNAL #define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1) #define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE) /* clang-format on */ diff --git a/security/landlock/task.c b/security/landlock/task.c index b9390445d242..a72a61e7e6c3 100644 --- a/security/landlock/task.c +++ b/security/landlock/task.c @@ -18,6 +18,7 @@ #include "common.h" #include "cred.h" +#include "fs.h" #include "ruleset.h" #include "setup.h" #include "task.h" @@ -242,11 +243,69 @@ static int hook_unix_may_send(struct socket *const sock, return 0; } +static int hook_task_kill(struct task_struct *const p, + struct kernel_siginfo *const info, const int sig, + const struct cred *const cred) +{ + bool is_scoped; + const struct landlock_ruleset *target_dom, *dom; + + dom = landlock_get_current_domain(); + rcu_read_lock(); + target_dom = landlock_get_task_domain(p); + if (cred) + /* dealing with USB IO */ + is_scoped = domain_is_scoped(landlock_cred(cred)->domain, + target_dom, + LANDLOCK_SCOPED_SIGNAL); + else + is_scoped = (!dom) ? false : + domain_is_scoped(dom, target_dom, + LANDLOCK_SCOPED_SIGNAL); + rcu_read_unlock(); + if (is_scoped) + return -EPERM; + + return 0; +} + +static int hook_file_send_sigiotask(struct task_struct *tsk, + struct fown_struct *fown, int signum) +{ + struct file *file; + bool is_scoped; + struct landlock_ruleset *dom; + + /* struct fown_struct is never outside the context of a struct file */ + file = container_of(fown, struct file, f_owner); + + read_lock_irq(&file->f_owner.lock); + dom = landlock_file(file)->fown_domain; + landlock_get_ruleset(dom); + read_unlock_irq(&file->f_owner.lock); + if (!dom) + goto out_unlock; + + rcu_read_lock(); + is_scoped = domain_is_scoped(dom, landlock_get_task_domain(tsk), + LANDLOCK_SCOPED_SIGNAL); + rcu_read_unlock(); + if (is_scoped) { + landlock_put_ruleset(dom); + return -EPERM; + } +out_unlock: + landlock_put_ruleset(dom); + return 0; +} + static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme), LSM_HOOK_INIT(unix_stream_connect, hook_unix_stream_connect), LSM_HOOK_INIT(unix_may_send, hook_unix_may_send), + LSM_HOOK_INIT(task_kill, hook_task_kill), + LSM_HOOK_INIT(file_send_sigiotask, hook_file_send_sigiotask), }; __init void landlock_add_task_hooks(void) diff --git a/tools/testing/selftests/landlock/scoped_test.c b/tools/testing/selftests/landlock/scoped_test.c index 36d7266de9dc..237f98369b25 100644 --- a/tools/testing/selftests/landlock/scoped_test.c +++ b/tools/testing/selftests/landlock/scoped_test.c @@ -12,7 +12,7 @@ #include "common.h" -#define ACCESS_LAST LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET +#define ACCESS_LAST LANDLOCK_SCOPED_SIGNAL TEST(ruleset_with_unknown_scope) { From patchwork Fri Sep 6 21:30:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13794776 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9696A1B85FA; Fri, 6 Sep 2024 21:30:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658220; cv=none; b=t38QQ2gBcNCNoJM7GoWaDGPSB6vrSeKIaAl0rhaDC8AzDoZy4aj8gIRXXGZOLp7s7FtsFkHSxqJP+SJ/uTO39xqLNpkHmbgMjr0hP9NSHaD0vuvC1Fdr38k3Ln3d40EWJf7seCezC7UXstzjY3n0A2BNM8/owayrMe2VbAvi3H4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658220; c=relaxed/simple; bh=+3GejC8fHZoPuCDOxc4GYCoeoABETLnFK0r5C8s/9TY=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=PS5T6zxz+ZL/vIMoelCbRsS0hhgA3aN+icQ3WMXHlGfYER4qirifSLmnijRZ25O7cLr2jMvx+4TkYhkBk8nCg3zDSjE1WMrjcv5Ev41qAIegxAAWVbAAIwS8Wiw4xPbofouXi4vmAHhFAiXlQEsO0v6svsWRvo5iFHM8zAGPU5c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=mY2PrUYM; arc=none smtp.client-ip=209.85.214.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="mY2PrUYM" Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-2059204f448so22866665ad.0; Fri, 06 Sep 2024 14:30:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725658218; x=1726263018; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Px9kUYGOkDiPrxrl12O1BhXK0JaB/ZwCDZNetTf6eAE=; b=mY2PrUYMDnLMj2oiPoKvM0x5PB1EsDPcZNMWyNYlsmv282wkqVg0lOs3sokK8JyrMs 8x8s02JarrLCdUzu/ob1jJHx6QowWU5zZVGe8K+QjyBY+mQ6T5ewE2Vy3DtIOJ57x7ni ZlIGbekqCJFTfoG3IPRduazukQkDUnQmSGyXwqfYCEPTW0s20VWaBiRVI1HwGVtAs7zh edo84OrXJ/lbqShHspAg/3CkVWpQ3skMlLa4qzyhNMtC4t7bOG+872UijLTkqyplXs0b R2d7+7O7EGkANJiHu3yjpapI1sv9sGBe6KHDaXGcCr9JPGXHLCk2uo31EttrINkAQEkp QE1Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725658218; x=1726263018; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Px9kUYGOkDiPrxrl12O1BhXK0JaB/ZwCDZNetTf6eAE=; b=b4CqLPjFsQr3RyJX1Ln0Hk+yBhsKv6GTc9jaebthNWXZxb5MXRyOrNOPs0gvdOq6Ro 67D2T0B3jTJTxW2/qVkeKzpol1SCjxQgzagJTFdq4mWZDBge8KpsYMycD4E0VzUekKGP