| From: |
| Tahera Fahimi <fahimitahera-AT-gmail.com> |
| To: |
| mic-AT-digikod.net, gnoack-AT-google.com, paul-AT-paul-moore.com, jmorris-AT-namei.org, serge-AT-hallyn.com, linux-security-module-AT-vger.kernel.org, linux-kernel-AT-vger.kernel.org, bjorn3_gh-AT-protonmail.com, jannh-AT-google.com, outreachy-AT-lists.linux.dev, netdev-AT-vger.kernel.org |
| Subject: |
| [PATCH v7 0/4] Landlock: Abstract Unix Socket Scoping Support |
| Date: |
| Wed, 17 Jul 2024 22:15:18 -0600 |
| Message-ID: |
| <cover.1721269836.git.fahimitahera@gmail.com> |
| Cc: |
| Tahera Fahimi <fahimitahera-AT-gmail.com> |
| Archive-link: |
| Article |
This patch series adds scoping mechanism for abstract unix sockets.
Closes: https://github.com/landlock-lsm/linux/issues/7
Problem
=======
Abstract unix sockets are used for local inter-process communications
independent of the filesystem. Currently, a sandboxed process can
connect to a socket outside of the sandboxed environment, since Landlock
has no restriction for connecting to an abstract socket address(see more
details in [1,2]). Access to such sockets for a sandboxed process should
be scoped the same way ptrace is limited.
[1] https://lore.kernel.org/all/20231023.ahphah4Wii4v@digikod...
[2] https://lore.kernel.org/all/20231102.MaeWaepav8nu@digikod...
Solution
========
To solve this issue, we extend the user space interface by adding a new
"scoped" field to Landlock ruleset attribute structure. This field can
contains different rights to restrict different functionalities. For
abstract unix sockets, we introduce
"LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET" field to specify that a ruleset
will deny any connection from within the sandbox domain to its parent
(i.e. any parent sandbox or non-sandbox processes).
Example
=======
Starting a listening socket with socat(1):
socat abstract-listen:mysocket -
Starting a sandboxed shell from $HOME with samples/landlock/sandboxer:
LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="a" ./sandboxer /bin/bash
If we try to connect to the listening socket, the connection would be
refused.
socat - abstract-connect:mysocket --> fails
Notes of Implementation
=======================
* Using the "scoped" field provides enough compatibility and flexibility
to extend the scoping mechanism for other IPCs(e.g. signals).
* To access the domain of a socket, we use its credentials of the file's FD
which point to the credentials of the process that created the socket.
(see more details in [3]). Cases where the process using the socket has
a different domain than the process created it are covered in the
unix_sock_special_cases test.
[3] https://lore.kernel.org/outreachy/Zmi8Ydz4Z6tYtpY1@tahera...
Thanks to Mickaël Salaün and Paul Moore for guiding me through this
implementation.
Previous Versions
=================
v6: https://lore.kernel.org/all/Zn32CYZiu7pY+rdI@tahera-OptiP...
and https://lore.kernel.org/all/Zn32KKIJrY7Zi51K@tahera-OptiP...
v5: https://lore.kernel.org/all/ZnSZnhGBiprI6FRk@tahera-OptiP...
v4: https://lore.kernel.org/all/ZnNcE3ph2SWi1qmd@tahera-OptiP...
v3: https://lore.kernel.org/all/ZmJJ7lZdQuQop7e5@tahera-OptiP...
v2: https://lore.kernel.org/all/ZgX5TRTrSDPrJFfF@tahera-OptiP...
v1: https://lore.kernel.org/all/ZgXN5fi6A1YQKiAQ@tahera-OptiP...
Tahera Fahimi (4):
Landlock: Add abstract unix socket connect restriction
selftests/landlock: Abstract unix socket restriction tests
samples/landlock: Support abstract unix socket restriction
documentation/landlock: Adding scoping mechanism documentation
Documentation/userspace-api/landlock.rst | 23 +-
include/uapi/linux/landlock.h | 29 +
samples/landlock/sandboxer.c | 25 +-
security/landlock/limits.h | 3 +
security/landlock/ruleset.c | 7 +-
security/landlock/ruleset.h | 23 +-
security/landlock/syscalls.c | 14 +-
security/landlock/task.c | 112 +++
tools/testing/selftests/landlock/base_test.c | 2 +-
.../testing/selftests/landlock/ptrace_test.c | 867 ++++++++++++++++++
10 files changed, 1088 insertions(+), 17 deletions(-)
--
2.34.1
