
[v2,3/3] landlock.7: Clarify IPC scoping documentation in line with kernel side

Message ID 20250226212911.34502-4-gnoack@google.com (mailing list archive)
State Handled Elsewhere
Series landlock: Clarify IPC scoping documentation

Commit Message

Günther Noack Feb. 26, 2025, 9:29 p.m. UTC
* Clarify terminology
* Stop mixing the unix(7) and signal(7) aspects in the explanation.

Terminology:

* The *IPC Scope* of a Landlock domain is that Landlock domain and its
  nested domains.

* An *operation* (e.g., signaling, connecting to abstract UDS) is said to
  be *scoped within a domain* when the flag for that operation was set at
  ruleset creation time.  This means that for the purpose of this
  operation, only processes within the domain's IPC scope are reachable.

Link: https://lore.kernel.org/all/20250226211814.31420-4-gnoack@google.com/
Signed-off-by: Günther Noack <gnoack@google.com>
---
 man/man7/landlock.7 | 73 ++++++++++++++++++++++-----------------------
 1 file changed, 35 insertions(+), 38 deletions(-)
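The terminology above can be seen in action with a small program. The following is an added example written for this page, not code from the man page, the patch or the Landlock project: a forked child creates a ruleset with only the signal operation scoped (the flag is set at ruleset creation time, nothing else is added), enforces it on itself, and then checks that its unsandboxed parent is no longer reachable with kill(2) while the child itself still is. It assumes a Linux kernel with Landlock ABI 6 or later; the syscall numbers, flag bits and the `ipc_ruleset_attr` struct mirror the kernel UAPI and are spelled out here only so the file also builds with older headers, and the function names `enter_ipc_scoped_domain` and `demo_signal_scoping` are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Added example, not part of the man page or the patch.  The values below
 * mirror the Linux UAPI (<linux/landlock.h>, Landlock ABI 6) and are only
 * defined here so that the file builds with older toolchain headers too.
 */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#define IPC_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0) /* LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET */
#define IPC_SCOPE_SIGNAL               (1ULL << 1) /* LANDLOCK_SCOPE_SIGNAL */

/* Same layout as struct landlock_ruleset_attr from ABI 6 onwards (assumption). */
struct ipc_ruleset_attr {
	uint64_t handled_access_fs;
	uint64_t handled_access_net;
	uint64_t scoped;
};

/*
 * Create a ruleset that handles no filesystem or network access (those stay
 * unrestricted) and only scopes the given IPC operations, then enforce it on
 * the calling thread.  Scoping is fixed at ruleset creation time and has no
 * landlock_add_rule(2) exceptions, so no rules need to be added at all.
 * Returns 0 on success, 1 if this kernel (or a seccomp filter in front of it)
 * does not offer Landlock with IPC scoping, and -1 on any other failure.
 */
static int enter_ipc_scoped_domain(uint64_t scoped)
{
	struct ipc_ruleset_attr attr = { .scoped = scoped };
	long fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0U);

	if (fd < 0)
		return 1; /* ENOSYS, EOPNOTSUPP, E2BIG (pre-ABI-6 kernel), EPERM (seccomp) */
	/* Required before landlock_restrict_self(2), as for seccomp filters. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
	    syscall(__NR_landlock_restrict_self, (int)fd, 0U) != 0) {
		close((int)fd);
		return -1;
	}
	close((int)fd);
	return 0;
}

/*
 * Run the scenario in a child so that the caller itself is never sandboxed.
 * Returns 0 if the child observed the documented behaviour (EPERM towards the
 * parent, success towards itself), 1 if IPC scoping is unavailable here, and
 * -1 if something else happened.
 */
int demo_signal_scoping(void)
{
	int status;
	pid_t child = fork();

	if (child < 0)
		return -1;
	if (child == 0) {
		int rc = enter_ipc_scoped_domain(IPC_SCOPE_SIGNAL);

		if (rc != 0)
			_exit(rc == 1 ? 1 : 2);
		/* The parent is outside the child's IPC scope: the kernel must refuse. */
		int to_parent = kill(getppid(), SIGCONT); /* SIGCONT is harmless to a running process */
		int saved_errno = errno;
		/* The child is inside its own IPC scope: still allowed. */
		int to_self = kill(getpid(), SIGCONT);

		_exit(to_parent == -1 && saved_errno == EPERM && to_self == 0 ? 0 : 2);
	}
	if (waitpid(child, &status, 0) != child || !WIFEXITED(status))
		return -1;
	if (WEXITSTATUS(status) == 0)
		return 0;
	return WEXITSTATUS(status) == 1 ? 1 : -1;
}

int main(void)
{
	int rc = demo_signal_scoping();

	if (rc == 0)
		puts("LANDLOCK_SCOPE_SIGNAL enforced: parent unreachable (EPERM), self reachable");
	else if (rc == 1)
		puts("Landlock IPC scoping is not available here; nothing was enforced");
	else
		puts("unexpected result");
	return rc < 0 ? 1 : 0;
}
```

Passing `IPC_SCOPE_ABSTRACT_UNIX_SOCKET` (or both flags ORed together) to `enter_ipc_scoped_domain` scopes the other operation the commit message names in the same way: connect(2) then only reaches abstract unix(7) addresses created by a process in the same or a nested domain. The helper reports "unavailable" rather than failing on kernels before ABI 6 because a ruleset with the `scoped` field is rejected with E2BIG there; a sandboxing program that wants to be best-effort has to decide explicitly whether running without IPC scoping is acceptable.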

Comments

Alejandro Colomar Feb. 28, 2025, 9:37 p.m. UTC | #1
Hi,

On Wed, Feb 26, 2025 at 10:29:12PM +0100, Günther Noack wrote:
> * Clarify terminology
> * Stop mixing the unix(7) and signal(7) aspects in the explanation.
> 
> Terminology:
> 
> * The *IPC Scope* of a Landlock domain is that Landlock domain and its
>   nested domains.
> 
> * An *operation* (e.g., signaling, connecting to abstract UDS) is said to
>   be *scoped within a domain* when the flag for that operation was set at
>   ruleset creation time.  This means that for the purpose of this
>   operation, only processes within the domain's IPC scope are reachable.
> 
> Link: https://lore.kernel.org/all/20250226211814.31420-4-gnoack@google.com/
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
>  man/man7/landlock.7 | 73 ++++++++++++++++++++++-----------------------
>  1 file changed, 35 insertions(+), 38 deletions(-)
> 
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 30dbac73d..42cd7286f 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -357,46 +357,43 @@ which means the tracee must be in a sub-domain of the tracer.
>  Similar to the implicit
>  .BR "Ptrace restrictions" ,
>  we may want to further restrict interactions between sandboxes.
> -Each Landlock domain can be explicitly scoped for a set of actions
> -by specifying it on a ruleset.
> -For example, if a sandboxed process should not be able to
> -.BR connect (2)
> -to a non-sandboxed process through abstract
> +Therefore, at ruleset creation time,
> +each Landlock domain can restrict the scope for certain operations,
> +so that these operations can only reach out to processes
> +within the same Landlock domain or in a nested Landlock domain (the "scope").
> +.P
> +The operations which can be scoped are:
> +.P

Redundant P before TP.

> +.TP
> +.B LANDLOCK_SCOPE_SIGNAL
> +This limits the sending of signals to target processes
> +which run within the same or a nested Landlock domain.
> +.TP
> +.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
> +This limits the set of abstract
>  .BR unix (7)
> -sockets,
> -we can specify such a restriction with
> -.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET .
> -Moreover, if a sandboxed process should not be able
> -to send a signal to a non-sandboxed process,
> -we can specify this restriction with
> -.BR LANDLOCK_SCOPE_SIGNAL .
> +sockets to which we can
> +.BR connect (2)
> +to socket addresses which were created
> +by a process in the same or a nested Landlock domain.
> +.IP
> +A
> +.BR sendto (2)
> +on a non-connected datagram socket is treated as if it were doing an implicit
> +.BR connect (2)
> +and will be blocked if the remote end does not stem
> +from the same or a nested Landlock domain.
> +.IP
> +A
> +.BR sendto (2)
> +on a socket which was previously connected will not be restricted.
> +This works for both datagram and stream sockets.
>  .P
> -A sandboxed process can connect to a non-sandboxed process
> -when its domain is not scoped.
> -If a process's domain is scoped,
> -it can only connect to sockets created by processes in the same scope.
> -Moreover,
> -If a process is scoped to send signal to a non-scoped process,
> -it can only send signals to processes in the same scope.
> -.P
> -A connected datagram socket behaves like a stream socket
> -when its domain is scoped,
> -meaning if the domain is scoped after the socket is connected,
> -it can still
> -.BR send (2)
> -data just like a stream socket.
> -However, in the same scenario,
> -a non-connected datagram socket cannot send data (with
> -.BR sendto (2))
> -outside its scope.
> -.P
> -A process with a scoped domain can inherit a socket

This text seems to have been added in patch 2/3.  Why is it being
removed in the same set?


Cheers,
Alex

> -created by a non-scoped process.
> -The process cannot connect to this socket since it has a scoped domain.
> -.P
> -IPC scoping does not support exceptions, so if a domain is scoped,
> -no rules can be added to allow access to resources or processes
> -outside of the scope.
> +IPC scoping does not support exceptions via
> +.BR landlock_add_rule (2).
> +If an operation is scoped within a domain,
> +no rules can be added to allow access
> +to resources or processes outside of the scope.
>  .\"
>  .SS Truncating files
>  The operations covered by
> -- 
> 2.48.1.711.g2feabab25a-goog
>
Günther Noack March 3, 2025, 4:36 p.m. UTC | #2
Hello Alejandro!

On Fri, Feb 28, 2025 at 10:37:17PM +0100, Alejandro Colomar wrote:
> On Wed, Feb 26, 2025 at 10:29:12PM +0100, Günther Noack wrote:
> > * Clarify terminology
> > * Stop mixing the unix(7) and signal(7) aspects in the explanation.
> > 
> > Terminology:
> > 
> > * The *IPC Scope* of a Landlock domain is that Landlock domain and its
> >   nested domains.
> > 
> > * An *operation* (e.g., signaling, connecting to abstract UDS) is said to
> >   be *scoped within a domain* when the flag for that operation was set at
> >   ruleset creation time.  This means that for the purpose of this
> >   operation, only processes within the domain's IPC scope are reachable.
> > 
> > Link: https://lore.kernel.org/all/20250226211814.31420-4-gnoack@google.com/
> > Signed-off-by: Günther Noack <gnoack@google.com>
> > ---
> >  man/man7/landlock.7 | 73 ++++++++++++++++++++++-----------------------
> >  1 file changed, 35 insertions(+), 38 deletions(-)
> > 
> > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> > index 30dbac73d..42cd7286f 100644
> > --- a/man/man7/landlock.7
> > +++ b/man/man7/landlock.7
> > @@ -357,46 +357,43 @@ which means the tracee must be in a sub-domain of the tracer.
> >  Similar to the implicit
> >  .BR "Ptrace restrictions" ,
> >  we may want to further restrict interactions between sandboxes.
> > -Each Landlock domain can be explicitly scoped for a set of actions
> > -by specifying it on a ruleset.
> > -For example, if a sandboxed process should not be able to
> > -.BR connect (2)
> > -to a non-sandboxed process through abstract
> > +Therefore, at ruleset creation time,
> > +each Landlock domain can restrict the scope for certain operations,
> > +so that these operations can only reach out to processes
> > +within the same Landlock domain or in a nested Landlock domain (the "scope").
> > +.P
> > +The operations which can be scoped are:
> > +.P
> 
> Redundant P before TP.

Thanks, done.


> > [...]
> > 
> > -A sandboxed process can connect to a non-sandboxed process
> > -when its domain is not scoped.
> > -If a process's domain is scoped,
> > -it can only connect to sockets created by processes in the same scope.
> > -Moreover,
> > -If a process is scoped to send signal to a non-scoped process,
> > -it can only send signals to processes in the same scope.
> > -.P
> > -A connected datagram socket behaves like a stream socket
> > -when its domain is scoped,
> > -meaning if the domain is scoped after the socket is connected,
> > -it can still
> > -.BR send (2)
> > -data just like a stream socket.
> > -However, in the same scenario,
> > -a non-connected datagram socket cannot send data (with
> > -.BR sendto (2))
> > -outside its scope.
> > -.P
> > -A process with a scoped domain can inherit a socket
> 
> This text seems to have been added in patch 2/3.  Why is it being
> removed in the same set?

I attempted to keep the "copy existing documentation" apart from the "rewrite"
part, but this was maybe a mistake given that this results in throwaway
corrections.  Should I rather squash them instead?

Thanks for the detailed review,
—Günther

Patch

diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 30dbac73d..42cd7286f 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -357,46 +357,43 @@  which means the tracee must be in a sub-domain of the tracer.
 Similar to the implicit
 .BR "Ptrace restrictions" ,
 we may want to further restrict interactions between sandboxes.
-Each Landlock domain can be explicitly scoped for a set of actions
-by specifying it on a ruleset.
-For example, if a sandboxed process should not be able to
-.BR connect (2)
-to a non-sandboxed process through abstract
+Therefore, at ruleset creation time,
+each Landlock domain can restrict the scope for certain operations,
+so that these operations can only reach out to processes
+within the same Landlock domain or in a nested Landlock domain (the "scope").
+.P
+The operations which can be scoped are:
+.P
+.TP
+.B LANDLOCK_SCOPE_SIGNAL
+This limits the sending of signals to target processes
+which run within the same or a nested Landlock domain.
+.TP
+.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+This limits the set of abstract
 .BR unix (7)
-sockets,
-we can specify such a restriction with
-.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET .
-Moreover, if a sandboxed process should not be able
-to send a signal to a non-sandboxed process,
-we can specify this restriction with
-.BR LANDLOCK_SCOPE_SIGNAL .
+sockets to which we can
+.BR connect (2)
+to socket addresses which were created
+by a process in the same or a nested Landlock domain.
+.IP
+A
+.BR sendto (2)
+on a non-connected datagram socket is treated as if it were doing an implicit
+.BR connect (2)
+and will be blocked if the remote end does not stem
+from the same or a nested Landlock domain.
+.IP
+A
+.BR sendto (2)
+on a socket which was previously connected will not be restricted.
+This works for both datagram and stream sockets.
 .P
-A sandboxed process can connect to a non-sandboxed process
-when its domain is not scoped.
-If a process's domain is scoped,
-it can only connect to sockets created by processes in the same scope.
-Moreover,
-If a process is scoped to send signal to a non-scoped process,
-it can only send signals to processes in the same scope.
-.P
-A connected datagram socket behaves like a stream socket
-when its domain is scoped,
-meaning if the domain is scoped after the socket is connected,
-it can still
-.BR send (2)
-data just like a stream socket.
-However, in the same scenario,
-a non-connected datagram socket cannot send data (with
-.BR sendto (2))
-outside its scope.
-.P
-A process with a scoped domain can inherit a socket
-created by a non-scoped process.
-The process cannot connect to this socket since it has a scoped domain.
-.P
-IPC scoping does not support exceptions, so if a domain is scoped,
-no rules can be added to allow access to resources or processes
-outside of the scope.
+IPC scoping does not support exceptions via
+.BR landlock_add_rule (2).
+If an operation is scoped within a domain,
+no rules can be added to allow access
+to resources or processes outside of the scope.
 .\"
 .SS Truncating files
 The operations covered by
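Review bot: The `.P` placed directly before `.TP` in the added text (`+The operations which can be scoped are:` / `+.P` / `+.TP`) is redundant, since `.TP` already begins a new tagged paragraph; dropping it avoids a spurious blank line in the rendered page. The `LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET` entry also reads awkwardly with the doubled preposition in "sockets to which we can connect(2) to socket addresses which were created"; "This limits connect(2) on abstract unix(7) sockets to socket addresses which were created by a process in the same or a nested Landlock domain." says the same thing more directly. Lastly, the removed paragraph about a scoped process inheriting a socket created by a non-scoped process has no counterpart in the new text; the new connect(2) rule does imply it (the address was created outside the scope), but a one-sentence example would help readers who hit exactly this case with inherited descriptors.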