gQlWcxR6K1biNN2XC41JxryjrMqg6+8Ufdw5qBGoxCQfgPsP8xRDlNy9f2KEW035y2JM LQ6KTvc0b8HzQf+67q1J788OTBZNGMSz6R5Znn2uIUTTj0527/6weHLijA2WFRwGqWdT ajviD9cy4XJqcEuafT1d947Pf/ptgZIUGymvNPnIv+kHAqcpShOovsjMwpZyjm+uhMTR 3j6g== X-Forwarded-Encrypted: i=1; AJvYcCUw72OmYdfhqF9c9cBtd3UQp9A/8vfubOrz4iX1GaaJrq9ys6KYcN2FQ0GqzMkjAiXObOPUQXwn4KF02Hg=@vger.kernel.org, AJvYcCVmpMxqxO3RSKUoGU9J/tDgPicc2SwjUlbv89+yvWfPnaSTbY+T7E8qtWUw4+JBLZqFMJ5/9LkI@vger.kernel.org, AJvYcCXj5ZOlGwf0KWxrradHiDtXhKJWm2rZRhO6n/654HghAx+tWYVzTJi3c/7PBEBmm0Xtn7B8Yk6N4F93cQW/wB9H5TqoDvmp@vger.kernel.org X-Gm-Message-State: AOJu0YxqwWWU66+JzlA5G7yODbnCbhuEhPYObsNkU8p8vulOIoe+iJcd 9Btrg2NzcwP+PaszrwArkK2B0WPsCcyATbDbP6W/rAsjFgoWoUxb X-Google-Smtp-Source: AGHT+IGGt8W0J2UbunoEUWLDtpF2ThbmJPfKVMU0HnPXu6CQeI3givwDF6NiWdHYI5hjtmDFB8XDdA== X-Received: by 2002:a17:902:e80c:b0:206:c5cf:9727 with SMTP id d9443c01a7336-206f056f895mr40518755ad.31.1725658218067; Fri, 06 Sep 2024 14:30:18 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea67bd1sm47081065ad.247.2024.09.06.14.30.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2024 14:30:17 -0700 (PDT) From: Tahera Fahimi To: outreachy@lists.linux.dev Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi Subject: [PATCH v4 2/6] selftest/landlock: Signal restriction tests Date: Fri, 6 Sep 2024 15:30:04 -0600 Message-Id: <15dc202bb7f0a462ddeaa0c1cd630d2a7c6fa5c5.1725657728.git.fahimitahera@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This patch expands Landlock ABI version 6 by providing tests for signal scoping mechanism. Base on kill(2), if the signal is 0, no signal will be sent, but the permission of a process to send a signal will be checked. Likewise, this test consider one signal for each signal category (SIGTRAP, SIGURG, SIGHUP, and SIGTSTP). Signed-off-by: Tahera Fahimi --- Changes in versions: V4: * Refactoring by providing two sets of tests, send_sig_to_parent to check simple case of sending signal with scoped and non-scoped domains, and check_access_signal to examine access to send a signal with various domains. V3: * Using generalized scoped domain creation "create_scoped_domain" V2: * Moving tests from ptrace_test.c to scoped_signal_test.c * Remove debugging statements. * Covering all basic restriction scenarios by sending 0 as signal V1: * Expanding Landlock ABI version 6 by providing basic tests for four signals to test signal scoping mechanism. --- .../selftests/landlock/scoped_signal_test.c | 225 ++++++++++++++++++ 1 file changed, 225 insertions(+) create mode 100644 tools/testing/selftests/landlock/scoped_signal_test.c diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/testing/selftests/landlock/scoped_signal_test.c new file mode 100644 index 000000000000..8df027e22324 --- /dev/null +++ b/tools/testing/selftests/landlock/scoped_signal_test.c @@ -0,0 +1,225 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Landlock tests - Signal Scoping + * + * Copyright © 2024 Tahera Fahimi + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +#include "common.h" +#include "scoped_common.h" + +/* This variable is used for handeling several signals. */ +static volatile sig_atomic_t is_signaled; + +/* clang-format off */ +FIXTURE(scoping_signals) {}; +/* clang-format on */ + +FIXTURE_VARIANT(scoping_signals) +{ + int sig; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoping_signals, sigtrap) { + /* clang-format on */ + .sig = SIGTRAP, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoping_signals, sigurg) { + /* clang-format on */ + .sig = SIGURG, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoping_signals, sighup) { + /* clang-format on */ + .sig = SIGHUP, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoping_signals, sigtstp) { + /* clang-format on */ + .sig = SIGTSTP, +}; + +FIXTURE_SETUP(scoping_signals) +{ + is_signaled = 0; +} + +FIXTURE_TEARDOWN(scoping_signals) +{ +} + +static void scope_signal_handler(int sig, siginfo_t *info, void *ucontext) +{ + if (sig == SIGTRAP || sig == SIGURG || sig == SIGHUP || sig == SIGTSTP) + is_signaled = 1; +} + +/* + * In this test, a child process sends a signal to parent before and + * after getting scoped. + */ +TEST_F(scoping_signals, send_sig_to_parent) +{ + pid_t child; + pid_t parent = getpid(); + int status; + struct sigaction action = { + .sa_sigaction = scope_signal_handler, + .sa_flags = SA_SIGINFO, + + }; + + ASSERT_LE(0, sigaction(variant->sig, &action, NULL)); + + /* The process should not have already been signaled. */ + EXPECT_EQ(0, is_signaled); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + int err; + + /* + * The