samples/landlock: Add support for signal scoping

tahifahimi · l0kod · commit f490e205bcba · 2024-09-16T23:50:54.000+02:00
The sandboxer can receive the character "s" as input from the environment variable LL_SCOPE to restrict sandboxed processes from sending signals to processes outside of the sandbox. Example ======= Create a sandboxed shell and pass the character "s" to LL_SCOPED: LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="s" ./sandboxer /bin/bash Try to send a SIGTRAP to a process with process ID <PID> through: kill -SIGTRAP <PID> The sandboxed process should not be able to send the signal. Signed-off-by: Tahera Fahimi <fahimitahera@gmail.com> Link: https://lore.kernel.org/r/1f3f1992b2abeb8e5d7aa61b854e1b0721978b9a.1725657728.git.fahimitahera@gmail.com [mic: Improve commit message, simplify code, rebase on previous sample change] Signed-off-by: Mickaël Salaün <mic@digikod.net>
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
@@ -194,9 +194,11 @@ static bool check_ruleset_scope(const char *const env_var,
 	char *env_type_scope, *env_type_scope_next, *ipc_scoping_name;
 	bool error = false;
 	bool abstract_scoping = false;
+	bool signal_scoping = false;
 
 	/* Scoping is not supported by Landlock ABI */
-	if (!(ruleset_attr->scoped & LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET))
+	if (!(ruleset_attr->scoped &
+	      (LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL)))
 		goto out_unset;
 
 	env_type_scope = getenv(env_var);
@@ -210,6 +212,9 @@ static bool check_ruleset_scope(const char *const env_var,
 			strsep(&env_type_scope_next, ENV_DELIMITER))) {
 		if (strcmp("a", ipc_scoping_name) == 0 && !abstract_scoping) {
 			abstract_scoping = true;
+		} else if (strcmp("s", ipc_scoping_name) == 0 &&
+			   !signal_scoping) {
+			signal_scoping = true;
 		} else {
 			fprintf(stderr, "Unknown or duplicate scope \"%s\"\n",
 				ipc_scoping_name);
@@ -224,6 +229,8 @@ static bool check_ruleset_scope(const char *const env_var,
 out_unset:
 	if (!abstract_scoping)
 		ruleset_attr->scoped &= ~LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET;
+	if (!signal_scoping)
+		ruleset_attr->scoped &= ~LANDLOCK_SCOPE_SIGNAL;
 
 	unsetenv(env_var);
 	return error;
@@ -268,7 +275,8 @@ int main(const int argc, char *const argv[], char *const *const envp)
 		.handled_access_fs = access_fs_rw,
 		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
 				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
-		.scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+		.scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+			  LANDLOCK_SCOPE_SIGNAL,
 	};
 
 	if (argc < 2) {
@@ -305,7 +313,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
 			"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
 			"%s=\"9418\" "
 			"%s=\"80:443\" "
-			"%s=\"a\" "
+			"%s=\"a:s\" "
 			"%s bash -i\n\n",
 			ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
 			ENV_TCP_CONNECT_NAME, ENV_SCOPED_NAME, argv[0]);
@@ -378,8 +386,9 @@ int main(const int argc, char *const argv[], char *const *const envp)
 
 		__attribute__((fallthrough));
 	case 5:
-		/* Removes LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET for ABI < 6 */
-		ruleset_attr.scoped &= ~LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET;
+		/* Removes LANDLOCK_SCOPE_* for ABI < 6 */
+		ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+					 LANDLOCK_SCOPE_SIGNAL);
 		fprintf(stderr,
 			"Hint: You should update the running kernel "
 			"to leverage Landlock features "
