Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for Scoped access rights #33

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Support for Scoped access rights #33

wants to merge 2 commits into from

Conversation

gnoack
Copy link
Collaborator

@gnoack gnoack commented Nov 9, 2024
edited
Loading

This adds Go-Landlock support for Scoped access rights for IPC between processes,
which were added by @tahifahimi in

https://lore.kernel.org/all/cover.1725657727.git.fahimitahera@gmail.com/
and https://lore.kernel.org/all/cover.1725494372.git.fahimitahera@gmail.com/

Known bug about IPC between goroutines

A noteworthy difference to C is that in Go, we technically create multiple Landlock domains. All Go programs inherently have multiple goroutines and OS threads. We enforce the Landlock ruleset on each of these OS threads, but they do technically become separate Landlock domains. As a result, it becomes dependent on Goroutine scheduling whether IPC between two goroutines is considered to cross the boundary to an "unrelated" Landlock domain.

In order to fix that, I think we'd need to address landlock-lsm/linux#2 first, so that we could apply the same domain on all threads of a process.

Also see the section I added to the documentation:

// # Current Limitations (IPC within the same Go program)
//
// For a Go process which restricts Landlock "scoped" IPC operations
// for itself, goroutines within this process might be inconsistently
// permitted or denied to use these IPC mechanisms among themselves.
//
// This is because different OS threads within the Go process may
// technically belong to different Landlock domains (even if these
// domains enforce the same policies).

To reproduce the issue:

  • Enforce a Landlock domain with the Abstract Unix Domain Socket scope
  • Listen on an Abstract Unix Domain Socket
  • n times, kick off a goroutine, sleep briefly (to irritate the scheduler), and dial the abstract Unix Domain Socket

Observed behaviour:

  • Dialing fails most of the time, but succeeds in a small fraction of attempts (when the listen and dial operation happened on the same OS thread, by chance)

Desired behaviour:

  • Would be nicer if these forms of IPC were always permitted across goroutines on the same process, because the Landlock policies are equivalent.

gnoack added 2 commits November 9, 2024 08:26
@gnoack
Replace mention of "PathRules" with "FSRules" #cleanup
6e98333
@gnoack
Landlock ABI v6 support (scoped IPC)
b981810 
This feature restricts the use of UNIX signals and dialing out to
Linux's Abstract UNIX Domain Sockets when the recipient process is in
a more privileged or unrelated Landlock domain.  When the restriction
is enabled, these forms of IPC are only permitted if the target
process is in the same or a less privileged (nested) Landlock domain.

Link: https://lore.kernel.org/all/cover.1725657727.git.fahimitahera@gmail.com/
Link: https://lore.kernel.org/all/cover.1725494372.git.fahimitahera@gmail.com/
@gnoack
Copy link
Collaborator Author

gnoack commented Nov 9, 2024

Reminder to myself: Double check that Abstract Unix Domain Sockets and Signals are actually not needed within the same Go process.

(I am pretty certain about Abstract Unix Domain Sockets, but I start having doubts about the signals. IIRC, when using cgo, libpsx is using signals itself to get all the OS threads to run that syscall.)

This was referenced Nov 9, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@gnoack