From nobody Sun May 24 20:33:34 2026 Received: from mail-yw1-f172.google.com (mail-yw1-f172.google.com [209.85.128.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 850B9372685 for ; Thu, 21 May 2026 16:06:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379618; cv=none; b=XWRhIvV02zUh+X36XANDpu9BvUEMkk0xpLpRWuejlJx5KHNp1zDU51CC3jEc40n0qce60So+26RW0GYEGNahtaFf5lKF0QhEHki5X/Qk8vKJUzulqnBPulNq4Sdj4gEnJetKBW5b+UozfKKVDQ05OTEAnXus2amxdgXU0DNSS2A= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379618; c=relaxed/simple; bh=BU308g11FtLppIAB/aDcWxQuNwgPLrw8nrpt0uybx18=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=eJZwCCtXg55csuNy6X8crXb+2++saHNNH/JLlrw6nfVYJpO9hB2KR8BkucDy+OashvVKVKnu7aEd7UJ+FtCH9KnSszHraFe1itxcgy4+Ayu67n/w2RdCfRyVw++pKgSLcRquNmPECE0lETzbdlnOSQi3SIPtknH40zCK8pDwgrs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=PU9RvFuA; arc=none smtp.client-ip=209.85.128.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="PU9RvFuA" Received: by mail-yw1-f172.google.com with SMTP id 00721157ae682-7c04749d739so42539717b3.3 for ; Thu, 21 May 2026 09:06:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779379616; x=1779984416; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6hdgfN+G4et8ibY6iXu0zvGvxBXNyZHs8s+cU+ttE2o=; b=PU9RvFuAnzPfWcAz6zit6qNVxwWsV8TgMRcINpvOEnueBAObjFNRvUu98SizdW3/nX C8pdc75DSOW16NRhdfNO1TDQySCU92wfpEcxsFZ04rM+clH5V7BalUmZkzWFlMkUWTOM d1ubVH1rDhQyScdJdI3fZ3V6CP9apCQ+pAuV9m8/qmrcqo3Gr6lRzZYYSALpp1dDAXff 2x5BfihaRtxWN7m/cfBT6/KnB7bEYR7KKbD5pfPYT/JHNxe+bovu9TQ3dDTMo3WLWOc1 va8t9CHl8D/Fei6y6jeFlQPy5S7ol4ECz7Dm90+IWREQfB7ZLX5yQyG2UzIPGFqh/b/P KMAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779379616; x=1779984416; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=6hdgfN+G4et8ibY6iXu0zvGvxBXNyZHs8s+cU+ttE2o=; b=BgExfLYhzLJte1IAUwZDwzR+G/1Ux4R8SOmvaHqCMr9wHn8DVt/nl9BTp0KNpxm3R2 7mOdTqNaPa5FoYjOXM8Y8TSObjkuuxExwqi6fq94SemjM6X1JpaXiCxYuyy8BbYg+8YE LSZQFMUPbL4Y+FOWUZTCIopASvt60qAxLtXfWRz/8BjCbPJRSbWiMT/Q0mbAHKVNpDGO URVOIWGAHUs/mrqMdAS7gWPJ01SFYS4QIZZcR7bOtae7FADU+Xt8+3pAWaWy9CzyrwFj 9FiLFwVeS3PCX2KPfXmuFIK0ILmyu1HvoWsCsm139p0pgvkbtL8TKphaBCVilJJ6PDHO CI7g== X-Gm-Message-State: AOJu0YxIYm5TkC+vhB/vrPPPDWB2KGGMnMSMo684CVM/yMLdek3howno HaL+5osEsQ5sVMVksCQ3RO2M/OM5VRcyUIMDzggCqZwKOJSXalYBX8Ap X-Gm-Gg: Acq92OGidP6mXKe5NsLBKVM/3HYmV5M+Iv6fNNQuV4tNJN/OiIG8RjLzivLksmrofik MqJxjlA6+qPZTEtWRRsTh3EJqX4EE/Nj0ZNunVFsPtdIHND5oypPiwxgl38QVWFMNlZt0piNbr3 JzQKSG3F1LifrHXoeF37OXt2JyS4JQ6BexkKWkkr4STl2IEJheqRQYloBMqNPzXBL6SOyTvVpme UmI+QOo7ATjhqthR6KYCUR0yjfF5VKLHEV+dCd/1wWPDIzxvr5vuMKd3H64hO9L1zbNRfeSMrRI TgywdlbMG6/CxZwcLgJX747ZC6/QytpgFtLKLnmrxTDHAHmcRRRowJQGiTwzmBLACfmwXk6TsVg 0DptvFZnKZNhT3ZaiMUCOIH+5hJKC4wlUyjdOpVqTA/cPHOWEAgzNIu0FD5ZA6yfeVMP1rR5IUz WAAqbmhnlA6xM5cTSP4QSGxEHz7g59RG+b1WVipJorAbH5mBM0ANLwcPN/9iTftsBdjYXW13d78 gTg+qoNXQ== X-Received: by 2002:a05:690c:4d46:b0:7bd:5d03:dc1a with SMTP id 00721157ae682-7d20a6ab26emr36274407b3.1.1779379616568; Thu, 21 May 2026 09:06:56 -0700 (PDT) Received: from zenbox.prizrak.me ([2600:1700:18fb:6011:c2cf:2e92:9a48:97a]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7d2c7abad87sm4657587b3.2.2026.05.21.09.06.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 May 2026 09:06:56 -0700 (PDT) From: Justin Suess To: gnoack3000@gmail.com, mic@digikod.net Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Justin Suess Subject: [PATCH 1/6] landlock: Add kern_ipc_perm credential blob structs Date: Thu, 21 May 2026 12:06:35 -0400 Message-ID: <20260521160640.1716746-2-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260521160640.1716746-1-utilityemal77@gmail.com> References: <20260521160640.1716746-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add landlock_kern_ipc_perm_security, tracking ownership of SysV IPC objects. The struct contains the creating task's Landlock credential (@owner_subject) and a @kind enum identifying which SysV IPC object this blob describes. The LSM core allocates the IPC blob for every kern_ipc_perm regardless of object kind, so the generic ipc_permission hook needs to be able to tell which objects it should enforce a given scope on. An enum makes it straightforward to extend Landlock to sem and shm scoping later without revisiting the blob layout. Define the size of this struct in the lbs_ipc field for the Landlock blob sizes. Signed-off-by: Justin Suess --- security/landlock/setup.c | 1 + security/landlock/task.h | 50 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/security/landlock/setup.c b/security/landlock/setup.c index 47dac1736f10..44aff2d734e9 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -32,6 +32,7 @@ struct lsm_blob_sizes landlock_blob_sizes __ro_after_init= =3D { .lbs_file =3D sizeof(struct landlock_file_security), .lbs_inode =3D sizeof(struct landlock_inode_security), .lbs_superblock =3D sizeof(struct landlock_superblock_security), + .lbs_ipc =3D sizeof(struct landlock_kern_ipc_perm_security), }; =20 int landlock_errata __ro_after_init; diff --git a/security/landlock/task.h b/security/landlock/task.h index 7c00360219a2..0fb82e5e347c 100644 --- a/security/landlock/task.h +++ b/security/landlock/task.h @@ -9,6 +9,56 @@ #ifndef _SECURITY_LANDLOCK_TASK_H #define _SECURITY_LANDLOCK_TASK_H =20 +#include +#include + +#include "cred.h" +#include "setup.h" + +/** + * enum landlock_sysv_ipc_kind - Kind of SysV IPC object backed by a blob + * + * @LANDLOCK_SYSV_IPC_UNSET: Blob has not been tagged by a Landlock IPC + * allocation hook. This is the zero value used for sem and shm + * objects that Landlock does not currently scope, as well as for + * any future kind that has not yet been wired up. + * @LANDLOCK_SYSV_IPC_MSG_QUEUE: Blob belongs to a SysV message queue. + */ +enum landlock_sysv_ipc_kind { + LANDLOCK_SYSV_IPC_UNSET =3D 0, + LANDLOCK_SYSV_IPC_MSG_QUEUE, +}; + +/** + * struct landlock_kern_ipc_perm_security - IPC object security blob + * + * Enable provenance tracking of SysV IPC objects to scope IPC accesses. + * The LSM core allocates a blob for every kern_ipc_perm regardless of the + * underlying object kind (msg queue, semaphore, shared memory), so callers + * that act on a subset of object kinds must consult @kind before + * interpreting @owner_subject. + */ +struct landlock_kern_ipc_perm_security { + /** + * @owner_subject: Landlock credential of the task that created the + * kernel IPC object. Only meaningful when @kind is not + * %LANDLOCK_SYSV_IPC_UNSET. + */ + struct landlock_cred_security owner_subject; + /** + * @kind: Kind of SysV IPC object this blob describes. Set by the + * matching alloc hook; %LANDLOCK_SYSV_IPC_UNSET for objects whose + * kind Landlock does not currently track. + */ + enum landlock_sysv_ipc_kind kind; +}; + +static inline struct landlock_kern_ipc_perm_security * +landlock_kern_ipc_perm(const struct kern_ipc_perm *const perm) +{ + return perm->security + landlock_blob_sizes.lbs_ipc; +} + __init void landlock_add_task_hooks(void); =20 #endif /* _SECURITY_LANDLOCK_TASK_H */ --=20 2.53.0 From nobody Sun May 24 20:33:34 2026 Received: from mail-yw1-f170.google.com (mail-yw1-f170.google.com [209.85.128.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C3EEB379C20 for ; Thu, 21 May 2026 16:06:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379621; cv=none; b=NjW/tnDCBRvAwLQns/Tb98yGXzjL0qixomi+nlztx/GtZAePXfxL7FZjaIVfJQsc3EZV7zMhU0h5WWGkiIiufnAVcEhyoFYeAsmvTpUxEzFBuAcHtF+btjIBWOWW25azz3YFKVn31UgSLGdWm/ETSNkH2QH3gn1F2JBcg+1REwM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379621; c=relaxed/simple; bh=iwHqNlu59dKcBPKAYuW+qb/FbKV8TP+BhgUbJNG7Rp4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OVcGc6U7gABhXnl8HXhzj9FgBWnx2fl/CzR7/Dx+qUOtjUzGbRWmKC0qoik977qWg6BQxrkBawDKo9vG5+EXG+xAO0CkDAkW6i0VxiZpQvfzStHo5etoN1Y3pI7dh0oNAz9HgrTTPafB2yGhP2SvXMJ4CjdpLbnJKt4HeyaLC6g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Bni1kL5b; arc=none smtp.client-ip=209.85.128.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Bni1kL5b" Received: by mail-yw1-f170.google.com with SMTP id 00721157ae682-7c2fa14795aso48529977b3.1 for ; Thu, 21 May 2026 09:06:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779379619; x=1779984419; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=J2YZgtYzCdoH3fKo8nj+WDqK1O7vQH6P5gI76NRfGS4=; b=Bni1kL5bmaI8L88ufZr6vjtPuKIphtFaFs8dOM9xPtNqFdm3akWcV/50ThBBDgZckI YXh3e68GO7oLgA+iQQ0VD0+8raR9Sy5cDeTyVl1VI3/MFsrgYuh5PpYQRtJWsonCQReh UFxDFhFtVBEVG2cXzFky/eXL8Wsp28kMz78Fk6ad5LP/3kaCatgTL9EzDwItdyV7suuO OCG6NlFBDkBsK/w++zivuYOAWM2Wel5H9aJFbOq3QnSDnsdiESn8Hf8EjeTaxGQBXYGB CZV8/XPo3LxLIAE5k6+X/VE8uQaddXL11dH+5507+2+K9vhGApghgw9ATw3J7DHS88NE 7F9Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779379619; x=1779984419; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=J2YZgtYzCdoH3fKo8nj+WDqK1O7vQH6P5gI76NRfGS4=; b=FcScVmo8j+/02WXzwTgfyzpzjfq4MOJ4IZJBunKKz4rb9tm2EMFOykD4HlWcB/dkIK sK5g78cPc8qBk99HXHvqEmIrPTDzel1rwrgcntXsO1CZiaY70QSlv7dzEsPhNUA67taN fg0/e/zxrDkXmAaK6VGCPV+YjnVAHmRLphu2J/3mLtW4akHYxDpLb6Rv/Bhw5q30rjH5 tKdc2bAwJXw4mkmQsywQkRwyVc3qUDgpYeQkgMGdmgvBFl3lQsNhLZ8YxLbsDHyJFtKd Z122ic4IYZmETHFi0/Sb2Xoj0sBs13GOWNo2ZWJYqWtro1ytWtR1fvJqKrVeVVEktOMJ J4ZQ== X-Gm-Message-State: AOJu0Ywq7edMvdJ+xvf0FespW0/SOk7zm6G4LqzQkghIzjjcfWkXbuYM ZkYACQrxMhHhyb4OotZb/dn7wtuq/HML32FUt3Cmh/9f0EJ2vrUlr7W6 X-Gm-Gg: Acq92OEnY4wX+sWxjKFb3gcxUIOioFiwZtx6zmW3jqZrwBw+jxdmbcSYYzA4r9+RkvV Ox8idGQerEJXqHmAcSp8InobGBkaqYDn4RSGD36vui1WIzdLeyOz6UL0wxc3OFnSBxjyOiWobRs z2QOIRu4Lhj51s51qL5SjutFipgVrXnEi2eaywRqFHrvydXK0WVnDxveoeLoFopG3K2Lp7GYboF Rv6Kq7INyynp8gclqA5PE2Z/ASfLOCTyAxkDRTkWf5yezKLngwt0VrGrKLTc+/xEvwVgrQXENVQ C7jiwgtsuKeFkfPalhVYx1vfbUkkoofk+GBdzsASXMxGHTUfau3rASiefFHYaysVYDRlo0UZLA8 wY3H2+2RG4+eikNwmuy5cvxxuns1HoUyIWY69G7+ebpSYFduEcp+5tHA8l94A3HHF7//9sJc2kg 5LHVmMTuVZTBA3oDZEi1ry0vGV/rns1g09YAh+NnWG67BSfI2/4UXuM3nqZ7m/HELCFI9jjVM= X-Received: by 2002:a05:690c:c531:b0:7c9:30f5:2054 with SMTP id 00721157ae682-7d20c9453b9mr38927037b3.40.1779379618563; Thu, 21 May 2026 09:06:58 -0700 (PDT) Received: from zenbox.prizrak.me ([2600:1700:18fb:6011:c2cf:2e92:9a48:97a]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7d2c7abad87sm4657587b3.2.2026.05.21.09.06.