child process can send signal to parent when + * domain is not scoped. + */ + err = kill(parent, variant->sig); + ASSERT_EQ(0, err); + + create_scoped_domain(_metadata, LANDLOCK_SCOPED_SIGNAL); + + /* + * The child process cannot send signal to the parent + * anymore. + */ + err = kill(parent, variant->sig); + ASSERT_EQ(-1, err); + ASSERT_EQ(EPERM, errno); + + /* + * No matter of the domain, a process should be able to + * send a signal to itself. + */ + ASSERT_EQ(0, is_signaled); + ASSERT_EQ(0, raise(variant->sig)); + ASSERT_EQ(1, is_signaled); + + _exit(_metadata->exit_code); + return; + } + + while (!is_signaled && !usleep(1)) + ; + ASSERT_EQ(1, is_signaled); + + ASSERT_EQ(child, waitpid(child, &status, 0)); + + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) != EXIT_SUCCESS) + _metadata->exit_code = KSFT_FAIL; +} + +/* clang-format off */ +FIXTURE(scoped_domains) {}; +/* clang-format on */ + +#include "scoped_base_variants.h" + +FIXTURE_SETUP(scoped_domains) +{ +} + +FIXTURE_TEARDOWN(scoped_domains) +{ +} + +/* + * This test ensures that a scoped process cannot send signal out of + * scoped domain. + */ +TEST_F(scoped_domains, check_access_signal) +{ + pid_t child; + pid_t parent = getpid(); + int status; + bool can_signal_child, can_signal_parent; + int pipe_parent[2], pipe_child[2]; + int err; + char buf; + + can_signal_parent = !variant->domain_child; + can_signal_child = !variant->domain_parent; + + if (variant->domain_both) + create_scoped_domain(_metadata, LANDLOCK_SCOPED_SIGNAL); + ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); + ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + ASSERT_EQ(0, close(pipe_child[0])); + ASSERT_EQ(0, close(pipe_parent[1])); + + if (variant->domain_child) + create_scoped_domain(_metadata, LANDLOCK_SCOPED_SIGNAL); + + ASSERT_EQ(1, write(pipe_child[1], ".", 1)); + + /* Waits for the parent to send signals. */ + ASSERT_EQ(1, read(pipe_parent[0], &buf, 1)); + + err = kill(parent, 0); + if (can_signal_parent) { + ASSERT_EQ(0, err); + } else { + ASSERT_EQ(-1, err); + ASSERT_EQ(EPERM, errno); + } + /* + * No matter of the domain, a process should be able to + * send a signal to itself. + */ + ASSERT_EQ(0, raise(0)); + + _exit(_metadata->exit_code); + return; + } + ASSERT_EQ(0, close(pipe_parent[0])); + if (variant->domain_parent) + create_scoped_domain(_metadata, LANDLOCK_SCOPED_SIGNAL); + + ASSERT_EQ(1, read(pipe_child[0], &buf, 1)); + + err = kill(child, 0); + if (can_signal_child) { + ASSERT_EQ(0, err); + } else { + ASSERT_EQ(-1, err); + ASSERT_EQ(EPERM, errno); + } + ASSERT_EQ(0, raise(0)); + + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + ASSERT_EQ(child, waitpid(child, &status, 0)); + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) != EXIT_SUCCESS) + _metadata->exit_code = KSFT_FAIL; +} + +TEST_HARNESS_MAIN From patchwork Fri Sep 6 21:30:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13794777 Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CE0B815AAC1; Fri, 6 Sep 2024 21:30:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658221; cv=none; b=H2dOb3mOK2w1ZUNPgUVaPbbFTZiyJsryW/DUy8WkBCKVsAHe1eCtMm3B6U6LCJyayjL0rp6xvy6HaI2wmKO56M8shlMZuvZu8TnZ3jd+P64G8fyojVTsA4Rh7d7YFionVCIOuMG2zmagwMmhDXt2fG6BuUjfbPh3hBWdyUws6d0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658221; c=relaxed/simple; bh=OQW6FWTTeP/odGH5xBbHF6QQMouh1FibutawAbL3TQ8=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=D9AxCwV3YKzN9m94EyJ1XIZiJmgDkW5D0uRVlJR5gT/Z0Lvfrg5oiqRRIt06nvs1gP5nkmWVPlos+NuXYu4u6bEPWv3FeYHFxyr1Sg2PFfJyDa1DzI/n0HJRMnHXbTZchRiZX0oiWgS7UzRaRuNy3pQ1xE85Lpht79o1WQw9vJ0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kXTR9ZSv; arc=none smtp.client-ip=209.85.214.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="kXTR9ZSv" Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1fee6435a34so23594425ad.0; Fri, 06 Sep 2024 14:30:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725658219; x=1726263019; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=u+RDbmLG5ftR+4D9+bzNx00wKA7Lfj8/VBn2Mhtp0TI=; b=kXTR9ZSvEiZYoXQ06OEoM98uBnkPb+Uj5mqZ341UGdaX6+4CiD+f7b4c0REB8JKDw0 uwbE+vu+Y2Ei7lbptpeHStp9apcuz8pNeYKkMzUcDnXbVAredg2ht+hT2xder75FzVKq Fg7+u5rERueZHeuyl6NOEczyY5wVfXodBDoIY98nSqPiIAYMYCitx5sZDxAmkUKrTkIP mLed14XGMFVwp5JzcGFU7xYGx6lLqmYoPBa5QhIWixwT9BkfWIonAy6J7uKez0GEFDfX gn0t6PRjgEz7YI1be3NS0SDO+4IL5Y7zuuQhmU/+rotuqxhb5GqyeWAjtytEvxqz5b+z Vckw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725658219; x=1726263019; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=u+RDbmLG5ftR+4D9+bzNx00wKA7Lfj8/VBn2Mhtp0TI=; b=Utx1HcF7i9UqpvfBY1PZSRBokfwnXFhtXOmLhT4AqSfEuTB3tBIo2G7+vXgGY4JDtu