On Wed, Sep 04, 2024 at 06:13:55PM -0600, Tahera Fahimi wrote:
> This patch introduces a new "scoped" attribute to the
> landlock_ruleset_attr that can specify
> "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET" to scope abstract UNIX sockets
> from connecting to a process outside of the same Landlock domain. It
> implements two hooks, unix_stream_connect and unix_may_send to enforce
> this restriction.
>
> Closes: https://github.com/landlock-lsm/linux/issues/7
> Signed-off-by: Tahera Fahimi <fahimitahera@xxxxxxxxx>
> diff --git a/security/landlock/task.c b/security/landlock/task.c
> index 849f5123610b..b9390445d242 100644
> --- a/security/landlock/task.c
> +++ b/security/landlock/task.c
> +static int hook_unix_stream_connect(struct sock *const sock,
> + struct sock *const other,
> + struct sock *const newsk)
> +{
> + const struct landlock_ruleset *const dom =
> + landlock_get_current_domain();
> +
> + /* quick return for non-sandboxed processes */
> + if (!dom)
> + return 0;
> +
> + if (is_abstract_socket(other) && sock_is_scoped(other, dom))
> + return -EPERM;

I was wondering if it would make more sense to return -EACCES here.
EACCES is usually related to file permission, but send(2)/sendto(2)
don't return EPERM according to man pages.

Well, according to the kernel code they can return EPERM so I think we
are good with EPERM. It looks like other LSMs always use EACCES
though...

> +
> + return 0;
> +}
> +
> +static int hook_unix_may_send(struct socket *const sock,
> + struct socket *const other)
> +{
> + const struct landlock_ruleset *const dom =
> + landlock_get_current_domain();
> +
> + if (!dom)
> + return 0;
> +
> + if (is_abstract_socket(other->sk)) {
> + /*
> + * Checks if this datagram socket was already allowed to
> + * be connected to other.
> + */
> + if (unix_peer(sock->sk) == other->sk)
> + return 0;
> +
> + if (sock_is_scoped(other->sk, dom))
> + return -EPERM;

ditto
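Review bot: in hook_unix_stream_connect the rule being enforced is only expressed through helper names, `if (is_abstract_socket(other) && sock_is_scoped(other, dom))`, and neither the function nor the commit message says which direction is restricted (a sandboxed connecting task refused when the listener `other` lives outside its domain), so a short comment above that check would document the policy; the early-return comment `/* quick return for non-sandboxed processes */` should also be capitalized and punctuated like a normal kernel comment and, since the same `if (!dom) return 0;` appears without any comment in hook_unix_may_send, the two hooks should carry the same wording. The quoted excerpt has no `@@` hunk header, so it does not show where in task.c these hooks land or where is_abstract_socket() and sock_is_scoped() are defined.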
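Review bot: in hook_unix_may_send the already-connected check `if (unix_peer(sock->sk) == other->sk) return 0;` is nested under `if (is_abstract_socket(other->sk)) {`, but an existing peer is a reason to accept regardless of the socket's address type, so hoisting it above the abstract-socket test flattens the nesting and lets the deny path mirror the first hook as a single `if (is_abstract_socket(other->sk) && sock_is_scoped(other->sk, dom)) return -EPERM;`. The quote is cut off before the closing braces, so the remainder of the function cannot be checked here; the same -EPERM versus -EACCES question raised for the first hook applies to this return as well.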