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 May 2026 09:06:58 -0700 (PDT) From: Justin Suess To: gnoack3000@gmail.com, mic@digikod.net Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Justin Suess Subject: [PATCH 2/6] landlock: Add LANDLOCK_SCOPE_SYSV_MSG_QUEUE Date: Thu, 21 May 2026 12:06:36 -0400 Message-ID: <20260521160640.1716746-3-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260521160640.1716746-1-utilityemal77@gmail.com> References: <20260521160640.1716746-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add a new scoped access right LANDLOCK_SCOPE_SYSV_MSG_QUEUE for controlling operations msgget, msgsnd, msgrcv, and msgctl on SysV message queues. Merely handling msgget is insufficient; SysV message queues do not use FDs or process local handles, and the msqid associated with a queue is valid within the IPC namespace. There is no requirement to perform a msgget to interact with a SysV message queue. When a process enforces this scoping, access to SysV message queues by a restricted process is only allowed if the queue was created by a process in the same or a nested Landlock domain. When a SysV message queue is allocated by a process in a Landlock domain, the security blob for the kern_ipc_perm is updated to reflect domain provenance and the blob is tagged as a message queue via the new @kind enum. The scope is enforced from the generic ipc_permission hook rather than the per-call msg_queue_* hooks. ipc_permission is the choke point for msgget on an existing queue and for msgsnd / msgrcv / msgctl(IPC_STAT, MSG_STAT, MSG_STAT_ANY). ipc_permission also fires for semaphores and shared memory, so the hook bails out when the blob's @kind is not LANDLOCK_SYSV_IPC_MSG_QUEUE. msgctl_down() (IPC_RMID and IPC_SET) does not go through ipc_permission, so msg_queue_msgctl is kept to cover those. It also guards against the IPC_INFO / MSG_INFO case where @msq is NULL and there is no specific queue to scope. Also update the scoped_test ACCESS_LAST sentinel to track the new last scope so the unknown-scope selftest does not falsely accept LANDLOCK_SCOPE_SYSV_MSG_QUEUE as unknown. Audit records are generated for this scope on denials. Signed-off-by: Justin Suess --- include/uapi/linux/landlock.h | 3 + security/landlock/audit.c | 4 + security/landlock/audit.h | 1 + security/landlock/limits.h | 2 +- security/landlock/task.c | 137 ++++++++++++++++++ .../testing/selftests/landlock/scoped_test.c | 2 +- 6 files changed, 147 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 10a346e55e95..c879b345afa3 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -398,10 +398,13 @@ struct landlock_net_port_attr { * related Landlock domain (e.g., a parent domain or a non-sandboxed pro= cess). * - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a s= ignal * to another process outside the domain. + * - %LANDLOCK_SCOPE_SYSV_MSG_QUEUE: Restrict a sandboxed process from int= eracting + * with a sysv msg queue created by a process outside the domain. */ /* clang-format off */ #define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0) #define LANDLOCK_SCOPE_SIGNAL (1ULL << 1) +#define LANDLOCK_SCOPE_SYSV_MSG_QUEUE (1ULL << 2) /* clang-format on*/ =20 #endif /* _UAPI_LINUX_LANDLOCK_H */ diff --git a/security/landlock/audit.c b/security/landlock/audit.c index 8d0edf94037d..174ddf6bd42c 100644 --- a/security/landlock/audit.c +++ b/security/landlock/audit.c @@ -79,6 +79,10 @@ get_blocker(const enum landlock_request_type type, case LANDLOCK_REQUEST_SCOPE_SIGNAL: WARN_ON_ONCE(access_bit !=3D -1); return "scope.signal"; + + case LANDLOCK_REQUEST_SCOPE_MSG_QUEUE: + WARN_ON_ONCE(access_bit !=3D -1); + return "scope.sysv_msg_queue"; } =20 WARN_ON_ONCE(1); diff --git a/security/landlock/audit.h b/security/landlock/audit.h index 56778331b58c..cc5700adab5a 100644 --- a/security/landlock/audit.h +++ b/security/landlock/audit.h @@ -21,6 +21,7 @@ enum landlock_request_type { LANDLOCK_REQUEST_NET_ACCESS, LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET, LANDLOCK_REQUEST_SCOPE_SIGNAL, + LANDLOCK_REQUEST_SCOPE_MSG_QUEUE, }; =20 /* diff --git a/security/landlock/limits.h b/security/landlock/limits.h index b454ad73b15e..7b74bcd66470 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -27,7 +27,7 @@ #define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1) #define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NE= T) =20 -#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPE_SIGNAL +#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPE_SYSV_MSG_QUEUE #define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1) #define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE) =20 diff --git a/security/landlock/task.c b/security/landlock/task.c index 6d46042132ce..68ac46baa2a5 100644 --- a/security/landlock/task.c +++ b/security/landlock/task.c @@ -434,6 +434,138 @@ static int hook_file_send_sigiotask(struct task_struc= t *tsk, return -EPERM; } =20 +static const struct access_masks sysv_msg_queue_scope =3D { + .scope =3D LANDLOCK_SCOPE_SYSV_MSG_QUEUE, +}; + +/** + * hook_msg_queue_alloc_security - Record the creator's domain on a SysV m= sg + * queue + * + * @perm: IPC permission structure of the newly created message queue. + * + * Save a reference to the creating task's Landlock domain in the IPC secu= rity + * blob and tag the blob as belonging to a message queue so that the gener= ic + * ipc_permission hook can distinguish msg queues from sem and shm objects. + * + * Return: 0 (allocation of the blob itself is handled by the LSM core). + */ +static int hook_msg_queue_alloc_security(struct kern_ipc_perm *const perm) +{ + struct landlock_kern_ipc_perm_security *const ipc_sec =3D + landlock_kern_ipc_perm(perm); + const struct landlock_cred_security *const subject =3D + landlock_get_applicable_subject(current_cred(), + sysv_msg_queue_scope, NULL); + + ipc_sec->kind =3D LANDLOCK_SYSV_IPC_MSG_QUEUE; + + /* + * The blob is zero-allocated by the LSM core, so owner_subject.domain + * is already NULL for an unsandboxed creator. + */ + if (!subject) + return 0; + + landlock_get_ruleset(subject->domain); + ipc_sec->owner_subject =3D *subject; + return 0; +} + +/** + * hook_msg_queue_free_security - Release the creator's domain reference + * + * @perm: IPC permission structure of the message queue being destroyed. + * + * The IPC security blob itself is freed by the LSM core. + */ +static void hook_msg_queue_free_security(struct kern_ipc_perm *const perm) +{ + struct landlock_kern_ipc_perm_security *const ipc_sec =3D + landlock_kern_ipc_perm(perm); + + /* May be called from an RCU callback (msg_rcu_free()). */ + landlock_put_ruleset_deferred(ipc_sec->owner_subject.domain); +} + +/** + * hook_ipc_permission - Enforce SysV msg queue scoping on the current task + * + * @ipcp: IPC permission structure of the object being accessed. + * @flag: Requested mode bits (unused; same value for every msg queue acce= ss). + * + * The ipc_permission hook is the choke point for msgget on an existing qu= eue + * and for msgsnd / msgrcv / msgctl(IPC_STAT, MSG_STAT, MSG_STAT_ANY) befo= re + * they touch any per-message state. Using the per-message msg_queue_msgrc= v hook + * instead would not work: find_msg() silently skips messages for which the + * hook returns an error and turns the result into -EAGAIN / -ENOMSG. + * + * The hook fires for sem and shm objects as well; @kind is used to filter + * them out. + * + * Return: 0 if access is allowed, -EPERM if scoped out. + */ +static int hook_ipc_permission(struct kern_ipc_perm *const ipcp, + const short flag) +{ + const struct landlock_kern_ipc_perm_security *const ipc_sec =3D + landlock_kern_ipc_perm(ipcp); + size_t handle_layer; + const struct landlock_cred_security *subject; + + /* Don't worry about other IPC objects for now */ + if (ipc_sec->kind !=3D LANDLOCK_SYSV_IPC_MSG_QUEUE) + return 0; + + subject =3D landlock_get_applicable_subject(current_cred(), + sysv_msg_queue_scope, + &handle_layer); + if (!subject) + return 0; + + if (!domain_is_scoped(subject->domain, ipc_sec->owner_subject.domain, + sysv_msg_queue_scope.scope)) + return 0; + + landlock_log_denial(subject, &(struct landlock_request) { + .type =3D LANDLOCK_REQUEST_SCOPE_MSG_QUEUE, + .audit =3D { + .type =3D LSM_AUDIT_DATA_IPC, + .u.ipc_id =3D ipcp->key, + }, + .layer_plus_one =3D handle_layer + 1, + }); + /* + * What error return here technically doesn't matter; it all gets + * mapped into EACCES when it's non-zero. Return EACCES anyway for + * consistency. + */ + return -EACCES; +} + +/** + * hook_msg_queue_msgctl - Enforce scoping on msgctl(IPC_RMID, IPC_SET) + * + * @msq: IPC permission structure of the message queue, or NULL for + * namespace-wide commands (IPC_INFO, MSG_INFO). + * @cmd: msgctl command code (unused). + * + * msgctl_down() does not go through ipc_permission(), so this hook is + * needed to cover IPC_RMID and IPC_SET. IPC_INFO and MSG_INFO are + * namespace-wide queries with no specific queue, so they are not in scope + * for SysV msg queue scoping. + * + * Return: 0 if access is allowed, -EPERM if scoped out. + */ +static int hook_msg_queue_msgctl(struct kern_ipc_perm *const msq, const in= t cmd) +{ + /* IPC_INFO and MSG_INFO are queue-less; nothing to scope. */ + if (!msq) + return 0; + + return hook_ipc_permission(msq, 0); +} + static struct security_hook_list landlock_hooks[] __ro_after_init =3D { LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check), LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme), @@ -443,6 +575,11 @@ static struct security_hook_list landlock_hooks[] __ro= _after_init =3D { =20 LSM_HOOK_INIT(task_kill, hook_task_kill), LSM_HOOK_INIT(file_send_sigiotask, hook_file_send_sigiotask), + + LSM_HOOK_INIT(msg_queue_alloc_security, hook_msg_queue_alloc_security), + LSM_HOOK_INIT(msg_queue_free_security, hook_msg_queue_free_security), + LSM_HOOK_INIT(msg_queue_msgctl, hook_msg_queue_msgctl), + LSM_HOOK_INIT(ipc_permission, hook_ipc_permission), }; =20 __init void landlock_add_task_hooks(void) diff --git a/tools/testing/selftests/landlock/scoped_test.c b/tools/testing= /selftests/landlock/scoped_test.c index b90f76ed0d9c..6692ba0573e6 100644 --- a/tools/testing/selftests/landlock/scoped_test.c +++ b/tools/testing/selftests/landlock/scoped_test.c @@ -12,7 +12,7 @@ =20 #include "common.h" =20 -#define ACCESS_LAST LANDLOCK_SCOPE_SIGNAL +#define ACCESS_LAST LANDLOCK_SCOPE_SYSV_MSG_QUEUE =20 TEST(ruleset_with_unknown_scope) { --=20 2.53.0 From nobody Sun May 24 20:33:34 2026 Received: from mail-yw1-f180.google.com (mail-yw1-f180.google.com [209.85.128.