Received: by 2002:a05:6500:2018:b0:1fb:9675:f89d with SMTP id t24csp394173lqh; Fri, 31 May 2024 05:00:50 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVyOO09Kxs6SGgBsiBgyO0CLdcQJ9zdWiz+iwcfOJkLv5glpDySEpj0m5b41iKHFOa/L5HY/DKOOiugCt8ctRiIqSIAyEckIzHrFmpDsw== X-Google-Smtp-Source: AGHT+IGQt0Ux3aA4dt0mte/NzBf6ExIhRiSVjEPOu47xrIdZn/QjwiqM7TRJq69ci5CZTYz3lQY9 X-Received: by 2002:a05:6a21:33a1:b0:1b0:58e:1b93 with SMTP id adf61e73a8af0-1b26f0ef87bmr2237664637.1.1717156850581; Fri, 31 May 2024 05:00:50 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717156850; cv=pass; d=google.com; s=arc-20160816; b=vDdW/nRdBwhKTZ1gs7Ci/ysIT/SuHbJwyDHflvwre5DvdJQf8+srMTrxEsZZfF6ejK nHJjyTq3mEZsHN0SYOBQhDOzTkyV/E73Wn3mqsdFcBoaboDTvs2Djqyinivl+G76bcpG fnBVtqdRtblp72jYqzSHSYsbTYviS07yr/zXlc6X7QkyCnjPW2SPq9Of89T5GJK821zb KMWr+uGGDj12poCTh2hYYMVV7sYZdwqeI0DTpJlYvWQZFv+3y7OJfsealN2r6S/8oZCc J0IZF7ZWx2nT9pCnAJgfDUVcQSpdXxpYn+AIAgYtv/tT4SwonfiANXNg6o2ISdA8SpDk bbkQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=PTdHv7fGQLwj9u1hLPUCBVWvG4NslAaAcaO2qrWkcQk=; fh=TMSpwZfPu+xxwP3jeGXlMhIz2EsgxvVP1t3IT7wRXUc=; b=WpeVDO1xtXbpex3fpRDqX7+0yT57qdpDXYA+96mpY2qXFPNJv1rB/tQ5Ed4c42Mg+b ZSAw4hnS9C3F4ms7oFqnWM6MIFi04+aG6airsAi9OaBOy0kIyOWsnH5sMHtthnGjvzwK GRKnThL0Yy84Bp2lEYStW/JYsztkALuywDnzyl15y02W6KGX1yJZfAijdxPcM6ZNut+8 0hYdBAcT9Z3HYQwXUdnBPu+5PPRoXsNC96nBCdNTdgiq07QqW34mKXresyED81V2JThU rwaXMysdW1P4dgcg3c1OYtpmMT5NhWjT679YAj3jm5U8DMoLXZsDgMKcRKPm3dwl8SIR +89A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=XixqvIIV; arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net); spf=pass (google.com: domain of linux-kernel+bounces-196750-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-196750-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id 41be03b00d2f7-6c35c181d24si1429476a12.687.2024.05.31.05.00.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 May 2024 05:00:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-196750-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=XixqvIIV; arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net); spf=pass (google.com: domain of linux-kernel+bounces-196750-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-196750-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id B9A922871DF for ; Fri, 31 May 2024 12:00:49 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id CCBE91581E6; Fri, 31 May 2024 12:00:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="XixqvIIV" Received: from smtp-8fac.mail.infomaniak.ch (smtp-8fac.mail.infomaniak.ch [83.166.143.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4455C29A0 for ; Fri, 31 May 2024 12:00:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717156844; cv=none; b=uQKgSuSHC91cHgSvBh0ebSd8G4cxILUwND2ifOUMzaN3oCCBnJrDQjjmalMcMuxMT7SCmPYEMwZXruNvySfhDGRsgdFbQ/SgO5mi8VDwU3YXWUeauiJoErR0KlM7J4nkymfLLYs9GLcxKJOVabG7gFgxQO8wetxJpchPi6Gbo9w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717156844; c=relaxed/simple; bh=/fNJjki3s+FiaWJi/pZfpB/oREdyo+P3mnzggQXSVFg=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=FgW9d+DY5W3fOG9TCecbF1dEApuXEgsvE/Dx1/AVJfno87eNLBG1Tm+UUIXfbCvuXobGP5SqomrrYfZUjNrjwlItrmgw32W1AbzwbjoxltUHrtJCW+PLOcQWlyZMWxNBGfSN+SeI9KVEx1oJPYegbejTJ6DPuU3FCena0jauJsY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=XixqvIIV; arc=none smtp.client-ip=83.166.143.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4VrJ3l5mjBzR2; Fri, 31 May 2024 11:39:15 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1717148355; bh=PTdHv7fGQLwj9u1hLPUCBVWvG4NslAaAcaO2qrWkcQk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=XixqvIIVm/qoziDyjt+S7HOGZId9u2DzV2KjsxtPTjOy6QIx/+zd3xRNHQP7eVy8r mfHLFGk0RtA6q5icg6c5+TLSgd/513l0BN1RlNVbg0e3m34uwxc+HOB+wJgC70KSr3 R8zPZ7hcAWFubneduokr8003QwG+fO2HwWvKxhCA= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4VrJ3k0hfGzZk3; Fri, 31 May 2024 11:39:14 +0200 (CEST) Date: Fri, 31 May 2024 11:39:12 +0200 From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= To: Tahera Fahimi Cc: Paul Moore , James Morris , "Serge E.Hallyn" , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, outreachy@lists.linux.dev, netdev@vger.kernel.org, =?utf-8?B?QmrDtnJu?