Cc: Mickaël Salaün <mic@xxxxxxxxxxx> Cc: Tahera Fahimi <fahimitahera@xxxxxxxxx> Cc: Tanya Agarwal <tanyaagarwal25699@xxxxxxxxx> Link: https://lore.kernel.org/linux-security-module/20250124154445.162841-2-gnoack@xxxxxxxxxx/ Signed-off-by: Günther Noack <gnoack@xxxxxxxxxx> --- man/man7/landlock.7 | 75 ++++++++++++++++++++++----------------------- 1 file changed, 37 insertions(+), 38 deletions(-) diff --git a/man/man7/landlock.7 b/man/man7/landlock.7 index 30dbac73d..749b4a3fa 100644 --- a/man/man7/landlock.7 +++ b/man/man7/landlock.7 
@@ -357,46 +357,45 @@ which means the tracee must be in a sub-domain of the tracer. Similar to the implicit .BR "Ptrace restrictions" , we may want to further restrict interactions between sandboxes. -Each Landlock domain can be explicitly scoped for a set of actions -by specifying it on a ruleset. -For example, if a sandboxed process should not be able to -.BR connect (2) -to a non-sandboxed process through abstract +Therefore, at ruleset creation time, +each Landlock domain can restrict the scope for certain operations, +so that these operations can only reach out to processes +within the same Landlock domain or in a nested Landlock domain (the "scope"). +.P +The operations which can be scoped are: +.P +.TP +.B LANDLOCK_SCOPE_SIGNAL +When set, +this limits the sending of signals to target processes +which run within the same or a nested Landlock domain. +.TP +.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET +When set, this limits the set of abstract .BR unix (7) -sockets, -we can specify such a restriction with -.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET . -Moreover, if a sandboxed process should not be able -to send a signal to a non-sandboxed process, -we can specify this restriction with -.BR LANDLOCK_SCOPE_SIGNAL . -.P -A sandboxed process can connect to a non-sandboxed process -when its domain is not scoped. -If a process's domain is scoped, -it can only connect to sockets created by processes in the same scope. -Moreover, -If a process is scoped to send signal to a non-scoped process, -it can only send signals to processes in the same scope. -.P -A connected datagram socket behaves like a stream socket -when its domain is scoped, -meaning if the domain is scoped after the socket is connected, -it can still +sockets we can +.BR connect (2) +to +to socket addresses which were created +by a process in the same or a nested Landlock domain. 
+.IP +A +.BR send (2) +on a non-connected datagram socket is treated like an implicit +.BR connect (2) +and will be blocked when the remote end does not stem +from the same or a nested Landlock domain. +.IP +A .BR send (2) -data just like a stream socket. -However, in the same scenario, -a non-connected datagram socket cannot send data (with -.BR sendto (2)) -outside its scope. -.P -A process with a scoped domain can inherit a socket -created by a non-scoped process. -The process cannot connect to this socket since it has a scoped domain. -.P -IPC scoping does not support exceptions, so if a domain is scoped, -no rules can be added to allow access to resources or processes -outside of the scope. +on a socket which was previously connected will work. +This works for both datagram and stream sockets. +.P +IPC scoping does not support exceptions via +.BR landlock_add_rule (2). +If an operation is scoped within a domain, +no rules can be added to allow access +to resources or processes outside of the scope. .\" .SS Truncating files The operations covered by -- 2.48.1.262.g85cc9f2d1e-goog
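Review bot: the LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET entry reads "sockets we can .BR connect (2) to / to socket addresses which were created ...", so the rendered sentence contains a doubled "to" and is hard to parse; suggest rewording the `+When set, this limits the set of abstract` ... `+to` lines to something like "When set, this limits connect(2) on abstract unix(7) sockets to socket addresses which were created by a process in the same or a nested Landlock domain." Two smaller points in the same hunk: the `+.P` directly before the first `+.TP` is redundant, since .TP starts its own paragraph, and the removed paragraph about a scoped process inheriting a socket created by a non-scoped process (it still cannot connect to it) has no counterpart in the new text; if that case is still meant to be covered by the general connect(2) rule, a short sentence saying so would keep the man page from losing that information.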