samples/landlock: Add support for named UNIX domain socket restrictions

The access right for UNIX domain socket lookups is grouped with the
read-write rights in the sample tool.  Rationale: In the general case,
any operations are possible through a UNIX domain socket, including
data-mutating operations.

Cc: Justin Suess <utilityemal77@gmail.com>
Cc: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20260327164838.38231-7-gnoack3000@gmail.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 9f21088c0855c8d37fd63cf70fd1104e92d7a94e..66e56ae275c6b350cc0dedb4ef05aca5e1d4d8e3 100644 (file)
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -111,7 +111,8 @@ static int parse_path(char *env_path, const char ***const path_list)
        LANDLOCK_ACCESS_FS_WRITE_FILE | \
        LANDLOCK_ACCESS_FS_READ_FILE | \
        LANDLOCK_ACCESS_FS_TRUNCATE | \
-       LANDLOCK_ACCESS_FS_IOCTL_DEV)
+       LANDLOCK_ACCESS_FS_IOCTL_DEV | \
+       LANDLOCK_ACCESS_FS_RESOLVE_UNIX)
 
 /* clang-format on */
 
@@ -295,11 +296,12 @@ out_unset:
        LANDLOCK_ACCESS_FS_MAKE_SYM | \
        LANDLOCK_ACCESS_FS_REFER | \
        LANDLOCK_ACCESS_FS_TRUNCATE | \
-       LANDLOCK_ACCESS_FS_IOCTL_DEV)
+       LANDLOCK_ACCESS_FS_IOCTL_DEV | \
+       LANDLOCK_ACCESS_FS_RESOLVE_UNIX)
 
 /* clang-format on */
 
-#define LANDLOCK_ABI_LAST 8
+#define LANDLOCK_ABI_LAST 9
 
 #define XSTR(s) #s
 #define STR(s) XSTR(s)
@@ -438,6 +440,10 @@ int main(const int argc, char *const argv[], char *const *const envp)
                        ~LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
                __attribute__((fallthrough));
        case 7:
+       case 8:
+               /* Removes LANDLOCK_ACCESS_FS_RESOLVE_UNIX for ABI < 9 */
+               ruleset_attr.handled_access_fs &=
+                       ~LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
                /* Must be printed for any ABI < LANDLOCK_ABI_LAST. */
                fprintf(stderr,
                        "Hint: You should update the running kernel "