From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com [209.85.215.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 160E31E515 for ; Thu, 18 Jul 2024 04:15:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.176 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276149; cv=none; b=fY3DtlGL3oTzfD5mQzEsc4hfN0tHKvaPz3QRS+vIVI4IWMAHFfmXANSji52ySu+oGKlr4y69EFRIwhdDDjemrtr9UNV4JI/bN7xpRDWM96Eq1BbUdOD0HHlWe/8xS0XJ1BzGgaK+IUmgQZNrGNBqsJ+S4KuAr78N7OM2hwAXalA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276149; c=relaxed/simple; bh=xS9HzJ26eapCxsqG22ug07nWyykWP5myd8/Gi2rEkfs=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version:Content-Type; b=LyEF+erlbvc1wnXOskPVGh6xr/D3+M6S8lABfMfZE1bjr0+CoInGgu0UBCLMAupkYUwxpygvHx6La8R4CSsOw/tlOs8pZeFu28RqDTq3Wd02QB5dA0thMMgMCQGk+kcmSAH6mXAz2AEt7vaebQeAp7r7Vs6R+4Kjj7Vfv5ERh+8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ia2iXgiw; arc=none smtp.client-ip=209.85.215.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ia2iXgiw" Received: by mail-pg1-f176.google.com with SMTP id 41be03b00d2f7-75a6c290528so201717a12.1 for ; Wed, 17 Jul 2024 21:15:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721276147; x=1721880947; darn=lists.linux.dev; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=1xfBb1hnVWsV5Z8J/Lq5YU91WCxCZemS1KmpZKl+3DM=; b=ia2iXgiwK5skgo9KQa+G+GWoy28PLWhfaa3/RXLUMM6+i1kwdOhVJbkNotYNUMyCO9 nI3vVpOD0BI+MtVvfoF2GZqHGrM+B/H8TyN02/e/3GPoyb7BhgAb9nK/ebZWyIktt6JZ 8krrL+w/L8bWCKlndq4LZUCYDOqEJtuyy/PcP5xiWQrLMXK5igo5fy8KYOrlNuX7D0wf VXuOvVrTp0+vlAwuGs8B09ZW2juU8t7zUSSt0FniGB2Xed/jta2/wrDmOn3H1t13E9mS t1WFGcuCQtyfItpFMwWffR9S0TWNiB5cW2iW/4bCinmIoDBVIx79X6qPe42K+p+CB5UI jUCw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721276147; x=1721880947; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1xfBb1hnVWsV5Z8J/Lq5YU91WCxCZemS1KmpZKl+3DM=; b=ASD4GMChH3u2ueoq2q5Jxrky4BwIVYwIDnQLNvfHFmCh3lsdfWm077Z70uOPom6F/g +UZqyMCQmtcCxdFGHBqobjQNXfD6N0jTzkqZfZoc7eu0qXuV7Bdl34iiGXCRXiVy7wbP 1MwmjylnOMGMpJVqPqOIONDhNLmGdiUqwMyVzqZOUmuQD6+UlkLEGG17TlVGH97AD9pW COpjRCBnIdLPEfP9bsgw0/LXcvWQScYjnzBYIiQNZWukUdfa3IhBKSYYp+DsaNg+2pNr 0hi2IJyOhaYK8jCEJqIcGc5sWPa4lcL77MIrNFhdUQ1sJQWgnMyyVpAXJ/U414PHfq91 35TQ== X-Forwarded-Encrypted: i=1; AJvYcCX76SQ7c9RrvrqN1TjSTDUc6wmCb4J8HHxfvaJeRPOICfarc+aHIvYQQbNIMpQDtpkhNMTfDnVV7/CxNhNidhsZri+vl/PDKG8o X-Gm-Message-State: AOJu0YxBlisxE6UP3KDBEiScyJ7Ec3zBq3T8J32KqxgS1uKFrNDapOrm ENPp+R9wyfzh5kYEaPibsrobWmz96muYZ5L+1O+uEJ7eQeHJyhsW X-Google-Smtp-Source: AGHT+IESaYhpfV02sqOsiWtMIHrOjSqm0AcrATEmKLVT9QNkCxeByy3igBQsB6Kqh7pEJw5O6a//Jg== X-Received: by 2002:a05:6a20:9147:b0:1c2:8bcf:a38e with SMTP id adf61e73a8af0-1c3fdd338ddmr4456730637.37.1721276147082; Wed, 17 Jul 2024 21:15:47 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1fc0bc38dc0sm83152785ad.215.2024.07.17.21.15.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Jul 2024 21:15:46 -0700 (PDT) From: Tahera Fahimi To: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, outreachy@lists.linux.dev, netdev@vger.kernel.org Cc: Tahera Fahimi Subject: [PATCH v7 0/4] Landlock: Abstract Unix Socket Scoping Support Date: Wed, 17 Jul 2024 22:15:18 -0600 Message-Id: X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: outreachy@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patch series adds scoping mechanism for abstract unix sockets. Closes: https://github.com/landlock-lsm/linux/issues/7 