= Roy Baron , Jann Horn , =?utf-8?Q?G=C3=BCnther?= Noack Subject: Re: [PATCH v2] landlock: Add abstract unix socket connect restrictions Message-ID: <20240531.Ahg5aap6caeG@digikod.net> References: <20240401.ieC2uqua5sha@digikod.net> <20240411.ahgeefeiNg4i@digikod.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Infomaniak-Routing: alpha On Thu, May 30, 2024 at 05:13:04PM -0600, Tahera Fahimi wrote: > On Tue, Apr 30, 2024 at 05:24:45PM +0200, Mickaël Salaün wrote: > > On Wed, Apr 10, 2024 at 04:24:30PM -0600, Tahera Fahimi wrote: > > > On Tue, Apr 02, 2024 at 11:53:09AM +0200, Mickaël Salaün wrote: > > > > Thanks for this patch. Please CC the netdev mailing list too, they may > > > > be interested by this feature. I also added a few folks that previously > > > > showed their interest for this feature. > > > > > > > > On Thu, Mar 28, 2024 at 05:12:13PM -0600, TaheraFahimi wrote: > > > > > Abstract unix sockets are used for local interprocess communication without > > > > > relying on filesystem. Since landlock has no restriction for connecting to > > > > > a UNIX socket in the abstract namespace, a sandboxed process can connect to > > > > > a socket outside the sandboxed environment. Access to such sockets should > > > > > be scoped the same way ptrace access is limited. > > > > > > > > This is good but it would be better to explain that Landlock doesn't > > > > currently control abstract unix sockets and that it would make sense for > > > > a sandbox. > > > > > > > > > > > > > > > > > > For a landlocked process to be allowed to connect to a target process, it > > > > > must have a subset of the target process’s rules (the connecting socket > > > > > must be in a sub-domain of the listening socket). This patch adds a new > > > > > LSM hook for connect function in unix socket with the related access rights. > > > > > > > > Because of compatibility reasons, and because Landlock should be > > > > flexible, we need to extend the user space interface. As explained in > > > > the GitHub issue, we need to add a new "scoped" field to the > > > > landlock_ruleset_attr struct. This field will optionally contain a > > > > LANDLOCK_RULESET_SCOPED_ABSTRACT_UNIX_SOCKET flag to specify that this > > > > ruleset will deny any connection from within the sandbox to its parents > > > > (i.e. any parent sandbox or not-sandboxed processes). > > > > > Thanks for the feedback. Here is what I understood, please correct me if > > > I am wrong. First, I should add another field to the > > > landlock_ruleset_attr (a field like handled_access_net, but for the unix > > > sockets) with a flag LANDLOCK_ACCESS_UNIX_CONNECT (it is a flag like > > > LANDLOCK_ACCESS_NET_CONNECT_TCP but fot the unix sockets connect). > > > > That was the initial idea, but after thinking more about it and talking > > with some users, I now think we can get a more generic interface. > > > > Because unix sockets, signals, and other IPCs are fully controlled by > > the kernel (contrary to inet sockets that get out of the system), we can > > add ingress and egress control according to the source and the > > destination. > > > > To control the direction we could add an > > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE and a > > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND rights (these names are a bit > > long but at least explicit). To control the source and destination, it > > makes sense to use Landlock domain (i.e. sandboxes): > > LANDLOCK_DOMAIN_HIERARCHY_PARENT, LANDLOCK_DOMAIN_HIERARCHY_SELF, and > > LANDLOCK_DOMAIN_HIERARCHY_CHILD. This could be used by extending the > > landlock_ruleset_attr type