[PATCH v3 6/6] Landlock: Document LANDLOCK_SCOPED_SIGNAL
Tahera Fahimi
fahimitahera at gmail.com
Thu Aug 15 21:07:00 UTC 2024
On Thu, Aug 15, 2024 at 12:29:25PM -0600, Tahera Fahimi wrote:
> Improving Landlock ABI version 6 to support signal scoping
> with LANDLOCK_SCOPED_SIGNAL.
>
> Signed-off-by: Tahera Fahimi <fahimitahera at gmail.com>
> ---
> v3:
> - update date
> ---
> Documentation/userspace-api/landlock.rst | 25 +++++++++++++++++-------
> 1 file changed, 18 insertions(+), 7 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 0582f93bd952..01e4d50851af 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -8,7 +8,7 @@ Landlock: unprivileged access control
> =====================================
>
> :Author: Mickaël Salaün
> -:Date: July 2024
> +:Date: August 2024
>
> The goal of Landlock is to enable to restrict ambient rights (e.g. global
> filesystem or network access) for a set of processes. Because Landlock
> @@ -82,7 +82,8 @@ to be explicit about the denied-by-default access rights.
> LANDLOCK_ACCESS_NET_BIND_TCP |
> LANDLOCK_ACCESS_NET_CONNECT_TCP,
> .scoped =
> - LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET,
> + LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET |
> + LANDLOCK_SCOPED_SIGNAL,
> };
>
> Because we may not know on which kernel version an application will be
> @@ -123,7 +124,8 @@ version, and only use the available subset of access rights:
> ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
> case 5:
> /* Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET for ABI < 6 */
> - ruleset_attr.scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET;
> + ruleset_attr.scoped &= ~(LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET |
> + LANDLOCK_SCOPED_SIGNAL);
> }
>
> This enables to create an inclusive ruleset that will contain our rules.
> @@ -319,11 +321,15 @@ interactions between sandboxes. Each Landlock domain can be explicitly scoped
> for a set of actions by specifying it on a ruleset. For example, if a sandboxed
> process should not be able to :manpage:`connect(2)` to a non-sandboxed process
> through abstract :manpage:`unix(7)` sockets, we can specify such restriction
> -with ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``.
> +with ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``. Moreover, if a sandboxed process
> +should not be able to send a signal to a non-sandboxed process, we can specify
> +this restriction with ``LANDLOCK_SCOPED_SIGNAL``.
>
> A sandboxed process can connect to a non-sandboxed process when its domain is
> not scoped. If a process's domain is scoped, it can only connect to sockets
> -created by processes in the same scoped domain.
> +created by processes in the same scoped domain. Moreover, If a process is
> +scoped to send signal to a non-scoped process, it can only send signals to
> +processes in the same scoped domain.
>
> IPC scoping does not support Landlock rules, so if a domain is scoped, no rules
> can be added to allow accessing to a resource outside of the scoped domain.
> @@ -563,12 +569,17 @@ earlier ABI.
> Starting with the Landlock ABI version 5, it is possible to restrict the use of
> :manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right.
>
> +<<<<<<< current
> Abstract UNIX sockets Restriction (ABI < 6)
> --------------------------------------------
> +=======
> +Abstract Unix sockets and Signal Restriction (ABI < 6)
> +-------------------------------------------------------
> +>>>>>>> patched
Sorry about this part. I will correct it.
> With ABI version 6, it is possible to restrict connection to an abstract Unix socket
> -through ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``, thanks to the ``scoped`` ruleset
> -attribute.
> +through ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET`` and sending signal through
> +``LANDLOCK_SCOPED_SIGNAL``, thanks to the ``scoped`` ruleset attribute.
>
> .. _kernel_support:
>
> --
> 2.34.1
>
More information about the Linux-security-module-archive
mailing list