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2A4BC379C3C for ; Thu, 21 May 2026 16:07:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.180 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379624; cv=none; b=k7G+Xk64xl4pkIQWdi+YSsL5vQ5pxt0cWwanU7YiG4mSBj/JC+0n8cr5iTW3Mh0NkFFeQr085csZ937+uy3VzbFwN2681lvM2mUUY8b+n5ZkHaNT5jjoWr9wRRf8QvSXV+aX8FE+AYIzhiCkrR8ZK3vBra2CC00LBSinyVygZaY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379624; c=relaxed/simple; bh=znmD3jxer5HnR1uXhUrMxkukQCBwP6GV+vspk1LdGqY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=RXbz4+5eT2Y85VNayJ5OUttR3xZzLs4qcF+M/0CBnrocgGeIAQO6AIIW1BMsTdrzpLM16C4HTvW6bFXnSEMwj4mznmivL9giFRKu2Kh57NNAbRgFlleV5rC8dp+KZXipA0LdsWE1Cy87yrVD9/17mwP+sRASE1JAzrNux3tp11g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=OXYcbku2; arc=none smtp.client-ip=209.85.128.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="OXYcbku2" Received: by mail-yw1-f180.google.com with SMTP id 00721157ae682-7c23248f3a3so67385047b3.1 for ; Thu, 21 May 2026 09:07:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779379621; x=1779984421; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=gQ05UihKfoEYJIZZpuqxvSGy6ymSc4dbTnes7yhWqD8=; b=OXYcbku2r/YxFsQHmyROC3tmEKBCikAcMvNb7DAHo9G5KCIWhP6ALQpGPhNKs5lNlb 3aDU5TgRWFKK8iO95FrpH6UbAedoSeHxXzoB7+nziXT8uHZeWL23g9GVENXg887g9D+Y KfJzi8fyUKaz+KbjWL+jh0rsliAf7kD73VlMm0qZrLblyoL1/RRwl11JWsfByPmxnIHN rTKTdMlDV8o+E1j62ouggZX6ArJTtoIAeNWO3T+6fvOmSZDil6nPVLPHQCs8Z3lAeWlX 9yU7wUu0PScb3Vqw2fJPGgO8XuZVvhUV6+ryFLUt3oy/cSQ2w9VQ2rVb+HPbbizBDURK Jc2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779379621; x=1779984421; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=gQ05UihKfoEYJIZZpuqxvSGy6ymSc4dbTnes7yhWqD8=; b=OjvK6SLdhx/ESvNtDAlvnVOZXiiNdQwkKJpXPjwo0XZkGMcHc3y38rdL12c9Ty+mCR yWAllGcv6LWmdRF69lC4qTDz2IYo8tVUfSPrIebHdDKVfJK39RCZKpk2liH4fAa2OZOb PPTLs/0vAUksG3+b8wu+noD2rnedZ54vqqLRfW2+qvTv8hX7aBgGwDcl7Ej9DkVQCQsT pB0awgCB3n8r+RAS9QkT6xCkER090B1w5z+2CaRAOkEDCwWs4FXvmyaBHzsB6j60Ot2v y+mtwl9RL63j0pF9mVmHg67Ip8sVSZ0MOjtt9I57OLci+DdigVrzHIUtdQuEyi4x34Iz 4lEw== X-Gm-Message-State: AOJu0YxNV8W2pxx841d7OUBlkIUhWaRqjOdyYZkPf+YSkfV/baBup/ic t24/+qPSFjEf/sVmF+1nluHrSEE+3MTPVbaqBrcYaJ0L8KjCpzlMxm7O X-Gm-Gg: Acq92OG5MZsPPE/iFqJ/Cf1Msg1mKkpABhN74o5FRsMbupzJIyWeWq9wv9NGQoEhPOO Ha9z/7BjQV9r4KvHwwA+Q/+iGZvnIP55p7l2A2MihWfoCcnfMs+1GwYX0ZO13qpmeZrJsj+Ng9E iQKDT2OD0B6Mt82fNk2wK5dtdLSC16K2v6ctpA2ke33MkrrZ4mR4W7TIVnOTjAnR8TrlnDtlz0/ VsVPQkSGxlz+t+o/eg1iwfU/opw0n3EP+MDTX9Iw6Ejs7mRniE8jdFG/WXKUvA0aU6Q/c5FXBvb Ydhv0v2hovliND9xGwAZ8KGdcI19wXzfVt+22BcvAtEkohFEPl195IxyXszVvZIiO1Kg2xzDNcg VrsQmRl5W6jHaWvs06TkXQWbuXJxFw/tt7mG8TzZ9eBimnz0dw4JK0hqlEi6kIPCV8cYdG0gyso 90cuFSUbv8DXPF07/htDXTuoAiknr1GJyE1ZR3ylYJa91M6BDonDueF+8cXeOeZju8GKwneEM= X-Received: by 2002:a05:690c:9a13:b0:7c0:deb6:ce36 with SMTP id 00721157ae682-7d20b378a03mr40619737b3.22.1779379621080; Thu, 21 May 2026 09:07:01 -0700 (PDT) Received: from zenbox.prizrak.me ([2600:1700:18fb:6011:c2cf:2e92:9a48:97a]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7d2c7abad87sm4657587b3.2.2026.05.21.09.07.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 May 2026 09:07:00 -0700 (PDT) From: Justin Suess To: gnoack3000@gmail.com, mic@digikod.net Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Justin Suess Subject: [PATCH 3/6] landlock: Bump ABI for LANDLOCK_SCOPE_SYSV_MSG_QUEUE Date: Thu, 21 May 2026 12:06:37 -0400 Message-ID: <20260521160640.1716746-4-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260521160640.1716746-1-utilityemal77@gmail.com> References: <20260521160640.1716746-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Bump the ABI version for Landlock SysV message queue scoping. Signed-off-by: Justin Suess --- security/landlock/syscalls.c | 2 +- tools/testing/selftests/landlock/base_test.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index accfd2e5a0cd..d45469d5d464 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -166,7 +166,7 @@ static const struct file_operations ruleset_fops =3D { * If the change involves a fix that requires userspace awareness, also up= date * the errata documentation in Documentation/userspace-api/landlock.rst . */ -const int landlock_abi_version =3D 9; +const int landlock_abi_version =3D 10; =20 /** * sys_landlock_create_ruleset - Create a new ruleset diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/s= elftests/landlock/base_test.c index 30d37234086c..6c8113c2ded1 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -76,8 +76,8 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr =3D { .handled_access_fs =3D LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(9, landlock_create_ruleset(NULL, 0, - LANDLOCK_CREATE_RULESET_VERSION)); + ASSERT_EQ(10, landlock_create_ruleset(NULL, 0, + LANDLOCK_CREATE_RULESET_VERSION)); =20 ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, LANDLOCK_CREATE_RULESET_VERSION)); --=20 2.53.0 From nobody Sun May 24 20:33:34 2026 Received: from mail-yw1-f169.google.com (mail-yw1-f169.google.com [209.85.128.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4E0873812F6 for ; Thu, 21 May 2026 16:07:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379626; cv=none; b=UpoGvlSt6S2aHBaEamUHKsH8oaTz9flFy12YHutaXrXtXR2v8dVBeBm7z4umKX5dOEN8WXdOIm32H2t28m2IhQvdmbZAW9q51gPlvjNIMtAgQDO0Eg5NE2f3s8EXQ7Rtw+0pGZBoYkGGsi2pG6R+Ch0EEkqmpKDR4qN5v/ABano= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379626; c=relaxed/simple; bh=whrwT3HhWF0Ebe/bAs4ZKqpJW/GfCpqxzvntHp4HO+U=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=FNwViCmYI+BkG8Vy5Fp7ipcT13fyAaA0U3fmi5ZQN1bO4Qzpl36+AAgovw9+IL3dnyzZrjoOlbwG17+qMVLR6n0DSYJNk5mL42j/7NtePHIfya8WZdvfxJYa8PMti2dDGtkom/RJeRfnehkKH78TwJtq45VRilw5Pk95F3gsHHM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=YBXAuup6; arc=none smtp.client-ip=209.85.128.