www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Tahera Fahimi <fahimitahera@gmail.com>
	Thu, 5 Sep 2024 00:13:55 +0000 (18:13 -0600)
committer	Mickaël Salaün <mic@digikod.net>
	Mon, 16 Sep 2024 21:50:45 +0000 (23:50 +0200)
commit	21d52e295ad2afc76bbd105da82a003b96f6ac77
tree	3d9ed5b828c60e65d8a6d16ce59126c7a6f79053	tree
parent	a430d95c5efa2b545d26a094eb5f624e36732af0	commit \| diff

landlock: Add abstract UNIX socket scoping

Introduce a new "scoped" member to landlock_ruleset_attr that can
specify LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET to restrict connection to
abstract UNIX sockets from a process outside of the socket's domain.

Two hooks are implemented to enforce these restrictions:
unix_stream_connect and unix_may_send.

Closes: https://github.com/landlock-lsm/linux/issues/7
Signed-off-by: Tahera Fahimi <fahimitahera@gmail.com>
Link: https://lore.kernel.org/r/5f7ad85243b78427242275b93481cfc7c127764b.1725494372.git.fahimitahera@gmail.com
[mic: Fix commit message formatting, improve documentation, simplify
hook_unix_may_send(), and cosmetic fixes including rename of
LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET]
Co-developed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Mickaël Salaün <mic@digikod.net>

include/uapi/linux/landlock.h		diff \| blob \| history
security/landlock/limits.h		diff \| blob \| history
security/landlock/ruleset.c		diff \| blob \| history
security/landlock/ruleset.h		diff \| blob \| history
security/landlock/syscalls.c		diff \| blob \| history
security/landlock/task.c		diff \| blob \| history
tools/testing/selftests/landlock/base_test.c		diff \| blob \| history