[PATCH 0/6] Landlock: Implement scope control for pathname Unix sockets
Tingmao Wang
m at maowtm.org
Sun Dec 28 12:45:39 UTC 2025
This patch series extend the existing abstract Unix socket scoping to
pathname (i.e. normal file-based) sockets as well, by adding a new scope
bit LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET that works the same as
LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, except that restricts pathname Unix
sockets. This means that a sandboxed process with this scope enabled will
not be able to connect to Unix sockets created outside the sandbox via the
filesystem.
There is a future plan [1] for allowing specific sockets based on FS
hierarchy, but this series is only determining access based on domain
parent-child relationship. There is currently no way to allow specific
(outside the Landlock domain) Unix sockets, and none of the existing
Landlock filesystem controls apply to socket connect().
With this series, we can now properly protect against things like the the
following (while only relying on Landlock):
(running under tmux)
root at 6-19-0-rc1-dev-00023-g68f0b276cbeb ~# LL_FS_RO=/ LL_FS_RW= ./sandboxer bash
Executing the sandboxed command...
root at 6-19-0-rc1-dev-00023-g68f0b276cbeb:/# cat /tmp/hi
cat: /tmp/hi: No such file or directory
root at 6-19-0-rc1-dev-00023-g68f0b276cbeb:/# tmux new-window 'echo hi > /tmp/hi'
root at 6-19-0-rc1-dev-00023-g68f0b276cbeb:/# cat /tmp/hi
hi
The above but with Unix socket scoping enabled (both pathname and abstract
sockets) - the sandboxed shell can now no longer talk to tmux due to the
socket being created from outside the Landlock sandbox:
(running under tmux)
root at 6-19-0-rc1-dev-00023-g68f0b276cbeb ~# LL_FS_RO=/ LL_FS_RW= LL_SCOPED=u:a ./sandboxer bash
Executing the sandboxed command...
root at 6-19-0-rc1-dev-00023-g68f0b276cbeb:/# cat /tmp/hi
cat: /tmp/hi: No such file or directory
root at 6-19-0-rc1-dev-00023-g68f0b276cbeb:/# tmux new-window 'echo hi > /tmp/hi'
error connecting to /tmp/tmux-0/default (Operation not permitted)
root at 6-19-0-rc1-dev-00023-g68f0b276cbeb:/# cat /tmp/hi
cat: /tmp/hi: No such file or directory
Tmux is just one example. In a standard systemd session, `systemd-run
--user` can also be used (--user will run the command in the user's
session, without requiring any root privileges), and likely a lot more if
running in a desktop environment with many popular applications. This
change therefore makes it possible to create sandboxes without relying on
additional mechanisms like seccomp to protect against such issues.
These kind of issues was originally discussed on here (I took the idea for
systemd-run from Demi):
https://spectrum-os.org/lists/archives/spectrum-devel/00256266-26db-40cf-8f5b-f7c7064084c2@gmail.com/
Demo with socat + sandboxer:
Outside:
socat unix-listen:/foo.sock,fork -
Sandbox with pathname socket scope bit:
root at 6-19-0-rc1-dev-00023-g0994a10d6512 ~# LL_FS_RW=/ LL_FS_RO= LL_SCOPED=u /sandboxer socat -d2 unix:/foo.sock -
Executing the sandboxed command...
2025/12/27 20:28:54 socat[1227] E UNIX-CLIENT: /foo.sock: Operation not permitted
2025/12/27 20:28:54 socat[1227] N exit(1)
Sandbox without pathname socket scope bit:
root at 6-19-0-rc1-dev-00023-g0994a10d6512 ~# LL_FS_RW=/ LL_FS_RO= LL_SCOPED= /sandboxer socat -d2 unix:/foo.sock -
Executing the sandboxed command...
2025/12/27 20:29:22 socat[1250] N successfully connected from local address AF=1 "(7\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xB0\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xC3\xAE\xAE\xAE\xAE"
...
Sandbox with only abstract socket scope bit:
root at 6-19-0-rc1-dev-00023-g0994a10d6512 ~# LL_FS_RW=/ LL_FS_RO= LL_SCOPED=a /sandboxer socat -d2 unix:/foo.sock -
Executing the sandboxed command...
2025/12/27 20:29:26 socat[1259] N successfully connected from local address AF=1 "\0\0\0\0\0\0\0\0\0"
...
Sendmsg/recvmsg - outside:
socat unix-recvfrom:/datagram.sock -
Sandbox with pathname socket scope bit:
root at 6-19-0-rc1-dev-00023-g0994a10d6512 ~# LL_FS_RW=/ LL_FS_RO= LL_SCOPED=u /sandboxer socat -d2 unix-sendto:/datagram.sock -
Executing the sandboxed command...
...
2025/12/27 20:33:04 socat[1446] N starting data transfer loop with FDs [5,5] and [0,1]
123
2025/12/27 20:33:05 socat[1446] E sendto(5, 0x55d260d8f000, 4, 0, AF=1 "/datagram.sock", 16): Operation not permitted
2025/12/27 20:33:05 socat[1446] N exit(1)
[1]: https://github.com/landlock-lsm/linux/issues/36
Closes: https://github.com/landlock-lsm/linux/issues/51
Tingmao Wang (6):
landlock: Add LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET scope bit to uAPI
landlock: Implement LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
samples/landlock: Support LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
selftests/landlock: Support pathname socket path in set_unix_address
selftests/landlock: Repurpose scoped_abstract_unix_test.c for pathname
sockets too.
selftests/landlock: Add pathname socket variants for more tests
Documentation/userspace-api/landlock.rst | 37 +-
include/uapi/linux/landlock.h | 8 +-
samples/landlock/sandboxer.c | 23 +-
security/landlock/audit.c | 4 +
security/landlock/audit.h | 1 +
security/landlock/limits.h | 2 +-
security/landlock/syscalls.c | 2 +-
security/landlock/task.c | 74 +-
tools/testing/selftests/landlock/base_test.c | 2 +-
tools/testing/selftests/landlock/common.h | 33 +-
tools/testing/selftests/landlock/net_test.c | 2 +-
.../selftests/landlock/scoped_signal_test.c | 2 +-
.../testing/selftests/landlock/scoped_test.c | 2 +-
...bstract_unix_test.c => scoped_unix_test.c} | 855 ++++++++++++------
14 files changed, 752 insertions(+), 295 deletions(-)
rename tools/testing/selftests/landlock/{scoped_abstract_unix_test.c => scoped_unix_test.c} (51%)
base-commit: 161db1810f3625e97ab414908dbcf4b2ab73c309
prerequisite-patch-id: 4eaf9fc84a1911a86c8a5db5a48e1e30dd13988f # https://lore.kernel.org/all/cover.1766885035.git.m@maowtm.org/
prerequisite-patch-id: b0750cf8e20fbd1b39b0836da7a980a9592a461b
prerequisite-patch-id: 4b6d65083f8b677c5dd249eb28625c152f5e91ab
prerequisite-patch-id: 2558c06992f9a689b11f05ae26acf26b7d56fa28
prerequisite-patch-id: 87beca2ee8cb7fc774ebff8449817e98fb849efa
--
2.52.0
More information about the Linux-security-module-archive
mailing list