Received: by 2002:ab2:7903:0:b0:1fb:b500:807b with SMTP id a3csp1035776lqj; Mon, 3 Jun 2024 08:22:39 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXIzCV2KBDKtpmcTA7gRYPGMI+GNY56i4PkN9r2vR9EVDPX7kRO8Ljb4MYYHf1rJ1X3nONS+8Xg0HB5UOmTi8QBtAT+dEOibCv5mO/1wQ== X-Google-Smtp-Source: AGHT+IFWrNJExk5oeqhkMyuZZZY1+J3ZcR1P2NUrLGnR/Q5PK9aCwjzxpaMCwtwdejqUTLCh/VKK X-Received: by 2002:a05:6a20:da81:b0:1af:d95f:cd9 with SMTP id adf61e73a8af0-1b26f1857bdmr9820288637.29.1717428159043; Mon, 03 Jun 2024 08:22:39 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717428159; cv=pass; d=google.com; s=arc-20160816; b=W+J2cbX4zr4GxNgd6CP+5As64loxRyMKIIMEeAw9cimCsWrUTVKt46ikxey3PJnZTL uUyS1xZH1MoqoMUIYEtNStTIAzWsY0Xs7qZRH36zdBQBT8NhhfsSIqnXHH64DwOxZ48r PDkwGN2nlmSdyXLgxOAsNEfZfjlKuCZDzAmYNMbLhmw+Fso8+eWnKYaKORlkvIxQ/XHn CeZIDTe2Jfvdh0aT6GwLj63CcMiftnbumCivLAeyf4Zm5KXamqddqcVgZWVwPFhnPQqF QgSQLAJM3m8oQt/MepkkzLNDC69fbombFdNVqCyl6gRRrS+ouymGw7C1iCS8si2jKJYU ObUQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=f72YWsPTvzhPYR8mlANeq/hcliyb10E3qJT1dzHyWlE=; fh=1my6FxWCWWblcQa1A6s+LQTpMGVDBCyT4dgSyoq+lh4=; b=cSOgXC8Wg8tw+DUhiHQszxTGzigA7KhehadX85RmBTtz7iijUOcADHzbj9v8RZdvES /ND1oIKHR13w4neJVZq82fbbP4t0bXuYFSaaVXQwlDfcjmPPmwjMs6PTsxbxbNygf+PQ 9HPeA0qG8mykJkddxRbQEjFqspPZdEX/d2utEcm9aeK2HmBg1tPQvz1IOWMiI+J1RwHr OdzMIn/2n94pl4lJgcgWrdSDCJSw//1//gKkHFsuW9a2LDcrJ7WCOEslKL+1tXYYd/nz copHjDv2O1hosVnCfJPN2TzgUVXqctnwJUuFs/tWY3ecx+K1kzpEJ9y3d1/cpQ+gBv++ UMQw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=FCviUm6O; arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net); spf=pass (google.com: domain of linux-kernel+bounces-199355-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199355-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id d2e1a72fcca58-702425e20edsi6585336b3a.30.2024.06.03.08.22.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Jun 2024 08:22:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-199355-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=FCviUm6O; arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net); spf=pass (google.com: domain of linux-kernel+bounces-199355-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199355-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 0BE23283AAE for ; Mon, 3 Jun 2024 15:22:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EB5D81304B1; Mon, 3 Jun 2024 15:22:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="FCviUm6O" Received: from smtp-8fab.mail.infomaniak.ch (smtp-8fab.mail.infomaniak.ch [83.166.143.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CBC2B6E619 for ; Mon, 3 Jun 2024 15:22:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=83.166.143.171 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717428151; cv=none; b=AcA5V02m/DEkJvDIu7GQlEJ/9mrpm7TbzEjpCGG8PibeXvFFo/nK5Dd/p7oh6hVM4K3G6QxWt5Y7FY8vWwbsBv9vgbecghLcE0HqY2gWnAsVUpdjnm9q6l4/HJVpEyd6aQhMAa8IJLLoKkSlcgfuOJCwNX9bZ1K8rwN1bB/q/U0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717428151; c=relaxed/simple; bh=/mjcv62h20/YuCxxk+v08bUG5s4jmTFwSRETq+kYZyY=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=LNqCA4ON+Sn7ZgD7Q1xuQonY6PEb/g0Vzt9FW39kuRKtMv6h1D2Ra0z4s0B/Sr3bW34wZ3tae5n0nnJyI7SwI4lEXtb1CQO6VYZY8FzTsh+gDk38U2enVl6H197wiOoogXFchzG9uip/scxImrc5D3E5h+yi2dKJvr3EpV1/A4Y= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=FCviUm6O; arc=none smtp.client-ip=83.166.143.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4VtHXC0M63zslV; Mon, 3 Jun 2024 17:22:19 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1717428138; bh=f72YWsPTvzhPYR8mlANeq/hcliyb10E3qJT1dzHyWlE=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=FCviUm6OSZIQsFmYeFMuIVZSwN3n7uizhrCyJkHYNEMuBhApx6FQ67CDILxyskfop aVAyh5a/QaxyW5HZqgTV0n+wufcPEfHn7T9x3Uhpb8+S66FQgwXnapRugQg/6mMUQc oPo+VOLyV3QwXGr/GGUFWisYCXLdGXACc30gwVBA= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4VtHX95W5szJ1K; Mon, 3 Jun 2024 17:22:17 +0200 (CEST) Date: Mon, 3 Jun 2024 17:22:12 +0200 From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= To: Tahera Fahimi Cc: aul Moore , James Morris , "Serge E.Hallyn" , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, outreachy@lists.linux.dev, netdev@vger.kernel.org, =?utf-8?B?QmrDtnJu?= Roy Baron , Jann Horn , =?utf-8?Q?G=C3=BCnther?= Noack Subject: Re: [PATCH v2] landlock: Add abstract unix socket connect restrictions Message-ID: <20240603.Quaes2eich5f@digikod.net> References: <20240401.ieC2uqua5sha@digikod.net> <20240411.ahgeefeiNg4i@digikod.net> <20240531.Ahg5aap6caeG@digikod.