On Mon, Apr 08, 2024 at 05:39:17PM +0800, Ivanov Mikhail wrote:
> Patchset implements new type of Landlock rule, that restricts actions for
> sockets of any protocol. Such restriction would be useful to ensure
> that a sandboxed process uses only necessary protocols.
> See [2] for more cases.
>
> The rules store information about the socket family(aka domain) and type.
>
> struct landlock_socket_attr {
> __u64 allowed_access;
> int domain; // see socket(2)
> int type; // see socket(2)
> }
>
> Patchset currently implements rule only for socket_create() method, but
> other necessary rules will also be impemented. [1]
>
> Code coverage(gcov) report with the launch of all the landlock selftests:
> * security/landlock:
> lines......: 94.7% (784 of 828 lines)
> functions..: 97.2% (105 of 108 functions)
>
> * security/landlock/socket.c:
> lines......: 100.0% (33 of 33 lines)
> functions..: 100.0% (5 of 5 functions)
>
> [1] https://lore.kernel.org/all/b8a2045a-e7e8-d141-7c01-bf47874c7930@xxxxxxxxxxx/
> [2] https://lore.kernel.org/all/ZJvy2SViorgc+cZI@xxxxxxxxxx/
Thank you, I am very excited to see this patch set! :)
You might want to also link to https://github.com/landlock-lsm/linux/issues/6
where the feature idea is tracked.
—Günther
