From: "Mickaël Salaün" <mic@digikod.net>
To: Tingmao Wang <m@maowtm.org>
Cc: "Günther Noack" <gnoack@google.com>,
"Demi Marie Obenour" <demiobenour@gmail.com>,
"Alyssa Ross" <hi@alyssa.is>, "Jann Horn" <jannh@google.com>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
"Justin Suess" <utilityemal77@gmail.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2 1/6] landlock: Add LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET scope bit to uAPI
Date: Thu, 29 Jan 2026 22:27:08 +0100
Message-ID: <20260129.Gie0HaenguiG@digikod.net>
In-Reply-To: <88f914eb2024fa1fffe219e34c33a835b31730b8.1767115163.git.m@maowtm.org>
On Tue, Dec 30, 2025 at 05:20:19PM +0000, Tingmao Wang wrote:
> Add the new scope bit to the uAPI header, add documentation, and bump ABI
> version to 8.
This patch and the next one should be folded together. If a new UAPI is
added, it should come with the kernel implementation.
>
> This documentation edit specifically calls out the security implications of
> not restricting sockets.
>
> Fix some minor cosmetic issue in landlock.h around the changed lines as
> well.
>
> Signed-off-by: Tingmao Wang <m@maowtm.org>
> ---
>
> Changes in v2:
> - Fix grammar
>
> Note that in the code block in "Defining and enforcing a security policy"
> the switch case currently jumps from 5 to 7. This should be fixed by
> https://lore.kernel.org/all/20251216210248.4150777-1-samasth.norway.ananda@oracle.com/
>
> Documentation/userspace-api/landlock.rst | 37 ++++++++++++++++---
> include/uapi/linux/landlock.h | 8 +++-
> security/landlock/limits.h | 2 +-
> security/landlock/syscalls.c | 2 +-
> tools/testing/selftests/landlock/base_test.c | 2 +-
> .../testing/selftests/landlock/scoped_test.c | 2 +-
> 6 files changed, 42 insertions(+), 11 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 1d0c2c15c22e..5620a2be1091 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -83,7 +83,8 @@ to be explicit about the denied-by-default access rights.
> LANDLOCK_ACCESS_NET_CONNECT_TCP,
> .scoped =
> LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
> - LANDLOCK_SCOPE_SIGNAL,
> + LANDLOCK_SCOPE_SIGNAL |
> + LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET,
> };
>
> Because we may not know which kernel version an application will be executed
> @@ -127,6 +128,10 @@ version, and only use the available subset of access rights:
> /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
> ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
> LANDLOCK_SCOPE_SIGNAL);
> + __attribute__((fallthrough));
> + case 7:
> + /* Removes LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET for ABI < 8 */
> + ruleset_attr.scoped &= ~LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
> }
>
> This enables the creation of an inclusive ruleset that will contain our rules.
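Review bot: the new `case 7:` is only reached from `case 5:` through the added fallthrough, and the switch still has no `case 6:` (the note under the `---` line acknowledges the jump from 5 to 7). On a kernel reporting ABI 6, no case matches, `LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET` stays set in `ruleset_attr.scoped`, and `landlock_create_ruleset()` rejects the unknown bit, so the sample would fail exactly on the kernels this fallback is meant to support. Either make this series depend on the referenced `case 6:` fix landing first, or carry that case here so the chain `case 5` -> `case 6` -> `case 7` is complete in the documented snippet.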
> @@ -328,10 +333,15 @@ The operations which can be scoped are:
> This limits the sending of signals to target processes which run within the
> same or a nested Landlock domain.
>
> -``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``
> - This limits the set of abstract :manpage:`unix(7)` sockets to which we can
> - :manpage:`connect(2)` to socket addresses which were created by a process in
> - the same or a nested Landlock domain.
> +``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` and ``LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET``
> + This limits the set of :manpage:`unix(7)` sockets to which we can
> + :manpage:`connect(2)` to socket addresses which were created by a
> + process in the same or a nested Landlock domain.
> + ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` applies to abstract sockets,
> + and ``LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET`` applies to pathname
> + sockets.
The following part is not needed:
> Even though pathname sockets are represented in the
> + filesystem, Landlock filesystem rules do not currently control access
> + to them.
>
> A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
> it were doing an implicit :manpage:`connect(2)` and will be blocked if the
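Review bot: the merged entry now names two scope bits but keeps the singular "This limits the set of :manpage:`unix(7)` sockets to which we can :manpage:`connect(2)` to socket addresses", which no longer agrees with its subject and reads as a double "to". Suggest "These limit the :manpage:`unix(7)` sockets to which we can :manpage:`connect(2)` to those bound by a process in the same or a nested Landlock domain.", followed by the existing sentence assigning abstract sockets to one bit and pathname sockets to the other. The :manpage:`sendto(2)` paragraph that follows then applies to both bits without further change.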
> @@ -604,6 +614,23 @@ Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``,
> sys_landlock_restrict_self(). See Documentation/admin-guide/LSM/landlock.rst
> for more details on audit.
>
> +Pathname UNIX socket (ABI < 8)
> +------------------------------
> +
> +Starting with the Landlock ABI version 8, it is possible to restrict
> +connections to a pathname (non-abstract) :manpage:`unix(7)` socket by
> +setting ``LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET`` to the ``scoped`` ruleset
> +attribute. This works the same way as the abstract socket scoping.
> +
> +This allows sandboxing applications using only Landlock to protect against
> +bypasses relying on connecting to Unix sockets of other services running
> +under the same user. These services typically assume that any process
> +capable of connecting to a local Unix socket, or connecting with the
> +expected user credentials, is trusted. Without this protection, sandbox
> +escapes may be possible, especially when running in a standard desktop
> +environment, such as by using systemd-run, or sockets exposed by other
> +common applications.
> +
> .. _kernel_support:
>
> Kernel support
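Review bot: "by setting ``LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET`` to the ``scoped`` ruleset attribute" should read "in the ``scoped`` ruleset attribute", and "This works the same way as the abstract socket scoping" would be clearer as an explicit reference to the ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` description above, since that is where the connect/sendto semantics are actually defined. In the second paragraph, "This allows sandboxing applications using only Landlock to protect against bypasses" is ambiguous about what "using only Landlock" modifies; suggest "This lets applications sandboxed with Landlock alone protect themselves against bypasses that rely on connecting to Unix sockets of other services running as the same user."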
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> index f030adc462ee..590c6d4171a0 100644
> --- a/include/uapi/linux/landlock.h
> +++ b/include/uapi/linux/landlock.h
> @@ -364,10 +364,14 @@ struct landlock_net_port_attr {
> * related Landlock domain (e.g., a parent domain or a non-sandboxed process).
> * - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a signal
> * to another process outside the domain.
> + * - %LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET: Restrict a sandboxed process from
> + * connecting to a pathname UNIX socket created by a process outside the
> + * related Landlock domain.
> */
> /* clang-format off */
> #define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
> -#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
> -/* clang-format on*/
> +#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
> +#define LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET (1ULL << 2)
> +/* clang-format on */
>
> #endif /* _UAPI_LINUX_LANDLOCK_H */
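Review bot: the new kernel-doc entry for %LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET says "connecting to", but the landlock.rst change in this same patch states that a sendto(2) on a non-connected datagram socket is treated as an implicit connect(2) and is blocked too; the header comment is what most userspace developers read, so mention that case here as well so the two descriptions agree. The whitespace-only change to the %LANDLOCK_SCOPE_SIGNAL define and the `clang-format on */` fix are covered by the "minor cosmetic issue" sentence in the commit message, which is fine as long as they stay in the same patch that touches these lines.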
> diff --git a/security/landlock/limits.h b/security/landlock/limits.h
> index 65b5ff051674..d653e14dba10 100644
> --- a/security/landlock/limits.h
> +++ b/security/landlock/limits.h
> @@ -27,7 +27,7 @@
> #define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1)
> #define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET)
>
> -#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPE_SIGNAL
> +#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
> #define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1)
> #define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE)
>
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 0116e9f93ffe..66fd196be85a 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -161,7 +161,7 @@ static const struct file_operations ruleset_fops = {
> * Documentation/userspace-api/landlock.rst should be updated to reflect the
> * UAPI change.
> */
> -const int landlock_abi_version = 7;
> +const int landlock_abi_version = 8;
>
> /**
> * sys_landlock_create_ruleset - Create a new ruleset
> diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
> index 7b69002239d7..f4b1a275d8d9 100644
> --- a/tools/testing/selftests/landlock/base_test.c
> +++ b/tools/testing/selftests/landlock/base_test.c
> @@ -76,7 +76,7 @@ TEST(abi_version)
> const struct landlock_ruleset_attr ruleset_attr = {
> .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
> };
> - ASSERT_EQ(7, landlock_create_ruleset(NULL, 0,
> + ASSERT_EQ(8, landlock_create_ruleset(NULL, 0,
> LANDLOCK_CREATE_RULESET_VERSION));
>
> ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
> diff --git a/tools/testing/selftests/landlock/scoped_test.c b/tools/testing/selftests/landlock/scoped_test.c
> index b90f76ed0d9c..7f83512a328d 100644
> --- a/tools/testing/selftests/landlock/scoped_test.c
> +++ b/tools/testing/selftests/landlock/scoped_test.c
> @@ -12,7 +12,7 @@
>
> #include "common.h"
>
> -#define ACCESS_LAST LANDLOCK_SCOPE_SIGNAL
> +#define ACCESS_LAST LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
>
> TEST(ruleset_with_unknown_scope)
> {
> --
> 2.52.0
>