Re: [PATCH v9 4/5] sample/Landlock: Support abstract unix socket restriction

[PATCH v9 0/5] Landlock: Add abstract unix socket connect restriction · Tahera Fahimi <hidden> · 2024-08-14
[PATCH v9 1/5] Landlock: Add abstract unix socket connect restriction · Tahera Fahimi <hidden> · 2024-08-14
Re: [PATCH v9 1/5] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-08-16
Re: [PATCH v9 1/5] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-08-19
Re: [PATCH v9 1/5] Landlock: Add abstract unix socket connect restriction · Tahera Fahimi <hidden> · 2024-08-19
Re: [PATCH v9 1/5] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-08-20
Re: [PATCH v9 1/5] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-08-19
[PATCH v9 2/5] selftests/Landlock: Abstract unix socket restriction tests · Tahera Fahimi <hidden> · 2024-08-14
Re: [PATCH v9 2/5] selftests/Landlock: Abstract unix socket restriction tests · Mickaël Salaün <mic@digikod.net> · 2024-08-16
Re: [PATCH v9 2/5] selftests/Landlock: Abstract unix socket restriction tests · Tahera Fahimi <hidden> · 2024-08-16
Re: [PATCH v9 2/5] selftests/Landlock: Abstract unix socket restriction tests · Mickaël Salaün <mic@digikod.net> · 2024-08-19
Re: [PATCH v9 2/5] selftests/Landlock: Abstract unix socket restriction tests · Mickaël Salaün <mic@digikod.net> · 2024-08-19
Re: [PATCH v9 2/5] selftests/Landlock: Abstract unix socket restriction tests · Tahera Fahimi <hidden> · 2024-08-19
[PATCH v9 3/5] selftests/Landlock: Adding pathname Unix socket tests · Tahera Fahimi <hidden> · 2024-08-14
Re: [PATCH v9 3/5] selftests/Landlock: Adding pathname Unix socket tests · Mickaël Salaün <mic@digikod.net> · 2024-08-19
[PATCH v9 4/5] sample/Landlock: Support abstract unix socket restriction · Tahera Fahimi <hidden> · 2024-08-14
Re: [PATCH v9 4/5] sample/Landlock: Support abstract unix socket restriction · Mickaël Salaün <mic@digikod.net> · 2024-08-19
[PATCH v9 5/5] Landlock: Document LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET and ABI versioning · Tahera Fahimi <hidden> · 2024-08-14
Re: [PATCH v9 5/5] Landlock: Document LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET and ABI versioning · Mickaël Salaün <mic@digikod.net> · 2024-08-19
Re: [PATCH v9 0/5] Landlock: Add abstract unix socket connect restriction · Mickaël Salaün <mic@digikod.net> · 2024-08-19
Re: [PATCH v9 0/5] Landlock: Add abstract unix socket connect restriction · Tahera Fahimi <hidden> · 2024-08-19

From: Mickaël Salaün <mic@digikod.net>
Date: 2024-08-19 19:47:55
Also in: lkml, netdev

On Wed, Aug 14, 2024 at 12:22:22AM -0600, Tahera Fahimi wrote:

A sandboxer can receive the character "a" as input from the environment
variable LL_SCOPE to restrict the abstract unix sockets from connecting
to a process outside its scoped domain.

Example
=======
Create an abstract unix socket to listen with socat(1):
socat abstract-listen:mysocket -
Create a sandboxed shell and pass the character "a" to LL_SCOPED:
LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="a" ./sandboxer /bin/bash
If the sandboxed process tries to connect to the listening socket
with command "socat - abstract-connect:mysocket", the connection
will fail.

Signed-off-by: Tahera Fahimi <redacted>
---

quoted hunk ↗ jump to hunk

@@ -358,6 +403,11 @@ int main(const int argc, char *const argv[], char *const *const envp)
 			~LANDLOCK_ACCESS_NET_CONNECT_TCP;
 	}
 
+	if (abi >= 6 && !check_ruleset_scope(ENV_SCOPED_NAME, &ruleset_attr)) {
+		perror("Unsupported IPC scoping requested");

If LL_SCOPE="", the sandboxer prints:
"Unsupported IPC scoping requested: Success"

+		return 1;
+	}
+
 	ruleset_fd =
 		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
 	if (ruleset_fd < 0) {
-- 
2.34.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help