This is more of a question/discussion than a concrete proposal.
#7 and LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET that stemmed from that works only in the one direction: sandboxed processes can restrict themselves from being able to connect to outside resources. This works well for the threat model where there are no malicious unsandboxed processes. But if there are malicious cooperating sandboxed and an unsandboxed process, the connection order could be reversed to make the unsandboxed one connect to an abstract socket created by the landlocked process. The only way to mitigate that threat is to either unshare network namespaces (and require userspace networking like slirp4netns or pasta if one wants to give network access to the sandbox).
It would be quite useful (and avoid the userspace networking complexity and overhead) to be able to restrict a sandboxed process from being able to accept incoming connections from outside the sandbox - having connection process get a ECONNREFUSED or EACCES e.g. That way the primary headache of abstract sockets - passing file descriptors via SCM_RIGHTS - could be fully mitigated via landlock. As noted in the threads from #7, using seccomp for this turns out to be quite complex and racy.
I'm framing it this way, because if such a feature was implemented, then it would be quite a big change for the landlock model of only restricting the sandboxed thread/process. Nevertheless, such functionality would provide a very convenient and robust way of completely scoping IPC access.
It's not clear to me whether this approach would align with Landlock semantics.
An alternative solution might be to disallow sending messages to outside processes (including SCM_RIGHTS) - not preventing processes from the outside from connecting. This would be more in-line with existing precedent, yet less complete - an outside process could still smuggle file descriptors into the sandbox - even for something that the sandbox couldn't access due to FS landlock restrictions.
This is more of a question/discussion than a concrete proposal.
#7 and
LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKETthat stemmed from that works only in the one direction: sandboxed processes can restrict themselves from being able to connect to outside resources. This works well for the threat model where there are no malicious unsandboxed processes. But if there are malicious cooperating sandboxed and an unsandboxed process, the connection order could be reversed to make the unsandboxed one connect to an abstract socket created by the landlocked process. The only way to mitigate that threat is to either unshare network namespaces (and require userspace networking like slirp4netns or pasta if one wants to give network access to the sandbox).It would be quite useful (and avoid the userspace networking complexity and overhead) to be able to restrict a sandboxed process from being able to accept incoming connections from outside the sandbox - having connection process get a
ECONNREFUSEDorEACCESe.g. That way the primary headache of abstract sockets - passing file descriptors viaSCM_RIGHTS- could be fully mitigated via landlock. As noted in the threads from #7, using seccomp for this turns out to be quite complex and racy.I'm framing it this way, because if such a feature was implemented, then it would be quite a big change for the landlock model of only restricting the sandboxed thread/process. Nevertheless, such functionality would provide a very convenient and robust way of completely scoping IPC access.
It's not clear to me whether this approach would align with Landlock semantics.
An alternative solution might be to disallow sending messages to outside processes (including
SCM_RIGHTS) - not preventing processes from the outside from connecting. This would be more in-line with existing precedent, yet less complete - an outside process could still smuggle file descriptors into the sandbox - even for something that the sandbox couldn't access due to FS landlock restrictions.