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="YBXAuup6" Received: by mail-yw1-f169.google.com with SMTP id 00721157ae682-7c58e6eb2c8so61319347b3.1 for ; Thu, 21 May 2026 09:07:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779379624; x=1779984424; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=TQfsrKNUiX8+vgtzK0jnEN51Eri0U4Ru/qmwjetQ71E=; b=YBXAuup6v5fNGljXMX+rRysABmTztyuF95wWu+B7H0k8Y/p+WGjvEG5q5e/z+bEFNy mN7wVx/YAZBqghidpqFd1vc5b67YRamILDLQV5QwuzPTsit2UNJlDPimkDxxIzFpjn/G Ao+PtbY/BNeMLF8LXIgK+WKFCRY/O/TQMtZOUiubfq9Gc5OUqA46KSKSy2rOHwB/l+jb 7FXVg5JC+a752dpi8K0CrN2KYmXdXFjQfyyOKAcsxcSkdYWBdggEvgbX8dDerZ2jTJpF ziD97tbZWyqwjKZ6vvX7QrDx9d22tXmR90JHAaS4AQ+/Nkd2Nv3LC0qpvRM8oq9RTZX7 F6Kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779379624; x=1779984424; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=TQfsrKNUiX8+vgtzK0jnEN51Eri0U4Ru/qmwjetQ71E=; b=C34B152KuVJiEHI6TLTJrnI69jECeDzk2AgNDm/grtXaUyG9khIkVxfpUCHaV6PZUQ 2Q7tAvDVAeds3vtWbQwMPWx+vC5FvMMkDZvqoIUVBfJ7Fqu4lG7MweDBgukXZmygPpQE DxgGupqBPOkkTJedAMig0Y+7GLIdHfMbzh3aH3t/MA3wxP7cIlkbPU092gbrOcwDUnoQ OWNsvzG1KHPYBDv3hv1DexulK0k2SQ4fjr8j321Tvgx300Weeo573+pvPSfsNsU4F5bS LHZ2HkVfgfoKnuGw7eU37ruLFq1gGQGM4m7U6h6qDGkAQnsOjfjg7jI1gtiCd0PClxnS yzWw== X-Gm-Message-State: AOJu0YzvTKXdWr6fbhzwYuTGIUTyVDb9aMVPExpuRmn1SK3vMmgG5JoS dVFg8sjBZgKtfpN8pqUhG9MLccBaJ7iDkQ7AruGWyCy48+pbgtMXXwU9cS6I3vS2 X-Gm-Gg: Acq92OFNs8PwgpspsV+XPwnmpGWXFl+2ayA7VqJ6GqBhf7Eit42gmIaXiunE2n+V4U0 jpqX0WDrbDm+AnvdGDZbOGuUElFt2QRr1WH1JVAgoeHhYV/Eu7po52KD1NfIJ/HP+iCkqFUrF10 YjIap5opW7vXoxqHHNzPAuDXIhGBDlsgYuQOwfeEyIJueDvBAQg2b1cZSvlTELqS9kABQ77RM+R Cz1weqzRR0HlpTBzrXpdpuWmLpF8ccBebsuoowzLFy9fJhWj6I33nXemDHq9dV7vuPb1WVkMBqK il6oDIZQ3UlvyDtDYZL+ybj1fGxnnQuG/IduVFm6x1Hxev7bTSgjQbGcaemBVqzV0vKbPkXwt2N ST7LZaPDdTEDbVGMitOIzbWSphrlZcbg1F/xNtYwG9yRwWDj/sm8sRuKS30gCcYhe62gv52nqzk e/cuCAPWIJuJHH84JzOIUq+3fqpBPNeWozSUsnXsINp1h3H7IR4Z/DZp/FMTjyNstvvZ2pw9s= X-Received: by 2002:a05:690c:c245:b0:7bd:73f3:7a59 with SMTP id 00721157ae682-7d20cb38001mr37733757b3.27.1779379624129; Thu, 21 May 2026 09:07:04 -0700 (PDT) Received: from zenbox.prizrak.me ([2600:1700:18fb:6011:c2cf:2e92:9a48:97a]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7d2c7abad87sm4657587b3.2.2026.05.21.09.07.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 May 2026 09:07:03 -0700 (PDT) From: Justin Suess To: gnoack3000@gmail.com, mic@digikod.net Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Justin Suess Subject: [PATCH 4/6] selftests/landlock: Test LANDLOCK_SCOPE_SYSV_MSG_QUEUE Date: Thu, 21 May 2026 12:06:38 -0400 Message-ID: <20260521160640.1716746-5-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260521160640.1716746-1-utilityemal77@gmail.com> References: <20260521160640.1716746-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add selftests for SysV message queue scoped right. Use the existing scoped domain harness for msgget, and another fixture for testing msgsnd, msgrcv and msgctl. Pass the msqid around for coverage of non-msgget syscalls, since calling msgget while already restricted would fail and prevent testing the operation under test. Denials are checked against -EACCES rather than -EPERM: msgget, msgsnd, msgrcv and msgctl(IPC_STAT) all reach the Landlock scope check via ipcperms(), whose callers map every non-zero return into -EACCES before propagating it to user space. Signed-off-by: Justin Suess --- .../landlock/scoped_sysv_msg_queue_test.c | 256 ++++++++++++++++++ 1 file changed, 256 insertions(+) create mode 100644 tools/testing/selftests/landlock/scoped_sysv_msg_queue_= test.c diff --git a/tools/testing/selftests/landlock/scoped_sysv_msg_queue_test.c = b/tools/testing/selftests/landlock/scoped_sysv_msg_queue_test.c new file mode 100644 index 000000000000..41f99803b593 --- /dev/null +++ b/tools/testing/selftests/landlock/scoped_sysv_msg_queue_test.c @@ -0,0 +1,256 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Landlock tests - SysV Message Queue Scoping + * + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +#include "common.h" +#include "scoped_common.h" + +/* + * Removes the message queue identified by @msqid, ignoring any error since + * the caller might no longer have permission to operate on it (for exampl= e, + * after entering a scoped domain). + */ +static void cleanup_msg_queue(int msqid) +{ + if (msqid >=3D 0) + msgctl(msqid, IPC_RMID, NULL); +} + +/* clang-format off */ +FIXTURE(scoped_domains) {}; +/* clang-format on */ + +#include "scoped_base_variants.h" + +FIXTURE_SETUP(scoped_domains) +{ + drop_caps(_metadata); +} + +FIXTURE_TEARDOWN(scoped_domains) +{ +} + +/* + * Parent creates a SysV message queue, then the child tries to associate + * with it via msgget(2). When the child is in a domain that scopes messa= ge + * queues and the parent is not in that same scope, the association must be + * denied with -EACCES (msgget runs the scope check via ipcperms(), which + * masks every denial as -EACCES). + */ +TEST_F(scoped_domains, check_access_msg_queue) +{ + pid_t child; + int status; + int msqid =3D -1; + int pipe_parent[2], pipe_child[2]; + char buf; + key_t key; + bool can_associate; + + /* + * The child can associate with the parent's queue unless the child + * is in a scoped domain that does not include the parent (i.e. the + * parent is outside the child's domain). + */ + can_associate =3D !variant->domain_child; + + /* + * Picks a per-test key derived from PID to avoid collisions. Stale + * queues from a previous run are unlikely but handled by removing + * any matching entry before applying any scope. + */ + key =3D (key_t)(getpid() & 0x7fffffff); + cleanup_msg_queue(msgget(key, 0)); + + if (variant->domain_both) + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SYSV_MSG_QUEUE); + + ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); + ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); + + child =3D fork(); + ASSERT_LE(0, child); + if (child =3D=3D 0) { + int ret; + + EXPECT_EQ(0, close(pipe_child[0])); + EXPECT_EQ(0, close(pipe_parent[1])); + + if (variant->domain_child) + create_scoped_domain(_metadata, + LANDLOCK_SCOPE_SYSV_MSG_QUEUE); + + /* Signals readiness to the parent. */ + ASSERT_EQ(1, write(pipe_child[1], ".", 1)); + EXPECT_EQ(0, close(pipe_child[1])); + + /* Waits for the parent to have created the queue. */ + ASSERT_EQ(1, read(pipe_parent[0], &buf, 1)); + EXPECT_EQ(0, close(pipe_parent[0])); + + ret =3D msgget(key, 0); + if (can_associate) { + ASSERT_LE(0, ret); + } else { + ASSERT_EQ(-1, ret); + /* + * msgget uses ipcperms(), which masks every LSM + * denial as -EACCES regardless of the value the + * LSM hook returns. + */ + ASSERT_EQ(EACCES, errno); + } + + _exit(_metadata->exit_code); + return; + } + EXPECT_EQ(0, close(pipe_child[1])); + EXPECT_EQ(0, close(pipe_parent[0])); + + if (variant->domain_parent) + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SYSV_MSG_QUEUE); + + /* Waits for the child to be ready. */ + ASSERT_EQ(1, read(pipe_child[0], &buf, 1)); + EXPECT_EQ(0, close(pipe_child[0])); + + msqid =3D msgget(key, IPC_CREAT | IPC_EXCL | 0600); + ASSERT_LE(0, msqid); + + /* Releases the child. */ + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); + EXPECT_EQ(0, close(pipe_parent[1])); + + ASSERT_EQ(child, waitpid(child, &status, 0)); + cleanup_msg_queue(msqid); + + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) !=3D EXIT_SUCCESS) + _metadata->exit_code =3D KSFT_FAIL; +} + +/* + * The msg_queue_associate hook (exercised by msgget(2)) is covered by the + * scoped_domains fixture above. The remaining hooks all funnel through t= he + * same scope check, so it suffices to verify that each operation is denied + * when the child is scoped relative to the queue's creator. + * + * To attribute a denial to the operation under test (and not to a precedi= ng + * msgget(2) call), the parent creates the queue and the child inherits the + * msqid across fork(2), bypassing msg_queue_associate. + */ +enum msg_op { + MSG_OP_SND, + MSG_OP_RCV, + MSG_OP_CTL, +}; + +/* clang-format off */ +FIXTURE(scoping_msg_ops) {}; +/* clang-format on */ + +FIXTURE_VARIANT(scoping_msg_ops) +{ + enum msg_op op; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoping_msg_ops, msgsnd) { + /* clang-format on */ + .op =3D MSG_OP_SND, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoping_msg_ops, msgrcv) { + /* clang-format on */ + .op =3D MSG_OP_RCV, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoping_msg_ops, msgctl) { + /* clang-format on */ + .op =3D MSG_OP_CTL, +}; + +FIXTURE_SETUP(scoping_msg_ops) +{ + drop_caps(_metadata); +} + +FIXTURE_TEARDOWN(scoping_msg_ops) +{ +} + +TEST_F(scoping_msg_ops, deny_op) +{ + struct msgbuf { + long mtype; + char mtext[1]; + } msg =3D { .mtype =3D 1 }; + struct msqid_ds ds; + pid_t child; + int status; + int msqid, ret =3D 0; + key_t key; + + key =3D (key_t)(getpid() & 0x7fffffff); + cleanup_msg_queue(msgget(key, 0)); + + msqid =3D msgget(key, IPC_CREAT | IPC_EXCL | 0600); + ASSERT_LE(0, msqid); + + /* Preloads a message so msgrcv(2) would otherwise succeed. */ + ASSERT_EQ(0, msgsnd(msqid, &msg, sizeof(msg.mtext), 0)); + + child =3D fork(); + ASSERT_LE(0, child); + if (child =3D=3D 0) { + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SYSV_MSG_QUEUE); + + switch (variant->op) { + case MSG_OP_SND: + ret =3D msgsnd(msqid, &msg, sizeof(msg.mtext), 0); + break; + case MSG_OP_RCV: + ret =3D msgrcv(msqid, &msg, sizeof(msg.mtext), 0, + IPC_NOWAIT); + break; + case MSG_OP_CTL: + ret =3D msgctl(msqid, IPC_STAT, &ds); + break; + } + ASSERT_EQ(-1, ret); + /* + * msgsnd, msgrcv and msgctl(IPC_STAT) all reach the + * Landlock scope check via ipcperms(), whose callers map + * any non-zero return into -EACCES before propagating it + * to user space. + */ + ASSERT_EQ(EACCES, errno); + + _exit(_metadata->exit_code); + return; + } + + ASSERT_EQ(child, waitpid(child, &status, 0)); + cleanup_msg_queue(msqid); + + if (WIFSIGNALED(status) || !WIFEXITED(status) || + WEXITSTATUS(status) !=3D EXIT_SUCCESS) + _metadata->exit_code =3D KSFT_FAIL; +} + +TEST_HARNESS_MAIN --=20 2.53.0 From nobody Sun May 24 20:33:34 2026 Received: from mail-yw1-f170.google.com (mail-yw1-f170.google.com [209.85.128.