Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

landlock: Document LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET

Introduce LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET as an IPC scoping
mechanism available since Landlock ABI version 6. Update ruleset_attr,
Landlock ABI version, and access rights code blocks based on that.

Signed-off-by: Tahera Fahimi <fahimitahera@gmail.com>
Link: https://lore.kernel.org/r/ac75151861724c19ed62b500cfe497612d9a6607.1725494372.git.fahimitahera@gmail.com
[mic: Improve commit message and documentation, add a missing
fallthrough, reformat to 80 columns, improve some wording]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

Authored by Tahera Fahimi and committed by Mickaël Salaün
dba40c77 369b48b4

+42 -2
Documentation/userspace-api/landlock.rst
··· 8 8 ===================================== 9 9 10 10 :Author: Mickaël Salaün 11 - :Date: July 2024 11 + :Date: September 2024 12 12 13 13 The goal of Landlock is to enable to restrict ambient rights (e.g. global 14 14 filesystem or network access) for a set of processes. Because Landlock ··· 81 81 .handled_access_net = 82 82 LANDLOCK_ACCESS_NET_BIND_TCP | 83 83 LANDLOCK_ACCESS_NET_CONNECT_TCP, 84 + .scoped = 85 + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, 84 86 }; 85 87 86 88 Because we may not know on which kernel version an application will be ··· 121 119 case 4: 122 120 /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ 123 121 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; 122 + __attribute__((fallthrough)); 123 + case 5: 124 + /* Removes LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET for ABI < 6 */ 125 + ruleset_attr.scoped &= ~LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET; 124 126 } 125 127 126 128 This enables to create an inclusive ruleset that will contain our rules. ··· 312 306 process, a sandboxed process should have a subset of the target process rules, 313 307 which means the tracee must be in a sub-domain of the tracer. 314 308 309 + IPC scoping 310 + ----------- 311 + 312 + Similar to the implicit `Ptrace restrictions`_, we may want to further restrict 313 + interactions between sandboxes. Each Landlock domain can be explicitly scoped 314 + for a set of actions by specifying it on a ruleset. For example, if a 315 + sandboxed process should not be able to :manpage:`connect(2)` to a 316 + non-sandboxed process through abstract :manpage:`unix(7)` sockets, we can 317 + specify such restriction with ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``. 318 + 319 + A sandboxed process can connect to a non-sandboxed process when its domain is 320 + not scoped. If a process's domain is scoped, it can only connect to sockets 321 + created by processes in the same scope. 
322 + 323 + A connected datagram socket behaves like a stream socket when its domain is 324 + scoped, meaning if the domain is scoped after the socket is connected , it can 325 + still :manpage:`send(2)` data just like a stream socket. However, in the same 326 + scenario, a non-connected datagram socket cannot send data (with 327 + :manpage:`sendto(2)`) outside its scope. 328 + 329 + A process with a scoped domain can inherit a socket created by a non-scoped 330 + process. The process cannot connect to this socket since it has a scoped 331 + domain. 332 + 333 + IPC scoping does not support exceptions, so if a domain is scoped, no rules can 334 + be added to allow access to resources or processes outside of the scope. 335 + 315 336 Truncating files 316 337 ---------------- 317 338 ··· 437 404 ------------- 438 405 439 406 .. kernel-doc:: include/uapi/linux/landlock.h 440 - :identifiers: fs_access net_access 407 + :identifiers: fs_access net_access scope 441 408 442 409 Creating a new ruleset 443 410 ---------------------- ··· 573 540 574 541 Starting with the Landlock ABI version 5, it is possible to restrict the use of 575 542 :manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right. 543 + 544 + Abstract UNIX socket scoping (ABI < 6) 545 + -------------------------------------- 546 + 547 + Starting with the Landlock ABI version 6, it is possible to restrict 548 + connections to an abstract :manpage:`unix(7)` socket by setting 549 + ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` to the ``scoped`` ruleset attribute. 576 550 577 551 .. _kernel_support: 578 552
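Review bot: two wording nits in the new "IPC scoping" section of this hunk. The sentence "meaning if the domain is scoped after the socket is connected , it can still :manpage:`send(2)` data" has a stray space before the comma, and "we can specify such restriction with ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``" should read "such a restriction". Both can be fixed in place in the same hunk; the rest of the section is consistent with the ``scoped`` attribute added to the ``ruleset_attr`` example and the ``case 5:`` ABI fallback above.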