| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250131163447.1140564-4-mic@digikod.net>
Date: Fri, 31 Jan 2025 17:34:47 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Christian Brauner <brauner@...nel.org>,
Günther Noack <gnoack@...gle.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
Charles Zaffery <czaffery@...lox.com>,
Daniel Burgener <dburgener@...ux.microsoft.com>,
Francis Laniel <flaniel@...ux.microsoft.com>,
James Morris <jmorris@...ei.org>,
Jann Horn <jannh@...gle.com>,
Jeff Xu <jeffxu@...gle.com>,
Kees Cook <kees@...nel.org>,
Luca Boccassi <luca.boccassi@...il.com>,
Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>,
Praveen K Paladugu <prapal@...ux.microsoft.com>,
Robert Salvet <robert.salvet@...lox.com>,
Shervin Oloumi <enlightened@...gle.com>,
Tyler Hicks <code@...icks.com>,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: [RFC PATCH v1 3/3] samples/landlock: Print domain ID
If the PIDFD_GET_INFO IOCTL command and the related
PIDFD_INFO_LANDLOCK_FIRST_DOMAIN flag are supported, print the newly
created domain before launching the sandboxed program.
Cc: Günther Noack <gnoack@...gle.com>
Cc: Praveen K Paladugu <prapal@...ux.microsoft.com>
Signed-off-by: Mickaël Salaün <mic@...ikod.net>
Link: https://lore.kernel.org/r/20250131163447.1140564-4-mic@digikod.net
---
samples/landlock/sandboxer.c | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 68a5f16bacd5..018bafaa470a 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -15,15 +15,20 @@
#include <linux/landlock.h>
#include <linux/prctl.h>
#include <linux/socket.h>
+#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
-#include <stdbool.h>
+
+/* Avoids conflict with fcntl.h */
+#define _LINUX_FCNTL_H
+#include <linux/pidfd.h>
#ifndef landlock_create_ruleset
static inline int
@@ -53,6 +58,11 @@ static inline int landlock_restrict_self(const int ruleset_fd,
}
#endif
+static inline int sys_pidfd_open(const pid_t pid, const unsigned int flags)
+{
+ return syscall(__NR_pidfd_open, pid, flags);
+}
+
#define ENV_FS_RO_NAME "LL_FS_RO"
#define ENV_FS_RW_NAME "LL_FS_RW"
#define ENV_TCP_BIND_NAME "LL_TCP_BIND"
@@ -343,7 +353,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
{
const char *cmd_path;
char *const *cmd_argv;
- int ruleset_fd, abi;
+ int ruleset_fd, abi, pidfd;
char *env_port_name, *env_force_log;
__u64 access_fs_ro = ACCESS_FS_ROUGHLY_READ,
access_fs_rw = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE;
@@ -510,6 +520,9 @@ int main(const int argc, char *const argv[], char *const *const envp)
goto err_close_ruleset;
}
+ /* Opens our own pidfd before sandboxing, if supported. */
+ pidfd = sys_pidfd_open(getpid(), 0);
+
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("Failed to restrict privileges");
goto err_close_ruleset;
@@ -520,6 +533,18 @@ int main(const int argc, char *const argv[], char *const *const envp)
}
close(ruleset_fd);
+ if (pidfd >= 0) {
+ struct pidfd_info info = {
+ .mask = PIDFD_INFO_LANDLOCK_FIRST_DOMAIN,
+ };
+
+ if (!ioctl(pidfd, PIDFD_GET_INFO, &info) &&
+ (info.mask & PIDFD_INFO_LANDLOCK_FIRST_DOMAIN)) {
+ fprintf(stderr, "Entered the Landlock domain %llx.\n",
+ info.landlock_first_domain);
+ }
+ }
+
cmd_path = argv[1];
cmd_argv = argv + 1;
fprintf(stderr, "Executing the sandboxed command...\n");
--
2.48.1
Powered by blists - more mailing lists