Open Source and information security mailing list archives
Message-Id: <20250719-landlock_abstractions-v1-0-2c4fd61f8973@gmail.com>
Date: Sat, 19 Jul 2025 06:41:23 -0600
From: Abhinav Saxena <xandfury@...il.com>
To: Mickaël Salaün <mic@...ikod.net>, 
 Günther Noack <gnoack@...gle.com>, 
 Shuah Khan <shuah@...nel.org>
Cc: linux-security-module@...r.kernel.org, linux-kselftest@...r.kernel.org, 
 linux-kernel@...r.kernel.org, Abhinav Saxena <xandfury@...il.com>
Subject: [PATCH RFC 0/3] selftests/landlock: scoping abstractions

Hi all,

I was starting to work on the memfd-exec[1] feature and observed that
Landlock's scoped-IPC features (abstract UNIX sockets and signals)
follow a consistent high-level model, which I'm calling a
resource-accessor pattern:

Resource Process <-> Accessor Process
    - Resource process: owns or manages the asset
        - socket creator (bind/accept)
        - signal handler
        - memfd creator
    - Accessor process: attempts to use the asset
        - socket client (connect/sendto)
        - signal sender
        - memfd executor

RESOURCE-ACCESSOR PATTERN FUNDAMENTALS
======================================

This pattern appears fundamental to Landlock scoping because:

1. Consistent enforcement model: Landlock restrictions are enforced
   only on the accessor side; the resource side remains unconstrained
   across all scope types.

2. Reflects actual security boundaries: In practice, sandboxed
   processes typically need to access resources created by other
   processes, not the reverse.

3. Scalable design: This model works consistently whether processes
   are in parent-child relationships or independent peer domains.

4. Real-world usage patterns: Container runtimes and sandbox
   orchestrators routinely start multiple workers that restrict
   themselves independently.

CURRENT TEST COVERAGE GAP
=========================

Existing self-tests cover hierarchical resource <-> accessor pairs
but do not exercise the case where each task enters an independent
domain. While 'sibling_domain' tests exist, they still use
parent-child relationship patterns rather than true peer domains.

Current Coverage (Linear Hierarchies Only):
-------------------------------------------

Type 1: Parent-Child (scoped_domains)
   P1 ---- P2

Type 2: Three Generations (scoped_vs_unscoped)
   P1 ---- P2 ---- P3

Variations tested for both types:
- No domains
- Various scoped domain combinations
- Nested domains within inherited domains
- Mixed domain types (SCOPE vs OTHER vs NONE)

Missing Coverage (True Sibling Scenarios):
------------------------------------------

Root
 |
 +-- Child A [various domain types]
 |
 +-- Child B [various domain types]

Missing test scenarios:
- A <-> B cross-sibling communication
- Mixed sibling domain combinations
- Sibling isolation enforcement
- Parent -> A, Parent -> B differential access

SOLUTION
========

This series implements the missing sibling pattern using the
resource-accessor model. The tests create a fork tree that looks
like this:

    coordinator (no domain)
    |
    +-- resource_proc (Domain X) /* owns the resource */
    |
    +-- accessor_proc (Domain Y) /* tries to access */

This directly addresses the missing coverage by creating two
independent child processes that establish peer domains, rather than
the hierarchical parent-child domains covered by existing tests.

Both children call landlock_restrict_self() for the first time, so
their struct landlock_domain->parent pointers are NULL, creating
true peer domains. The harness exposes four test variants:

Variant name       | Resource domain | Accessor domain | Result
-------------------|-----------------|-----------------|----------
none_to_none       | none            | none            | ALLOW
none_to_scoped     | none            | scoped          | DENY
scoped_to_none     | scoped          | none            | ALLOW
scoped_to_scoped   | scoped          | scoped (peer)   | DENY

The scoped_to_scoped case was missing from current coverage.
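The fork tree and the four-row table above can be reproduced outside the kselftest harness. The following is an added example written for this page; it is not code from the patch series or from the Landlock selftests. It builds the coordinator / resource_proc / accessor_proc tree with plain fork() and pipes, uses abstract UNIX datagram sockets as the shared asset, and has each child enter its own Landlock domain with landlock_restrict_self() so the two domains are peers rather than nested. It assumes a Linux kernel exposing Landlock ABI 6 or later (the `scoped` field of the ruleset attribute); where that is absent, or the sandbox it runs in blocks the calls, a variant reports UNSUPPORTED instead of ALLOW/DENY. The syscall numbers, the local `ll_ruleset_attr` mirror of the uapi struct, and the socket names are assumptions of this example.

```c
/* Added example, not part of the patch series: peer-domain scoping check
 * for abstract UNIX sockets. Assumes Linux with Landlock ABI >= 6. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444   /* same number on every arch */
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)

/* Local mirror of struct landlock_ruleset_attr (ABI 6 layout), so the
 * example compiles against older uapi headers that lack `scoped`. */
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net, scoped; };

enum domain { DOM_NONE, DOM_SCOPED };
enum outcome { ALLOW, DENY, UNSUPPORTED };
enum { EXIT_OK = 0, EXIT_EPERM = 1, EXIT_OTHER = 2, EXIT_NO_LANDLOCK = 3 };

/* Each child calls this exactly once, so its new domain has no parent
 * domain: the two children end up in peer domains, never nested ones. */
static int enter_scoped_domain(void) {
    struct ll_ruleset_attr attr = { .scoped = LL_SCOPE_ABSTRACT_UNIX_SOCKET };
    int fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) return -1;
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
             syscall(__NR_landlock_restrict_self, fd, 0);
    close(fd);
    return rc ? -1 : 0;
}

/* sun_path[0] == '\0' selects the abstract namespace. */
static void abstract_addr(struct sockaddr_un *sa, socklen_t *len, const char *name) {
    size_t n = strlen(name);
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + 1, name, n);
    *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Coordinator: fork resource_proc (binds `name`), wait until it is bound,
 * then fork accessor_proc (sendto `name`) and translate its exit status. */
enum outcome run_variant(enum domain resource, enum domain accessor, const char *name) {
    if (syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION) < 6)
        return UNSUPPORTED;                       /* scoped IPC needs ABI 6 */
    int ready[2], done[2];
    struct sockaddr_un sa; socklen_t len; char c;
    if (pipe(ready) || pipe(done)) return UNSUPPORTED;
    abstract_addr(&sa, &len, name);

    pid_t res = fork();
    if (res == 0) {                               /* resource_proc (Domain X) */
        close(ready[0]); close(done[1]);
        if (resource == DOM_SCOPED && enter_scoped_domain()) _exit(EXIT_NO_LANDLOCK);
        int s = socket(AF_UNIX, SOCK_DGRAM, 0);
        if (s < 0 || bind(s, (struct sockaddr *)&sa, len)) _exit(EXIT_OTHER);
        c = 1;
        if (write(ready[1], &c, 1) != 1) _exit(EXIT_OTHER);
        ssize_t r = read(done[0], &c, 1); (void)r; /* keep the socket bound until EOF */
        _exit(EXIT_OK);
    }
    close(ready[1]); close(done[0]);
    int became_ready = res > 0 && read(ready[0], &c, 1) == 1;
    close(ready[0]);

    pid_t acc = became_ready ? fork() : -1;
    if (acc == 0) {                               /* accessor_proc (Domain Y) */
        close(done[1]);
        if (accessor == DOM_SCOPED && enter_scoped_domain()) _exit(EXIT_NO_LANDLOCK);
        int s = socket(AF_UNIX, SOCK_DGRAM, 0);
        if (s < 0) _exit(EXIT_OTHER);
        if (sendto(s, "x", 1, 0, (struct sockaddr *)&sa, len) == 1) _exit(EXIT_OK);
        _exit(errno == EPERM ? EXIT_EPERM : EXIT_OTHER); /* Landlock denies with EPERM */
    }
    int acc_st = 0, res_st = 0;
    if (acc > 0) waitpid(acc, &acc_st, 0);
    close(done[1]);                               /* release resource_proc */
    if (res > 0) waitpid(res, &res_st, 0);
    if (acc <= 0 || !WIFEXITED(acc_st)) return UNSUPPORTED;
    if (WEXITSTATUS(acc_st) == EXIT_OK) return ALLOW;
    return WEXITSTATUS(acc_st) == EXIT_EPERM ? DENY : UNSUPPORTED;
}

/* Runs the four variants of the cover letter; returns how many observed
 * results disagree with the expected column (UNSUPPORTED is not counted). */
int check_all_variants(void) {
    static const struct { const char *n; enum domain r, a; enum outcome want; } v[] = {
        { "none_to_none",     DOM_NONE,   DOM_NONE,   ALLOW },
        { "none_to_scoped",   DOM_NONE,   DOM_SCOPED, DENY  },
        { "scoped_to_none",   DOM_SCOPED, DOM_NONE,   ALLOW },
        { "scoped_to_scoped", DOM_SCOPED, DOM_SCOPED, DENY  },
    };
    static const char *txt[] = { "ALLOW", "DENY", "UNSUPPORTED" };
    int mismatches = 0;
    char sock[64];
    for (size_t i = 0; i < sizeof v / sizeof *v; i++) {
        snprintf(sock, sizeof sock, "ll-peer-%d-%zu", (int)getpid(), i); /* constructed name */
        enum outcome got = run_variant(v[i].r, v[i].a, sock);
        printf("%-17s expected %-5s got %s\n", v[i].n, txt[v[i].want], txt[got]);
        if (got != UNSUPPORTED && got != v[i].want) mismatches++;
    }
    return mismatches;
}

int main(void) { return check_all_variants(); }
```

The accessor's outcome is the only thing measured, which mirrors the enforcement model described above: resource_proc may or may not be scoped, and bind() succeeds either way; what changes is whether accessor_proc's sendto() to a socket owned by a process outside its own domain is allowed. Because neither child's domain descends from the other, the scoped_to_scoped row exercises exactly the peer-domain case the series adds.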

TESTING
=======

All patches apply cleanly to v6.14-rc2 and pass on landlock/master.
The helpers are small and re-use the existing kselftest_harness.h
fixture/variant pattern. All patches have been validated with
scripts/checkpatch.pl --strict and show no warnings.

This series introduces **no kernel changes**, only selftests additions.

Feedback very welcome.

Thanks,
Abhinav

[1] https://github.com/landlock-lsm/linux/issues/37

Links:
- Landlock documentation: https://docs.kernel.org/userspace-api/landlock.html
- Landlock LSM kernel docs: https://docs.kernel.org/security/landlock.html
- Existing tests: tools/testing/selftests/landlock/scoped_*

Signed-off-by: Abhinav Saxena <xandfury@...il.com>
---
Abhinav Saxena (3):
      selftests/landlock: move sandbox_type to common
      selftests/landlock: add cross-domain variants
      selftests/landlock: add cross-domain signal tests

 tools/testing/selftests/landlock/scoped_common.h   |   7 +
 .../landlock/scoped_cross_domain_variants.h        |  54 +++++
 .../landlock/scoped_multiple_domain_variants.h     |   7 -
 .../selftests/landlock/scoped_signal_test.c        | 237 +++++++++++++++++++++
 4 files changed, 298 insertions(+), 7 deletions(-)
---
base-commit: 5b74b2eff1eeefe43584e5b7b348c8cd3b723d38
change-id: 20250715-landlock_abstractions-dbc0aabf1063

Best regards,
-- 
Abhinav Saxena <xandfury@...il.com>
