From: Alyssa Ross
To: Demi Marie Obenour
Subject: Re: [PATCH] host/roots: Sandbox xdg-desktop-portal-spectrum-host
In-Reply-To: <00256266-26db-40cf-8f5b-f7c7064084c2@gmail.com>
References: <20251212-sandbox-dbus-portal-v1-1-522705202482@gmail.com>
 <87o6o25h6y.fsf@alyssa.is>
 <87ikea5a8x.fsf@alyssa.is>
 <00256266-26db-40cf-8f5b-f7c7064084c2@gmail.com>
Date: Sun, 14 Dec 2025 01:28:38 +0100
Message-ID: <87fr9d6h55.fsf@alyssa.is>
CC: Spectrum OS Development
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> On 12/13/25 16:42, Alyssa Ross wrote:
>> Demi Marie Obenour writes:
>>
>>> On 12/13/25 14:12, Alyssa Ross wrote:
>>>> Demi Marie Obenour writes:
>>>>
>>>>> It is quite possible that these Landlock rules are unnecessarily
>>>>> permissive, but all of the paths to which read and execute access is
>>>>> granted are part of the root filesystem and therefore assumed to be
>>>>> public knowledge. Removing access from any of them would only increase
>>>>> the risk of accidental breakage in the future, and would not provide any
>>>>> security improvements. seccomp *could* provide some improvements, but
>>>>> the effort needed is too high for now.
>>>>>
>>>>> Signed-off-by: Demi Marie Obenour
>>>>> ---
>>>>> .../template/data/service/xdg-desktop-portal-spectrum-host/run | 8 ++++++++
>>>>> 1 file changed, 8 insertions(+)
>>>>
>>>> Are you sure this is working as intended? There's no rule allowing
>>>> access to Cloud Hypervisor's VSOCK socket, and yet it still seems to be
>>>> able to access that. Don't you need to set a rule that *restricts*
>>>> filesystem access and then add holes? Did you ever see this deny
>>>> anything?
>>>
>>> 'man 1 setpriv' states that '--landlock-access fs' blocks all
>>> filesystem access unless a subsequent --landlock-rule permits it.
>>> I tried running with no --landlock-rule flags and the execve of
>>> xdg-desktop-portal-spectrum-host failed as expected.
>>>
>>> The socket is passed over stdin, and I'm pretty sure Landlock
>>> doesn't restrict using an already-open file descriptor.
>>> xdg-desktop-portal-spectrum-host does need to find the path to the
>>> socket, but I don't think it ever accesses that path.
>>
>> I've been looking into this a bit myself, and from what I can tell
>> Landlock just doesn't restrict connecting to sockets at all, even if
>> they're inside directories that would otherwise be inaccessible. It's
>> able to connect to both Cloud Hypervisor's VSOCK socket and the D-Bus
>> socket even with a maximally restrictive landlock rule. So you were
>> right after all, sorry!
>
> That's not good at all! It's a trivial sandbox escape in so many cases.
> For instance, with access to D-Bus I can just call `systemd-run`.
>
> I'm CCing the Landlock and LSM mailing lists because if you are
> correct, then this is a bad security hole.
>
>> I will still go ahead with doing this in the program though, since I
>> already got that far.
>
> Would it make sense to connect to the sockets and then block connect()
> and friends using seccomp?

I'm not sure it's worth it. There's not a lot else to connect to and I
expect we'll be able to do this with landlock at some point.

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQGoGac7QfI+H5ZtFCZddwkt31pFQUCaT4EtgAKCRCZddwkt31p
FT/yAPwN6YZgJ+6TUHc7N3AyR7yfpuV2ZEWkpi3Zbv/9ip+OrQEA4+ZWHnqzMDOn
s9HxzYzx0mmIJp50i1Ih8puTpr5hFQU=
=mzf9
-----END PGP SIGNATURE-----
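The two observations argued over above (a Landlock filesystem ruleset with no rules blocks a fresh open(), yet connect() to a named AF_UNIX socket in the same directory still succeeds, and a descriptor opened before the restriction keeps working) can be reproduced in a few dozen lines. The program below is an added example written for this page; it is not code from the thread, from setpriv, or from Spectrum OS. It assumes a Linux kernel with Landlock ABI 1 or later; the Landlock constants and syscall numbers are defined locally to mirror <linux/landlock.h> so it builds without that header, the scratch directory under /tmp, the socket name "portal.sock" and the probe file contents are constructed for the demo, and on a kernel or container where Landlock is unavailable the demo reports DEMO_UNSUPPORTED instead of asserting anything about kernel behaviour.

```c
/* landlock_unix_socket_demo.c
 *
 * Added example, not code from the thread or from Spectrum OS. A forked
 * child restricts itself with a Landlock ruleset that handles every ABI-1
 * filesystem access right and contains no rules, then checks three things:
 *   1. a fresh open() of a file is denied with EACCES;
 *   2. connect() to a named AF_UNIX socket in the same directory succeeds,
 *      because Landlock's filesystem rights do not cover socket connections;
 *   3. a descriptor opened before landlock_restrict_self() is still readable.
 * The constants below mirror <linux/landlock.h> (ABI 1) and are defined
 * locally so the file builds without that header.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444   /* same number on x86_64 and arm64 */
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

/* Landlock ABI 1: the 13 filesystem access rights, bits 0..12. */
#define DEMO_LANDLOCK_FS_ABI1_ALL ((uint64_t)0x1fff)

struct demo_ruleset_attr {
    uint64_t handled_access_fs;  /* first field of struct landlock_ruleset_attr */
};

enum {
    DEMO_SETUP_FAILED = -1,
    DEMO_UNSUPPORTED  = 0,   /* no usable Landlock on this kernel/container */
    DEMO_OPEN_DENIED  = 1,   /* open() after restriction failed with EACCES */
    DEMO_CONNECT_OK   = 2,   /* connect() to a named socket still succeeded */
    DEMO_PREOPEN_OK   = 4,   /* fd opened before restriction still readable */
    DEMO_CONFIRMED    = DEMO_OPEN_DENIED | DEMO_CONNECT_OK | DEMO_PREOPEN_OK,
};

/* Runs in the forked child; returns a DEMO_* bitmask or DEMO_UNSUPPORTED. */
static int sandboxed_probe(const char *probe_file, const char *sock_path)
{
    int pre_fd = open(probe_file, O_RDONLY);      /* opened BEFORE restriction */
    if (pre_fd < 0)
        return DEMO_SETUP_FAILED;

    struct demo_ruleset_attr attr = { .handled_access_fs = DEMO_LANDLOCK_FS_ABI1_ALL };
    long ruleset_fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (ruleset_fd < 0)
        return DEMO_UNSUPPORTED;   /* ENOSYS, EOPNOTSUPP, or blocked by seccomp */
    /* No rules are added: everything handled is denied. no_new_privs is
     * mandatory before landlock_restrict_self(), as it is for seccomp. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        syscall(__NR_landlock_restrict_self, (int)ruleset_fd, 0) != 0)
        return DEMO_UNSUPPORTED;
    close((int)ruleset_fd);

    int result = 0;

    /* 1. Fresh open(): READ_FILE is handled and has no rule -> EACCES. */
    int fd = open(probe_file, O_RDONLY);
    if (fd < 0 && errno == EACCES)
        result |= DEMO_OPEN_DENIED;
    if (fd >= 0)
        close(fd);

    /* 2. connect() to a named socket next to that file: not a filesystem
     *    access right, so the ruleset does not apply and it succeeds. */
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s", sock_path);
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s >= 0 && connect(s, (struct sockaddr *)&sa, sizeof sa) == 0)
        result |= DEMO_CONNECT_OK;
    if (s >= 0)
        close(s);

    /* 3. The descriptor from before the restriction keeps its access. */
    char buf[8];
    if (pread(pre_fd, buf, sizeof buf, 0) > 0)
        result |= DEMO_PREOPEN_OK;
    close(pre_fd);
    return result;
}

/* Creates a scratch directory (constructed for the demo) with a probe file
 * and a listening socket, forks, and returns what the restricted child saw. */
int landlock_socket_demo(void)
{
    char dir[] = "/tmp/ll-demo-XXXXXX";
    if (!mkdtemp(dir))
        return DEMO_SETUP_FAILED;
    char probe_file[128], sock_path[108];
    snprintf(probe_file, sizeof probe_file, "%s/probe.txt", dir);
    snprintf(sock_path, sizeof sock_path, "%s/portal.sock", dir);

    int result = DEMO_SETUP_FAILED, listener = -1;
    const char *data = "constructed probe data\n";
    int fd = open(probe_file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    if (n != (ssize_t)strlen(data))
        goto out;

    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s", sock_path);
    listener = socket(AF_UNIX, SOCK_STREAM, 0);
    if (listener < 0 || bind(listener, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(listener, 1) != 0)
        goto out;

    pid_t pid = fork();
    if (pid < 0)
        goto out;
    if (pid == 0) {
        int r = sandboxed_probe(probe_file, sock_path);
        _exit(r < 0 ? 255 : r);
    }
    int status;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) {
        int code = WEXITSTATUS(status);
        result = (code == 255) ? DEMO_SETUP_FAILED : code;
    }
out:
    if (listener >= 0)
        close(listener);
    unlink(sock_path);
    unlink(probe_file);
    rmdir(dir);
    return result;
}

/* True for the only two outcomes a correct run can have: Landlock unusable,
 * or all three observations made together. Anything else means a kernel
 * behaving differently from what this page describes. */
int demo_outcome_is_expected(int r)
{
    return r == DEMO_UNSUPPORTED || r == DEMO_CONFIRMED;
}

int main(void)
{
    int r = landlock_socket_demo();
    if (r == DEMO_UNSUPPORTED)
        puts("Landlock not usable here; nothing to show");
    else if (r == DEMO_CONFIRMED)
        puts("open() denied, connect() to named socket allowed, pre-opened fd still readable");
    else
        printf("unexpected outcome: %d\n", r);
    return demo_outcome_is_expected(r) ? 0 : 1;
}
```

Build with `cc -o landlock_unix_socket_demo landlock_unix_socket_demo.c` and run it unprivileged. The check is done in a forked child so the restriction never lands on the parent; the child exits with a bitmask, and a kernel that has Landlock but denies the demo's connect() would show up as an outcome other than DEMO_CONFIRMED rather than being silently accepted.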