KzvfkGX7MnbeoXpctLPuCW9mecMqqqeQqR4Jrlcw/GKvd6JswLNIo2oC/XfVf97tXCyV Fp2PJWTKC1Dz7jGTBE+o+FG6lIVVr7A/RepO53wgdNvsdaMKTqloEyDjlLwOaz1AFstV m+Yy1f0sWq1rwhnMA/Oza36MladLeQztaERj9igRyGnlqLzth5rRoi/xiuJMNm+EXbYT WVXS1HMNtCs9MCeL0PEekNhXpieXzeperMYjIwdAtmK0pGdsTIksOKC1tu3mL8jLvwzx H7OQ== X-Forwarded-Encrypted: i=1; AJvYcCUIMseWm3W9sRTUOWb1RjcKZyP5e9kmXwib5L4SoZS99MKYEXiOPbR020NUdLeGMdPk57aRHCs4pD/WFA4D5VjQdFmYNBBE@vger.kernel.org, AJvYcCWXedVLhrWapBcCkGZfna6jzec6zs1gAmsSE5ANnzSNAm47ZtTG1tf6coabiklQzwGeC+EY3+ukxKI7pk4=@vger.kernel.org, AJvYcCX/RljKTctrRDkqqTuH6uET6tz3j9BhCusTLQjKysmwFBF0HDUIzheMfO7wCbY8j7WFFAqbzK5x@vger.kernel.org X-Gm-Message-State: AOJu0YwIKx85CEEb8NaKrloSgtOAuXohI5vNI7foABChhAhxy5hr3EOQ ml5oULsj041EPpKDWZJ4mjn2KxZVkXeuoiDBrIbkvvOveu15Gd1ELU68mxm4 X-Google-Smtp-Source: AGHT+IGM3JZ+Lev8wxl9T4KEhEMpWi8iBiesB0op2Ql7krI1fjunce8/lAR3UJf1Cl6z4rgpt8lV0A== X-Received: by 2002:a17:903:41c9:b0:202:2cd5:2095 with SMTP id d9443c01a7336-206f04f6845mr41217845ad.18.1725658219131; Fri, 06 Sep 2024 14:30:19 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea67bd1sm47081065ad.247.2024.09.06.14.30.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2024 14:30:18 -0700 (PDT) From: Tahera Fahimi To: outreachy@lists.linux.dev Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi Subject: [PATCH v4 3/6] selftest/landlock: Add signal_scoping_threads test Date: Fri, 6 Sep 2024 15:30:05 -0600 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This patch expands the signal scoping tests with pthread_kill(3) It tests if an scoped thread can send signal to a process in the same scoped domain, or a non-sandboxed thread. Signed-off-by: Tahera Fahimi --- V4: * Code improvement, and removing sleep(3) from threads. * Commit improvement. --- .../selftests/landlock/scoped_signal_test.c | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/testing/selftests/landlock/scoped_signal_test.c index 8df027e22324..c71fb83b7147 100644 --- a/tools/testing/selftests/landlock/scoped_signal_test.c +++ b/tools/testing/selftests/landlock/scoped_signal_test.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include @@ -222,4 +223,50 @@ TEST_F(scoped_domains, check_access_signal) _metadata->exit_code = KSFT_FAIL; } +static int thread_pipe[2]; + +enum thread_return { + THREAD_INVALID = 0, + THREAD_SUCCESS = 1, + THREAD_ERROR = 2, +}; + +void *thread_func(void *arg) +{ + char buf; + + if (read(thread_pipe[0], &buf, 1) != 1) + return (void *)THREAD_ERROR; + + return (void *)THREAD_SUCCESS; +} + +TEST(signal_scoping_threads) +{ + pthread_t no_sandbox_thread, scoped_thread; + enum thread_return ret = THREAD_INVALID; + + ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC)); + + ASSERT_EQ(0, + pthread_create(&no_sandbox_thread, NULL, thread_func, NULL)); + /* Restrict the domain after creating the first thread. */ + create_scoped_domain(_metadata, LANDLOCK_SCOPED_SIGNAL); + + ASSERT_EQ(EPERM, pthread_kill(no_sandbox_thread, 0)); + ASSERT_EQ(1, write(thread_pipe[1], ".", 1)); + + ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_func, NULL)); + ASSERT_EQ(0, pthread_kill(scoped_thread, 0)); + ASSERT_EQ(1, write(thread_pipe[1], ".", 1)); + + EXPECT_EQ(0, pthread_join(no_sandbox_thread, (void **)&ret)); + EXPECT_EQ(THREAD_SUCCESS, ret); + EXPECT_EQ(0, pthread_join(scoped_thread, (void **)&ret)); + EXPECT_EQ(THREAD_SUCCESS, ret); + + EXPECT_EQ(0, close(thread_pipe[0])); + EXPECT_EQ(0, close(thread_pipe[1])); +} + TEST_HARNESS_MAIN From patchwork Fri Sep 6 21:30:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13794778 Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E92F915B104; Fri, 6 Sep 2024 21:30:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658222; cv=none; b=KInvABlgcgZpFMUFsk6dwBrmoZMGweIdHwBPPy8lQA/qMlHmJwzq/RmnjiUi65bK/srvR0hBQQKYqGbT7PsIIEGeFroYnGnoeleqqJ2d4Gk4fASz9wOjBzCMtQF0PnGEk4RgC4MbK8wCL7Xc76MOVcYTF8xraKeU5vf7LtYZwiY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658222; c=relaxed/simple; bh=DkDtosDpUP9qC10sQxpAe2JKOgxIX1YdAxvK6AOUDM8=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=nTGQxbiNE8y15xRH0bQ9DeryrPT+9DDUMQlv/vz5awObK0jOYwwIVtQZntptrT6xbgI2P34ThP1Ly8yfW6hBWCsGklgmyTaLIXXZaZ84lg4Dlobf5wkYgWTx+TyDSTzY8Ok5R1H43tuYts78Lei7jO3T2op9cR/+LyZdtQKn/wU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=LzjQv+x5; arc=none smtp.client-ip=209.85.214.