From patchwork Thu Jul 18 04:15:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13736020 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 863161E520; Thu, 18 Jul 2024 04:15:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276151; cv=none; b=CM79d97X8urIs58TlUi5ZGcnCr6WMN2JrqqtDfUJwcNwz1HTqGtVcLU+3YMapr8cSXNMRu+2Y3/YufowS64PIPkmWW+qbZxiQpMkr+BR41Y28zPMVh+OmsHjGxEvKrtoghLNtfF7Rgw3k3idpkv6dSqx9HeJJN1XzVMy94gpyGg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276151; c=relaxed/simple; bh=QZsBQu2+ZOULhLORd0HOsY1lkGTtwIs1aRgh5oxidJs=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=kqPeI8lUI9edt+tLUfifDcjXQQtaUNCf3vTicst4vNsl2pl+wlUuCf0shR2xwgfdnJrpjIHDSNoKCn5Z5OHushcBgdKLwNqD+x6tHoDIxdyqPrdDbLV86oa/7C3NQcR0qFwSmXrv0lnWZjyQfBuQb/h8sFEnELUNa3otq7dUgcU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=RfJdhaoJ; arc=none smtp.client-ip=209.85.214.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="RfJdhaoJ" Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-1fbfb7cdb54so3231095ad.2; Wed, 17 Jul 2024 21:15:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721276149; x=1721880949; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=9Rvnx0iLLDz0SXxKhw8U6japHLNXczTiOeG//E2Ws8c=; b=RfJdhaoJE02s3v9v/Cq24sT4Dm3ygmrv3FV4PxMpzIFL61VyawgXWg0J/kiXTdzTCt Z7XsrblOeeErnOqT7kF7SmP5jJUyAjDlgRvAShu34qkmb7e+MsejJxEA9CB76t0EMQJD D7T2r3P7IYN56IMSF280fV/XnYzLRfzZC5fkF78dB/rzgEanB+yQx/J5Aqf1D2QyzwHD 3jzYlJbf/Foa3cfJbcxhpDjU7ya1EEEktn05YxjvDGZJBxjLpZ0EnLibW86X/G+SHbQG h4V0FOlTOh/6FBQ5ednsrDqjxB4ccP7DEg9fTqajgEvV+lrNVJmq8VR7EcBefMFiBVdB csMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721276149; x=1721880949; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9Rvnx0iLLDz0SXxKhw8U6japHLNXczTiOeG//E2Ws8c=; b=c4F/lVcf9G5qhZyy010gcZEWKGhFpsNykpl6Q/VIQKr+ayaHbv0+6Kns8pDDUJajI9 kY/DqiL7tBfVbDlYFmUlByG+Zws+OJiXnWA0IVVRBEOpGPUw42LpEmKxiVpKje0JTlgJ gQtrkX6kaLwhRBLhk/8GFZ9hGP9WtIWljqv7sexEajF2IanZ+jOmqkOJu29mO1vfwx21 oxVlPGDb00ejTlEAvKY4E33Dd5/CIN/4N13LecjRN6SubuWeFPZlaK/Dpdctw06VkMfh 2RdXZAbox6ox/68zlP0Jch49/zYinudlSiqxlVVUQR6G9/yLh657OlfjfqrvafUiAr4o LRsA== X-Forwarded-Encrypted: i=1; AJvYcCUcus9VT/smp6b8folJABpC5eOp8K9CSNMZFgiif4x4X6Zin5Jagnj10ZkiSqlNsYt2v+hmOmOOskHGQ6VdiCkbIb9f48qvcnpY0SN62GqXNfH12PH4WQ5QOE+3zbaghMVgFGtxLHoqcV82NZBn2/RJe3/G874wQlDyPNeybHqs1YGEXgUAo8eb1rUl X-Gm-Message-State: AOJu0Yx/byZbMFpCk19T5gPNafU94gbWDhHRqMz4h3wfQEpWGSgSirbU qgQttFh0Tr2AavAsMy8Xoze8KUWYVYZpp0IrimxFzO5K10qgoZJs X-Google-Smtp-Source: AGHT+IFMyO1WrArghfmYPlJfxtrXHBx0wmu9FCeMWeocrfk9zIdfJsumAlzR2ySq9yVAse54KGZdCA== X-Received: by 2002:a17:902:fa0c:b0:1f7:1528:7b8a with SMTP id d9443c01a7336-1fc4e6887d3mr25270485ad.41.1721276148759; Wed, 17 Jul 2024 21:15:48 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1fc0bc38dc0sm83152785ad.215.2024.07.17.21.15.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Jul 2024 21:15:47 -0700 (PDT) From: Tahera Fahimi To: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, outreachy@lists.linux.dev, netdev@vger.kernel.org Cc: Tahera Fahimi Subject: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction Date: Wed, 17 Jul 2024 22:15:19 -0600 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The patch introduces a new "scoped" attribute to the landlock_ruleset_attr that can specify "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET" to scope abstract unix sockets from connecting to a process outside of the same landlock domain. This patch implement two hooks, "unix_stream_connect" and "unix_may_send" to enforce this restriction. Signed-off-by: Tahera Fahimi ------- v7: - Using socket's file credentials for both connected(STREAM) and non-connected(DGRAM) sockets. - Adding "domain_sock_scope" instead of the domain scoping mechanism used in ptrace ensures that if a server's domain is accessible from the client's domain (where the client is more privileged than the server), the client can connect to the server in all edge cases. - Removing debug codes. v6: - Removing curr_ruleset from landlock_hierarchy, and switching back to use the same domain scoping as ptrace. - code clean up. v5: - Renaming "LANDLOCK_*_ACCESS_SCOPE" to "LANDLOCK_*_SCOPE" - Adding curr_ruleset to hierarachy_ruleset structure to have access from landlock_hierarchy to its respective landlock_ruleset. - Using curr_ruleset to check if a domain is scoped while walking in the hierarchy of domains. - Modifying inline comments. V4: - Rebased on Günther's Patch: https://lore.kernel.org/all/20240610082115.1693267-1-gnoack@google.com/ so there is no need for "LANDLOCK_SHIFT_ACCESS_SCOPE", then it is removed. - Adding get_scope_accesses function to check all scoped access masks in a ruleset. - Using file's FD credentials instead of credentials stored in peer_cred for datagram sockets. (see discussion in [1]) - Modifying inline comments. V3: - Improving commit description. - Introducing "scoped" attribute to landlock_ruleset_attr for IPC scoping purpose, and adding related functions. - Changing structure of ruleset based on "scoped". - Removing rcu lock and using unix_sk lock instead. - Introducing scoping for datagram sockets in unix_may_send. V2: - Removing wrapper functions [1]https://lore.kernel.org/outreachy/Zmi8Ydz4Z6tYtpY1@tahera-OptiPlex-5000/T/#m8cdf33180d86c7ec22932e2eb4ef7dd4fc94c792 ------- Signed-off-by: Tahera Fahimi --- include/uapi/linux/landlock.h | 29 +++++++++ security/landlock/limits.h | 3 + security/landlock/ruleset.c | 7 ++- security/landlock/ruleset.h | 23 ++++++- security/landlock/syscalls.c | 14 +++-- security/landlock/task.c | 112 ++++++++++++++++++++++++++++++++++ 6 files changed, 181 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 68625e728f43..9cd881673434 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -37,6 +37,12 @@ struct landlock_ruleset_attr { * rule explicitly allow them. */ __u64 handled_access_net; + /** + * @scoped: Bitmask of scopes (cf. `Scope flags`_) + * restricting a Landlock domain from accessing outside + * resources(e.g. IPCs). + */ + __u64 scoped; }; /* @@ -266,4 +272,27 @@ struct landlock_net_port_attr { #define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0) #define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1) /* clang-format on */ + +/** + * DOC: scope + * + * .scoped attribute handles a set of restrictions on kernel IPCs through + * the following flags. + * + * Scope flags + * ~~~~~~~~~~~ + * + * These flags enable to restrict a sandboxed process from a set of IPC + * actions. Setting a flag for a ruleset will isolate the Landlock domain + * to forbid connections to resources outside the domain. + * + * IPCs with scoped actions: + * - %LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET: Restrict a sandboxed process + * from connecting to an abstract unix socket created by a process + * outside the related Landlock domain (e.g. a parent domain or a + * non-sandboxed process). + */ +/* clang-format off */ +#define LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET (1ULL << 0) +/* clang-format on*/ #endif /* _UAPI_LINUX_LANDLOCK_H */ diff --git a/security/landlock/limits.h b/security/landlock/limits.h index 4eb643077a2a..eb01d0fb2165 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -26,6 +26,9 @@ #define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1) #define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET) +#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET +#define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1) +#define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE) /* clang-format on */ #endif /* _SECURITY_LANDLOCK_LIMITS_H */ diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index 6ff232f58618..a93bdbf52fff 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c @@ -52,12 +52,13 @@ static struct landlock_ruleset *create_ruleset(const u32 num_layers) struct landlock_ruleset * landlock_create_ruleset(const access_mask_t fs_access_mask, - const access_mask_t net_access_mask) + const access_mask_t net_access_mask, + const access_mask_t scope_mask) { struct landlock_ruleset *new_ruleset; /* Informs about useless ruleset. */ - if (!fs_access_mask && !net_access_mask) + if (!fs_access_mask && !net_access_mask && !scope_mask) return ERR_PTR(-ENOMSG); new_ruleset = create_ruleset(1); if (IS_ERR(new_ruleset)) @@ -66,6 +67,8 @@ landlock_create_ruleset(const access_mask_t fs_access_mask, landlock_add_fs_access_mask(new_ruleset, fs_access_mask, 0); if (net_access_mask) landlock_add_net_access_mask(new_ruleset, net_access_mask, 0); + if (scope_mask) + landlock_add_scope_mask(new_ruleset, scope_mask, 0); return new_ruleset; } diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 0f1b5b4c8f6b..c749fa0b3ecd 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h @@ -35,6 +35,8 @@ typedef u16 access_mask_t; static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS); /* Makes sure all network access rights can be stored. */ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET); +/* Makes sure all scoped rights can be stored*/ +static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE); /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */ static_assert(sizeof(unsigned long) >= sizeof(access_mask_t)); @@ -42,6 +44,7 @@ static_assert(sizeof(unsigned long) >= sizeof(access_mask_t)); struct access_masks { access_mask_t fs : LANDLOCK_NUM_ACCESS_FS; access_mask_t net : LANDLOCK_NUM_ACCESS_NET; + access_mask_t scoped : LANDLOCK_NUM_SCOPE; }; typedef u16 layer_mask_t; @@ -233,7 +236,8 @@ struct landlock_ruleset { struct landlock_ruleset * landlock_create_ruleset(const access_mask_t access_mask_fs, - const access_mask_t access_mask_net); + const access_mask_t access_mask_net, + const access_mask_t scope_mask); void landlock_put_ruleset(struct landlock_ruleset *const ruleset); void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset); @@ -280,6 +284,16 @@ landlock_add_net_access_mask(struct landlock_ruleset *const ruleset, ruleset->access_masks[layer_level].net |= net_mask; } +static inline void +landlock_add_scope_mask(struct landlock_ruleset *const ruleset, + const access_mask_t scope_mask, const u16 layer_level) +{ + access_mask_t scoped_mask = scope_mask & LANDLOCK_MASK_SCOPE; + + WARN_ON_ONCE(scope_mask != scoped_mask); + ruleset->access_masks[layer_level].scoped |= scoped_mask; +} + static inline access_mask_t landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset, const u16 layer_level) @@ -303,6 +317,13 @@ landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset, return ruleset->access_masks[layer_level].net; } +static inline access_mask_t +landlock_get_scope_mask(const struct landlock_ruleset *const ruleset, + const u16 layer_level) +{ + return ruleset->access_masks[layer_level].scoped; +} + bool landlock_unmask_layers(const struct landlock_rule *const rule, const access_mask_t access_request, layer_mask_t (*const layer_masks)[], diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 03b470f5a85a..799a50f11d79 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -97,8 +97,9 @@ static void build_check_abi(void) */ ruleset_size = sizeof(ruleset_attr.handled_access_fs); ruleset_size += sizeof(ruleset_attr.handled_access_net); + ruleset_size += sizeof(ruleset_attr.scoped); BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size); - BUILD_BUG_ON(sizeof(ruleset_attr) != 16); + BUILD_BUG_ON(sizeof(ruleset_attr) != 24); path_beneath_size = sizeof(path_beneath_attr.allowed_access); path_beneath_size += sizeof(path_beneath_attr.parent_fd); @@ -149,7 +150,7 @@ static const struct file_operations ruleset_fops = { .write = fop_dummy_write, }; -#define LANDLOCK_ABI_VERSION 5 +#define LANDLOCK_ABI_VERSION 6 /** * sys_landlock_create_ruleset - Create a new ruleset @@ -170,7 +171,7 @@ static const struct file_operations ruleset_fops = { * Possible returned errors are: * * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; - * - %EINVAL: unknown @flags, or unknown access, or too small @size; + * - %EINVAL: unknown @flags, or unknown access, or uknown scope, or too small @size; * - %E2BIG or %EFAULT: @attr or @size inconsistencies; * - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs. */ @@ -213,9 +214,14 @@ SYSCALL_DEFINE3(landlock_create_ruleset, LANDLOCK_MASK_ACCESS_NET) return -EINVAL; + /* Checks IPC scoping content (and 32-bits cast). */ + if ((ruleset_attr.scoped | LANDLOCK_MASK_SCOPE) != LANDLOCK_MASK_SCOPE) + return -EINVAL; + /* Checks arguments and transforms to kernel struct. */ ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs, - ruleset_attr.handled_access_net); + ruleset_attr.handled_access_net, + ruleset_attr.scoped); if (IS_ERR(ruleset)) return PTR_ERR(ruleset); diff --git a/security/landlock/task.c b/security/landlock/task.c index 849f5123610b..597d89e54aae 100644 --- a/security/landlock/task.c +++ b/security/landlock/task.c @@ -13,6 +13,8 @@ #include #include #include +#include +#include #include "common.h" #include "cred.h" @@ -108,9 +110,119 @@ static int hook_ptrace_traceme(struct task_struct *const parent) return task_ptrace(parent, current); } +static int walk_and_check(const struct landlock_ruleset *const child, + struct landlock_hierarchy **walker, int i, int j, + bool check) +{ + if (!child || i < 0) + return -1; + + while (i < j && *walker) { + if (check && landlock_get_scope_mask(child, j)) + return -1; + *walker = (*walker)->parent; + j--; + } + if (!*walker) + pr_warn_once("inconsistency in landlock hierarchy and layers"); + return j; +} + +/** + * domain_sock_scope - Checks if client domain is scoped in the same + * domain as server. + * + * @client: Connecting socket domain. + * @server: Listening socket domain. + * + * Checks if the @client domain is scoped, then the server should be + * in the same domain to connect. If not, @client can connect to @server. + */ +static bool domain_sock_scope(const struct landlock_ruleset *const client, + const struct landlock_ruleset *const server) +{ + size_t l1, l2; + int scope_layer; + struct landlock_hierarchy *cli_walker, *srv_walker; + + if (!client) + return true; + + l1 = client->num_layers - 1; + cli_walker = client->hierarchy; + if (server) { + l2 = server->num_layers - 1; + srv_walker = server->hierarchy; + } else + l2 = 0; + + if (l1 > l2) + scope_layer = walk_and_check(client, &cli_walker, l2, l1, true); + else if (l2 > l1) + scope_layer = + walk_and_check(server, &srv_walker, l1, l2, false); + else + scope_layer = l1; + + if (scope_layer == -1) + return false; + + while (scope_layer >= 0 && cli_walker) { + if (landlock_get_scope_mask(client, scope_layer) & + LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET) { + if (!server) + return false; + + if (srv_walker == cli_walker) + return true; + + return false; + } + cli_walker = cli_walker->parent; + srv_walker = srv_walker->parent; + scope_layer--; + } + return true; +} + +static bool sock_is_scoped(struct sock *const other) +{ + const struct landlock_ruleset *dom_other; + const struct landlock_ruleset *const dom = + landlock_get_current_domain(); + + /* the credentials will not change */ + lockdep_assert_held(&unix_sk(other)->lock); + dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain; + + /* other is scoped, they connect if they are in the same domain */ + return domain_sock_scope(dom, dom_other); +} + +static int hook_unix_stream_connect(struct sock *const sock, + struct sock *const other, + struct sock *const newsk) +{ + if (sock_is_scoped(other)) + return 0; + + return -EPERM; +} + +static int hook_unix_may_send(struct socket *const sock, + struct socket *const other) +{ + if (sock_is_scoped(other->sk)) + return 0; + + return -EPERM; +} + static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme), + LSM_HOOK_INIT(unix_stream_connect, hook_unix_stream_connect), + LSM_HOOK_INIT(unix_may_send, hook_unix_may_send), }; __init void landlock_add_task_hooks(void) From patchwork Thu Jul 18 04:15:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13736021 Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4E96E40C03; Thu, 18 Jul 2024 04:15:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276153; cv=none; b=SEwCvydMgeGwFoP8yDvUTZXq/fsqxfjmAgOt7ZcIirHOa27gyN2/N4o19IjsDJQIH9X/1SQ6mssr2cIAXlModGMJOOMV5y8XfNuJic0RxJjI1u3AtAQwxGF6ht6k8lLJQ5LcPTZ8mDPGPSZRmmqdu7E8JLWtfe425J0KnFQZ9V8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276153; c=relaxed/simple; bh=zpTIiq4Pd3CXcxbNiaiuVqSuXHu8A2JVd0vQeG/P4G4=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=dchOvUimY5hpppV2Z+Z8Iy6rwWrTTRR6xet0G/EyARzQku1dxfxfgaHbeMUbaDcSQqq8IntpFrSdhpdSvo6GnWSsacjVVqLVbkGhok3gK6J8LE+6RTxwYud3dHN2gDfBWAGIM3zffX48nC1bIzosSUV30T27oJsqEcqGztSoofs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=QR5q7KLO; arc=none smtp.client-ip=209.85.214.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="QR5q7KLO" Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-1fb4fa1bb34so2745325ad.0; Wed, 17 Jul 2024 21:15:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721276150; x=1721880950; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=vAXNK6oh1OvquTYa3iIIGyC/+Yv8FreGS29ljKxYu/o=; b=QR5q7KLOZ9Gj8l8i1hJZ3gpohUYPqzcjJJz3P7LLnLzBLFKUEEc0Kel9lXwI7ejCxE 55uudry4rWW6trsKSBfdWRwRXVJ/1MRDa0crdBNXBg+PIkBi7vkRuWbKPR8+9RlKZmVL j/0B0FmvtA9Uw52k8b+pKv5XlRt37gwvmLvFZS4X/XcBcJs5JrDYbqZ/DUrgw8arA3ay Rf/gTpNcaT/viwDvihsrVyfDAue8oNe8mQ/qSORAS2ck0tqaHv/xEz89z+/QkqVt8x0e 8s8IsFzj9o+MkVKqnuzmMfsYJpc9hoyKQe6nQ4mPNz9nGbmrqjNhxTv+Dvr5MaP9BTSu IDKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721276150; x=1721880950; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vAXNK6oh1OvquTYa3iIIGyC/+Yv8FreGS29ljKxYu/o=; b=FyF0+Ds0DpzOu+dVu3U3FjBl3POcWsDniwQUS70pcKpwcW5xRsf0bYyB8YbBkHvGdr Ku9/5gvO752N1owP6ABMfQU3A4pcFRgBl1qWygi4q+wAHfpqu7XCGJJDI2Fk364mHcoX tFjgQrqH+BZf/a4rAV3Pl4P2fU6A3A1ukoLBTa3K+GOhKaTr0Xt/rNUAouzk6Vh+bASV kL67YZC6Yifo+SOc/GqHPmMclAZot1oOXgDQBn5bd9Y28/v58w3OMevxkh1jxFpR9tgG nDXVh/oYdK1x4zD12gVQs0BNyc/XjN5z25fegYMQw+D0ZJqFJ2s+NI3omkLyrU2yiqIA taIw== X-Forwarded-Encrypted: i=1; AJvYcCUCE+zHeFkASfKUNkz0Ji/PCAIHKVyzC/u9a/4VsCnfcKnNgV2dZ+luvz8ldmTIE1uvRj+d5byWK1MvDpgJ+dI82AvnXWKWIxiqIs6MQGmFmo2IbZ6na4MfevOXJ2YUnOOuf7gTz+1XkHjUAPGAMFA0mpksu3w9w29cQ9a4jtxjaCVZ8+/5F57mN/81 X-Gm-Message-State: AOJu0YwnZ1//7WTW6Q8M3aEmEZxmb7WA/MF1cjqsI6jCC8U32lxl7B/N zrl5h3v3H+9SWVExtkJR7bpv/uEKED77t5A3yIlGLcJIg4UFSIOG X-Google-Smtp-Source: AGHT+IG3Be9oGjUsd0OVWnkN6TyS+4rQC10fCrp1Jdh1/N06jf7z1t9oZkzBjdfnLH2UfwG7Y5jfFQ== X-Received: by 2002:a17:902:650e:b0:1fc:5d0e:a214 with SMTP id d9443c01a7336-1fc5d0ea54fmr10842065ad.21.1721276150330; Wed, 17 Jul 2024 21:15:50 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1fc0bc38dc0sm83152785ad.215.2024.07.17.21.15.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Jul 2024 21:15:49 -0700 (PDT) From: Tahera Fahimi To: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, outreachy@lists.linux.dev, netdev@vger.kernel.org Cc: Tahera Fahimi Subject: [PATCH v7 2/4] selftests/landlock: Abstract unix socket restriction tests Date: Wed, 17 Jul 2024 22:15:20 -0600 Message-Id: <121e8df376327d8039266db19e53b8ff994b8d74.1721269836.git.fahimitahera@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The patch has three types of tests: 1) unix_socket: base tests the scoping mechanism for a landlocked process, same as the ptrace test. 2) optional_scoping: generates three processes with different domains and tests if a process with a non-scoped domain can connect to other processes. 3) unix_sock_special_cases: since the socket's creator credentials are used for scoping datagram sockets, this test examines the cases where the socket's credentials are different from the process using it. Signed-off-by: Tahera Fahimi Changes in versions: V7: - Introducing landlock ABI version 6. - Adding some edge test cases to optional_scoping test. - Using `enum` for different domains in optional_scoping tests. - Extend unix_sock_special_cases test cases for connected(SOCK_STREAM) sockets. - Modifying inline comments. V6: - Introducing optional_scoping test which ensures a sandboxed process with a non-scoped domain can still connect to another abstract unix socket(either sandboxed or non-sandboxed). - Introducing unix_sock_special_cases test which tests examines scenarios where the connecting sockets have different domain than the process using them. V4: - Introducing unix_socket to evaluate the basic scoping mechanism for abstract unix sockets. Signed-off-by: Tahera Fahimi --- tools/testing/selftests/landlock/base_test.c | 2 +- .../testing/selftests/landlock/ptrace_test.c | 867 ++++++++++++++++++ 2 files changed, 868 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index 3c1e9f35b531..52b00472a487 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -75,7 +75,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(5, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(6, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing/selftests/landlock/ptrace_test.c index a19db4d0b3bd..e7dcefda8ce0 100644 --- a/tools/testing/selftests/landlock/ptrace_test.c +++ b/tools/testing/selftests/landlock/ptrace_test.c @@ -17,6 +17,10 @@ #include #include +#include +#include +#include + #include "common.h" /* Copied from security/yama/yama_lsm.c */ @@ -436,4 +440,867 @@ TEST_F(hierarchy, trace) _metadata->exit_code = KSFT_FAIL; } +static void create_unix_domain(struct __test_metadata *const _metadata) +{ + int ruleset_fd; + const struct landlock_ruleset_attr ruleset_attr = { + .scoped = LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET, + }; + + ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + EXPECT_LE(0, ruleset_fd) + { + TH_LOG("Failed to create a ruleset: %s", strerror(errno)); + } + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); +} + +/* clang-format off */ +FIXTURE(unix_socket) +{ + int server, client, dgram_server, dgram_client; +}; + +/* clang-format on */ +FIXTURE_VARIANT(unix_socket) +{ + bool domain_both; + bool domain_parent; + bool domain_child; + bool connect_to_parent; +}; + +/* + * No domain + * + * P1-. P1 -> P2 : allow + * \ P2 -> P1 : allow + * 'P2 + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, allow_without_domain_connect_to_parent) { + /* clang-format on */ + .domain_both = false, + .domain_parent = false, + .domain_child = false, + .connect_to_parent = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, allow_without_domain_connect_to_child) { + /* clang-format on */ + .domain_both = false, + .domain_parent = false, + .domain_child = false, + .connect_to_parent = false, +}; + +/* + * Child domain + * + * P1--. P1 -> P2 : allow + * \ P2 -> P1 : deny + * .'-----. + * | P2 | + * '------' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, deny_with_one_domain_connect_to_parent) { + /* clang-format on */ + .domain_both = false, + .domain_parent = false, + .domain_child = true, + .connect_to_parent = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, allow_with_one_domain_connect_to_child) { + /* clang-format on */ + .domain_both = false, + .domain_parent = false, + .domain_child = true, + .connect_to_parent = false, +}; + +/* + * Parent domain + * .------. + * | P1 --. P1 -> P2 : deny + * '------' \ P2 -> P1 : allow + * ' + * P2 + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, allow_with_parent_domain_connect_to_parent) { + /* clang-format on */ + .domain_both = false, + .domain_parent = true, + .domain_child = false, + .connect_to_parent = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, deny_with_parent_domain_connect_to_child) { + /* clang-format on */ + .domain_both = false, + .domain_parent = true, + .domain_child = false, + .connect_to_parent = false, +}; + +/* + * Parent + child domain (siblings) + * .------. + * | P1 ---. P1 -> P2 : deny + * '------' \ P2 -> P1 : deny + * .---'--. + * | P2 | + * '------' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, deny_with_sibling_domain_connect_to_parent) { + /* clang-format on */ + .domain_both = false, + .domain_parent = true, + .domain_child = true, + .connect_to_parent = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, deny_with_sibling_domain_connect_to_child) { + /* clang-format on */ + .domain_both = false, + .domain_parent = true, + .domain_child = true, + .connect_to_parent = false, +}; + +/* + * Same domain (inherited) + * .-------------. + * | P1----. | P1 -> P2 : allow + * | \ | P2 -> P1 : allow + * | ' | + * | P2 | + * '-------------' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, allow_inherited_domain_connect_to_parent) { + /* clang-format on */ + .domain_both = true, + .domain_parent = false, + .domain_child = false, + .connect_to_parent = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, allow_inherited_domain_connect_to_child) { + /* clang-format on */ + .domain_both = true, + .domain_parent = false, + .domain_child = false, + .connect_to_parent = false, +}; + +/* + * Inherited + child domain + * .-----------------. + * | P1----. | P1 -> P2 : allow + * | \ | P2 -> P1 : deny + * | .-'----. | + * | | P2 | | + * | '------' | + * '-----------------' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, deny_nested_domain_connect_to_parent) { + /* clang-format on */ + .domain_both = true, + .domain_parent = false, + .domain_child = true, + .connect_to_parent = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, allow_nested_domain_connect_to_child) { + /* clang-format on */ + .domain_both = true, + .domain_parent = false, + .domain_child = true, + .connect_to_parent = false, +}; + +/* + * Inherited + parent domain + * .-----------------. + * |.------. | P1 -> P2 : deny + * || P1 ----. | P2 -> P1 : allow + * |'------' \ | + * | ' | + * | P2 | + * '-----------------' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, allow_with_nested_and_parent_domain_connect_to_parent) { + /* clang-format on */ + .domain_both = true, + .domain_parent = true, + .domain_child = false, + .connect_to_parent = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, deny_with_nested_and_parent_domain_connect_to_child) { + /* clang-format on */ + .domain_both = true, + .domain_parent = true, + .domain_child = false, + .connect_to_parent = false, +}; + +/* + * Inherited + parent and child domain (siblings) + * .-----------------. + * | .------. | P1 -> P2 : deny + * | | P1 . | P2 -> P1 : deny + * | '------'\ | + * | \ | + * | .--'---. | + * | | P2 | | + * | '------' | + * '-----------------' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, deny_with_forked_domain_connect_to_parent) { + /* clang-format on */ + .domain_both = true, + .domain_parent = true, + .domain_child = true, + .connect_to_parent = true, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_socket, deny_with_forked_domain_connect_to_child) { + /* clang-format on */ + .domain_both = true, + .domain_parent = true, + .domain_child = true, + .connect_to_parent = false, +}; + +FIXTURE_SETUP(unix_socket) +{ +} + +FIXTURE_TEARDOWN(unix_socket) +{ + close(self->server); + close(self->client); + close(self->dgram_server); + close(self->dgram_client); +} + +/* Test UNIX_STREAM_CONNECT and UNIX_MAY_SEND for parent and child, + * when they have scoped domain or no domain. + */ +TEST_F(unix_socket, abstract_unix_socket) +{ + int status; + pid_t child; + socklen_t addrlen; + int sock_len = 5; + struct sockaddr_un addr, dgram_addr = { + .sun_family = AF_UNIX, + }; + const char sun_path[8] = "\0test"; + const char sun_path_dgram[8] = "\0dgrm"; + bool can_connect_to_parent, can_connect_to_child; + int err, err_dgram; + int pipe_child[2], pipe_parent[2]; + char buf_parent; + + /* + * can_connect_to_child is true if a parent process can connect to its + * child process. The parent process is not isolated from the child + * with a dedicated Landlock domain. + */ + can_connect_to_child = !variant->domain_parent; + /* + * can_connect_to_parent is true if a child process can connect to its + * parent process. This depends on the child process is not isolated from + * the parent with a dedicated Landlock domain. + */ + can_connect_to_parent = !variant->domain_child; + + ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); + ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); + if (variant->domain_both) { + create_unix_domain(_metadata); + if (!__test_passed(_metadata)) + return; + } + + addrlen = offsetof(struct sockaddr_un, sun_path) + sock_len; + memcpy(&addr.sun_path, sun_path, sock_len); + memcpy(&dgram_addr.sun_path, sun_path_dgram, sock_len); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + char buf_child; + + ASSERT_EQ(0, close(pipe_parent[1])); + ASSERT_EQ(0, close(pipe_child[0])); + if (variant->domain_child) + create_unix_domain(_metadata); + + /* Waits for the parent to be in a domain, if any. */ + ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)); + + if (variant->connect_to_parent) { + self->client = socket(AF_UNIX, SOCK_STREAM, 0); + self->dgram_client = socket(AF_UNIX, SOCK_DGRAM, 0); + + ASSERT_NE(-1, self->client); + ASSERT_NE(-1, self->dgram_client); + ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)); + + err = connect(self->client, (struct sockaddr *)&addr, + addrlen); + err_dgram = connect(self->dgram_client, + (struct sockaddr *)&dgram_addr, + addrlen); + if (can_connect_to_parent) { + EXPECT_EQ(0, err); + EXPECT_EQ(0, err_dgram); + } else { + EXPECT_EQ(-1, err); + EXPECT_EQ(-1, err_dgram); + EXPECT_EQ(EPERM, errno); + } + } else { + self->server = socket(AF_UNIX, SOCK_STREAM, 0); + self->dgram_server = socket(AF_UNIX, SOCK_DGRAM, 0); + ASSERT_NE(-1, self->server); + ASSERT_NE(-1, self->dgram_server); + + ASSERT_EQ(0, bind(self->server, + (struct sockaddr *)&addr, addrlen)); + ASSERT_EQ(0, bind(self->dgram_server, + (struct sockaddr *)&dgram_addr, + addrlen)); + ASSERT_EQ(0, listen(self->server, 32)); + + /* signal to parent that child is listening */ + ASSERT_EQ(1, write(pipe_child[1], ".", 1)); + /* wait to connect */ + ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)); + } + _exit(_metadata->exit_code); + return; + } + + ASSERT_EQ(0, close(pipe_child[1])); + ASSERT_EQ(0, close(pipe_parent[0])); + + if (variant->domain_parent) + create_unix_domain(_metadata); + + /* Signals that the parent is in a domain, if any. */ + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + + if (!variant->connect_to_parent) { + self->client = socket(AF_UNIX, SOCK_STREAM, 0); + self->dgram_client = socket(AF_UNIX, SOCK_DGRAM, 0); + + ASSERT_NE(-1, self->client); + ASSERT_NE(-1, self->dgram_client); + + /* Waits for the child to listen */ + ASSERT_EQ(1, read(pipe_child[0], &buf_parent, 1)); + err = connect(self->client, (struct sockaddr *)&addr, addrlen); + err_dgram = connect(self->dgram_client, + (struct sockaddr *)&dgram_addr, addrlen); + + if (can_connect_to_child) { + EXPECT_EQ(0, err); + EXPECT_EQ(0, err_dgram); + } else { + EXPECT_EQ(-1, err); + EXPECT_EQ(-1, err_dgram); + EXPECT_EQ(EPERM, errno); + } + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + } else { + self->server = socket(AF_UNIX, SOCK_STREAM, 0); + self->dgram_server = socket(AF_UNIX, SOCK_DGRAM, 0); + ASSERT_NE(-1, self->server); + ASSERT_NE(-1, self->dgram_server); + ASSERT_EQ(0, bind(self->server, (struct sockaddr *)&addr, + addrlen)); + ASSERT_EQ(0, bind(self->dgram_server, + (struct sockaddr *)&dgram_addr, addrlen)); + ASSERT_EQ(0, listen(self->server, 32)); + + /* signal to child that parent is listening */ + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + } + + ASSERT_EQ(child, waitpid(child, &status, 0)); + + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) != EXIT_SUCCESS) + _metadata->exit_code = KSFT_FAIL; +} + +enum sandbox_type { + NO_SANDBOX, + SCOPE_SANDBOX, + /* Any other type of sandboxing domain */ + OTHER_SANDBOX, +}; + +/* clang-format off */ +FIXTURE(optional_scoping) +{ + int parent_server, child_server, client; +}; + +/* clang-format on */ +FIXTURE_VARIANT(optional_scoping) +{ + const int domain_all; + const int domain_parent; + const int domain_children; + const int domain_child; + const int domain_grand_child; + const int type; +}; + +/* + * .-----------------. + * | ####### | P3 -> P2 : allow + * | P1----# P2 # | P3 -> P1 : deny + * | # | # | + * | # P3 # | + * | ####### | + * '-----------------' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(optional_scoping, deny_scoped) { + .domain_all = OTHER_SANDBOX, + .domain_parent = NO_SANDBOX, + .domain_children = SCOPE_SANDBOX, + .domain_child = NO_SANDBOX, + .domain_grand_child = NO_SANDBOX, + .type = SOCK_DGRAM, + /* clang-format on */ +}; + +/* + * .-----------------. + * | .-----. | P3 -> P2 : allow + * | P1----| P2 | | P3 -> P1 : allow + * | | | | + * | | P3 | | + * | '-----' | + * '-----------------' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(optional_scoping, allow_with_other_domain) { + .domain_all = OTHER_SANDBOX, + .domain_parent = NO_SANDBOX, + .domain_children = OTHER_SANDBOX, + .domain_child = NO_SANDBOX, + .domain_grand_child = NO_SANDBOX, + .type = SOCK_DGRAM, + /* clang-format on */ +}; + +/* + * .----. ###### P3 -> P2 : allow + * | P1 |----# P2 # P3 -> P1 : allow + * '----' ###### + * | + * P3 + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(optional_scoping, allow_with_one_domain) { + .domain_all = NO_SANDBOX, + .domain_parent = OTHER_SANDBOX, + .domain_children = NO_SANDBOX, + .domain_child = SCOPE_SANDBOX, + .domain_grand_child = NO_SANDBOX, + .type = SOCK_DGRAM, + /* clang-format on */ +}; + +/* + * ###### .-----. P3 -> P2 : allow + * # P1 #----| P2 | P3 -> P1 : allow + * ###### '-----' + * | + * P3 + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(optional_scoping, allow_with_grand_parent_scoped) { + .domain_all = NO_SANDBOX, + .domain_parent = SCOPE_SANDBOX, + .domain_children = NO_SANDBOX, + .domain_child = OTHER_SANDBOX, + .domain_grand_child = NO_SANDBOX, + .type = SOCK_STREAM, + /* clang-format on */ +}; + +/* + * ###### ###### P3 -> P2 : allow + * # P1 #----# P2 # P3 -> P1 : allow + * ###### ###### + * | + * .----. + * | P3 | + * '----' + */ +/* clang-format off */ +FIXTURE_VARIANT_ADD(optional_scoping, allow_with_parents_domain) { + .domain_all = NO_SANDBOX, + .domain_parent = SCOPE_SANDBOX, + .domain_children = NO_SANDBOX, + .domain_child = SCOPE_SANDBOX, + .domain_grand_child = NO_SANDBOX, + .type = SOCK_STREAM, + /* clang-format on */ +}; + +FIXTURE_SETUP(optional_scoping) +{ +} + +FIXTURE_TEARDOWN(optional_scoping) +{ + close(self->parent_server); + close(self->child_server); + close(self->client); +} + +/* Test UNIX_STREAM_CONNECT and UNIX_MAY_SEND for parent, child + * and grand child processes when they can have scoped or non-scoped + * domains. + **/ +TEST_F(optional_scoping, unix_scoping) +{ + pid_t child; + socklen_t addrlen; + int sock_len = 5; + int status; + struct sockaddr_un addr = { + .sun_family = AF_UNIX, + }; + const char sun_path[8] = "\0test"; + bool can_connect_to_parent, can_connect_to_child; + int pipe_parent[2]; + + if (variant->domain_grand_child == SCOPE_SANDBOX) + can_connect_to_child = false; + else + can_connect_to_child = true; + + if (!can_connect_to_child || variant->domain_children == SCOPE_SANDBOX) + can_connect_to_parent = false; + else + can_connect_to_parent = true; + + addrlen = offsetof(struct sockaddr_un, sun_path) + sock_len; + memcpy(&addr.sun_path, sun_path, sock_len); + + ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); + + if (variant->domain_all == OTHER_SANDBOX) + create_domain(_metadata); + else if (variant->domain_all == SCOPE_SANDBOX) + create_unix_domain(_metadata); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + int pipe_child[2]; + ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); + pid_t grand_child; + struct sockaddr_un child_addr = { + .sun_family = AF_UNIX, + }; + const char child_sun_path[8] = "\0tsst"; + + memcpy(&child_addr.sun_path, child_sun_path, sock_len); + + if (variant->domain_children == OTHER_SANDBOX) + create_domain(_metadata); + else if (variant->domain_children == SCOPE_SANDBOX) + create_unix_domain(_metadata); + + grand_child = fork(); + ASSERT_LE(0, grand_child); + if (grand_child == 0) { + ASSERT_EQ(0, close(pipe_parent[1])); + ASSERT_EQ(0, close(pipe_child[1])); + + char buf1, buf2; + int err; + + if (variant->domain_grand_child == OTHER_SANDBOX) + create_domain(_metadata); + else if (variant->domain_grand_child == SCOPE_SANDBOX) + create_unix_domain(_metadata); + + self->client = socket(AF_UNIX, variant->type, 0); + ASSERT_NE(-1, self->client); + + ASSERT_EQ(1, read(pipe_child[0], &buf2, 1)); + err = connect(self->client, + (struct sockaddr *)&child_addr, addrlen); + if (can_connect_to_child) { + EXPECT_EQ(0, err); + } else { + EXPECT_EQ(-1, err); + EXPECT_EQ(EPERM, errno); + } + + if (variant->type == SOCK_STREAM) { + EXPECT_EQ(0, close(self->client)); + self->client = + socket(AF_UNIX, variant->type, 0); + ASSERT_NE(-1, self->client); + } + + ASSERT_EQ(1, read(pipe_parent[0], &buf1, 1)); + err = connect(self->client, (struct sockaddr *)&addr, + addrlen); + if (can_connect_to_parent) { + EXPECT_EQ(0, err); + } else { + EXPECT_EQ(-1, err); + EXPECT_EQ(EPERM, errno); + } + EXPECT_EQ(0, close(self->client)); + + _exit(_metadata->exit_code); + return; + } + + ASSERT_EQ(0, close(pipe_child[0])); + if (variant->domain_child == OTHER_SANDBOX) + create_domain(_metadata); + else if (variant->domain_child == SCOPE_SANDBOX) + create_unix_domain(_metadata); + + self->child_server = socket(AF_UNIX, variant->type, 0); + ASSERT_NE(-1, self->child_server); + ASSERT_EQ(0, bind(self->child_server, + (struct sockaddr *)&child_addr, addrlen)); + if (variant->type == SOCK_STREAM) + ASSERT_EQ(0, listen(self->child_server, 32)); + + ASSERT_EQ(1, write(pipe_child[1], ".", 1)); + ASSERT_EQ(grand_child, waitpid(grand_child, &status, 0)); + return; + } + ASSERT_EQ(0, close(pipe_parent[0])); + + if (variant->domain_parent == OTHER_SANDBOX) + create_domain(_metadata); + else if (variant->domain_parent == SCOPE_SANDBOX) + create_unix_domain(_metadata); + + self->parent_server = socket(AF_UNIX, variant->type, 0); + ASSERT_NE(-1, self->parent_server); + ASSERT_EQ(0, + bind(self->parent_server, (struct sockaddr *)&addr, addrlen)); + + if (variant->type == SOCK_STREAM) + ASSERT_EQ(0, listen(self->parent_server, 32)); + + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + ASSERT_EQ(child, waitpid(child, &status, 0)); + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) != EXIT_SUCCESS) + _metadata->exit_code = KSFT_FAIL; +} + +/* + * Since the special case of scoping only happens when the connecting socket + * is scoped, the client's domain is true for all the following test cases. + */ +/* clang-format off */ +FIXTURE(unix_sock_special_cases) { + int server_socket, client; + int stream_server, stream_client; +}; + +/* clang-format on */ +FIXTURE_VARIANT(unix_sock_special_cases) +{ + const bool domain_server; + const bool domain_server_socket; + const int type; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_sock_special_cases, allow_dgram_server_sock_domain) { + /* clang-format on */ + .domain_server = false, + .domain_server_socket = true, + .type = SOCK_DGRAM, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_sock_special_cases, deny_dgram_server_domain) { + /* clang-format off */ + .domain_server = true, + .domain_server_socket = false, + .type = SOCK_DGRAM, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_sock_special_cases, allow_stream_server_sock_domain) { + /* clang-format on */ + .domain_server = false, + .domain_server_socket = true, + .type = SOCK_STREAM, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(unix_sock_special_cases, deny_stream_server_domain) { + /* clang-format off */ + .domain_server = true, + .domain_server_socket = false, + .type = SOCK_STREAM, +}; + +FIXTURE_SETUP(unix_sock_special_cases) +{ +} + +FIXTURE_TEARDOWN(unix_sock_special_cases) +{ + close(self->client); + close(self->server_socket); + close(self->stream_server); + close(self->stream_client); +} + +/* Test UNIX_STREAM_CONNECT and UNIX_MAY_SEND for parent and + * child processes when connecting socket has different domain + * than the process using it. + **/ +TEST_F(unix_sock_special_cases, dgram_cases) +{ + pid_t child; + socklen_t addrlen; + int sock_len = 5; + struct sockaddr_un addr, addr_stream = { + .sun_family = AF_UNIX, + }; + const char sun_path[8] = "\0test"; + const char sun_path_stream[8] = "\0strm"; + int err, status; + int pipe_child[2], pipe_parent[2]; + char buf_parent; + + ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); + ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); + + addrlen = offsetof(struct sockaddr_un, sun_path) + sock_len; + memcpy(&addr.sun_path, sun_path, sock_len); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + char buf_child; + + ASSERT_EQ(0, close(pipe_parent[1])); + ASSERT_EQ(0, close(pipe_child[0])); + + /* client always has domain */ + create_unix_domain(_metadata); + + if (variant->domain_server_socket) { + int data_socket; + int fd_sock = socket(AF_UNIX, variant->type, 0); + + ASSERT_NE(-1, fd_sock); + + self->stream_server = socket(AF_UNIX, SOCK_STREAM, 0); + + ASSERT_NE(-1, self->stream_server); + memcpy(&addr_stream.sun_path, sun_path_stream, + sock_len); + ASSERT_EQ(0, bind(self->stream_server, + (struct sockaddr *)&addr_stream, + addrlen)); + ASSERT_EQ(0, listen(self->stream_server, 32)); + + ASSERT_EQ(1, write(pipe_child[1], ".", 1)); + + data_socket = accept(self->stream_server, NULL, NULL); + + ASSERT_EQ(0, send_fd(data_socket, fd_sock)); + ASSERT_EQ(0, close(fd_sock)); + TH_LOG("sending completed\n"); + } + + self->client = socket(AF_UNIX, variant->type, 0); + ASSERT_NE(-1, self->client); + /* wait for parent signal for connection */ + ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)); + + err = connect(self->client, (struct sockaddr *)&addr, addrlen); + if (!variant->domain_server_socket) { + EXPECT_EQ(-1, err); + EXPECT_EQ(EPERM, errno); + } else { + EXPECT_EQ(0, err); + } + _exit(_metadata->exit_code); + return; + } + + ASSERT_EQ(0, close(pipe_child[1])); + ASSERT_EQ(0, close(pipe_parent[0])); + + if (!variant->domain_server_socket) { + self->server_socket = socket(AF_UNIX, variant->type, 0); + } else { + int cli = socket(AF_UNIX, SOCK_STREAM, 0); + + ASSERT_NE(-1, cli); + memcpy(&addr_stream.sun_path, sun_path_stream, sock_len); + ASSERT_EQ(1, read(pipe_child[0], &buf_parent, 1)); + ASSERT_EQ(0, connect(cli, (struct sockaddr *)&addr_stream, + addrlen)); + + self->server_socket = recv_fd(cli); + ASSERT_LE(0, self->server_socket); + } + + ASSERT_NE(-1, self->server_socket); + + if (variant->domain_server) + create_unix_domain(_metadata); + + ASSERT_EQ(0, + bind(self->server_socket, (struct sockaddr *)&addr, addrlen)); + if (variant->type == SOCK_STREAM) + ASSERT_EQ(0, listen(self->server_socket, 32)); + /* signal to child that parent is listening */ + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + + ASSERT_EQ(child, waitpid(child, &status, 0)); + + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) != EXIT_SUCCESS) + _metadata->exit_code = KSFT_FAIL; +} TEST_HARNESS_MAIN From patchwork Thu Jul 18 04:15:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13736022 Received: from mail-oo1-f54.google.com (mail-oo1-f54.google.com [209.85.161.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B767847A6A; Thu, 18 Jul 2024 04:15:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.161.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276154; cv=none; b=ZjBCKKnH8bCPRR8+XNSZlajAuvObvGTKT8sIvFSeioKtcNlP2pWxQ9Z6EdK0qdqFfg6UHzp22837gvwbfsuNM2iGeiTMfali9YrLt+MypMvmokM/oev/Lk2UvvkTB80DV9u0yEizUnmPQkI+I9dW78HIBEgqryxbJSq9cIfXWoA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276154; c=relaxed/simple; bh=Mi5ZUM41/ktJX7zKCU6FlONfY/9U4/6+NbrEylDFMN4=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=pDuABLi53s8LY5CxaFiGIIwbi/frW5459uXuO6jjsXqpdWkXjrbkLPpdcOhd3BqzDzeHHlpvNU1Me5kcaD1z3lI6DEbx0L05k+QRTpzLdyTBeUlE7VVP08IsPUtS5IEKdt45CoXLDrudPqLFgzW9CkbonPTdttNIlva81158lHk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=X0GYPv6n; arc=none smtp.client-ip=209.85.161.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="X0GYPv6n" Received: by mail-oo1-f54.google.com with SMTP id 006d021491bc7-5b9778bb7c8so161877eaf.3; Wed, 17 Jul 2024 21:15:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721276152; x=1721880952; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=s6zBj5uZPcxriKU++D3mNaRl/FODLGy5kTzzaF5U6JU=; b=X0GYPv6nsQnDv8eh+4hv1Fun5avsyHW/qi6McOiP2acHoT9Vaupa15tNijlLlhDqdL HlANIGPlRcY281Je2WNTQn6fmaJ7nPu92znrO9BRyS4HWGOlJv0MqwvT0QNdSGLzaaSS YUvEaqAEDn4YheMWOXEkPXKnTYPNaICoQhIBdHQtfz+x72mRIvetUs+3CZXIF96CGom8 fMr0xvlHxznXC+KsvWVFU7aMHpeJwj4gk/DAmGigMHp+NR3Hj06Vt0bmDjhLUA7xIQeA 8cJzX2cFCk4fkxyhkokeglRevI161CoXncC+EFyarRpu1ED6OA2PfeCt8ntkRBaBHraB rtow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721276152; x=1721880952; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=s6zBj5uZPcxriKU++D3mNaRl/FODLGy5kTzzaF5U6JU=; b=iLVdOrvIuJGr/4LVu8Xrb/xOfrQHUsKhqAxLC/x6ibtoY4/oIvR3V8wzC+gHzDz9hp 08C6jBi8jVITXBaCDGT/3vsTDm3lnBZzQowGvq1wZs3Bhc/lqRV8qq2PAbWZBNNQ34mo b2TU0sY5wFPyp49heWf9+pCyj9PsZ27398rAPXuO0aQcRW2C8+/NDUcC3DryBUOi5foc S2N6jzv96fRCSRQTXT6KSDRBZPVKc+m7uE6DaPi11y1l8RIZtTBf3Kg5w6Wm/7IdOflf nOvVfPHZ9XYYZFjtTeNxXQSY2C0z+NqHaZIlboV9M5k371uPhzILV5BYty872Wz3feKN BoyA== X-Forwarded-Encrypted: i=1; AJvYcCVfR95jAuagPTtwplf3iPUYpC9quwCTEuTxunptjvDo+87xzjPQYze3qbUSgxGfZXR66uGLx1OqahkreCSSPGXHgev384GbDsXT+G8RDYeV4wzY0q/VnmEuPJbZAg5Fz6jky/11HgD09Nv+a56JGD3wmzD/w2HreRkVN3zoUpUtsjkEbY2KMwZOZz+G X-Gm-Message-State: AOJu0Ywoztvy0EojOb19dFw0yTrXJm/rWtjCUe39TUeAidDF6CQ+x94x YQEaj6RR9brGLEF2HuzQvzrYBzsSuXOxU88weYnNQJRZWYnlbOoS X-Google-Smtp-Source: AGHT+IFwFt3EVAdJbOsXpxxA3vfHmISA7yugItyNb7EugfFXHK8ITWJL2iMN37Ie6Bpm5iDgO7brkg== X-Received: by 2002:a05:6359:4121:b0:1aa:d71f:6921 with SMTP id e5c5f4694b2df-1aca9e92f8dmr148395155d.5.1721276151571; Wed, 17 Jul 2024 21:15:51 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1fc0bc38dc0sm83152785ad.215.2024.07.17.21.15.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Jul 2024 21:15:51 -0700 (PDT) From: Tahera Fahimi To: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, outreachy@lists.linux.dev, netdev@vger.kernel.org Cc: Tahera Fahimi Subject: [PATCH v7 3/4] samples/landlock: Support abstract unix socket restriction Date: Wed, 17 Jul 2024 22:15:21 -0600 Message-Id: <4f533a80d56d9f57d50a87d55101cfdeb03404c3.1721269836.git.fahimitahera@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 - Adding IPC scoping to the sandbox demo by defining a new "LL_SCOPED" environment variable. "LL_SCOPED" gets value "a" to restrict abstract unix sockets. - Change to LANDLOCK_ABI_LAST to 6. Signed-off-by: Tahera Fahimi --- samples/landlock/sandboxer.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index e8223c3e781a..d280616585d4 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -55,6 +56,7 @@ static inline int landlock_restrict_self(const int ruleset_fd, #define ENV_FS_RW_NAME "LL_FS_RW" #define ENV_TCP_BIND_NAME "LL_TCP_BIND" #define ENV_TCP_CONNECT_NAME "LL_TCP_CONNECT" +#define ENV_SCOPED_NAME "LL_SCOPED" #define ENV_DELIMITER ":" static int parse_path(char *env_path, const char ***const path_list) @@ -208,7 +210,7 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd, /* clang-format on */ -#define LANDLOCK_ABI_LAST 5 +#define LANDLOCK_ABI_LAST 6 int main(const int argc, char *const argv[], char *const *const envp) { @@ -216,6 +218,7 @@ int main(const int argc, char *const argv[], char *const *const envp) char *const *cmd_argv; int ruleset_fd, abi; char *env_port_name; + char *env_scoped_name; __u64 access_fs_ro = ACCESS_FS_ROUGHLY_READ, access_fs_rw = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE; @@ -223,14 +226,15 @@ int main(const int argc, char *const argv[], char *const *const envp) .handled_access_fs = access_fs_rw, .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, + .scoped = LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET, }; if (argc < 2) { fprintf(stderr, - "usage: %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\"%s " + "usage: %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\" %s " " [args]...\n\n", ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME, - ENV_TCP_CONNECT_NAME, argv[0]); + ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv[0]); fprintf(stderr, "Execute a command in a restricted environment.\n\n"); fprintf(stderr, @@ -251,15 +255,18 @@ int main(const int argc, char *const argv[], char *const *const envp) fprintf(stderr, "* %s: list of ports allowed to connect (client).\n", ENV_TCP_CONNECT_NAME); + fprintf(stderr, "* %s: list of allowed restriction on IPCs.\n", + ENV_SCOPED_NAME); fprintf(stderr, "\nexample:\n" "%s=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" " "%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" " "%s=\"9418\" " "%s=\"80:443\" " + "%s=\"a\" " "%s bash -i\n\n", ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME, - ENV_TCP_CONNECT_NAME, argv[0]); + ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv[0]); fprintf(stderr, "This sandboxer can use Landlock features " "up to ABI version %d.\n", @@ -326,7 +333,10 @@ int main(const int argc, char *const argv[], char *const *const envp) case 4: /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; - + __attribute__((fallthrough)); + case 5: + /* Removes IPC scoping mechanism for ABI < 6 */ + ruleset_attr.scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; fprintf(stderr, "Hint: You should update the running kernel " "to leverage Landlock features " @@ -357,7 +367,10 @@ int main(const int argc, char *const argv[], char *const *const envp) ruleset_attr.handled_access_net &= ~LANDLOCK_ACCESS_NET_CONNECT_TCP; } - + /* Removes IPC scoping attribute if not supported by a user. */ + env_scoped_name = getenv(ENV_SCOPED_NAME); + if (!env_scoped_name) + ruleset_attr.scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET; ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); if (ruleset_fd < 0) { From patchwork Thu Jul 18 04:15:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Tahera Fahimi X-Patchwork-Id: 13736023 Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48B0E1B86E7; Thu, 18 Jul 2024 04:15:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.178 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276154; cv=none; b=GCurUM77OD/ztPiIm8RKwjBlnJgJPznF3JR86w7H2mZGY4jLDKReq1iTZr7WFYxZaB/6e2UQp7vRTbsX3fPGRQyu6/2niZzWB24/qoeGQQDWze0fzelJtp76EI7B3Rrod2py4jvg6rMWY94EDgxVdckvqpDqE/CP/xWORMZ32cw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1721276154; c=relaxed/simple; bh=U1skI0/owqu89TPWoLBxrMB2fOvZuZ6/wD+ec3esMxU=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=ZR5qUhYb9G7tJHTFFPKwEj0QT/wRWUmFubJriXpkR0fZItnl14SQMnjnE8nEUaKOLKWMRvzfMiV8XCUgYCYU5PDsLBF/jx5uakaVfmWjrh9HP3JeltqZzhFXOB/eGufC2bHC04vtqqbQd9neYFxUwmQ7y2MpKetLbjTt76fuAXI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=htsPrR+o; arc=none smtp.client-ip=209.85.214.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="htsPrR+o" Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1fc569440e1so3878315ad.3; Wed, 17 Jul 2024 21:15:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721276152; x=1721880952; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=K4AZApuNWuMCTq5fWJPFQbHeMwMdXxcGaz7OzmTbO1M=; b=htsPrR+oxs7E3DAVDT3EvTvH43AjFsbjS+zAKbExEVUSB2OaB83p8Td2V/zUZstO7q GpZPSJPjCXkrcH4i7eBQC35Ozk622pFZ9mm4fsWh0fIRONiO80mj4DsFPsSsy2gPmxyP Q0SP/dSO9djaE2ceqbclerYnYPnITX3sEsMmd1HLB9NsHWicJHVjXnOnFX0BvvopevAg FTUsnhs/Dy6B0BkllvOmGn8XrVE4YydLrNWvf7xL1CntsC4jdIOjFdq6o7lM5dRC4x8t 6JTF1VUWj53kXtBXD3ZtPdmfjAhbOEqzh1MxkZ/bttyzGYJYjGogItngkHrAy64Z9dBj kJsA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721276152; x=1721880952; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=K4AZApuNWuMCTq5fWJPFQbHeMwMdXxcGaz7OzmTbO1M=; b=jkrnzNAlQ8hoVeqyTGHSaZql+fXEHD9mvcXskoTtD7SQn769OxEosoAOXvLaYdopYj TsalUeKn9YvRRe0U3b+lUw9/bO78YD5aO7/tf95PHA9qfyLKzjDt5IqnZDnYpg0M0ykZ SBCtLVewGBwr4QIqCz/yfW+9ZnERAZuZd6FmqgicvyAQVC2YObIxVtBqRiMa/fhcOXaO 5cY56XuazohVOdrVDR7B9bTz5XWug3pRfm36CCsGJeecyjqFIpt4TXOR+aWphspHouEv A+xnkCNLoBkpEoCmEGgLh0H3CfwklIP2u3w4S1B1yURb4Fx0LdQ2TW5Tz8qu7p83/gPU KqDw== X-Forwarded-Encrypted: i=1; AJvYcCV0nXldHXheZ+Hto9XjfVCqgqDBE2m7LJdNu7C60KiiR6qm5KMdj9q/+377+kqoxj2lzfXsYYv98qNYZWpZ6xff1kLNw99CcqX6+y3mheZFWKDCxOcyur4MAvTyfvl9I3O8UknhCmZ82pPJjTn+5dUOYU/K9WQ37rQ04AfkR9cPCP1eUulTpk0p7RFh X-Gm-Message-State: AOJu0YxUKHHZJUiOhJCOHYf5y/3hPiyjlRhhO0iRYazRtuCmj43j+bsU sShhul319kb1Sss0gCK9Uc7NOoE0RyYlOObupVIxtQJ2JeXJfJzD X-Google-Smtp-Source: AGHT+IE89WGHF6zhVB1Wo0uchAQ3vvWGFzOEJsdiKRmsm4DKPl2YocYWq1TxHWGxltp2Fr6Wyayu7g== X-Received: by 2002:a17:902:c94d:b0:1fb:5808:73c9 with SMTP id d9443c01a7336-1fc4e676606mr33999065ad.33.1721276152529; Wed, 17 Jul 2024 21:15:52 -0700 (PDT) Received: from tahera-OptiPlex-5000.tail3bf47f.ts.net ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1fc0bc38dc0sm83152785ad.215.2024.07.17.21.15.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Jul 2024 21:15:52 -0700 (PDT) From: Tahera Fahimi To: mic@digikod.net, gnoack@google.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com, jannh@google.com, outreachy@lists.linux.dev, netdev@vger.kernel.org Cc: Tahera Fahimi Subject: [PATCH v7 4/4] documentation/landlock: Adding scoping mechanism documentation Date: Wed, 17 Jul 2024 22:15:22 -0600 Message-Id: <319fd95504a9e491fa756c56048e63791ecd2aed.1721269836.git.fahimitahera@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 - Defining ABI version 6 that supports IPC restriction. - Adding "scoped" to the "Access rights". - In current limitation, unnamed sockets are specified as sockets that are not restricted. Signed-off-by: Tahera Fahimi --- Documentation/userspace-api/landlock.rst | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 07b63aec56fa..61b91cc03560 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -8,7 +8,7 @@ Landlock: unprivileged access control ===================================== :Author: Mickaël Salaün -:Date: April 2024 +:Date: July 2024 The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock @@ -306,6 +306,16 @@ To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target process, a sandboxed process should have a subset of the target process rules, which means the tracee must be in a sub-domain of the tracer. +IPC Scoping +----------- + +Similar to Ptrace, a sandboxed process should not be able to access the resources +(like abstract unix sockets, or signals) outside of the sandbox domain. For example, +a sandboxed process should not be able to :manpage:`connect(2)` to a non-sandboxed +process through abstract unix sockets (:manpage:`unix(7)`). This restriction is +applicable by optionally specifying ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET`` in +the ruleset. + Truncating files ---------------- @@ -404,7 +414,7 @@ Access rights ------------- .. kernel-doc:: include/uapi/linux/landlock.h - :identifiers: fs_access net_access + :identifiers: fs_access net_access scoped Creating a new ruleset ---------------------- @@ -446,7 +456,7 @@ Special filesystems Access to regular files and directories can be restricted by Landlock, according to the handled accesses of a ruleset. However, files that do not -come from a user-visible filesystem (e.g. pipe, socket), but can still be +come from a user-visible filesystem (e.g. pipe, unnamed socket), but can still be accessed through ``/proc//fd/*``, cannot currently be explicitly restricted. Likewise, some special kernel filesystems such as nsfs, which can be accessed through ``/proc//ns/*``, cannot currently be explicitly @@ -541,6 +551,13 @@ earlier ABI. Starting with the Landlock ABI version 5, it is possible to restrict the use of :manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right. +Special filesystems (ABI < 6) +----------------------------- + +With ABI version 6, it is possible to restrict IPC actions such as connecting to +an abstract Unix socket through ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``, thanks +to the ``.scoped`` ruleset attribute. + .. _kernel_support: Kernel support