From patchwork Wed Feb 26 21:18:16 2025
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13993223
Date: Wed, 26 Feb 2025 22:18:16 +0100
In-Reply-To: <20250226211814.31420-2-gnoack@google.com>
References: <20250226211814.31420-2-gnoack@google.com>
Message-ID: <20250226211814.31420-4-gnoack@google.com>
X-Mailing-List: linux-security-module@vger.kernel.org
Subject: [PATCH v2 1/1] landlock: Clarify IPC scoping documentation
From: Günther Noack
To: Mickaël Salaün, Tahera Fahimi, Alejandro Colomar
Cc: Günther Noack, Tanya Agarwal, linux-security-module@vger.kernel.org, Daniel Burgener

* Clarify terminology
* Stop mixing the unix(7) and signal(7) aspects in the explanation.

Terminology:

* The *IPC Scope* of a Landlock domain is that Landlock domain and its
  nested domains.
* An *operation* (e.g., signaling, connecting to abstract UDS) is said to be
  *scoped within a domain* when the flag for that operation was set at
  ruleset creation time. This means that for the purpose of this operation,
  only processes within the domain's IPC scope are reachable.

Signed-off-by: Günther Noack
---
 Documentation/userspace-api/landlock.rst | 45 ++++++++++++------------
 1 file changed, 22 insertions(+), 23 deletions(-)

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index ad587f53fe41..4832b16deedb 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -317,33 +317,32 @@ IPC scoping ----------- Similar to the implicit `Ptrace restrictions`_, we may want to further restrict -interactions between sandboxes. Each Landlock domain can be explicitly scoped -for a set of actions by specifying it on a ruleset. For example, if a -sandboxed process should not be able to :manpage:`connect(2)` to a -non-sandboxed process through abstract :manpage:`unix(7)` sockets, we can -specify such a restriction with ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``. -Moreover, if a sandboxed process should not be able to send a signal to a -non-sandboxed process, we can specify this restriction with -``LANDLOCK_SCOPE_SIGNAL``. +interactions between sandboxes. Therefore, at ruleset creation time, each +Landlock domain can restrict the scope for certain operations, so that these +operations can only reach out to processes within the same Landlock domain or in +a nested Landlock domain (the "scope"). -A sandboxed process can connect to a non-sandboxed process when its domain is -not scoped. If a process's domain is scoped, it can only connect to sockets -created by processes in the same scope. -Moreover, if a process is scoped to send signal to a non-scoped process, it can -only send signals to processes in the same scope. +The operations which can be scoped are: -A connected datagram socket behaves like a stream socket when its domain is -scoped, meaning if the domain is scoped after the socket is connected, it can -still :manpage:`send(2)` data just like a stream socket. However, in the same -scenario, a non-connected datagram socket cannot send data (with -:manpage:`sendto(2)`) outside its scope. +``LANDLOCK_SCOPE_SIGNAL`` + This limits the sending of signals to target processes which run within the + same or a nested Landlock domain. -A process with a scoped domain can inherit a socket created by a non-scoped -process. The process cannot connect to this socket since it has a scoped -domain. 
+``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` + This limits the set of abstract :manpage:`unix(7)` sockets to which we can + :manpage:`connect(2)` to socket addresses which were created by a process in + the same or a nested Landlock domain. -IPC scoping does not support exceptions, so if a domain is scoped, no rules can -be added to allow access to resources or processes outside of the scope. + A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if + it were doing an implicit :manpage:`connect(2)` and will be blocked if the + remote end does not stem from the same or a nested Landlock domain. + + A :manpage:`sendto(2)` on a socket which was previously connected will not + be restricted. This works for both datagram and stream sockets. + +IPC scoping does not support exceptions via :manpage:`landlock_add_rule(2)`. +If an operation is scoped within a domain, no rules can be added to allow access +to resources or processes outside of the scope. Truncating files ----------------
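Review bot: in the ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` entry of this hunk, "This limits the set of abstract :manpage:`unix(7)` sockets to which we can :manpage:`connect(2)` to socket addresses which were created by ..." stacks two "to" objects and does not parse; suggest "This limits :manpage:`connect(2)` on abstract :manpage:`unix(7)` sockets to socket addresses that were created by a process in the same or a nested Landlock domain." Two details of the removed text are also worth a sentence in the new version: the inherited-socket case ("A process with a scoped domain can inherit a socket created by a non-scoped process. The process cannot connect to this socket ...") is now only implied, and "A :manpage:`sendto(2)` on a socket which was previously connected will not be restricted" drops the old condition "if the domain is scoped after the socket is connected"; without it the sentence reads like a loophole rather than the statement that a connect(2) made before the scope was enforced (or already checked by it) is not re-checked on every send.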
From patchwork Wed Feb 26 21:29:11 2025
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13993228
Date: Wed, 26 Feb 2025 22:29:11 +0100
In-Reply-To: <20250226211814.31420-2-gnoack@google.com>
References: <20250226211814.31420-2-gnoack@google.com>
Message-ID: <20250226212911.34502-3-gnoack@google.com>
X-Mailing-List: linux-security-module@vger.kernel.org
Subject: [PATCH v2 2/3] landlock.7: Move over documentation for ABI version 6
From: Günther Noack
To: Alejandro Colomar, Mickaël Salaün, Tahera Fahimi
Cc: Günther Noack, Tanya Agarwal, linux-security-module@vger.kernel.org, linux-man@vger.kernel.org, Daniel Burgener

With this ABI version, Landlock can restrict outgoing interactions with
higher-privileged Landlock domains through Abstract Unix Domain sockets and
signals.

Signed-off-by: Günther Noack
---
 man/man7/landlock.7 | 69 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 1 deletion(-)

diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 11f76b072..30dbac73d 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -248,7 +248,8 @@ This access right is available since the fifth version of the Landlock ABI. .SS Network flags These flags enable to restrict a sandboxed process to a set of network actions. -This is supported since the Landlock ABI version 4. +.P +This is supported since Landlock ABI version 4. .P The following access rights apply to TCP port numbers: .TP
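Review bot: the ".P" inserted before "This is supported since Landlock ABI version 4." and the dropped "the" edit the existing Network flags text, which is outside what the commit message ("Move over documentation for ABI version 6") announces; either mention the cleanup in the message or carry it in a separate patch so that the ABI 6 import stays a pure addition.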
@@ -258,6 +259,24 @@ Bind a TCP socket to a local port. .B LANDLOCK_ACCESS_NET_CONNECT_TCP Connect an active TCP socket to a remote port. .\" +.SS Scope flags +These flags enable to isolate a sandboxed process from a set of IPC actions. +Setting a flag for a ruleset will isolate the Landlock domain +to forbid connections to resources outside the domain. +.P +This is supported since Landlock ABI version 6. +.P +The following scopes exist: +.TP +.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET +Restrict a sandboxed process from connecting to an abstract UNIX socket +created by a process outside the related Landlock domain +(e.g., a parent domain or a non-sandboxed process). +.TP +.B LANDLOCK_SCOPE_SIGNAL +Restrict a sandboxed process from sending a signal +to another process outside the domain. +.\" .SS Layers of file path access rights Each time a thread enforces a ruleset on itself, it updates its Landlock domain with a new layer of policy. 
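Review bot: "These flags enable to isolate a sandboxed process from a set of IPC actions." is not grammatical (it copies the "enable to restrict" wording of the Network flags section above, which has the same defect); "These flags isolate a sandboxed process from a set of IPC actions." or "make it possible to isolate" would do. The two flag descriptions also draw the boundary differently: LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET says "outside the related Landlock domain (e.g., a parent domain or a non-sandboxed process)" while LANDLOCK_SCOPE_SIGNAL only says "outside the domain"; use one formulation for both, preferably the "same or a nested Landlock domain" wording of the kernel-side text in 1/1, since 3/3 of this series rewrites the IPC scoping section but leaves this Scope flags subsection untouched.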
@@ -334,6 +353,51 @@ and related syscalls on a target process, a sandboxed process should have a subset of the target process rules, which means the tracee must be in a sub-domain of the tracer. .\" +.SS IPC scoping +Similar to the implicit +.BR "Ptrace restrictions" , +we may want to further restrict interactions between sandboxes. +Each Landlock domain can be explicitly scoped for a set of actions +by specifying it on a ruleset. +For example, if a sandboxed process should not be able to +.BR connect (2) +to a non-sandboxed process through abstract +.BR unix (7) +sockets, +we can specify such a restriction with +.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET . +Moreover, if a sandboxed process should not be able +to send a signal to a non-sandboxed process, +we can specify this restriction with +.BR LANDLOCK_SCOPE_SIGNAL . +.P +A sandboxed process can connect to a non-sandboxed process +when its domain is not scoped. +If a process's domain is scoped, +it can only connect to sockets created by processes in the same scope. +Moreover, +If a process is scoped to send signal to a non-scoped process, +it can only send signals to processes in the same scope. +.P +A connected datagram socket behaves like a stream socket +when its domain is scoped, +meaning if the domain is scoped after the socket is connected, +it can still +.BR send (2) +data just like a stream socket. +However, in the same scenario, +a non-connected datagram socket cannot send data (with +.BR sendto (2)) +outside its scope. +.P +A process with a scoped domain can inherit a socket +created by a non-scoped process. +The process cannot connect to this socket since it has a scoped domain. +.P +IPC scoping does not support exceptions, so if a domain is scoped, +no rules can be added to allow access to resources or processes +outside of the scope. +.\" .SS Truncating files The operations covered by .B LANDLOCK_ACCESS_FS_WRITE_FILE 
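Review bot: "Moreover, If a process is scoped to send signal to a non-scoped process," has a capitalised "If" in mid-sentence and is missing an article ("send a signal"), and "it can only send signals to processes in the same scope" leaves unclear whether it is the process or its domain that is "scoped"; since 3/3 replaces this whole paragraph, either fix the typos here so that the intermediate commit is clean or squash 2/3 and 3/3 into one patch.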
@@ -413,6 +477,9 @@ _ _ _ \^ \^ LANDLOCK_ACCESS_NET_CONNECT_TCP _ _ _ 5 6.10 LANDLOCK_ACCESS_FS_IOCTL_DEV +_ _ _ +6 6.12 LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET +\^ \^ LANDLOCK_SCOPE_SIGNAL .TE .P Users should use the Landlock ABI version rather than the kernel version
From patchwork Wed Feb 26 21:29:12 2025
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13993229
Date: Wed, 26 Feb 2025 22:29:12 +0100
In-Reply-To: <20250226211814.31420-2-gnoack@google.com>
References: <20250226211814.31420-2-gnoack@google.com>
Message-ID: <20250226212911.34502-4-gnoack@google.com>
X-Mailing-List: linux-security-module@vger.kernel.org
Subject: [PATCH v2 3/3] landlock.7: Clarify IPC scoping documentation in line with kernel side
From: Günther Noack
To: Alejandro Colomar, Mickaël Salaün, Tahera Fahimi
Cc: Günther Noack, Tanya Agarwal, linux-security-module@vger.kernel.org, linux-man@vger.kernel.org, Daniel Burgener

* Clarify terminology
* Stop mixing the unix(7) and signal(7) aspects in the explanation.

Terminology:

* The *IPC Scope* of a Landlock domain is that Landlock domain and its
  nested domains.
* An *operation* (e.g., signaling, connecting to abstract UDS) is said to be
  *scoped within a domain* when the flag for that operation was set at
  ruleset creation time. This means that for the purpose of this operation,
  only processes within the domain's IPC scope are reachable.

Link: https://lore.kernel.org/all/20250226211814.31420-4-gnoack@google.com/
Signed-off-by: Günther Noack
---
 man/man7/landlock.7 | 73 ++++++++++++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 35 insertions(+), 38 deletions(-)

diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 30dbac73d..42cd7286f 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -357,46 +357,43 @@ which means the tracee must be in a sub-domain of the tracer. Similar to the implicit .BR "Ptrace restrictions" , we may want to further restrict interactions between sandboxes. -Each Landlock domain can be explicitly scoped for a set of actions -by specifying it on a ruleset. -For example, if a sandboxed process should not be able to -.BR connect (2) -to a non-sandboxed process through abstract +Therefore, at ruleset creation time, +each Landlock domain can restrict the scope for certain operations, +so that these operations can only reach out to processes +within the same Landlock domain or in a nested Landlock domain (the "scope"). +.P +The operations which can be scoped are: +.P +.TP +.B LANDLOCK_SCOPE_SIGNAL +This limits the sending of signals to target processes +which run within the same or a nested Landlock domain. +.TP +.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET +This limits the set of abstract .BR unix (7) -sockets, -we can specify such a restriction with -.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET . -Moreover, if a sandboxed process should not be able -to send a signal to a non-sandboxed process, -we can specify this restriction with -.BR LANDLOCK_SCOPE_SIGNAL . +sockets to which we can +.BR connect (2) +to socket addresses which were created +by a process in the same or a nested Landlock domain. +.IP +A +.BR sendto (2) +on a non-connected datagram socket is treated as if it were doing an implicit +.BR connect (2) +and will be blocked if the remote end does not stem +from the same or a nested Landlock domain. +.IP +A +.BR sendto (2) +on a socket which was previously connected will not be restricted. +This works for both datagram and stream sockets. .P -A sandboxed process can connect to a non-sandboxed process -when its domain is not scoped. -If a process's domain is scoped, -it can only connect to sockets created by processes in the same scope. 
-Moreover, -If a process is scoped to send signal to a non-scoped process, -it can only send signals to processes in the same scope. -.P -A connected datagram socket behaves like a stream socket -when its domain is scoped, -meaning if the domain is scoped after the socket is connected, -it can still -.BR send (2) -data just like a stream socket. -However, in the same scenario, -a non-connected datagram socket cannot send data (with -.BR sendto (2)) -outside its scope. -.P -A process with a scoped domain can inherit a socket -created by a non-scoped process. -The process cannot connect to this socket since it has a scoped domain. -.P -IPC scoping does not support exceptions, so if a domain is scoped, -no rules can be added to allow access to resources or processes -outside of the scope. +IPC scoping does not support exceptions via +.BR landlock_add_rule (2). +If an operation is scoped within a domain, +no rules can be added to allow access +to resources or processes outside of the scope. .\" .SS Truncating files The operations covered by
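Review bot: ".P" immediately followed by ".TP" after "The operations which can be scoped are:" leaves an empty paragraph, i.e. extra vertical space before the first tag; drop the ".P" (the kernel-side text in 1/1 has no equivalent). The LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET description carries over the ungrammatical "sockets to which we can .BR connect (2) to socket addresses" from 1/1; "This limits .BR connect (2) on abstract .BR unix (7) sockets to socket addresses that were created by a process in the same or a nested Landlock domain." reads cleanly. Finally, "Therefore, at ruleset creation time, ..." does not follow from "we may want to further restrict interactions between sandboxes"; "To that end" or simply dropping the connective is closer to the intended meaning.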
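As an added example that is not part of this patch series or of the kernel tree, the following C program exercises the IPC scoping that the hunks above document: an unsandboxed parent listens on an abstract unix(7) socket, and a child that enforces a ruleset with both LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and LANDLOCK_SCOPE_SIGNAL set is then refused a connect(2) to that socket and a signal to its parent (both EPERM), while a socket it binds inside its own domain stays reachable. The `scoped` field of struct landlock_ruleset_attr, the flag bit values and the syscall numbers come from the ABI-6 UAPI header, which this page does not reproduce; the socket names, the DEMO_* report bits and the exit-status encoding are this example's own choices. It needs a kernel with Landlock ABI 6 (Linux 6.12) to show anything and reports itself as skipped otherwise.

```c
/* Added example, not part of this patch series or the kernel tree: an unsandboxed
 * parent listens on an abstract unix(7) socket; its child enforces a ruleset whose
 * `scoped` field sets both scope flags, then checks that connect(2) to the parent's
 * socket and kill(2) on the parent fail with EPERM while its own socket stays reachable. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* ABI-6 values from <linux/landlock.h> and the syscall numbers, restated here so
 * the example also builds against older headers. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_restrict_self 446
#endif
#define LANDLOCK_CREATE_RULESET_VERSION     (1U << 0)
#define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
#define LANDLOCK_SCOPE_SIGNAL               (1ULL << 1)
struct demo_ruleset_attr { uint64_t handled_access_fs, handled_access_net, scoped; };
/* Bits of the child's report (also its exit status); -1 stands for "skipped". */
#define DEMO_OUTER_BLOCKED  1    /* connect(2) to the parent's socket failed with EPERM */
#define DEMO_INNER_ALLOWED  2    /* connect(2) to a socket bound inside the scope succeeded */
#define DEMO_SIGNAL_BLOCKED 4    /* kill(2) aimed at the unsandboxed parent failed with EPERM */
#define DEMO_VALID          0x10 /* the child really ran inside a scoped domain */

/* Stream socket on an abstract address (sun_path[0] == '\0', then the name): bound
 * and listening if do_listen, otherwise connected. Returns -1 with errno on failure. */
static int abstract_socket(const char *name, int do_listen)
{
	struct sockaddr_un a = { .sun_family = AF_UNIX };
	socklen_t alen = offsetof(struct sockaddr_un, sun_path) + 1 + strlen(name);
	int fd = socket(AF_UNIX, SOCK_STREAM, 0), saved;
	memcpy(a.sun_path + 1, name, strlen(name));                /* names here are < 48 chars */
	if (fd >= 0 && (do_listen ? bind(fd, (struct sockaddr *)&a, alen) || listen(fd, 1)
	                          : connect(fd, (struct sockaddr *)&a, alen))) {
		saved = errno, close(fd), errno = saved;
		return -1;
	}
	return fd;
}

/* Child: enforce a ruleset that scopes both IPC operations, probe the three
 * operations and report through the exit status (1 = kernel lacks ABI 6). */
static void child_probe(const char *outer, const char *inner)
{
	struct demo_ruleset_attr attr = { 0, 0, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL };
	int status = DEMO_VALID, fd;
	if (syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) < 6)
		_exit(1);                                           /* scope flags need ABI 6 */
	if ((fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0)) < 0)
		_exit(1);
	/* landlock_restrict_self(2) needs no_new_privs unless the caller has CAP_SYS_ADMIN. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, fd, 0))
		_exit(1);
	close(fd);
	if (abstract_socket(outer, 0) < 0 && errno == EPERM)       /* address created outside the scope */
		status |= DEMO_OUTER_BLOCKED;
	if (abstract_socket(inner, 1) >= 0 && abstract_socket(inner, 0) >= 0) /* bound in this domain */
		status |= DEMO_INNER_ALLOWED;
	if (kill(getppid(), 0) < 0 && errno == EPERM)              /* signal 0 takes the same check */
		status |= DEMO_SIGNAL_BLOCKED;
	_exit(status);
}

/* Run the demo once (parent listens, child probes) and cache the child's report. */
int scope_demo_results(void)
{
	static int cached = -2;                                     /* -2: not run yet */
	char outer[48], inner[48];
	int listen_fd, st = 0;
	pid_t pid;
	if (cached != -2)
		return cached;
	cached = -1;
	snprintf(outer, sizeof(outer), "ll-scope-demo-%d-outer", (int)getpid());
	snprintf(inner, sizeof(inner), "ll-scope-demo-%d-inner", (int)getpid());
	if ((listen_fd = abstract_socket(outer, 1)) < 0)            /* parent: not sandboxed */
		return cached;
	if ((pid = fork()) == 0)
		child_probe(outer, inner);
	if (pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st) && (WEXITSTATUS(st) & DEMO_VALID))
		cached = WEXITSTATUS(st);
	close(listen_fd);
	return cached;
}

int main(void)
{
	int r = scope_demo_results();
	printf(r < 0 ? "skipped: Landlock ABI >= 6 not available\n"
	             : "parent socket blocked=%d, own socket reachable=%d, signal to parent blocked=%d\n",
	       !!(r & DEMO_OUTER_BLOCKED), !!(r & DEMO_INNER_ALLOWED), !!(r & DEMO_SIGNAL_BLOCKED));
	return 0;
}
```

Build with `cc -o scope_demo scope_demo.c` and run it unprivileged. The child probes with signal 0, so nothing is ever delivered to the parent, but the kernel runs the same permission check as for a real signal. The parent's listening socket is inherited by the child, which is exactly the "inherited socket" case of the old kernel text: having the descriptor does not help, because the address was created outside the child's IPC scope.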