[RFC PATCH v1 0/3] Expose Landlock domain IDs via pidfd
Mickaël Salaün
mic at digikod.net
Fri Jan 31 16:34:44 UTC 2025
Hi,
Landlock enables users to create unprivileged nested security sandboxes
(i.e. domains). Each of these domains get a unique ID, which is used to
identify and compare different domains. With the audit support, these
IDs will be used in logs, but users also need a way to map these IDs to
processes and directly read domain IDs of arbitrary tasks.
pidfd is a reference to a task that enables users to interact with it
and read some of its properties with the PIDFD_GET_INFO IOCTL. This
patch series extend this interface with two new properties:
PIDFD_INFO_LANDLOCK_LAST_DOMAIN and PIDFD_INFO_LANDLOCK_FIRST_DOMAIN.
Being able to read tasks' domain IDs is useful for telemetry, debugging, and
tests. It enables users:
- to know if a task is well sandboxed;
- to know which tasks are part of the same sandbox;
- to map Landlock audit logs to running processes.
Furthermore, thanks to recvmsg(2)'s SCM_PIDFD, it is also possible to reliably
identify a peer's sandbox.
This patch series is based on the audit support patch series v5:
https://lore.kernel.org/all/20250108154338.1129069-1-mic@digikod.net/
I'll talk about this feature at FOSDEM:
https://fosdem.org/2025/schedule/event/fosdem-2025-6071-sandbox-ids-with-landlock/
Regards,
Mickaël Salaün (3):
landlock: Add landlock_read_domain_id()
pidfd: Extend PIDFD_GET_INFO with PIDFD_INFO_LANDLOCK_*_DOMAIN
samples/landlock: Print domain ID
fs/pidfs.c | 24 +++++++++++-
include/linux/landlock.h | 26 +++++++++++++
include/uapi/linux/pidfd.h | 4 ++
samples/landlock/sandboxer.c | 29 +++++++++++++-
security/landlock/Makefile | 12 ++++--
security/landlock/domain.c | 2 -
security/landlock/domain.h | 8 ++--
security/landlock/ruleset.c | 2 +
security/landlock/syscalls.c | 75 ++++++++++++++++++++++++++++++++++++
9 files changed, 169 insertions(+), 13 deletions(-)
create mode 100644 include/linux/landlock.h
base-commit: a4b76d5e6800121372b88c85628a7867a5fdc707
--
2.48.1
More information about the Linux-security-module-archive
mailing list