and adding a new > > landlock_domain_hierarchy_attr type: > > > > struct landlock_ruleset_attr ruleset_attr = { > > .handled_access_dom = LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | \ > > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, > > } > > > > // Allows sending data to and receiving data from processes in the same > > // domain or a child domain, through abstract unix sockets. > > struct landlock_domain_hierarchy_attr dom_attr = { > > .allowed_access = LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | \ > > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, > > .relationship = LANDLOCK_DOMAIN_HIERARCHY_SELF | \ > > LANDLOCK_DOMAIN_HIERARCHY_CHILD, > > }; > > > > It should also work with other kind of IPCs: > > * LANDLOCK_ACCESS_DOM_UNIX_PATHNAME_RECEIVE/SEND (signal) > > * LANDLOCK_ACCESS_DOM_SIGNAL_RECEIVE/SEND (signal) > > * LANDLOCK_ACCESS_DOM_XSI_RECEIVE/SEND (XSI message queue) > > * LANDLOCK_ACCESS_DOM_MQ_RECEIVE/SEND (POSIX message queue) > > * LANDLOCK_ACCESS_DOM_PTRACE_RECEIVE/SEND (ptrace, which would be > > limited) > > > > What do you think? > > I was wondering if you expand your idea on the following example. > > Considering P1 with the rights that you mentioned in your email, forks a > new process (P2). Now both P1 and P2 are on the same domain and are > allowed to send data to and receive data from processes in the same > domain or a child domain. > /* > * Same domain (inherited) > * .-------------. > * | P1----. | P1 -> P2 : allow > * | \ | P2 -> P1 : allow > * | ' | > * | P2 | > * '-------------' > */ > (P1 domain) = (P2 domain) = { > .allowed_access = > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, > .relationship = > LANDLOCK_DOMAIN_HIERARCHY_SELF | > LANDLOCK_DOMAIN_HIERARCHY_CHILD, In this case LANDLOCK_DOMAIN_HIERARCHY_CHILD would not be required because P1 and P2 are on the same domain. > } > > In another example, if P1 has the same domain as before but P2 has > LANDLOCK_DOMAIN_HIERARCHY_PARENT in their domain, so P1 still can > connect to P2. > /* > * Parent domain > * .------. > * | P1 --. P1 -> P2 : allow > * '------' \ P2 -> P1 : allow > * ' > * P2 > */ > > (P1 domain) = { > .allowed_access = > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, > .relationship = > LANDLOCK_DOMAIN_HIERARCHY_SELF | > LANDLOCK_DOMAIN_HIERARCHY_CHILD, Hmm, in this case P2 doesn't have a domain, so LANDLOCK_DOMAIN_HIERARCHY_CHILD doesn't make sense. > } > (P2 domain) = { > .allowed_access = > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE | > LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND, > .relationship = > LANDLOCK_DOMAIN_HIERARCHY_SELF | > LANDLOCK_DOMAIN_HIERARCHY_CHILD | > LANDLOCK_DOMAIN_HIERARCHY_PARENT, > } I think you wanted to use the "Inherited + child domain" example here, in which case the domain policies make sense. I was maybe too enthusiastic with the "relationship" field. Let's rename landlock_domain_hierarchy_attr to landlock_domain_attr and remove the "relationship" field. We'll always consider that LANDLOCK_DOMAIN_HIERARCHY_SELF is set as well as LANDLOCK_DOMAIN_HIERARCHY_CHILD (i.e. no restriction to send/received to/from a child domain or our own domain). In a nutshell, please only keep the LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_{RECEIVE,SEND} rights and follow the same logic as with ptrace restrictions. It will be easier to reason about and will be useful for most cases. We could later extend that with more features. LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_RECEIVE will then translates to "allow to receive from the parent domain". LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_SEND will then translates to "allow to send to the parent domain". As for other Landlock access rights, the restrictions of domains should only be changed if LANDLOCK_ACCESS_DOM_UNIX_ABSTRACT_* is "handled" by the ruleset/domain.