Re: [PATCH v11 0/8] Landlock: Add abstract UNIX socket restriction

["Mickaël Salaün" <mic@digikod.net>]

I have reworked a bit the patches, including the signal scoping ones,
and they are here:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=next

This is based on a manual merge of some VFS changes and LSM changes
required for this patch series:
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/commit/?h=next&id=24dfe95e493086a99acf7df1ef23d9f21f8cdec7

My changes are explained in the "[mic: ...]" part of the commit
messages. Please send two last patch series, with this changes and reply
to it with your comments if any.

On Wed, Sep 04, 2024 at 06:13:54PM -0600, Tahera Fahimi wrote:
> This patch series adds scoping mechanism for abstract UNIX sockets.
> Closes: https://github.com/landlock-lsm/linux/issues/7
> 
> Problem
> =======
> 
> Abstract UNIX sockets are used for local inter-process communications
> independent of the filesystem. Currently, a sandboxed process can
> connect to a socket outside of the sandboxed environment, since Landlock
> has no restriction for connecting to an abstract socket address(see more
> details in [1,2]). Access to such sockets for a sandboxed process should
> be scoped the same way ptrace is limited.
> 
> [1] https://lore.kernel.org/all/20231023.ahphah4Wii4v@digikod.net/
> [2] https://lore.kernel.org/all/20231102.MaeWaepav8nu@digikod.net/
> 
> Solution
> ========
> 
> To solve this issue, we extend the user space interface by adding a new
> "scoped" field to Landlock ruleset attribute structure. This field can
> contains different rights to restrict different functionalities. For
> abstract UNIX sockets, we introduce
> "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET" field to specify that a ruleset
> will deny any connection from within the sandbox domain to its parent
> (i.e. any parent sandbox or non-sandbox processes).
> 
> Example
> =======
> 
> Starting a listening socket with socat(1):
>         socat abstract-listen:mysocket -
> 
> Starting a sandboxed shell from $HOME with samples/landlock/sandboxer:
>         LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="a" ./sandboxer /bin/bash
> 
> If we try to connect to the listening socket, the connection gets
> refused.
>         socat - abstract-connect:mysocket --> fails
> 
> 
> Notes of Implementation
> =======================
> 
> * Using the "scoped" field provides enough compatibility and flexibility
>   to extend the scoping mechanism for other IPCs(e.g. signals).
> 
> * To access the domain of a socket, we use its credentials of the file's
>   FD which point to the credentials of the process that created the
>   socket (see more details in [3]). Cases where the process using the
>   socket has a different domain than the process created it are covered
>   in the "outside_socket" test.
> 
> [3]https://lore.kernel.org/all/20240611.Pi8Iph7ootae@digikod.net/
> 
> Previous Versions
> =================
> v10:https://lore.kernel.org/all/cover.1724125513.git.fahimitahera@gmail.com/
> v9: https://lore.kernel.org/all/cover.1723615689.git.fahimitahera@gmail.com/
> v8: https://lore.kernel.org/all/cover.1722570749.git.fahimitahera@gmail.com/
> v7: https://lore.kernel.org/all/cover.1721269836.git.fahimitahera@gmail.com/
> v6: https://lore.kernel.org/all/Zn32CYZiu7pY+rdI@tahera-OptiPlex-5000/
> and https://lore.kernel.org/all/Zn32KKIJrY7Zi51K@tahera-OptiPlex-5000/
> v5: https://lore.kernel.org/all/ZnSZnhGBiprI6FRk@tahera-OptiPlex-5000/
> v4: https://lore.kernel.org/all/ZnNcE3ph2SWi1qmd@tahera-OptiPlex-5000/
> v3: https://lore.kernel.org/all/ZmJJ7lZdQuQop7e5@tahera-OptiPlex-5000/
> v2: https://lore.kernel.org/all/ZgX5TRTrSDPrJFfF@tahera-OptiPlex-5000/
> v1: https://lore.kernel.org/all/ZgXN5fi6A1YQKiAQ@tahera-OptiPlex-5000/
> 
> Tahera Fahimi (8):
>   Landlock: Add abstract UNIX socket restriction
>   selftests/landlock: Add test for handling unknown scope
>   selftests/landlock: Add abstract UNIX socket restriction tests
>   selftests/landlock: Add tests for UNIX sockets with any address
>     formats
>   selftests/landlock: Test connected vs non-connected datagram UNIX
>     socket
>   selftests/landlock: Restrict inherited datagram UNIX socket to connect
>   sample/landlock: Add support abstract UNIX socket restriction
>   Landlock: Document LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET and ABI
>     version
> 
>  Documentation/userspace-api/landlock.rst      |  45 +-
>  include/uapi/linux/landlock.h                 |  28 +
>  samples/landlock/sandboxer.c                  |  61 +-
>  security/landlock/limits.h                    |   3 +
>  security/landlock/ruleset.c                   |   7 +-
>  security/landlock/ruleset.h                   |  24 +-
>  security/landlock/syscalls.c                  |  17 +-
>  security/landlock/task.c                      | 136 +++
>  tools/testing/selftests/landlock/base_test.c  |   2 +-
>  tools/testing/selftests/landlock/common.h     |  38 +
>  tools/testing/selftests/landlock/net_test.c   |  31 +-
>  .../landlock/scoped_abstract_unix_test.c      | 993 ++++++++++++++++++
>  .../selftests/landlock/scoped_base_variants.h | 154 +++
>  .../selftests/landlock/scoped_common.h        |  28 +
>  .../scoped_multiple_domain_variants.h         | 154 +++
>  .../testing/selftests/landlock/scoped_test.c  |  33 +
>  16 files changed, 1709 insertions(+), 45 deletions(-)
>  create mode 100644 tools/testing/selftests/landlock/scoped_abstract_unix_test.c
>  create mode 100644 tools/testing/selftests/landlock/scoped_base_variants.h
>  create mode 100644 tools/testing/selftests/landlock/scoped_common.h
>  create mode 100644 tools/testing/selftests/landlock/scoped_multiple_domain_variants.h
>  create mode 100644 tools/testing/selftests/landlock/scoped_test.c
> 
> -- 
> 2.34.1
>