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="LzjQv+x5" Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-2053616fa36so26893135ad.0; Fri, 06 Sep 2024 14:30:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725658220; x=1726263020; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=hSMrmdZdyuZUqEvjpif0S/dw7Gi7efe1pBKKqJKf+wQ=; b=LzjQv+x5ND8w9p0k0HslsY20mUTAzvK0QvAtdeOErX1WKTFyodCgsel6HvER40kJPF KQEY2K6R3dgsD5vKk113BAj6nhZF3S3sO5r4x6527ArjmL6iEDzEXBbgehG3Bto1ftAH LB8L9vpEVAeUn+n7qbfrHxMb5INb96+5ug4NLc+nedzSSn+aGdQGh9/OqzL55Eg+NTCk g7hkx+FtfjKqi8J3A+VGWhUdMrjiTJBbDI5tK9eacnH1hXaY2deF5Va6Ej1oC0lX4p/1 ZMIzpWxiCIoBhYBf924wdAqeR0JQynpjjzvzYycCXmFMOEr4q6GzxNItPcCNI98R/FlS UdLg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725658220; x=1726263020; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hSMrmdZdyuZUqEvjpif0S/dw7Gi7efe1pBKKqJKf+wQ=; b=oLu9/WyJFl39dmKT5D/c63RdGc6Ii1ZlwwmvmdqC0PfE15sSTMKGp9I+fyiJiO6N+T N4K+x4vFvKa7NZW21hXdWLpO5GnAAq6jriiCZO2ZhApCFrpjY1GQBJRE8ZwYg/PD23Oc AeGeiOnAZ77LObkRKKMO1ql6shdcwO41thc0pPKsoNZ16/JOkUPdxTBBilijmlQoYvzm W6HkP8qoBBdYi/fRQxl8yIMwY03EzcJXrl64FyKE6dKuftWe/UULDFijtv/DCp4mOnAj E+9Cp/jrsFfwIvGkjhJqfPTPcX0cKXfWcVf3+rvwPTcO/fnhwji/HaG/aNWeso/q966i qh5Q== X-Forwarded-Encrypted: i=1; AJvYcCUJ0zlVhmwvBOLtOZJKO8I2QXegLbqNGuemjqjATyZql4PJvgiKgyy6RIMxoVdTFapt1Cc/EOvXt483g8vAwHX+RK/X5hsd@vger.kernel.org, AJvYcCXrz9QQfzzLmG6akKApW+KkV6bdMg2AnKrtOYW1xv8AoUEiEoPEtpL0ecIOrSG1IfpCY8RimzOS6cy4sDU=@vger.kernel.org, AJvYcCXx0ba5C0SEi1XHUujWSx3RnFSvxHcaX3KsLtMYuZyfvFDFReH904TeWd3v7KZcw/CWdKRiN3Rd@vger.kernel.org X-Gm-Message-State: AOJu0YwvSx2ma/+Dy7vbmuhQLrVjnvLKtfXWD3lenCBX2qMi6ZLpG5pd CFg97o6QD+/Nfb+HLIxbBWs6CMieHa3jO+67nyeohDE+y1C7/p8A X-Google-Smtp-Source: AGHT+IHNHK2fwO3i887aEkZiDEJIPOt7RTzBl1gPJt8nik/cMuQj120cJOKWXrEnL+sIzBzwLJU8Dw== X-Received: by 2002:a17:903:2442:b0:201:e7c2:bd03 with SMTP id d9443c01a7336-2070a82ae4emr7633455ad.60.1725658220146; Fri, 06 Sep 2024 14:30:20 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea67bd1sm47081065ad.247.2024.09.06.14.30.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2024 14:30:19 -0700 (PDT) From: Tahera Fahimi To: outreachy@lists.linux.dev Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi Subject: [PATCH v4 4/6] selftest/landlock: Test file_send_sigiotask by sending out-of-bound message Date: Fri, 6 Sep 2024 15:30:06 -0600 Message-Id: <50daeed4d4f60d71e9564d0f24004a373fc5f7d5.1725657728.git.fahimitahera@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 This patch adds a test to verify handling the signal scoping mechanism in file_send_sigiotask by triggering SIGURG through receiving an out-of-bound message in UNIX sockets. Signed-off-by: Tahera Fahimi --- V4: * Using pipe instead of Poll for synchronization. --- .../selftests/landlock/scoped_signal_test.c | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/testing/selftests/landlock/scoped_signal_test.c index c71fb83b7147..630f3a515731 100644 --- a/tools/testing/selftests/landlock/scoped_signal_test.c +++ b/tools/testing/selftests/landlock/scoped_signal_test.c @@ -269,4 +269,103 @@ TEST(signal_scoping_threads) EXPECT_EQ(0, close(thread_pipe[1])); } +#define SOCKET_PATH "/tmp/unix_sock_test" + +const short backlog = 10; + +static volatile sig_atomic_t signal_received; + +static void handle_sigurg(int sig) +{ + if (sig == SIGURG) + signal_received = 1; + else + signal_received = -1; +} + +static int setup_signal_handler(int signal) +{ + struct sigaction sa; + + sa.sa_handler = handle_sigurg; + sigemptyset(&sa.sa_mask); + sa.sa_flags = SA_SIGINFO | SA_RESTART; + return sigaction(SIGURG, &sa, NULL); +} + +/* + * Sending an out of bound message will trigger the SIGURG signal + * through file_send_sigiotask. + */ +TEST(test_sigurg_socket) +{ + int sock_fd, recv_sock; + struct sockaddr_un addr, paddr; + socklen_t size; + char oob_buf, buffer; + int status; + int pipe_parent[2], pipe_child[2]; + pid_t child; + + ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); + ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); + + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", SOCKET_PATH); + unlink(SOCKET_PATH); + size = sizeof(addr); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + oob_buf = '.'; + + ASSERT_EQ(0, close(pipe_parent[1])); + ASSERT_EQ(0, close(pipe_child[0])); + + sock_fd = socket(AF_UNIX, SOCK_STREAM, 0); + ASSERT_NE(-1, sock_fd); + + ASSERT_EQ(1, read(pipe_parent[0], &buffer, 1)); + ASSERT_EQ(0, connect(sock_fd, &addr, sizeof(addr))); + + ASSERT_EQ(1, read(pipe_parent[0], &buffer, 1)); + ASSERT_NE(-1, send(sock_fd, &oob_buf, 1, MSG_OOB)); + ASSERT_EQ(1, write(pipe_child[1], ".", 1)); + + EXPECT_EQ(0, close(sock_fd)); + + _exit(_metadata->exit_code); + return; + } + ASSERT_EQ(0, close(pipe_parent[0])); + ASSERT_EQ(0, close(pipe_child[1])); + + sock_fd = socket(AF_UNIX, SOCK_STREAM, 0); + ASSERT_NE(-1, sock_fd); + ASSERT_EQ(0, bind(sock_fd, &addr, size)); + ASSERT_EQ(0, listen(sock_fd, backlog)); + + ASSERT_NE(-1, setup_signal_handler(SIGURG)); + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + recv_sock = accept(sock_fd, &paddr, &size); + ASSERT_NE(-1, recv_sock); + + create_scoped_domain(_metadata, LANDLOCK_SCOPED_SIGNAL); + + ASSERT_NE(-1, fcntl(recv_sock, F_SETOWN, getpid())); + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + ASSERT_EQ(1, read(pipe_child[0], &buffer, 1)); + ASSERT_EQ(1, recv(recv_sock, &oob_buf, 1, MSG_OOB)); + + ASSERT_EQ(1, signal_received); + EXPECT_EQ(0, close(sock_fd)); + EXPECT_EQ(0, close(recv_sock)); + ASSERT_EQ(child, waitpid(child, &status, 0)); + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) != EXIT_SUCCESS) + _metadata->exit_code = KSFT_FAIL; +} + TEST_HARNESS_MAIN From patchwork Fri Sep 6 21:30:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13794779 Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 081C715ADA1; Fri, 6 Sep 2024 21:30:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658223; cv=none; b=cckoaGHDsooxWPtQ9Boz9cVxXdiX/aOxkgTbNI6gDmmKdYuqsYLnEn0dt6q27zcc2qgBtpavZK1WAlW5gWicTnsRu7IMyyJK6MjWV1dF37w9N+MXgFnWggMlYSOhk4b1bVhGkPPdbHeMKkTz7xrt3CkwWMi5UA4QWkALTeYlnPY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658223; c=relaxed/simple; bh=5URkew6MTbSPjmDCxnZtF4ylhtAoZWs2zFXPZaqdC+k=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Zi+4LY+TCevYNCdQZGUzVxeRElqbFHAxcH9hG9qIpuEgik9Ikg3HoicfeQyKiKH3IvDYkaNE041s6xpFn7tzRyTp1mFPxQvgCfWVlL1kwAGeg0nVM7uYv77NIeoYrwGV+wCYkfMk9y/r2YNbPHDQRvOxfo1rtX+4vxMAdYn+UpA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Zs9haEUj; arc=none smtp.client-ip=209.85.214.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Zs9haEUj" Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-20551e2f1f8so25223275ad.2; Fri, 06 Sep 2024 14:30:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725658221; x=1726263021; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=eo09Uhc5A+uBAyAcs1Ht/DtBSMlFilRGw1wDCdIXuMU=; b=Zs9haEUjIGglJxR4fg8qeqhpdmhJ2l3L9jI3uId1ERu43e/is6SDEDQgrESX9Fvk65 w7MYfPBe0GZJCSu8/uT9ZXcju+Zb+MMQgA77NTE1Hj9RXW2UCFGztgt9nEWrTpgT89c+ UDe6Asb6IWiKGcLlVeXHiV8E6GxCpj83ZcwHufjpGzTjjH04yvrsEuz/zuhUVukmD7WK D667usn+8jfjEYTjVrB9vHLRVFL5b9oNpO+Rd/IuHTCYiyXHsxWHvl/Q0iVgEFmat433 qnUc1TQ29zIOqJ06y4bsMadTsFOat3f/ROt3e6mlaWanQ6haAqH5HY9keok2WAZLdM3x IOLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725658221; x=1726263021; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eo09Uhc5A+uBAyAcs1Ht/DtBSMlFilRGw1wDCdIXuMU=; b=J593DZPGlrHu8fTBdCH6j96jd4FITrP8NyVikSekJH/eZ4MIuTurk5odcA4VYtRmuV 1JG0TVxMVIZfxHnT+cKv5PAl8Kbk1/AiOmrc7IGIkO1r9hMScz7EBc3IQIstUKrKMK1C LRQkZFavma2KPwDYAhgD5qoxXIplAck9NWw+c5FnOweBLRyH7Y/rWI8B23Xab/I1MQNG lGWDWUy6UQJSZaAKYeiT71B5T3ybBc4sgWAVexOu7LBQSfZWRPl3r7bLqesm/5aCmgo0 PH+B1HFZ9kAA0btjnOBcYmob5NxWGfBpGO9s5rfhSHfrgZFbotX73hHMprKmhyIRudww nU0Q== X-Forwarded-Encrypted: i=1; AJvYcCVj+TZiCx2ZZUj6QJirSjh+E42xLiKi8RThEeAilMW+XHnE89bEL/YWBRRsVNAaAhKRaf3yLtY/C5trSXEwxqkiA4ahVdQV@vger.kernel.org, AJvYcCVmoLtSNfZQHsARjA0V5uLnFvybl0R54gkvaJ0D7eKiAbt0MJj8Wh8I6ewZBX2vbErkdhYJxKqB1e9t1bI=@vger.kernel.org, AJvYcCWcePD4QUPzfIBwQZjaqHgVJveJ8tewNi2mQ7RAUvzpP8Oe25w9FCpZJOG3TDxiyiIsweGDRy9F@vger.kernel.org X-Gm-Message-State: AOJu0YwrpCLSflJEXLG8+mTbtsEu+Dy/fpiRPYep5X3joEzbd9ABGdW4 EaKXnKr4DsDShRlxkFUFS/FBq7lB/jnVu1+/4WzeuEYXD793wgMq X-Google-Smtp-Source: AGHT+IFHhd91sIx7FTtJWHA0Ayu/+5PDc1IaIfyUSpCenN3ZsXr9Gb/JEuPnWNZjlO9JhweP6OEElg== X-Received: by 2002:a17:902:d4c4:b0:206:f065:f45d with SMTP id d9443c01a7336-206f065f520mr43510585ad.31.1725658221188; Fri, 06 Sep 2024 14:30:21 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea67bd1sm47081065ad.247.2024.09.06.14.30.20 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2024 14:30:20 -0700 (PDT) From: Tahera Fahimi To: outreachy@lists.linux.dev Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi Subject: [PATCH v4 5/6] sample/landlock: Support sample for signal scoping restriction Date: Fri, 6 Sep 2024 15:30:07 -0600 Message-Id: <1f3f1992b2abeb8e5d7aa61b854e1b0721978b9a.1725657728.git.fahimitahera@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 A sandboxer can receive the character "s" as input from the environment variable LL_SCOPE to restrict itself from sending a signal to a process outside its scoped domain. Example ======= Create a sandboxed shell and pass the character "s" to LL_SCOPED: LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="s" ./sandboxer /bin/bash Try to send a SIGTRAP to a process with process ID through: kill -SIGTRAP The sandboxed process should not be able to send the signal. Signed-off-by: Tahera Fahimi --- v4: - Make it compatible with changes in abstract UNIX socket scoping sample v3: - Add a restrict approach on input of LL_SCOPED, so it only allows zero or one "s" to be the input. --- samples/landlock/sandboxer.