• Tahera Fahimi's avatar
    landlock: Add signal scoping · 54a6e6bb
    Tahera Fahimi authored
    Currently, a sandbox process is not restricted to sending a signal (e.g.
    SIGKILL) to a process outside the sandbox environment.  The ability to
    send a signal for a sandboxed process should be scoped the same way
    abstract UNIX sockets are scoped. Therefore, we extend the "scoped"
    field in a ruleset with LANDLOCK_SCOPE_SIGNAL to specify that a ruleset
    will deny sending any signal from within a sandbox process to its parent
    (i.e. any parent sandbox or non-sandboxed processes).
    
    This patch adds file_set_fowner and file_free_security hooks to set and
    release a pointer to the file owner's domain. This pointer, fown_domain
    in landlock_file_security will be used in file_send_sigiotask to check
    if the process can send a signal.
    
    The ruleset_with_unknown_scope test is updated to support
    LANDLOCK_SCOPE_SIGNAL.
    
    This depends on two new changes:
    - commit 1934b212 ("file: reclaim 24 bytes from f_owner"): replace
      container_of(fown, struct file, f_owner) with fown->file .
    - commit 26f20438 ("fs: Fix file_set_fowner LSM hook
      inconsistencies"): lock before calling the hook.
    Signed-off-by: default avatarTahera Fahimi <fahimitahera@gmail.com>
    Closes: https://github.com/landlock-lsm/linux/issues/8
    Link: https://lore.kernel.org/r/df2b4f880a2ed3042992689a793ea0951f6798a5.1725657727.git.fahimitahera@gmail.com
    [mic: Update landlock_get_current_domain()'s return type, improve and
    fix locking in hook_file_set_fowner(), simplify and fix sleepable call
    and locking issue in hook_file_send_sigiotask() and rebase on the latest
    VFS tree, simplify hook_task_kill() and quickly return when not
    sandboxed, improve comments, rename LANDLOCK_SCOPED_SIGNAL]
    Co-developed-by: default avatarMickaël Salaün <mic@digikod.net>
    Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
    54a6e6bb
limits.h 1.1 KB