Re: [PATCH v9 1/5] Landlock: Add abstract unix socket connect restriction
From: Mickaël Salaün <mic@digikod.net>
Date: 2024-08-19 19:35:43
Also in:
linux-security-module, lkml
On Wed, Aug 14, 2024 at 12:22:19AM -0600, Tahera Fahimi wrote:
This patch introduces a new "scoped" attribute to the landlock_ruleset_attr that can specify "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET" to scope abstract Unix sockets from connecting to a process outside of the same landlock domain. It implements two hooks, unix_stream_connect and unix_may_send to enforce this restriction. Closes: https://github.com/landlock-lsm/linux/issues/7 Signed-off-by: Tahera Fahimi <redacted> ---
quoted hunk ↗ jump to hunk
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 03b470f5a85a..20d2a8b5aa42 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c@@ -97,8 +97,9 @@ static void build_check_abi(void) */ ruleset_size = sizeof(ruleset_attr.handled_access_fs); ruleset_size += sizeof(ruleset_attr.handled_access_net); + ruleset_size += sizeof(ruleset_attr.scoped); BUILD_BUG_ON(sizeof(ruleset_attr) != ruleset_size); - BUILD_BUG_ON(sizeof(ruleset_attr) != 16); + BUILD_BUG_ON(sizeof(ruleset_attr) != 24); path_beneath_size = sizeof(path_beneath_attr.allowed_access); path_beneath_size += sizeof(path_beneath_attr.parent_fd);@@ -149,7 +150,7 @@ static const struct file_operations ruleset_fops = { .write = fop_dummy_write, }; -#define LANDLOCK_ABI_VERSION 5 +#define LANDLOCK_ABI_VERSION 6
Each test need to pass with each commit (not only this one BTW), so we need to update the abi_version test with this commit. To be sure that everything is OK, you can run `check-linux.sh all` on each commit.