From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from atuin.qyliss.net (localhost [IPv6:::1]) by atuin.qyliss.net (Postfix) with ESMTP id 54633147FB; Mon, 15 Dec 2025 08:20:52 +0000 (UTC) Received: by atuin.qyliss.net (Postfix, from userid 993) id 3E6311485A; Mon, 15 Dec 2025 08:20:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on atuin.qyliss.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DMARC_PASS,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=4.0.1 Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) by atuin.qyliss.net (Postfix) with ESMTPS id 60E7B14859 for ; Mon, 15 Dec 2025 08:20:47 +0000 (UTC) Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-b7eff205947so166183966b.1 for ; Mon, 15 Dec 2025 00:20:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1765786843; x=1766391643; darn=spectrum-os.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=MgAwxLQKS49ovdUATm1n2L7redIdsOV7iEU7UKKm5tI=; b=ajTmhMD+r0TdA8P8t62R8t5WtKotjY7L5m8kMNHqh7DXAuUU5kJLfd5X7B5L2n/t3Y /DedIGkTA13HkujihgZkUVtxCImHVUIjUR4hnVtykGn4Nkj3CvZfegbhFH7PDP2pyOMr l23MAtd8uFj26g116SlRUUBKA4kulk036Pdc3t2CW+xQhFtVkeDSJ0vbXLVVDkBIgmVl eatg5dbVVwl1sBWWqqB2HIu9h5ncoWMTElPdVK2vTzheR50UrX2wJ3cvB4vNBGh8T6a8 EZ2hGliMf1Mme1D2z004f4OWate1doO0OMewkV+LKs+M+ouio3H6RzUHgG3eFF67Ucj3 kQAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1765786843; x=1766391643; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=MgAwxLQKS49ovdUATm1n2L7redIdsOV7iEU7UKKm5tI=; b=HmgeNH9JU0tWFhLQb7nh1Yqk9YkkWA+W3f/BJd0qwhApJ4mnVLfK9qGzQ2s513glnU YmM0yIZwPHr18lc+3EAhyTltl9ud1uLcL/oxPTTeQFRMkWE5tUEth55uqvnqVTKclYLR ADXV2CTvSkY6l51c3eSVsDLymj+OOGNprgo02cdItACj86sEZd6u2XWceUI3sDhXk1gy pJtdvMimgd6Msfn8ujzAV7tXuJogmD3kAQ7tgsrWt9/CSw5mTDks3FhSFg23F6xQ2x7J 1pemdSBS4pVe6SgIlPLEW1yTUtSB1w98GYK3xe+LcIIKESlLrpzJgEEbvbDDzMF+pzM/ B82Q== X-Forwarded-Encrypted: i=1; AJvYcCV9Qh0M2iGHgLgg33A6xjEpj6FsqpPZLTkHkOm7yikOk9jIPLUwqOzpekTn686Fa7We8J2OxA==@spectrum-os.org X-Gm-Message-State: AOJu0Yx6cLI5zvz6pb73HOvZb4Qt9xxbJzDmI9BjuppSm5V6Q1SLnfyZ Yfv9EME9uds9TGXyDKdD2y3nGod8KD/2oNSWiL/aVEgWowYi8ycq0Uw3 X-Gm-Gg: AY/fxX71oilmXPnvC+60NZyKfjXuDpj4TYS5mRyFOGHOvfe88D46GczRTEHnIQYDQlp vj+ITka+rFvWRywFeNdR/xNVdoOnsYiaMTCqAYT1ui3K1rDfFN+miNcSaRHu0GKOzkI1q8t+buN kMxY7cWrcNxkSQJNDoZ440QWi6EfqlqRqwaKAFNwq64yolyPFZZ2nK6Cp9PWsbJo2cPhM+pZ9wq A2vJGdtmvDMI214OhP4UFxE8mLoKGFMyuvxmsL6Cma5xNddKB750Bj9/NiHwH62BIAeJRqKXyBW D4MTrDqfmibZKzYA0YQzW8RVQNojOnP3EfL9zaT6LvgRHFulHU8UXzGj0pFEKxpis6GG6qgyS6B IWM9kwaSKHr+kYs5x8b8CvRcYFep6+gjzyQd7+SLc5LyrkS4l/uiOPlm1c7CcjqGTUNbvPHNdan KQzxfLiXYsy8IBwYaFRAupCCRNfg9D7k9xdv/2 X-Google-Smtp-Source: AGHT+IHZJmaQaHIyZu23aY20L8OEhXcH95sjK+OBTRsa2WtJe6DENa+J+EPR/hVV2ccdKAytzQEetA== X-Received: by 2002:a17:907:8694:b0:b73:1e09:7377 with SMTP id a640c23a62f3a-b7d23aa5631mr1096802166b.58.1765786843063; Mon, 15 Dec 2025 00:20:43 -0800 (PST) Received: from localhost (ip87-106-108-193.pbiaas.com. [87.106.108.193]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b7cfa51754dsm1360553966b.42.2025.12.15.00.20.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 15 Dec 2025 00:20:42 -0800 (PST) Date: Mon, 15 Dec 2025 09:20:37 +0100 From: =?iso-8859-1?Q?G=FCnther?= Noack To: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= Subject: Re: [PATCH] host/roots: Sandbox xdg-desktop-portal-spectrum-host Message-ID: <20251215.5d7e473daa34@gnoack.org> References: <20251212-sandbox-dbus-portal-v1-1-522705202482@gmail.com> <87o6o25h6y.fsf@alyssa.is> <87ikea5a8x.fsf@alyssa.is> <00256266-26db-40cf-8f5b-f7c7064084c2@gmail.com> <87bjk16dvv.fsf@alyssa.is> <515ff0f4-2ab3-46de-8d1e-5c66a93c6ede@gmail.com> <20251214.aiW5oc2izaxa@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20251214.aiW5oc2izaxa@digikod.net> Message-ID-Hash: FJA3RRZRSZO5DWECJUDDMG3S25OOI5G6 X-Message-ID-Hash: FJA3RRZRSZO5DWECJUDDMG3S25OOI5G6 X-MailFrom: gnoack3000@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-devel.spectrum-os.org-0; header-match-devel.spectrum-os.org-1; header-match-devel.spectrum-os.org-2; header-match-devel.spectrum-os.org-3; header-match-devel.spectrum-os.org-4; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Demi Marie Obenour , Alyssa Ross , Spectrum OS Development , linux-security-module@vger.kernel.org, landlock@lists.linux.dev, "Ryan B. Sullivan" , =?iso-8859-1?Q?G=FCnther?= Noack X-Mailman-Version: 3.3.9 Precedence: list List-Id: Patches and low-level development discussion Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Sun, Dec 14, 2025 at 08:50:45PM +0100, Mickaël Salaün wrote: > On Sat, Dec 13, 2025 at 11:49:11PM -0500, Demi Marie Obenour wrote: > > On 12/13/25 20:39, Alyssa Ross wrote: > > > Demi Marie Obenour writes: > > > > > >> On 12/13/25 16:42, Alyssa Ross wrote: > > >>> Demi Marie Obenour writes: > > >>> > > >>>> On 12/13/25 14:12, Alyssa Ross wrote: > > >>>>> Demi Marie Obenour writes: > > >>>>> > > >>>>>> It is quite possible that these Landlock rules are unnecessarily > > >>>>>> permissive, but all of the paths to which read and execute access is > > >>>>>> granted are part of the root filesystem and therefore assumed to be > > >>>>>> public knowledge. Removing access from any of them would only increase > > >>>>>> the risk of accidental breakage in the future, and would not provide any > > >>>>>> security improvements. seccomp *could* provide some improvements, but > > >>>>>> the effort needed is too high for now. > > >>>>>> > > >>>>>> Signed-off-by: Demi Marie Obenour > > >>>>>> --- > > >>>>>> .../template/data/service/xdg-desktop-portal-spectrum-host/run | 8 ++++++++ > > >>>>>> 1 file changed, 8 insertions(+) > > >>>>> > > >>>>> Are you sure this is working as intended? There's no rule allowing > > >>>>> access to Cloud Hypervisor's VSOCK socket, and yet it still seems to be > > >>>>> able to access that. Don't you need to set a rule that *restricts* > > >>>>> filesystem access and then add holes? Did you ever see this deny > > >>>>> anything? > > >>>> > > >>>> 'man 1 setpriv' states that '--landlock-access fs' blocks all > > >>>> filesystem access unless a subsequent --landlock-rule permits it. > > >>>> I tried running with no --landlock-rule flags and the execve of > > >>>> xdg-desktop-portal-spectrum-host failed as expected. > > >>>> > > >>>> The socket is passed over stdin, and I'm pretty sure Landlock > > >>>> doesn't restrict using an already-open file descriptor. > > >>>> xdg-desktop-portal-spectrum-host does need to find the path to the > > >>>> socket, but I don't think it ever accesses that path. > > >>> > > >>> I've been looking into this a bit myself, and from what I can tell > > >>> Landlock just doesn't restrict connecting to