Re: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction

[PATCH v7 0/4] Landlock: Abstract Unix Socket Scoping Support · Tahera Fahimi <hidden> · 2024-07-18
[PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction · Tahera Fahimi <hidden> · 2024-07-18
Re: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-07-19
Re: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction · Tahera Fahimi <hidden> · 2024-07-23
Re: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-07-25
Re: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction · "Günther Noack" <gnoack@google.com> · 2024-07-26
Re: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-07-26
Re: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-07-30
Re: [PATCH v7 1/4] Landlock: Add abstract unix socket connect restriction · Tahera Fahimi <hidden> · 2024-07-30
[PATCH v7 2/4] selftests/landlock: Abstract unix socket restriction tests · Tahera Fahimi <hidden> · 2024-07-18
Re: [PATCH v7 2/4] selftests/landlock: Abstract unix socket restriction tests · Mickaël Salaün <mic@digikod.net> · 2024-07-25
[PATCH v7 3/4] samples/landlock: Support abstract unix socket restriction · Tahera Fahimi <hidden> · 2024-07-18
Re: [PATCH v7 3/4] samples/landlock: Support abstract unix socket restriction · Mickaël Salaün <mic@digikod.net> · 2024-07-25
[PATCH v7 4/4] documentation/landlock: Adding scoping mechanism documentation · Tahera Fahimi <hidden> · 2024-07-18
Re: [PATCH v7 4/4] documentation/landlock: Adding scoping mechanism documentation · Mickaël Salaün <mic@digikod.net> · 2024-07-25
Re: [PATCH v7 4/4] documentation/landlock: Adding scoping mechanism documentation · Mickaël Salaün <mic@digikod.net> · 2024-07-26

From: Mickaël Salaün <mic@digikod.net>
Date: 2024-07-25 14:18:39
Also in: lkml, netdev

On Wed, Jul 17, 2024 at 10:15:19PM -0600, Tahera Fahimi wrote:

The patch introduces a new "scoped" attribute to the
landlock_ruleset_attr that can specify "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET"
to scope abstract unix sockets from connecting to a process outside of
the same landlock domain.

This patch implement two hooks, "unix_stream_connect" and "unix_may_send" to
enforce this restriction.

Signed-off-by: Tahera Fahimi <redacted>

-------

quoted hunk ↗ jump to hunk

diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 03b470f5a85a..799a50f11d79 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c

@@ -97,8 +97,9 @@ static void build_check_abi(void)
 	 */
 	ruleset_size = sizeof(ruleset_attr.handled_access_fs);
 	ruleset_size += sizeof(ruleset_attr.handled_access_net);
+	ruleset_size += sizeof(ruleset_attr.scoped);
 	BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size);
-	BUILD_BUG_ON(sizeof(ruleset_attr) != 16);
+	BUILD_BUG_ON(sizeof(ruleset_attr) != 24);
 
 	path_beneath_size = sizeof(path_beneath_attr.allowed_access);
 	path_beneath_size += sizeof(path_beneath_attr.parent_fd);

@@ -149,7 +150,7 @@ static const struct file_operations ruleset_fops = {
 	.write = fop_dummy_write,
 };
 
-#define LANDLOCK_ABI_VERSION 5
+#define LANDLOCK_ABI_VERSION 6
 
 /**
  * sys_landlock_create_ruleset - Create a new ruleset

@@ -170,7 +171,7 @@ static const struct file_operations ruleset_fops = {
  * Possible returned errors are:
  *
  * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
- * - %EINVAL: unknown @flags, or unknown access, or too small @size;
+ * - %EINVAL: unknown @flags, or unknown access, or uknown scope, or too small @size;

You'll need to rebase on top of my next branch to take into account
recent Günther's changes.

  * - %E2BIG or %EFAULT: @attr or @size inconsistencies;
  * - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
  */

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help