From: Tahera Fahimi <fahimitahera@gmail.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: outreachy@lists.linux.dev, gnoack@google.com,
	paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com,
	jannh@google.com, netdev@vger.kernel.org
Subject: Re: [PATCH v4 0/6] landlock: Signal scoping support
Date: Wed, 11 Sep 2024 18:15:24 -0600
Message-ID: <ZuIynFIRt475uBP5@tahera-OptiPlex-5000>
In-Reply-To: <20240911.BieLu8DooJiw@digikod.net>

On Wed, Sep 11, 2024 at 08:17:04PM +0200, Mickaël Salaün wrote:
> We should also have the same tests as for scoped_vs_unscoped variants.

Hi,

Thanks for the review, I will add them soon.

> I renamed them from the abstract unix socket patch series, please take a
> look:
> https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=next

Wonderful! Thank you :)

> I'll send more reviews tomorrow and I'll fix most of them in my -next
> branch (WIP), except for the hook_file_send_sigiotask tests and these
> scoped_vs_unscoped variants that you should resolve.

I will keep an eye on reviews. What parts of hook_file_send_sigiotask
would need changes?

> On Fri, Sep 06, 2024 at 03:30:02PM -0600, Tahera Fahimi wrote:
> > This patch series adds scoping mechanism for signals.
> > Closes: https://github.com/landlock-lsm/linux/issues/8
> > 
> > Problem
> > =======
> > 
> > A sandboxed process is currently not restricted from sending signals
> > (e.g. SIGKILL) to processes outside the sandbox since Landlock has no
> > restriction on signals (see more details in [1]).
> > 
> > A simple way to apply this restriction would be to scope signals the
> > same way abstract unix sockets are restricted.
> > 
> > [1] https://lore.kernel.org/all/20231023.ahphah4Wii4v@digikod.net/
> > 
> > Solution
> > ========
> > 
> > To solve this issue, we extend the "scoped" field in the Landlock
> > ruleset attribute structure by introducing "LANDLOCK_SCOPED_SIGNAL"
> > field to specify that a ruleset will deny sending any signals from
> > within the sandbox domain to its parent (i.e. any parent sandbox or
> > non-sandbox processes).
> > 
> > Example
> > =======
> > 
> > Create a sandboxed shell and pass the character "s" to LL_SCOPED:
> > LL_FD_RO=/ LL_FS_RW=. LL_SCOPED="s" ./sandboxer /bin/bash
> > Try to send a signal (like SIGTRAP) to a process ID <PID> through:
> > kill -SIGTRAP <PID>
> > The sandboxed process should not be able to send the signal.
> > 
> > Previous Versions
> > =================
> > v3: https://lore.kernel.org/all/cover.1723680305.git.fahimitahera@gmail.com/
> > v2: https://lore.kernel.org/all/cover.1722966592.git.fahimitahera@gmail.com/
> > v1: https://lore.kernel.org/all/cover.1720203255.git.fahimitahera@gmail.com/
> > 
> > Tahera Fahimi (6):
> >   landlock: Add signal scoping control
> >   selftest/landlock: Signal restriction tests
> >   selftest/landlock: Add signal_scoping_threads test
> >   selftest/landlock: Test file_send_sigiotask by sending out-of-bound
> >     message
> >   sample/landlock: Support sample for signal scoping restriction
> >   landlock: Document LANDLOCK_SCOPED_SIGNAL
> > 
> >  Documentation/userspace-api/landlock.rst      |  22 +-
> >  include/uapi/linux/landlock.h                 |   3 +
> >  samples/landlock/sandboxer.c                  |  17 +-
> >  security/landlock/fs.c                        |  17 +
> >  security/landlock/fs.h                        |   6 +
> >  security/landlock/limits.h                    |   2 +-
> >  security/landlock/task.c                      |  59 +++
> >  .../selftests/landlock/scoped_signal_test.c   | 371 ++++++++++++++++++
> >  .../testing/selftests/landlock/scoped_test.c  |   2 +-
> >  9 files changed, 486 insertions(+), 13 deletions(-)
> >  create mode 100644 tools/testing/selftests/landlock/scoped_signal_test.c
> > 
> > -- 
> > 2.34.1
> > 
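
Added example, not part of the original message or the patch series: a probe that forks a child, places it in a signal-scoped Landlock domain, and checks that signalling the parent (outside the domain) fails with EPERM. Assumptions: the flag is bit 1 of "scoped" and needs Landlock ABI version 6, as in the merged UAPI where it is named LANDLOCK_SCOPE_SIGNAL; the LL_*, NR_LL_* and PROBE_* names are local to this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Local copies (assumed to match merged UAPI) so this builds with older headers. */
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net, scoped; };
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_SCOPE_SIGNAL (1ULL << 1)
#define NR_LL_CREATE_RULESET 444
#define NR_LL_RESTRICT_SELF 446
enum { PROBE_UNSUPPORTED = -1, PROBE_ALLOWED = 0, PROBE_DENIED = 1 };

/* Child side: optionally enter a signal-scoped domain, then probe the parent. */
static int child_probe(int scoped)
{
	struct ll_ruleset_attr attr = { .scoped = LL_SCOPE_SIGNAL };

	if (scoped) {
		/* Kernels without the "scoped" field report an ABI below 6 or fail. */
		if (syscall(NR_LL_CREATE_RULESET, NULL, (size_t)0, LL_CREATE_RULESET_VERSION) < 6)
			return PROBE_UNSUPPORTED;
		int fd = syscall(NR_LL_CREATE_RULESET, &attr, sizeof(attr), 0);
		if (fd < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
		    syscall(NR_LL_RESTRICT_SELF, fd, 0))
			return PROBE_UNSUPPORTED;
	}
	if (kill(getppid(), 0) == 0) /* signal 0: permission check only */
		return PROBE_ALLOWED;
	return errno == EPERM ? PROBE_DENIED : PROBE_UNSUPPORTED;
}

/* The restriction cannot be undone, so it is applied in a forked child only. */
int signal_scope_probe(int scoped)
{
	int status;
	pid_t pid = fork();

	if (pid == 0)
		_exit(child_probe(scoped) + 1); /* exit status 0..2 */
	if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
		return PROBE_UNSUPPORTED;
	return WEXITSTATUS(status) - 1;
}

int main(void) { printf("%d %d\n", signal_scope_probe(0), signal_scope_probe(1)); return 0; }
```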