sockets at all, even if > > >>> they're inside directories that would otherwise be inaccessible. It's > > >>> able to connect to both Cloud Hypervisor's VSOCK socket and the D-Bus > > >>> socket even with a maximally restrictive landlock rule. So you were > > >>> right after all, sorry! > > >> > > >> That's not good at all! It's a trivial sandbox escape in so many cases. > > >> For instance, with access to D-Bus I can just call `systemd-run`. > > >> > > >> I'm CCing the Landlock and LSM mailing lists because if you are > > >> correct, then this is a bad security hole. > > > > > > I don't find it that surprising given the way landlock works. "connect" > > > (to a non-abstract AF_UNIX socket) is not an operation there's a > > > landlock action for, and it's not like the other actions care about > > > access to parent directories and the like — I was able to execute a > > > program via a symlink after only giving access to the symlink's target, > > > without any access to the directory containing the symlink or the > > > symlink itself, for example. Landlock, as I understand it, is intended > > > to block a specified set of operations (on particular file hierarchies), > > > rather than to completely prevent access to those hierarchies like > > > permissions or mount namespaces could, so the lack of a way to block > > > connecting to a socket is more of a missing feature than a security > > > hole. > > > > 'man 7 unix' states: > > > > On Linux, connecting to a stream socket object requires write > > permission on that socket; sending a datagram to a datagram socket > > likewise requires write permission on that socket. > > > > Landlock is definitely being inconsistent with DAC here. Also, this > > allows real-world sandbox breakouts. On systemd systems, the simplest > > way to escape is to use systemd-run to execute arbitrary commands. > > The Linux kernel is complex and the link between the VFS and named UNIX > sockets is "special" (see the linked GitHub issue). Landlock doesn't > handle named UNIX sockets yet for the same reason it doesn't handle some > other kind of kernel resources or access rights: someone needs to > implement it (including tests, doc...). There is definitely interest to > add this feature, it has been discussed for some time, but it's not > trivial. It is a work in progress though: > https://github.com/landlock-lsm/linux/issues/36 Agreed, this would be the change that would let us restrict connect() on AF_UNIX sockets. Additionally, *in the case that you do not actually need* Unix sockets, the other patch set that would be of interest is the one for restricting the creation of new socket FDs: https://github.com/landlock-lsm/linux/issues/6 In this talk in 2014, I explained my mental model around the network-related restrictions: https://youtu.be/K2onopkMhuM?si=LCObEX6HhGdzPnks&t=2030 The discussed socket control feature continues to be a central missing piece, as the TCP port restrictions do not make much sense as long as you can still create sockets for other protocol types. Issue #6 that should fix this is still under active development -- an updated version of the patch was posted just last month. To bridge the gap, the same thing can also be emulated with seccomp, but as you noted above as well in this thread, this is harder. –Günther