.SS Network flags
These flags enable to restrict a sandboxed process
to a set of network actions.
-This is supported since the Landlock ABI version 4.
+.P
+This is supported since Landlock ABI version 4.
.P
The following access rights apply to TCP port numbers:
.TP
.B LANDLOCK_ACCESS_NET_CONNECT_TCP
Connect an active TCP socket to a remote port.
.\"
+.SS Scope flags
+These flags enable isolating a sandboxed process from a set of IPC actions.
+Setting a flag for a ruleset will isolate the Landlock domain
+to forbid connections to resources outside the domain.
+.P
+This is supported since Landlock ABI version 6.
+.P
+The following scopes exist:
+.TP
+.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+Restrict a sandboxed process from connecting to an abstract UNIX socket
+created by a process outside the related Landlock domain
+(e.g., a parent domain or a non-sandboxed process).
+.TP
+.B LANDLOCK_SCOPE_SIGNAL
+Restrict a sandboxed process from sending a signal
+to another process outside the domain.
+.\"
.SS Layers of file path access rights
Each time a thread enforces a ruleset on itself,
it updates its Landlock domain with a new layer of policy.
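Review bot: the new "Scope flags" subsection documents LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and LANDLOCK_SCOPE_SIGNAL, the same two flags that the new "IPC scoping" subsection later in this patch documents again, in the opposite order and with different wording, so the two descriptions are likely to drift apart; consider keeping the one-line summaries here and pointing at "IPC scoping" for the semantics, and list the flags in the same order in both places. Also, "Setting a flag for a ruleset will isolate the Landlock domain to forbid connections to resources outside the domain" only fits the socket flag: LANDLOCK_SCOPE_SIGNAL restricts signal delivery, not connections, so "interactions with" or "access to" would cover both. The wording change from "This is supported since the Landlock ABI version 4." to "This is supported since Landlock ABI version 4.", split into its own .P, matches the phrasing used in the new subsection.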
a sandboxed process should have a subset of the target process rules,
which means the tracee must be in a sub-domain of the tracer.
.\"
+.SS IPC scoping
+Similar to the implicit
+.BR "Ptrace restrictions" ,
+we may want to further restrict interactions between sandboxes.
+Therefore, at ruleset creation time,
+each Landlock domain can restrict the scope for certain operations,
+so that these operations can only reach out to processes
+within the same Landlock domain or in a nested Landlock domain (the "scope").
+.P
+The operations which can be scoped are:
+.TP
+.B LANDLOCK_SCOPE_SIGNAL
+This limits the sending of signals to target processes
+which run within the same or a nested Landlock domain.
+.TP
+.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+This limits the set of abstract
+.BR unix (7)
+sockets to which we can
+.BR connect (2)
+to socket addresses which were created
+by a process in the same or a nested Landlock domain.
+.IP
+A
+.BR sendto (2)
+on a non-connected datagram socket is treated as if it were doing an implicit
+.BR connect (2)
+and will be blocked if the remote end does not stem
+from the same or a nested Landlock domain.
+.IP
+A
+.BR sendto (2)
+on a socket which was previously connected will not be restricted.
+This works for both datagram and stream sockets.
+.P
+IPC scoping does not support exceptions via
+.BR landlock_add_rule (2).
+If an operation is scoped within a domain,
+no rules can be added to allow access to
+resources or processes outside of the scope.
+.\"
.SS Truncating files
The operations covered by
.B LANDLOCK_ACCESS_FS_WRITE_FILE
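Review bot: the LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET entry reads "This limits the set of abstract unix(7) sockets to which we can connect(2) to socket addresses which were created by ...", which stacks two "to" phrases and is hard to parse; suggest "This limits connect(2) on abstract unix(7) sockets to socket addresses created by a process in the same or a nested Landlock domain." The first-person "we" in "we may want to further restrict interactions between sandboxes" and "to which we can connect(2)" is also out of place in a manual page; man-pages(7) style prefers impersonal wording ("it may be desirable to further restrict", "to which a process can connect(2)"). The opening "Similar to the implicit Ptrace restrictions" leaves it to the reader to recognize the subsection name; "Similar to the implicit restrictions described under Ptrace restrictions above" makes the cross-reference explicit. The two sendto(2) paragraphs are clear, and stating that landlock_add_rule(2) cannot add exceptions for a scoped operation is a caveat worth keeping.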
\^ \^ LANDLOCK_ACCESS_NET_CONNECT_TCP
_ _ _
5 6.10 LANDLOCK_ACCESS_FS_IOCTL_DEV
+_ _ _
+6 6.12 LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+\^ \^ LANDLOCK_SCOPE_SIGNAL
.TE
.P
Users should use the Landlock ABI version rather than the kernel version
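Review bot: the new rows "6 6.12 LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET" and "\^ \^ LANDLOCK_SCOPE_SIGNAL" follow the existing row layout (a "_ _ _" separator, then the ABI and kernel columns spanned with "\^" for the second flag) and the ABI number agrees with the "This is supported since Landlock ABI version 6." sentence in the new "Scope flags" subsection; the one thing left to align is flag order, since the "IPC scoping" subsection lists LANDLOCK_SCOPE_SIGNAL first while this table and "Scope flags" list the socket flag first. Since "IPC scoping" never states an ABI version and the paragraph below the table tells users to rely on the ABI version rather than the kernel version, consider repeating the "since Landlock ABI version 6" sentence there so a reader landing on that subsection can use this table directly.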