Received: by 2002:ab2:69cc:0:b0:1fd:c486:4f03 with SMTP id n12csp198379lqp; Tue, 11 Jun 2024 01:25:58 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVxbfmEZ5yB5+kPrLy7Nr8VEq5EeNVaRVmnDI9H/HHpa5n/hvG5/Fn1w/drf7lVNroz1YdT3hKPPYvlOu9pQy4wPFrL05bewg8os0L3Xw== X-Google-Smtp-Source: AGHT+IGleHpIezu/ZYQw1wkBMYDIGO/63F0kihZJqWvYMlmU4cB9oU+8lVST5EEuLxP81LFrV3jP X-Received: by 2002:a17:906:7fd1:b0:a6f:377f:5c0e with SMTP id a640c23a62f3a-a6f377f5c8emr100777666b.0.1718094357956; Tue, 11 Jun 2024 01:25:57 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1718094357; cv=pass; d=google.com; s=arc-20160816; b=jNvvkMZYlndjL7VbdTFso42o6dKWi0bXU/eAnxvuh1C86TEEbx9/XOV9ofIccg03xf gKfpxs0TEQF7O729IzDYdqAJxw7r74N7EiJnYvdh3+67LQFHhb+gjNQSX4ea99tunu+N AdDSlF+G+UxHjeeaKV0RJEUtg+R2sd6rHkRkY+ne3thKt31gIEgJSmJl6sYkTkUlwKpW IwKyX/i63JCTJqRoXliCinklhUgpcKZy5Xyaou7FKG9Gj0j7NcljO2pVp2vq9biq3zGJ rk+pi1bi1nVNkgLxaWaSRn7mcqxpzlA1aY82wp56S9zQGEK6u7diz71rHLA0Uwq6KFbF DeQg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=NW3ocj6F1Nb72KUy4vifp/1WY92XTuWX9CWEPsfwJug=; fh=no+YwzyGG8URHxNS0HFfU4WN7hzaVAetzIa5m4jH/B8=; b=E7j2zhPjWrQ8X+l7zAKkOYEQTIZiwEkQV3AUjwVvAoUMYIyB7NkVI2fSrzpRGQiRc6 ldRD79vH9iTnuewNoT4ffVn9MnabQSgKV94oJypiM+ydVxqTGxJRBQLip+nSSlz4Cb5s BhjpBd0g8fubx92EspXSxPwZaUFM0YM6MDh+cKv8hd6Aa+0MwhdK6ipgvrZE4WCQlC2w cDeUkKhXjF/By/DALYNi+zb/2rHfWWmvNpPmAr3RtjdihwDlYTDQDWyv8Y5AjFaPPSLw 2tlj0wTHSQNA6GGwUzkhzPyXx1dQxRvn+4l4KOtdBa9+qWKNcmsVsErvQ76UWDGQ0i8R DA+w==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=p7gWMbH9; arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net); spf=pass (google.com: domain of linux-kernel+bounces-209469-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-209469-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id a640c23a62f3a-a6efcdf34f1si351786966b.293.2024.06.11.01.25.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 Jun 2024 01:25:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-209469-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=p7gWMbH9; arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net); spf=pass (google.com: domain of linux-kernel+bounces-209469-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-209469-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 802F51F27C31 for ; Tue, 11 Jun 2024 08:25:57 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 2DFF4174EF3; Tue, 11 Jun 2024 08:25:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="p7gWMbH9" Received: from smtp-190e.mail.infomaniak.ch (smtp-190e.mail.infomaniak.ch [185.125.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C8DB42A93 for ; Tue, 11 Jun 2024 08:25:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.14 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718094343; cv=none; b=FHF2AJB2CF/RcG33qUn+8ACTtYBfyKb3Jqcj1DHloV4gBzn3ZeufxOEFsVnYDNTQv8rDerLurUrcMYG99sceykbqWFapzyBPkqUDLklGQ2t44rXvC0ap3irSLxG32EgxTaFj5GDCJ/Q2tLsiad2PtS9escaVJkwU53ENMG1Yuts= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1718094343; c=relaxed/simple; bh=ybykIiW5VS3w+BkZyxy+Xnk5v4bDo8zglruVsuDtuxI=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=mMA4xhlIufrZjDSkpE0eOwumCxSjjmopm8ZF/O6wz0ZqABSeUdUFmCf3I3nBtJw06EatjTrfcLFfU+oSE5Vj1uUx8FkGryP1m2h17UnyNHGHalFtOIuRDC0U3qkbPaAVRykCeK3A7jl2eDQsRATkJBQz7DHqY4ByG3xAAWsYFjE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=p7gWMbH9; arc=none smtp.client-ip=185.125.25.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4Vz1mY3v3Kzmd9; Tue, 11 Jun 2024 10:19:25 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1718093965; bh=NW3ocj6F1Nb72KUy4vifp/1WY92XTuWX9CWEPsfwJug=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=p7gWMbH9DGOuQoUYjnndqIVt2uAA3gUGDUyubDLx1JaPzfKf5SYKVV51GfcWqciLM hINyTroRtAcw//sLWZq18//REbzYac0e+KsNpLeubtjEWLLTBgcMIfCoGpB/qvGC/C oTkqrskWLQVC5V4PYi/DiCCsCQdk3VyQ/u6HJt60= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4Vz1mX56RQz9FN; Tue, 11 Jun 2024 10:19:24 +0200 (CEST) Date: Tue, 11 Jun 2024 10:19:20 +0200 From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= To: Jann Horn Cc: Tahera Fahimi , =?utf-8?Q?G=C3=BCnther?= Noack , linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Paul Moore , James Morris , "Serge E. Hallyn" , outreachy@lists.linux.dev, netdev@vger.kernel.org, =?utf-8?B?QmrDtnJu?