[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <dae0dbe1a78be2ce5506b90fc4ffd12c82fa1061.1725657728.git.fahimitahera@gmail.com>
Date: Fri, 6 Sep 2024 15:30:08 -0600
From: Tahera Fahimi <fahimitahera@...il.com>
To: outreachy@...ts.linux.dev
Cc: mic@...ikod.net,
gnoack@...gle.com,
paul@...l-moore.com,
jmorris@...ei.org,
serge@...lyn.com,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org,
bjorn3_gh@...tonmail.com,
jannh@...gle.com,
netdev@...r.kernel.org,
Tahera Fahimi <fahimitahera@...il.com>
Subject: [PATCH v4 6/6] landlock: Document LANDLOCK_SCOPED_SIGNAL
Improving Landlock ABI version 6 to support signal scoping with
LANDLOCK_SCOPED_SIGNAL.
Signed-off-by: Tahera Fahimi <fahimitahera@...il.com>
---
v3:
- update date
---
Documentation/userspace-api/landlock.rst | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index c3b87755e98d..c694e9fe36fc 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -82,7 +82,8 @@ to be explicit about the denied-by-default access rights.
LANDLOCK_ACCESS_NET_BIND_TCP |
LANDLOCK_ACCESS_NET_CONNECT_TCP,
.scoped =
- LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET,
+ LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET |
+ LANDLOCK_SCOPED_SIGNAL,
};
Because we may not know on which kernel version an application will be
@@ -123,7 +124,8 @@ version, and only use the available subset of access rights:
ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
case 5:
/* Removes LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET for ABI < 6 */
- ruleset_attr.scoped &= ~LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET;
+ ruleset_attr.scoped &= ~(LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET |
+ LANDLOCK_SCOPED_SIGNAL);
}
This enables to create an inclusive ruleset that will contain our rules.
@@ -320,11 +322,15 @@ explicitly scoped for a set of actions by specifying it on a ruleset.
For example, if a sandboxed process should not be able to
:manpage:`connect(2)` to a non-sandboxed process through abstract
:manpage:`unix(7)` sockets, we can specify such restriction with
-``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``.
+``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``. Moreover, if a sandboxed
+process should not be able to send a signal to a non-sandboxed process,
+we can specify this restriction with ``LANDLOCK_SCOPED_SIGNAL``.
A sandboxed process can connect to a non-sandboxed process when its
domain is not scoped. If a process's domain is scoped, it can only
connect to sockets created by processes in the same scoped domain.
+Moreover, If a process is scoped to send signal to a non-scoped process,
+it can only send signals to processes in the same scoped domain.
A connected datagram socket behaves like a stream socket when its domain
is scoped, meaning if the domain is scoped after the socket is connected
@@ -575,12 +581,14 @@ earlier ABI.
Starting with the Landlock ABI version 5, it is possible to restrict the use of
:manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right.
-Abstract UNIX sockets Restriction (ABI < 6)
---------------------------------------------
+Abstract Unix sockets and Signal Restriction (ABI < 6)
+-------------------------------------------------------
+<<<<<<< current
With ABI version 6, it is possible to restrict connection to an abstract
-Unix socket through ``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET``, thanks to
-the ``scoped`` ruleset attribute.
+:manpage:`unix(7)` socket through
+``LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET`` and sending signal through
+``LANDLOCK_SCOPED_SIGNAL``, thanks to the ``scoped`` ruleset attribute.
.. _kernel_support:
--
2.34.1
Powered by blists - more mailing lists