From: "Günther Noack" <gnoack@google.com>
To: linux-security-module@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
"Tanya Agarwal" <tanyaagarwal25699@gmail.com>,
"Alejandro Colomar" <alx@kernel.org>,
linux-man@vger.kernel.org
Subject: Re: [PATCH 2/2] landlock: Clarify IPC scoping documentation
Date: Fri, 24 Jan 2025 16:59:29 +0100 [thread overview]
Message-ID: <Z5O44dxg8y-QZV62@google.com> (raw)
In-Reply-To: <20250124154445.162841-2-gnoack@google.com>
Hi!
This is an attempt to clarify the kernel documentation for Landlock's IPC
scoping support before I send the same wording to the man page list in troff
format.
(Adding Alejandro and the man-page list to get an early review on wording and
clarity.)
On Fri, Jan 24, 2025 at 03:44:45PM +0000, Günther Noack wrote:
> * Clarify terminology
> * Stop mixing the unix(7) and signal(7) aspects in the explanation.
>
> Terminology:
>
> * The *IPC Scope* of a Landlock domain is that Landlock domain and its
> nested domains.
> * An *operation* (e.g., signaling, connecting to abstract UDS) is said
> *to be scoped within a domain* when the flag for that operation was
> *set at ruleset creation time. This means that for the purpose of
> *this operation, only processes within the domain's IPC scope are
> *reachable.
>
> Cc: Mickaël Salaün <mic@digikod.net>
> Cc: Tahera Fahimi <fahimitahera@gmail.com>
> Cc: Tanya Agarwal <tanyaagarwal25699@gmail.com>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
> Documentation/userspace-api/landlock.rst | 53 ++++++++++++------------
> 1 file changed, 26 insertions(+), 27 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index ca8b325d53e5..6b80106d33de 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -317,33 +317,32 @@ IPC scoping
> -----------
>
> Similar to the implicit `Ptrace restrictions`_, we may want to further restrict
> -interactions between sandboxes. Each Landlock domain can be explicitly scoped
> -for a set of actions by specifying it on a ruleset. For example, if a
> -sandboxed process should not be able to :manpage:`connect(2)` to a
> -non-sandboxed process through abstract :manpage:`unix(7)` sockets, we can
> -specify such a restriction with ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``.
> -Moreover, if a sandboxed process should not be able to send a signal to a
> -non-sandboxed process, we can specify this restriction with
> -``LANDLOCK_SCOPE_SIGNAL``.
> -
> -A sandboxed process can connect to a non-sandboxed process when its domain is
> -not scoped. If a process's domain is scoped, it can only connect to sockets
> -created by processes in the same scope.
> -Moreover, if a process is scoped to send signal to a non-scoped process, it can
> -only send signals to processes in the same scope.
> -
> -A connected datagram socket behaves like a stream socket when its domain is
> -scoped, meaning if the domain is scoped after the socket is connected, it can
> -still :manpage:`send(2)` data just like a stream socket. However, in the same
> -scenario, a non-connected datagram socket cannot send data (with
> -:manpage:`sendto(2)`) outside its scope.
> -
> -A process with a scoped domain can inherit a socket created by a non-scoped
> -process. The process cannot connect to this socket since it has a scoped
> -domain.
Tahera, Mickaël:
I suspect what was meant in this paragraph are Abstract Unix Domain Sockets of
the datagram type? -- the scenario where the process has an (unconnected) Unix
Datagram Socket and then can not call connect(2) or send(2) *on* it?
I removed this paragraph because I believe it's sufficiently covered in the
section that I wrote about Abstract Unix Domain Sockets below. If I'm
misunderstanding this, please let me know. :)
> -
> -IPC scoping does not support exceptions, so if a domain is scoped, no rules can
> -be added to allow access to resources or processes outside of the scope.
> +interactions between sandboxes. Therefore, at ruleset creation time, each
> +Landlock domain can restrict the scope for certain operations, so that these
> +operations can only reach out to processes within the same Landlock domain or in
> +a nested Landlock domain (the "scope").
> +
> +The operations which can be scoped are:
> +
> +``LANDLOCK_SCOPE_SIGNAL``
> + When set, this limits the sending of signals to target processes which run
> + within the same or a nested Landlock domain.
> +
> +``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``
> + When set, this limits the set of abstract :manpage:`unix(7)` sockets we can
> + :manpage:`connect(2)` to to socket addresses which were created by a process
> + in the same or a nested Landlock domain.
> +
> + A :manpage:`send(2)` on a non-connected datagram socket is treated like an
> + implicit :manpage:`connect(2)` and will be blocked when the remote end does
> + not stem from the same or a nested Landlock domain.
> +
> + A :manpage:`send(2)` on a socket which was previously connected will work.
> + This works for both datagram and stream sockets.
> +
> +IPC scoping does not support exceptions via :manpage:`landlock_add_rule(2)`.
> +If an operation is scoped within a domain, no rules can be added to allow access
> +to resources or processes outside of the scope.
>
> Truncating files
> ----------------
> --
> 2.48.1.262.g85cc9f2d1e-goog
>
—Günther
next prev parent reply other threads:[~2025-01-24 15:59 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-24 15:44 [PATCH 1/2] landlock: Minor typo and grammar fixes in IPC scoping documentation Günther Noack
2025-01-24 15:44 ` [PATCH 2/2] landlock: Clarify " Günther Noack
2025-01-24 15:58 ` Daniel Burgener
2025-01-24 15:59 ` Günther Noack [this message]
2025-02-02 12:51 ` Alejandro Colomar
2025-02-26 20:52 ` Günther Noack
2025-02-26 21:21 ` Alejandro Colomar
2025-02-11 15:20 ` Mickaël Salaün
2025-01-24 16:37 ` [PATCH man 1/3] landlock.7: Update description of Landlock rules Günther Noack
2025-01-24 16:37 ` [PATCH man 2/3] landlock.7: Move over documentation for ABI version 6 Günther Noack
2025-01-24 16:37 ` [PATCH man 3/3] landlock.7: Update wording in line with kernel side proposal Günther Noack
2025-02-11 15:17 ` [PATCH 1/2] landlock: Minor typo and grammar fixes in IPC scoping documentation Mickaël Salaün
2025-02-11 15:27 ` Alejandro Colomar
2025-02-11 15:53 ` Mickaël Salaün
2025-02-11 16:13 ` Alejandro Colomar
2025-02-11 18:08 ` G. Branden Robinson
2025-02-12 15:15 ` Alejandro Colomar
2025-02-11 19:24 ` Mickaël Salaün
2025-02-12 15:06 ` Alejandro Colomar
2025-02-26 20:24 ` Günther Noack
2025-02-26 20:57 ` Alejandro Colomar
2025-02-26 21:38 ` Günther Noack
2025-02-26 21:51 ` Alejandro Colomar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z5O44dxg8y-QZV62@google.com \
--to=gnoack@google.com \
--cc=alx@kernel.org \
--cc=fahimitahera@gmail.com \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=tanyaagarwal25699@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).