Problem ======= Abstract unix sockets are used for local inter-process communications independent of the filesystem. Currently, a sandboxed process can connect to a socket outside of the sandboxed environment, since Landlock has no restriction for connecting to an abstract socket address(see more details in [1,2]). Access to such sockets for a sandboxed process should be scoped the same way ptrace is limited. [1] https://lore.kernel.org/all/20231023.ahphah4Wii4v@digikod.net/ [2] https://lore.kernel.org/all/20231102.MaeWaepav8nu@digikod.net/ Solution ======== To solve this issue, we extend the user space interface by adding a new "scoped" field to Landlock ruleset attribute structure. This field can contains different rights to restrict different functionalities. For abstract unix sockets, we introduce "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET" field to specify that a ruleset will deny any connection from within the sandbox domain to its parent (i.e. any parent sandbox or non-sandbox processes). Example ======= Starting a listening socket with socat(1): socat abstract-listen:mysocket - Starting a sandboxed shell from $HOME with samples/landlock/sandboxer: LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="a" ./sandboxer /bin/bash If we try to connect to the listening socket, the connection would be refused. socat - abstract-connect:mysocket --> fails Notes of Implementation ======================= * Using the "scoped" field provides enough compatibility and flexibility to extend the scoping mechanism for other IPCs(e.g. signals). * To access the domain of a socket, we use its credentials of the file's FD which point to the credentials of the process that created the socket. (see more details in [3]). Cases where the process using the socket has a different domain than the process created it are covered in the unix_sock_special_cases test. [3] https://lore.kernel.org/outreachy/Zmi8Ydz4Z6tYtpY1@tahera-OptiPlex-5000/T/#m8cdf33180d86c7ec22932e2eb4ef7dd4fc94c792 Thanks to Mickaël Salaün and Paul Moore for guiding me through this implementation. Previous Versions ================= v6: https://lore.kernel.org/all/Zn32CYZiu7pY+rdI@tahera-OptiPlex-5000/ and https://lore.kernel.org/all/Zn32KKIJrY7Zi51K@tahera-OptiPlex-5000/ v5: https://lore.kernel.org/all/ZnSZnhGBiprI6FRk@tahera-OptiPlex-5000/ v4: https://lore.kernel.org/all/ZnNcE3ph2SWi1qmd@tahera-OptiPlex-5000/ v3: https://lore.kernel.org/all/ZmJJ7lZdQuQop7e5@tahera-OptiPlex-5000/ v2: https://lore.kernel.org/all/ZgX5TRTrSDPrJFfF@tahera-OptiPlex-5000/ v1: https://lore.kernel.org/all/ZgXN5fi6A1YQKiAQ@tahera-OptiPlex-5000/ Tahera Fahimi (4): Landlock: Add abstract unix socket connect restriction selftests/landlock: Abstract unix socket restriction tests samples/landlock: Support abstract unix socket restriction documentation/landlock: Adding scoping mechanism documentation Documentation/userspace-api/landlock.rst | 23 +- include/uapi/linux/landlock.h | 29 + samples/landlock/sandboxer.c | 25 +- security/landlock/limits.h | 3 + security/landlock/ruleset.c | 7 +- security/landlock/ruleset.h | 23 +- security/landlock/syscalls.c | 14 +- security/landlock/task.c | 112 +++ tools/testing/selftests/landlock/base_test.c | 2 +- .../testing/selftests/landlock/ptrace_test.c | 867 ++++++++++++++++++ 10 files changed, 1088 insertions(+), 17 deletions(-) -- 2.34.1