= Roy Baron Subject: Re: [PATCH v3] landlock: Add abstract unix socket connect restriction Message-ID: <20240611.Pi8Iph7ootae@digikod.net> References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Infomaniak-Routing: alpha On Tue, Jun 11, 2024 at 12:27:58AM +0200, Jann Horn wrote: > Hi! > > Thanks for helping with making Landlock more comprehensive! > > On Fri, Jun 7, 2024 at 1:44 AM Tahera Fahimi wrote: > > Abstract unix sockets are used for local inter-process communications > > without on a filesystem. Currently a sandboxed process can connect to a > > socket outside of the sandboxed environment, since landlock has no > > restriction for connecting to a unix socket in the abstract namespace. > > Access to such sockets for a sandboxed process should be scoped the same > > way ptrace is limited. > > This reminds me - from what I remember, Landlock also doesn't restrict > access to filesystem-based unix sockets yet... I'm I'm right about > that, we should probably at some point add code at some point to > restrict that as part of the path-based filesystem access rules? (But > to be clear, I'm not saying I expect you to do that as part of your > patch, just commenting for context.) Yes, I totally agree. For now, unix socket binding requires to create the LANDLOCK_ACCESS_FS_MAKE_SOCK right, but connecting to an existing socket is not controlled. The abstract unix socket scoping is orthogonal and extends Landlock with unix socket LSM hooks, which are required to extend the "filesystem" access rights to control path-based unix socket. > > > Because of compatibility reasons and since landlock should be flexible, > > we extend the user space interface by adding a new "scoped" field. This > > field optionally contains a "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET" to > > specify that the ruleset will deny any connection from within the > > sandbox to its parents(i.e. any parent sandbox or non-sandbox processes) > > You call the feature "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET", but I > don't see anything in this code that actually restricts it to abstract > unix sockets (as opposed to path-based ones and unnamed ones, see the > "Three types of address are distinguished" paragraph of > https://man7.org/linux/man-pages/man7/unix.7.html). If the feature is > supposed to be limited to abstract unix sockets, I guess you'd maybe > have to inspect the unix_sk(other)->addr, check that it's non-NULL, > and then check that `unix_sk(other)->addr->name->sun_path[0] == 0`, > similar to what unix_seq_show() does? (unix_seq_show() shows abstract > sockets with an "@".) Right, that should be part of the next series. Tests should check that too. > > Separately, I wonder if it would be useful to have another mode for > forbidding access to abstract unix sockets entirely; or alternatively > to change the semantics of LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET so > that it also forbids access from outside the landlocked domain as was > discussed elsewhere in the thread. If a landlocked process starts > listening on something like "@/tmp/.X11-unix/X0", maybe X11 clients > elsewhere on my system shouldn't be confused into connecting to that > landlocked socket... In this case, I think we should have a (light) Landlock domain for a user session to make sure apps only connect to the legitimate X11 socket (either in the same domain, or through a path-based socket). There is also ongoing work to restrict socket creation according to their type: https://lore.kernel.org/all/20240524093015.2402952-1-ivanov.mikhail1@huawei-partners.com/ This will make possible to control abstract unix socket creation and avoid this kind of issue too. > > [...] > > +static bool sock_is_scoped(struct sock *const other) > > +{ > > + bool is_scoped = true; > > + const struct landlock_ruleset *dom_other; > > + const struct cred *cred_other; > > + > > + const struct landlock_ruleset *const dom = > > + landlock_get_current_domain(); > > + if (!dom) > > + return true; > > + > > + lockdep_assert_held(&unix_sk(other)->lock); > > + /* the credentials will not change */ > > + cred_other = get_cred(other->sk_peer_cred); > > + dom_other = landlock_cred(cred_other)->domain; > > + is_scoped = domain_scope_le(dom, dom_other); > > + put_cred(cred_other); > > You don't have to use get_cred()/put_cred() here; as the comment says, > the credentials will not change, so we don't need to take another > reference to them. > > > + return is_scoped; > > +} >