[PATCH man 2/3] landlock.7: Move over documentation for ABI version 6

public inbox for linux-man@vger.kernel.org
 help / color / mirror / Atom feed

From: "Günther Noack" <gnoack@google.com>
To: Alejandro Colomar <alx@kernel.org>
Cc: linux-man@vger.kernel.org, linux-security-module@vger.kernel.org,
	"Günther Noack" <gnoack@google.com>,
	"Mickaël Salaün" <mic@digikod.net>,
	"Tahera Fahimi" <fahimitahera@gmail.com>,
	"Tanya Agarwal" <tanyaagarwal25699@gmail.com>
Subject: [PATCH man 2/3] landlock.7: Move over documentation for ABI version 6
Date: Fri, 24 Jan 2025 16:37:09 +0000	[thread overview]
Message-ID: <20250124163709.168805-3-gnoack@google.com> (raw)
In-Reply-To: <20250124154445.162841-1-gnoack@google.com>

With this ABI version, Landlock can restrict outgoing interactions with
higher-privileged Landlock domains through Abstract Unix Domain sockets and
signals.

Cc: Mickaël Salaün <mic@digikod.net>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Cc: Tanya Agarwal <tanyaagarwal25699@gmail.com>
Signed-off-by: Günther Noack <gnoack@google.com>
---
 man/man7/landlock.7 | 69 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 1 deletion(-)

diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 11f76b072..30dbac73d 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -248,7 +248,8 @@ This access right is available since the fifth version of the Landlock ABI.
 .SS Network flags
 These flags enable to restrict a sandboxed process
 to a set of network actions.
-This is supported since the Landlock ABI version 4.
+.P
+This is supported since Landlock ABI version 4.
 .P
 The following access rights apply to TCP port numbers:
 .TP
@@ -258,6 +259,24 @@ Bind a TCP socket to a local port.
 .B LANDLOCK_ACCESS_NET_CONNECT_TCP
 Connect an active TCP socket to a remote port.
 .\"
+.SS Scope flags
+These flags enable to isolate a sandboxed process from a set of IPC actions.
+Setting a flag for a ruleset will isolate the Landlock domain
+to forbid connections to resources outside the domain.
+.P
+This is supported since Landlock ABI version 6.
+.P
+The following scopes exist:
+.TP
+.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+Restrict a sandboxed process from connecting to an abstract UNIX socket
+created by a process outside the related Landlock domain
+(e.g., a parent domain or a non-sandboxed process).
+.TP
+.B LANDLOCK_SCOPE_SIGNAL
+Restrict a sandboxed process from sending a signal
+to another process outside the domain.
+.\"
 .SS Layers of file path access rights
 Each time a thread enforces a ruleset on itself,
 it updates its Landlock domain with a new layer of policy.
@@ -334,6 +353,51 @@ and related syscalls on a target process,
 a sandboxed process should have a subset of the target process rules,
 which means the tracee must be in a sub-domain of the tracer.
 .\"
+.SS IPC scoping
+Similar to the implicit
+.BR "Ptrace restrictions" ,
+we may want to further restrict interactions between sandboxes.
+Each Landlock domain can be explicitly scoped for a set of actions
+by specifying it on a ruleset.
+For example, if a sandboxed process should not be able to
+.BR connect (2)
+to a non-sandboxed process through abstract
+.BR unix (7)
+sockets,
+we can specify such a restriction with
+.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET .
+Moreover, if a sandboxed process should not be able
+to send a signal to a non-sandboxed process,
+we can specify this restriction with
+.BR LANDLOCK_SCOPE_SIGNAL .
+.P
+A sandboxed process can connect to a non-sandboxed process
+when its domain is not scoped.
+If a process's domain is scoped,
+it can only connect to sockets created by processes in the same scope.
+Moreover,
+If a process is scoped to send signal to a non-scoped process,
+it can only send signals to processes in the same scope.
+.P
+A connected datagram socket behaves like a stream socket
+when its domain is scoped,
+meaning if the domain is scoped after the socket is connected,
+it can still
+.BR send (2)
+data just like a stream socket.
+However, in the same scenario,
+a non-connected datagram socket cannot send data (with
+.BR sendto (2))
+outside its scope.
+.P
+A process with a scoped domain can inherit a socket
+created by a non-scoped process.
+The process cannot connect to this socket since it has a scoped domain.
+.P
+IPC scoping does not support exceptions, so if a domain is scoped,
+no rules can be added to allow access to resources or processes
+outside of the scope.
+.\"
 .SS Truncating files
 The operations covered by
 .B LANDLOCK_ACCESS_FS_WRITE_FILE
@@ -413,6 +477,9 @@ _	_	_
 \^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
 _	_	_
 5	6.10	LANDLOCK_ACCESS_FS_IOCTL_DEV
+_	_	_
+6	6.12	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+\^	\^	LANDLOCK_SCOPE_SIGNAL
 .TE
 .P
 Users should use the Landlock ABI version rather than the kernel version
-- 
2.48.1.262.g85cc9f2d1e-goog

next prev parent reply	other threads:[~2025-01-24 16:37 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20250124154445.162841-1-gnoack@google.com>
     [not found] ` <20250124154445.162841-2-gnoack@google.com>
2025-01-24 15:59   ` [PATCH 2/2] landlock: Clarify IPC scoping documentation Günther Noack
2025-02-02 12:51     ` Alejandro Colomar
2025-02-26 20:52       ` Günther Noack
2025-02-26 21:21         ` Alejandro Colomar
2025-02-11 15:20     ` Mickaël Salaün
2025-01-24 16:37 ` [PATCH man 1/3] landlock.7: Update description of Landlock rules Günther Noack
2025-01-24 16:37 ` Günther Noack [this message]
2025-01-24 16:37 ` [PATCH man 3/3] landlock.7: Update wording in line with kernel side proposal Günther Noack
2025-02-11 15:17 ` [PATCH 1/2] landlock: Minor typo and grammar fixes in IPC scoping documentation Mickaël Salaün
2025-02-11 15:27   ` Alejandro Colomar
2025-02-11 15:53     ` Mickaël Salaün
2025-02-11 16:13       ` Alejandro Colomar
2025-02-11 18:08         ` G. Branden Robinson
2025-02-12 15:15           ` Alejandro Colomar
2025-02-11 19:24         ` Mickaël Salaün
2025-02-12 15:06           ` Alejandro Colomar
2025-02-26 20:24             ` Günther Noack
2025-02-26 20:57               ` Alejandro Colomar
2025-02-26 21:38                 ` Günther Noack
2025-02-26 21:51                   ` Alejandro Colomar

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:11f76b07 dfblob:30dbac73 )
 OR (
bs:"[PATCH man 2/3] landlock.7: Move over documentation for ABI version 6" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250124163709.168805-3-gnoack@google.com \
    --to=gnoack@google.com \
    --cc=alx@kernel.org \
    --cc=fahimitahera@gmail.com \
    --cc=linux-man@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mic@digikod.net \
    --cc=tanyaagarwal25699@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox