With this ABI version, Landlock can restrict outgoing interactions with higher-privileged Landlock domains through Abstract Unix Domain sockets and signals. Cc: Mickaël Salaün <mic@xxxxxxxxxxx> Cc: Tahera Fahimi <fahimitahera@xxxxxxxxx> Cc: Tanya Agarwal <tanyaagarwal25699@xxxxxxxxx> Signed-off-by: Günther Noack <gnoack@xxxxxxxxxx> --- man/man7/landlock.7 | 69 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 68 insertions(+), 1 deletion(-) diff --git a/man/man7/landlock.7 b/man/man7/landlock.7 index 11f76b072..30dbac73d 100644 --- a/man/man7/landlock.7 +++ b/man/man7/landlock.7 @@ -248,7 +248,8 @@ This access right is available since the fifth version of the Landlock ABI. .SS Network flags These flags enable to restrict a sandboxed process to a set of network actions. -This is supported since the Landlock ABI version 4. +.P +This is supported since Landlock ABI version 4. .P The following access rights apply to TCP port numbers: .TP @@ -258,6 +259,24 @@ Bind a TCP socket to a local port. .B LANDLOCK_ACCESS_NET_CONNECT_TCP Connect an active TCP socket to a remote port. .\" +.SS Scope flags +These flags enable to isolate a sandboxed process from a set of IPC actions. +Setting a flag for a ruleset will isolate the Landlock domain +to forbid connections to resources outside the domain. +.P +This is supported since Landlock ABI version 6. +.P +The following scopes exist: +.TP +.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET +Restrict a sandboxed process from connecting to an abstract UNIX socket +created by a process outside the related Landlock domain +(e.g., a parent domain or a non-sandboxed process). +.TP +.B LANDLOCK_SCOPE_SIGNAL +Restrict a sandboxed process from sending a signal +to another process outside the domain. +.\" .SS Layers of file path access rights Each time a thread enforces a ruleset on itself, it updates its Landlock domain with a new layer of policy. 
@@ -334,6 +353,51 @@ and related syscalls on a target process, a sandboxed process should have a subset of the target process rules, which means the tracee must be in a sub-domain of the tracer. .\" +.SS IPC scoping +Similar to the implicit +.BR "Ptrace restrictions" , +we may want to further restrict interactions between sandboxes. +Each Landlock domain can be explicitly scoped for a set of actions +by specifying it on a ruleset. +For example, if a sandboxed process should not be able to +.BR connect (2) +to a non-sandboxed process through abstract +.BR unix (7) +sockets, +we can specify such a restriction with +.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET . +Moreover, if a sandboxed process should not be able +to send a signal to a non-sandboxed process, +we can specify this restriction with +.BR LANDLOCK_SCOPE_SIGNAL . +.P +A sandboxed process can connect to a non-sandboxed process +when its domain is not scoped. +If a process's domain is scoped, +it can only connect to sockets created by processes in the same scope. +Moreover, +If a process is scoped to send signal to a non-scoped process, +it can only send signals to processes in the same scope. +.P +A connected datagram socket behaves like a stream socket +when its domain is scoped, +meaning if the domain is scoped after the socket is connected, +it can still +.BR send (2) +data just like a stream socket. +However, in the same scenario, +a non-connected datagram socket cannot send data (with +.BR sendto (2)) +outside its scope. +.P +A process with a scoped domain can inherit a socket +created by a non-scoped process. +The process cannot connect to this socket since it has a scoped domain. +.P +IPC scoping does not support exceptions, so if a domain is scoped, +no rules can be added to allow access to resources or processes +outside of the scope. +.\" .SS Truncating files The operations covered by .B LANDLOCK_ACCESS_FS_WRITE_FILE 
@@ -413,6 +477,9 @@ _ _ _ \^ \^ LANDLOCK_ACCESS_NET_CONNECT_TCP _ _ _ 5 6.10 LANDLOCK_ACCESS_FS_IOCTL_DEV +_ _ _ +6 6.12 LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET +\^ \^ LANDLOCK_SCOPE_SIGNAL .TE .P Users should use the Landlock ABI version rather than the kernel version -- 2.48.1.262.g85cc9f2d1e-goog
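Review bot: The new Scope flags subsection (first hunk) says "Setting a flag for a ruleset will isolate the Landlock domain to forbid connections to resources outside the domain" but never says where the flag is set; it should name the ruleset attribute field, i.e. the `scoped` field of struct landlock_ruleset_attr in the kernel UAPI (added with ABI 6 in Linux 6.12), since readers cannot otherwise find it. "These flags enable to isolate a sandboxed process" is ungrammatical; "These flags make it possible to isolate a sandboxed process" reads correctly (the pre-existing "These flags enable to restrict" in Network flags has the same problem and could be fixed in the same patch). The same hunk also folds in an unrelated edit to the Network flags paragraph (dropping "the" and adding ".P" before "This is supported since Landlock ABI version 4.") that the commit message does not mention; either split it into its own patch or say so in the message.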
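Review bot: In the IPC scoping subsection (second hunk), "Moreover, If a process is scoped to send signal to a non-scoped process, it can only send signals to processes in the same scope." has a stray capital "If" and is hard to parse; suggested: "Likewise, if a process's domain is scoped with LANDLOCK_SCOPE_SIGNAL, it can only send signals to processes in the same scope." In the datagram paragraph, "when its domain is scoped" attaches a Landlock domain to the socket, but only the calling process has a domain; "when the sending process's domain is scoped" is what is meant, and "A connected datagram socket" should say abstract unix(7) datagram socket so it is not read as UDP. The inheritance paragraph ("A process with a scoped domain can inherit a socket created by a non-scoped process. The process cannot connect to this socket") should say how the socket is inherited (for example across fork(2) or via SCM_RIGHTS) and that what is denied is connect(2) to that socket's address, not holding the descriptor. Finally, man-pages style avoids "we may want" / "we can specify"; a passive or imperative form ("a ruleset can be scoped with ...") fits the rest of the page, and the cross-reference to the Ptrace restrictions subsection is clearer as "(see the Ptrace restrictions subsection above)" than as a bold .BR token.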
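Review bot: The ABI table row added in the third hunk (6, 6.12, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and LANDLOCK_SCOPE_SIGNAL) agrees with the "since Landlock ABI version 6" statement in the new Scope flags subsection and with the kernel release that introduced scopes, and the "\^" continuation row matches the existing rows above it. However, the table so far listed only access rights; with this row it also holds scope flags, which are set through a different ruleset attribute field, so the sentence that introduces the table (outside this hunk) should be checked and widened to cover both kinds of flags, otherwise a reader looking up LANDLOCK_SCOPE_* in a table of "access rights" may try to pass them as one.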