Hi, On Wed, Feb 26, 2025 at 10:29:12PM +0100, Günther Noack wrote: > * Clarify terminology > * Stop mixing the unix(7) and signal(7) aspects in the explanation. > > Terminology: > > * The *IPC Scope* of a Landlock domain is that Landlock domain and its > nested domains. > > * An *operation* (e.g., signaling, connecting to abstract UDS) is said to > be *scoped within a domain* when the flag for that operation was set at > ruleset creation time. This means that for the purpose of this > operation, only processes within the domain's IPC scope are reachable. > > Link: https://lore.kernel.org/all/20250226211814.31420-4-gnoack@xxxxxxxxxx/ > Signed-off-by: Günther Noack <gnoack@xxxxxxxxxx> > --- > man/man7/landlock.7 | 73 ++++++++++++++++++++++----------------------- > 1 file changed, 35 insertions(+), 38 deletions(-) > > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7 > index 30dbac73d..42cd7286f 100644 > --- a/man/man7/landlock.7 > +++ b/man/man7/landlock.7 > @@ -357,46 +357,43 @@ which means the tracee must be in a sub-domain of the tracer. > Similar to the implicit > .BR "Ptrace restrictions" , > we may want to further restrict interactions between sandboxes. > -Each Landlock domain can be explicitly scoped for a set of actions > -by specifying it on a ruleset. > -For example, if a sandboxed process should not be able to > -.BR connect (2) > -to a non-sandboxed process through abstract > +Therefore, at ruleset creation time, > +each Landlock domain can restrict the scope for certain operations, > +so that these operations can only reach out to processes > +within the same Landlock domain or in a nested Landlock domain (the "scope"). > +.P > +The operations which can be scoped are: > +.P Redundant P before TP. > +.TP > +.B LANDLOCK_SCOPE_SIGNAL > +This limits the sending of signals to target processes > +which run within the same or a nested Landlock domain. > +.TP > +.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET > +This limits the set of abstract > .BR unix (7) > -sockets, > -we can specify such a restriction with > -.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET . > -Moreover, if a sandboxed process should not be able > -to send a signal to a non-sandboxed process, > -we can specify this restriction with > -.BR LANDLOCK_SCOPE_SIGNAL . > +sockets to which we can > +.BR connect (2) > +to socket addresses which were created > +by a process in the same or a nested Landlock domain. > +.IP > +A > +.BR sendto (2) > +on a non-connected datagram socket is treated as if it were doing an implicit > +.BR connect (2) > +and will be blocked if the remote end does not stem > +from the same or a nested Landlock domain. > +.IP > +A > +.BR sendto (2) > +on a socket which was previously connected will not be restricted. > +This works for both datagram and stream sockets. > .P > -A sandboxed process can connect to a non-sandboxed process > -when its domain is not scoped. > -If a process's domain is scoped, > -it can only connect to sockets created by processes in the same scope. > -Moreover, > -If a process is scoped to send signal to a non-scoped process, > -it can only send signals to processes in the same scope. > -.P > -A connected datagram socket behaves like a stream socket > -when its domain is scoped, > -meaning if the domain is scoped after the socket is connected, > -it can still > -.BR send (2) > -data just like a stream socket. > -However, in the same scenario, > -a non-connected datagram socket cannot send data (with > -.BR sendto (2)) > -outside its scope. > -.P > -A process with a scoped domain can inherit a socket This text seems to have been added in patch 2/3. Why is it being removed in the same set? Cheers, Alex > -created by a non-scoped process. > -The process cannot connect to this socket since it has a scoped domain. > -.P > -IPC scoping does not support exceptions, so if a domain is scoped, > -no rules can be added to allow access to resources or processes > -outside of the scope. > +IPC scoping does not support exceptions via > +.BR landlock_add_rule (2). > +If an operation is scoped within a domain, > +no rules can be added to allow access > +to resources or processes outside of the scope. > .\" > .SS Truncating files > The operations covered by > -- > 2.48.1.711.g2feabab25a-goog > -- <https://www.alejandro-colomar.es/>
Attachment:
signature.asc
Description: PGP signature