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Infomaniak-Routing: alpha OK, thanks to your examples I found some issues with this "send/recv" design. A sandboxed process should not be able to block actions on its own socket from a higher privileged domain (or a process without domain). One issue is that if a domain D2 denies access (to its abstract unix sockets) to its parent D1, processes without domains (e.g. parent of D1) should not be restricted in any way. Furthermore, it should not be possible for a process to enforce such restriction if it is not already sandboxed in a domain. Implementing such mechanism would require to add exceptions, which makes this design inconsistent. Let's get back to the initial "scope" design, which is simpler and consistent with the ptrace restrictions. Sorry for the back and forth. This discussions will be useful for the rationale though. ;) I kept the relevant parts: On Fri, May 31, 2024 at 02:04:44PM -0600, Tahera Fahimi wrote: > On Fri, May 31, 2024 at 11:39:12AM +0200, Mickaël Salaün wrote: > > On Thu, May 30, 2024 at 05:13:04PM -0600, Tahera Fahimi wrote: > > > On Tue, Apr 30, 2024 at 05:24:45PM +0200, Mickaël Salaün wrote: > > > > On Wed, Apr 10, 2024 at 04:24:30PM -0600, Tahera Fahimi wrote: > > > > > On Tue, Apr 02, 2024 at 11:53:09AM +0200, Mickaël Salaün wrote: [...] > > > > > > Because of compatibility reasons, and because Landlock should be > > > > > > flexible, we need to extend the user space interface. As explained in > > > > > > the GitHub issue, we need to add a new "scoped" field to the > > > > > > landlock_ruleset_attr struct. This field will optionally contain a > > > > > > LANDLOCK_RULESET_SCOPED_ABSTRACT_UNIX_SOCKET flag to specify that this > > > > > > ruleset will deny any connection from within the sandbox to its parents > > > > > > (i.e. any parent sandbox or not-sandboxed processes). > > > > > > > > > Thanks for the feedback. Here is what I understood, please correct me if > > > > > I am wrong. First, I should add another field to the > > > > > landlock_ruleset_attr (a field like handled_access_net, but for the unix > > > > > sockets) with a flag LANDLOCK_ACCESS_UNIX_CONNECT (it is a flag like > > > > > LANDLOCK_ACCESS_NET_CONNECT_TCP but fot the unix sockets connect). Yes, but the field's name should be "scoped", and it will only accept a LANDLOCK_RULESET_SCOPED_ABSTRACT_UNIX_SOCKET flag. This is a bit different than handled_access_net because there is no rule that would accept LANDLOCK_RULESET_SCOPED_ABSTRACT_UNIX_SOCKET (i.e. it is a restriction-only). Without LANDLOCK_RULESET_SCOPED_ABSTRACT_UNIX_SOCKET, the current behavior should not be changed. This should be covered with appropriate tests. Taking the following examples for domains with LANDLOCK_RULESET_SCOPED_ABSTRACT_UNIX_SOCKET, we get the same restrictions as with ptrace: [...] > /* > * No domain > * > * P1-. P1 -> P2 : allow > * \ P2 -> P1 : allow > * 'P2 > */ This is still correct. > /* > * Child domain: > * > * P1--. P1 -> P2 : deny > * \ P2 -> P1 : deny > * .'-----. > * | P2 | > * '------' > */ With the "scoped" approach: P1 -> P2: allow P2 -> P1: deny > /* > * Parent domain > * .------. > * | P1 --. P1 -> P2 : allow > * '------' \ P2 -> P1 : allow > * ' > * P2 > */ With the "scoped" approach: P1 -> P2: deny P2 -> P1: allow Indeed, only the domain hierarchy matters, not the process hierarchy. This works the same way with ptrace restrictions. > /* > * Parent + child domain(inherited) > * .------. > * | P1 ---. P1 -> P2 : deny > * '------' \ P2 -> P1 : deny > * .---'--. > * | P2 | > * '------' > */ This is still correct. > /* > * Same domain (sibling) > * .-------------. > * | P1----. | P1 -> P2 : allow > * | \ | P2 -> P1 : allow > * | ' | > * | P2 | > * '-------------' > */ This is still correct. > /* > * Inherited + child domain > * .-----------------. > * | P1----. | P1 -> P2 : deny > * | \ | P2 -> P1 : deny > * | .-'----. | > * | | P2 | | > * | '------' | > * '-----------------' > */ With the "scoped" approach: P1 -> P2: allow P2 -> P1: deny > /* > * Inherited + parent domain > * .-----------------. > * |.------. | P1 -> P2 : allow > * || P1 ----. | P2 -> P1 : allow > * |'------' \ | > * | ' | > * | P2 | > * '-----------------' > */ With the "scoped" approach: P1 -> P2: deny P2 -> P1: allow > /* > * Inherited + parent and child domain > * .-----------------. > * | .------. | P1 -> P2 : deny > * | | P1 . | P2 -> P1 : deny > * | '------'\ | > * | \ | > * | .--'---. | > * | | P2 | | > * | '------' | > * '-----------------' > */ This is still correct.