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 18d072c23a23..618fbf70d38f 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -191,11 +191,13 @@ static bool check_ruleset_scope(const char *const env_var, struct landlock_ruleset_attr *ruleset_attr) { bool abstract_scoping = false; + bool signal_scoping = false; bool ret = true; char *env_type_scope, *env_type_scope_next, *ipc_scoping_name; /* scoping is not supported by Landlock ABI */ - if (!(ruleset_attr->scoped & LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET)) + if (!(ruleset_attr->scoped & + (LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPED_SIGNAL))) return ret; env_type_scope = getenv(env_var); @@ -212,6 +214,9 @@ static bool check_ruleset_scope(const char *const env_var, strsep(&env_type_scope_next, ENV_DELIMITER))) { if (strcmp("a", ipc_scoping_name) == 0 && !abstract_scoping) { abstract_scoping = true; + } else if (strcmp("s", ipc_scoping_name) == 0 && + !signal_scoping) { + signal_scoping = true; } else { fprintf(stderr, "Unsupported scoping \"%s\"\n", ipc_scoping_name); @@ -221,6 +226,8 @@ static bool check_ruleset_scope(const char *const env_var, } if (!abstract_scoping) ruleset_attr->scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; + if (!signal_scoping) + ruleset_attr->scoped &= ~LANDLOCK_SCOPED_SIGNAL; out_free_name: free(env_type_scope); return ret; @@ -265,7 +272,8 @@ int main(const int argc, char *const argv[], char *const *const envp) .handled_access_fs = access_fs_rw, .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, - .scoped = LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET, + .scoped = LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL, }; if (argc < 2) { @@ -302,7 +310,7 @@ int main(const int argc, char *const argv[], char *const *const envp) "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" " "%s=\"9418\" " "%s=\"80:443\" " - "%s=\"a\" " + "%s=\"a:s\" " "%s bash -i\n\n", ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME, ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv[0]); @@ -376,7 +384,8 @@ int main(const int argc, char *const argv[], char *const *const envp) __attribute__((fallthrough)); case 5: /* Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET for ABI < 6 */ - ruleset_attr.scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; + ruleset_attr.scoped &= ~(LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL); fprintf(stderr, "Hint: You should update the running kernel " "to leverage Landlock features " From patchwork Fri Sep 6 21:30:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13794780 Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 628B615C13D; Fri, 6 Sep 2024 21:30:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658225; cv=none; b=oRAcHu5BiEVwPeTS/yTVDZ6acupkdTgMXtey0P5+kOQvXagtTfpcIeEsXLxI6O7Ih9zVdl8hw7IKruxpHDseaGz4cXP6k8RRVwSFUOHHCE6/2BvnRbAqhwKvZyNzwA3GyxOes9QSJjvdMsMxPBZ2gWwa9VCuq5SmmQmDkHuF/Lk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725658225; c=relaxed/simple; bh=bElnKQofCAY+p/boD/vxtSPmvt2QWu/imirBWf3UgRo=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=n1OAaJ3L549wHMGU6wEDYFGVW5Dz7wYPX1K+n3UZoXuFnes6Y/R1rUaTsUlhu9mzSQL4eW65ortBx7q1zdI5Ba88v3PjWrTnCTkd/ivxBrkBA+NtoBppX/R36vT0P+501G9fy3xQ1T0Cf+aGrfyZTToMojTsU8GGKwAjhB7ftd8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=lj7nYvxm; arc=none smtp.client-ip=209.85.214.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="lj7nYvxm" Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-2059204f448so22867005ad.0; Fri, 06 Sep 2024 14:30:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725658222; x=1726263022; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=AK65wUPtnvGMD/yVvdcqm/At2jScfUF7HQejuo4N+EU=; b=lj7nYvxmBIOBR52ZSzJZzs2UfA4/rtx5ijkW5ZDuexaNtqlDS11xBu4cIjWtxpjtjB DyF/EnwY/jO5UpvjAF+7mCUMBVa5jbehrxfdrtZZNmpEEDxMQyaNEBttpQCn5w7+x6LW E16FF/sfTxSPrVYJIuWjBw3PK/UA90GN/W5DYZwjpV/Rj/KRi0F4TYxrj+jnzSHix9iD etUdHLwIykk58wQlwSsIQsu7G2ul3gqwIdAmvaOYWUFHHTTGnbVaOr4KQ7NOltqz2FDI oJfwmX73MYQ8vEJMx5xCGP++ixgqSZBLo4TpbdbzsG/pyPozmEwT8D6Oc60Lp7jvyDER bLRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725658222; x=1726263022; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=AK65wUPtnvGMD/yVvdcqm/At2jScfUF7HQejuo4N+EU=; b=enw2/N42iZJGCo94Mzwy1PUClHhzKSLy7x7WdS3ubGl5XOsueUv5hTGc19dToLg+1W R0Jc5JBYwTM1vbAspfBSHTYbsXOGF0sa2RjOk5yzHZO00p/ZRYwQne9ridjhq6cItYAW ITBGkebqOKSHrDAMZvO5X7tbbJZ4YGgc4LybruEkDHZBlIYjFC3+cpMYAvoVakh2tBIJ VzSwqERlF7nlQr9Oo9SqYBZ0AiHaq8lUMfozAczOh+mmQBnog+0/q/WKKhYTXewmfmWu VQXNP5yAFaWCEEU/Tyry3PzLHksMi21xtRz7Od+hmUgcjI6upSJuwloRaUIvlsEpCN9R laOA== X-Forwarded-Encrypted: i=1; AJvYcCUbWIOOzSS2tnidt2rlwA27p11VyMPcti/sjJIRkODvepyQ19RZggcSN2c/OR/1G7/uUnCHxEzb@vger.kernel.org, AJvYcCWhXV9W7dJYUAa865PyjaKb5MtsUO9adwp13YL3UU/vTCeWvgXlej64GlBDdzP8PtWrfehEvIzmSODG8Yo=@vger.kernel.org, AJvYcCXj8JtolySTONd6eUB/79U8AXQs2JmmDs3EkureChAfY/tXWRvrov2xXHbEdOc3U5SJOXWcVnPx7C3QA1j5MsPDfIT7BxPR@vger.kernel.org X-Gm-Message-State: AOJu0YyKZgyxN80SgQm5RE8xOpoRDlv1NvoenPT/FaWXlD5JCjCXhqnZ eU1SaaD+Zs/ek5wUE4QrLGWwGe0zLEum6j5I7BMLJInOdp65grWZ X-Google-Smtp-Source: AGHT+IEDfS8XZHaSIjFR2D/Uhvuv/fnpxsuxJtjyzWagdGZHGaUqv1bNz5wGU4hHfQV4rxOlTWlsIw== X-Received: by 2002:a17:902:f788:b0:205:56e8:4a4b with SMTP id d9443c01a7336-206f04e1a86mr45554685ad.2.1725658222626; Fri, 06 Sep 2024 14:30:22 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-206aea67bd1sm47081065ad.247.2024.09.06.14.30.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2024 14:30:21 -0700 (PDT) From: Tahera Fahimi To: outreachy@lists.linux.dev Cc: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, netdev@vger.kernel.org, Tahera Fahimi Subject: [PATCH v4 6/6] landlock: Document LANDLOCK_SCOPED_SIGNAL Date: Fri, 6 Sep 2024 15:30:08 -0600 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Improving Landlock ABI version 6 to support signal scoping with LANDLOCK_SCOPED_SIGNAL. Signed-off-by: Tahera Fahimi --- v3: - update date --- Documentation/userspace-api/landlock.rst | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index c3b87755e98d..c694e9fe36fc 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -82,7 +82,8 @@ to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, .scoped = - LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET, + LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL, }; Because we may not know on which kernel version an application will be @@ -123,7 +124,8 @@ version, and only use the available subset of access rights: ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; case 5: /* Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET for ABI < 6 */ - ruleset_attr.scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; + ruleset_attr.scoped &= ~(LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET | + LANDLOCK_SCOPED_SIGNAL); } This enables to create an inclusive ruleset that will contain our rules. @@ -320,11 +322,15 @@ explicitly scoped for a set of actions by specifying it on a ruleset. For example, if a sandboxed process should not be able to :manpage:`connect(2)` to a non-sandboxed process through abstract :manpage:`unix(7)` sockets, we can specify such restriction with -``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``. +``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``. Moreover, if a sandboxed +process should not be able to send a signal to a non-sandboxed process, +we can specify this restriction with ``LANDLOCK_SCOPED_SIGNAL``. A sandboxed process can connect to a non-sandboxed process when its domain is not scoped. If a process's domain is scoped, it can only connect to sockets created by processes in the same scoped domain. +Moreover, If a process is scoped to send signal to a non-scoped process, +it can only send signals to processes in the same scoped domain. A connected datagram socket behaves like a stream socket when its domain is scoped, meaning if the domain is scoped after the socket is connected @@ -575,12 +581,14 @@ earlier ABI. Starting with the Landlock ABI version 5, it is possible to restrict the use of :manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right. -Abstract UNIX sockets Restriction (ABI < 6) --------------------------------------------- +Abstract Unix sockets and Signal Restriction (ABI < 6) +------------------------------------------------------- +<<<<<<< current With ABI version 6, it is possible to restrict connection to an abstract -Unix socket through ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``, thanks to -the ``scoped`` ruleset attribute. +:manpage:`unix(7)` socket through +``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET`` and sending signal through +``LANDLOCK_SCOPED_SIGNAL``, thanks to the ``scoped`` ruleset attribute. .. _kernel_support: