Received: by 2002:a05:7208:2202:b0:86:316c:7444 with SMTP id s2csp98250rbb; Thu, 30 May 2024 16:22:58 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUDTQLmjOtcY0QhAWivbP+wVlm0x/JG0pXm09zR+qPxHlF00dQgCabUJn69n+brlxQAcbBT1YjZKknJKHq+F/a/nx8OQOOEBZBs8J5BAA== X-Google-Smtp-Source: AGHT+IE1IOvoWUjI1Cfq6W870NvI+Nkz86yMwZTH5UrShAysvUyHb1VsT5JnuD71HYNsORY/Te8X X-Received: by 2002:a05:6a00:2d1c:b0:6ed:d68d:948a with SMTP id d2e1a72fcca58-702478c70aemr262442b3a.23.1717111377796; Thu, 30 May 2024 16:22:57 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717111377; cv=pass; d=google.com; s=arc-20160816; b=0jTS8xHopQvCL4adEXW49ULwBE3HaHRCD+eqLE3Gk6Pb82XDZPw2WLBVydEfD4HZ9S 0EMJDqwgmKIz9kzVLEI9Ykvw8f4f2SPqYePmSuLI4Tg4Xvks1SEb/58G3nmSZgTfEyMV 6i3MA7OBhObEFDB01gnGJgSko5eLoIY2iHN+/EuDAlFj4WBX7LtzOWJ9PKwXLOonQ0ju +tgbfcMa6NlwFFQHeVQdpqP11HY7s4MuC7zS+w7LSpKIor0NKYQmoY208YB0Tywtichc lvsJUzxAQHizrGnLviogmNl9Y860oyZ8tTomQBXXClZiaKfOAcy7YxgW3AqYF8nDgvFR unjQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=FuqdMEwY6ApcjLMbdp1tLuV20KDvi7MGyAlyHkkts5I=; fh=w7ZQXjLMIZ5tbiPEsPgJhq5lU5LACvheb+4rqPhuwCE=; b=eEw/rMzyZX+Yt4MTKXu8k6wQKa6ZFYB8AMKxNCh24VdG695AhqDg8mLKbASwkKCeYM L0b1n8LzVbGp9XoDFfrz3K8Wmm/r+YfW+vj37mQy92c290IHVhgQcuI/NFUkOuOHqTi2 lWHQZoGhmzpVl2VBD8/ZrKsseHU/6be2MxQ203kWQ0ZyAZWgWVJUURuLNopnX8TLTzI8 tloFvP+MePgKPcP2qyxcC7HbkNhW9qMT5HzDIhuF3C2N5z4K+9a8tmqeTJ00ZgYwQ42o 4/kTErGk35kB2e15mh5/g/JxVkLHnmLaagwXFtVECo+R8j4+TW6PMhjF7ZW4lx2GlaqO ssBQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=SXsrmrkl; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-196019-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-196019-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id 41be03b00d2f7-6c355157df3si414405a12.206.2024.05.30.16.22.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 May 2024 16:22:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-196019-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=SXsrmrkl; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-196019-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-196019-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id EC633B258BF for ; Thu, 30 May 2024 23:14:09 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A648E19069F; Thu, 30 May 2024 23:13:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="SXsrmrkl" Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 28B0418629F; Thu, 30 May 2024 23:13:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.180 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717110789; cv=none; b=DoYBZc/O8KYRF1XmKVw+ejEch9IdGnTckLxPFC//q6I3ALmnvi91bhPm0vhTN5cPqhAInqoITAVSGjuHRZbxk8K43FloE8XFp1Z8O0unzcrh7R27IPNtWK8D0z3JyqJH+QBsXOQxYeYBFcpVEV5Xd79+9aoyGFbDd6H9KvzMDr4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717110789; c=relaxed/simple; bh=po7DAgy8YTC2bJzT7s/B+fFjRETSLdi28cWfqH3P/sU=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=FAFE2fdCk4yCVXsBk2ExhmnZuGVegDrjxM6t24H8QSLkIkVadwfprHf0ctChkzoLDD090HT8cMuTB+3Z0mRde1VbW49RLCtxDUy151PUFnadZOu2Fvxj6+5+zXZhr/O74r+nDWLufn3magwuIkiMoJJD5t8o2pzekpal7uKgk+0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=SXsrmrkl; arc=none smtp.client-ip=209.85.214.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-1f6134df05fso13532375ad.1; Thu, 30 May 2024 16:13:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1717110787; x=1717715587; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=FuqdMEwY6ApcjLMbdp1tLuV20KDvi7MGyAlyHkkts5I=; b=SXsrmrklZ1RMGL+v9Ewg7AUrrnpV3NsJsqWlH9pymMEPNIJKrwCk9IHvpxmcDT58m8 J2Areu5sFc+rEa0uSYQNRSc0fyVMBIohXGqWhqNnIihZygW6f9haAMJ9lWEFhy3YBjNx ObF+nH4Z3Oo4v/MvozyeOzmsnxHLPVCUTfT2zuUThDnBvRhhaq9M0c/fOOZJ4IlQZj4A z0FOGhqWGwj3jBjx8hhe+Qr5I+ImfAzb3/HzKpg1/scyyWVXNu0ima1ZpPYGBdAgMHbk Wj08F0ig3Rnna46k634F2booSJ+6StMQqaVw1Tu5k4NT9lZ0YOBO2Sh/MAetrbh5O11o TtXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717110787; x=1717715587; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=FuqdMEwY6ApcjLMbdp1tLuV20KDvi7MGyAlyHkkts5I=; b=omrMY1XI8/1ezWNsGKDtyH5xCWxaxRfnkk701bule8byOuPVkRxdoDqK2liuOmQ1Qv 1iCqAEYfwFV4jchUpPpCGARy++vD7h220K5rEwfBNQa87k4+0FMC608jdILbl1otlUMH QhYkLnQ9iBezgJ7yiAvUYpnsO6ZTd7d4qq7F88C4wBxdDM/KjMbo1S9/9zwERHFCVWR6 tDVDOToMYuZfi4E7NdcBcfbmlG6CV23d2nooSMLFZu0birJWHvb/AG2PLmKPTGbE36UI s86ULWIW6YbhpFYXuFeURyByKx+3d4bYcFGpFgMDUuwZX2qSHg5Aou4n5WRgSCvFCdJr tiDA== X-Forwarded-Encrypted: i=1; AJvYcCVD/1im+nGiquY/R9bNDmJTLrNQwHxp+PIBCqgqB8RCgm9pRMBC+lmZCDYLcHADcQPrVGW5xZDHtCxoberAHdI2WBV7YD0bCd/XEKGbKi0zm/2z7mppySn6Gb+r8RfR3B0F9uNYBGXMpjMLNTPpOPQuGJ65UpsFjIDN3VKLpzeR/beFbpb1hqkGG/A/ X-Gm-Message-State: AOJu0YykGCeSfjFaH3+h/lEOermLRSVoWuCJgzCVA0pHsSrEdX3WZCiR f+7yYeXv5oZ+5qs4Bph2gqL8ht9kc5OkeAKVkOnk8MMAaWCFtvdH X-Received: by 2002:a17:902:e851:b0:1f4:947b:b7b6 with SMTP id d9443c01a7336-1f6370320c1mr2748675ad.39.1717110787217; Thu, 30 May 2024 16:13:07 -0700 (PDT) Received: from tahera-OptiPlex-5000 ([136.159.49.123]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1f6323e9f2csm3160285ad.200.2024.05.30.16.13.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 May 2024 16:13:06 -0700 (PDT) Date: Thu, 30 May 2024 17:13:04 -0600 From: Tahera Fahimi To: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= Cc: Paul Moore , James Morris , "Serge E.Hallyn" , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, outreachy@lists.linux.dev, netdev@vger.kernel.org, =?iso-8859-1?Q?Bj=F6rn?= Roy Baron , Jann Horn , =?iso-8859-1?Q?G=FCnther?= Noack Subject: Re: [PATCH v2] landlock: Add abstract unix socket connect restrictions Message-ID: References: <20240401.ieC2uqua5sha@digikod.net> <20240411.ahgeefeiNg4i@digikod.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20240411.ahgeefeiNg4i@digikod.net> On Tue, Apr 30, 2024 at 05:24:45PM +0200, Mickaël Salaün wrote: > On Wed, Apr 10, 2024 at 04:24:30PM -0600, Tahera Fahimi wrote: > > On Tue, Apr 02, 2024 at 11:53:09AM +0200, Mickaël Salaün wrote: > > > Thanks for this patch. Please CC the netdev mailing list too, they may > > > be interested by this feature. I also added a few folks that previously > > > showed their interest for this feature. > > > > > > On Thu, Mar 28, 2024 at 05:12:13PM -0600, TaheraFahimi wrote: > > > > Abstract unix sockets are used for local interprocess communication without > > > > relying on filesystem. Since landlock has no restriction for connecting to > > > > a UNIX socket in the abstract namespace, a sandboxed process can connect to > > > > a socket outside the sandboxed environment. Access to such sockets should > > > > be scoped the same way ptrace access is limited. > > > > > > This is good but it would be better to explain that Landlock doesn't > > > currently control abstract unix sockets and that it would make sense for > > > a sandbox. > > > > > > > > > > > > > > For a landlocked process to be allowed to connect to a target process, it > > > > must have a subset of the target process’s rules (the connecting socket > > > > must be in a sub-domain of the listening socket). This patch adds a new > > > > LSM hook for connect function in unix socket with the related access rights. > > > > > > Because of compatibility reasons, and because Landlock should be > > > flexible, we need to extend the user space interface. As explained in > > > the GitHub issue, we need to add a new "scoped" field to the > > > landlock_ruleset_attr struct. This field will optionally contain a > > > LANDLOCK_RULESET_SCOPED_ABSTRACT_UNIX_SOCKET flag to specify that this > > > ruleset will deny any connection from within the sandbox to its parents > > > (i.e. any parent sandbox or not-sandboxed processes). > > > Thanks for the feedback. Here is what I understood, please correct me if > > I am wrong. First, I should add another field to the > > landlock_ruleset_attr (a field like handled_access_net, but for the unix > > sockets) with a flag LANDLOCK_ACCESS_UNIX_CONNECT (it is a flag like > > LANDLOCK_ACCESS_NET_CONNECT_TCP but fot the unix sockets connect). > > That was the initial idea, but after thinking more about it and talking > with some users, I now think we can get a more generic interface. > > Because unix sockets, signals, and other IPCs are fully controlled by > the kernel (contrary to inet sockets that get out of the system), we can > add ingress and egress control according to the source and the > destination. > > To control the direction we could add an > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE and a > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND rights (these names are a bit > long but at least explicit). To control the source and destination, it > makes sense to use Landlock domain (i.e. sandboxes): > LANDLOCK_DOMAIN_HIERARCHY_PARENT, LANDLOCK_DOMAIN_HIERARCHY_SELF, and > LANDLOCK_DOMAIN_HIERARCHY_CHILD. This could be used by extending the > landlock_ruleset_attr type and adding a new > landlock_domain_hierarchy_attr type: > > struct landlock_ruleset_attr ruleset_attr = { > .handled_access_dom = LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | \ > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, > } > > // Allows sending data to and receiving data from processes in the same > // domain or a child domain, through abstract unix sockets. > struct landlock_domain_hierarchy_attr dom_attr = { > .allowed_access = LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | \ > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, > .relationship = LANDLOCK_DOMAIN_HIERARCHY_SELF | \ > LANDLOCK_DOMAIN_HIERARCHY_CHILD, > }; > > It should also work with other kind of IPCs: > * LANDLOCK_ACCESS_DOM_UNIX_PATHNAME_RECEIVE/SEND (signal) > * LANDLOCK_ACCESS_DOM_SIGNAL_RECEIVE/SEND (signal) > * LANDLOCK_ACCESS_DOM_XSI_RECEIVE/SEND (XSI message queue) > * LANDLOCK_ACCESS_DOM_MQ_RECEIVE/SEND (POSIX message queue) > * LANDLOCK_ACCESS_DOM_PTRACE_RECEIVE/SEND (ptrace, which would be > limited) > > What do you think? I was wondering if you expand your idea on the following example. Considering P1 with the rights that you mentioned in your email, forks a new process (P2). Now both P1 and P2 are on the same domain and are allowed to send data to and receive data from processes in the same domain or a child domain. /* * Same domain (inherited) * .-------------. * | P1----. | P1 -> P2 : allow * | \ | P2 -> P1 : allow * | ' | * | P2 | * '-------------' */ (P1 domain) = (P2 domain) = { .allowed_access = LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, .relationship = LANDLOCK_DOMAIN_HIERARCHY_SELF | LANDLOCK_DOMAIN_HIERARCHY_CHILD, } In another example, if P1 has the same domain as before but P2 has LANDLOCK_DOMAIN_HIERARCHY_PARENT in their domain, so P1 still can connect to P2. /* * Parent domain * .------. * | P1 --. P1 -> P2 : allow * '------' \ P2 -> P1 : allow * ' * P2 */ (P1 domain) = { .allowed_access = LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, .relationship = LANDLOCK_DOMAIN_HIERARCHY_SELF | LANDLOCK_DOMAIN_HIERARCHY_CHILD, } (P2 domain) = { .allowed_access = LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, .relationship = LANDLOCK_DOMAIN_HIERARCHY_SELF | LANDLOCK_DOMAIN_HIERARCHY_CHILD | LANDLOCK_DOMAIN_HIERARCHY_PARENT, }