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D1646383989 for ; Thu, 21 May 2026 16:07:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379631; cv=none; b=PIo9RMxanvd+WdCF6bsmM5X68XV1KpBwQCds0dOcks2IsWmgRSOd4ldUKVD0/Va/nnMXYjtlrxyssxCwFihAbsmajaQhorC8cZoosaugI1LZJpSlQUhoNnA48nYbGfXx8uc/xUVn/qFukDBNNRvxeZ2zYLsbm5BVOxQHL+VaFf0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379631; c=relaxed/simple; bh=Zw5z54erCSTGg/mG8h8Y1+6Fvw8RXBf25VfL/v6jBIE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fbRmt4xyk/T17CXv2h9x0KknFi+tAP5KJN6Hbd8nOOul1MJqxEkQ1+WGsKFGl17pwMdbjqH3WQaiEPdRqsTJUTiHceBw0hTVZP9MmeLpyr6W27BJDOuwuXjR9IBrp4fR4xxmEQ9xPL0G5OF8ytOK5V5iYQfMsTfkNNO97sMuEJk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Fh8lW5Gr; arc=none smtp.client-ip=209.85.128.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Fh8lW5Gr" Received: by mail-yw1-f170.google.com with SMTP id 00721157ae682-7bd5c773ef3so58198517b3.1 for ; Thu, 21 May 2026 09:07:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779379629; x=1779984429; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=7j1R7ydUbojI9HTehxoq4C+M0tevraBNI7P2+NL1MOI=; b=Fh8lW5Gr6Ue032gluu+ZVND/cqOoxHB88sDaZWmXqzwFX2lwAydp26CSZPtZY2xHyZ kMGpz1/JFOJjdcWVMLQsqHz+EZZHuaPCIz9ipeiGYBY5EuUh6paNZ1ERQGL9T8RNDyLF 1uK9VxkC3I27mOfQjAJTNxm6XTS06p6xIPqOCkQx/4JO7wDHxVLeD6ny7OsFk7aOXyor Z6/efaP1q7V9VzVW6itp8ATa2xYLkmbCGqRb9hMrRwJRQTwGdS/zfDzWmME0IMNqrF4W 0Alc45Weo4a64Wc3BuXsQmKNySdScLJomcSUc40UZSsVCykFbbMrgyz3wLlca2QHPPyO UIpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779379629; x=1779984429; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=7j1R7ydUbojI9HTehxoq4C+M0tevraBNI7P2+NL1MOI=; b=SKBXSO6iNAhjqp+00V3KHBDJVSDtLSV/sXgNd1Jdt3aRJn5kLpkk5Cgv2uloUGRpKH GCFdDWqnWAQx+htBW5qk/E45ZFx0WJZ+RwbjpTt/3n0S+9UDRA57ZVoDdK6k0/fEeYmV TkV5aKBeol3FhJudZo0VhUce414okt+B+MfuSMbdJklUNTPKHLtexb03HPnzjMcY2sBq 6QpFQNYwjyBNWat7wLZXzztrPEw9zlKuL/btlPFEzbCS+8Po1JQEP2Z7YDxZlD5ht3Wm JJ3wQmV1zaHd5dwKb6Kuec5D96vZrrsuXjGXkdX0i4Yqjpe/jjL7dR5VKlWPZx2cQb04 1DbA== X-Gm-Message-State: AOJu0YzVd1iO4RGoWSsjwIu8788Xr9qxc+zeLgCaQGER0By3teMaTP7W t9YmMBeFLeuguf99R/0Lf6Ht/yP4eOS+PqRchIgPGfQAGpH2j35zG1y0 X-Gm-Gg: Acq92OGt9MjKGEerM+y7c77JMWYlkLE71W0s5V021p4dL1++KbfYmsRCHUB7D5MG1Lf YMCfKWeCOfUR9HD/yHSZQmuzBTPgWXkJeWbVIyVEU4CBlDTE9azAZdNpGCHxCbnNJ2Ym+1ZbB6Z UqqNHIN6Qpl08xUOwqWOtkTCyDafYMY5w2fkcY64w5KtvZVI3BLuH7aOFO0yk5+LU+dSmn3ATIY rEKQPFG8DxYGAUt/HHQdn8JD6L/cS5QHaYD1rictmxFI/7NlJsVPZ2fS2VJ3JVKJ9JPHOEGr9Et 2KGfU6c7dmqyq+8f2eCd5VKu+CtiEoGGUia5+2m6kGmVXY+ZHjTXtFL1LYGW06n3+V5e0WD41+k EMYlqVUVzAg4a86XwkH9wwIA7/D9krZsK3CzaNM9dAutTuVgXT7WG+2hc1Bg7QBaPMq9oizkrip 6dl5q4Wgk8nLIflq98TJWWHjwT4j8Q0cPt4SsRSDrRa46XYjDnbi2DR20WlFp/iLTK4szaEbM9/ a++e7tDjg== X-Received: by 2002:a05:690c:6202:b0:79a:6249:a046 with SMTP id 00721157ae682-7d209cd3355mr34423037b3.9.1779379628872; Thu, 21 May 2026 09:07:08 -0700 (PDT) Received: from zenbox.prizrak.me ([2600:1700:18fb:6011:c2cf:2e92:9a48:97a]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7d2c7abad87sm4657587b3.2.2026.05.21.09.07.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 May 2026 09:07:08 -0700 (PDT) From: Justin Suess To: gnoack3000@gmail.com, mic@digikod.net Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Justin Suess Subject: [PATCH 5/6] samples/landlock: Support LANDLOCK_SCOPE_SYSV_MSG_QUEUE in sandboxer Date: Thu, 21 May 2026 12:06:39 -0400 Message-ID: <20260521160640.1716746-6-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260521160640.1716746-1-utilityemal77@gmail.com> References: <20260521160640.1716746-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add sandboxer support for the new LANDLOCK_SCOPE_SYSV_MSG_QUEUE access right. Signed-off-by: Justin Suess --- samples/landlock/sandboxer.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 66e56ae275c6..689628b87f5f 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -235,10 +235,12 @@ static bool check_ruleset_scope(const char *const env= _var, bool error =3D false; bool abstract_scoping =3D false; bool signal_scoping =3D false; + bool sysv_msg_queue_scoping =3D false; =20 /* Scoping is not supported by Landlock ABI */ if (!(ruleset_attr->scoped & - (LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL))) + (LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL | + LANDLOCK_SCOPE_SYSV_MSG_QUEUE))) goto out_unset; =20 env_type_scope =3D getenv(env_var); @@ -255,6 +257,9 @@ static bool check_ruleset_scope(const char *const env_v= ar, } else if (strcmp("s", ipc_scoping_name) =3D=3D 0 && !signal_scoping) { signal_scoping =3D true; + } else if (strcmp("m", ipc_scoping_name) =3D=3D 0 && + !sysv_msg_queue_scoping) { + sysv_msg_queue_scoping =3D true; } else { fprintf(stderr, "Unknown or duplicate scope \"%s\"\n", ipc_scoping_name); @@ -271,6 +276,8 @@ static bool check_ruleset_scope(const char *const env_v= ar, ruleset_attr->scoped &=3D ~LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET; if (!signal_scoping) ruleset_attr->scoped &=3D ~LANDLOCK_SCOPE_SIGNAL; + if (!sysv_msg_queue_scoping) + ruleset_attr->scoped &=3D ~LANDLOCK_SCOPE_SYSV_MSG_QUEUE; =20 unsetenv(env_var); return error; @@ -301,7 +308,7 @@ static bool check_ruleset_scope(const char *const env_v= ar, =20 /* clang-format on */ =20 -#define LANDLOCK_ABI_LAST 9 +#define LANDLOCK_ABI_LAST 10 =20 #define XSTR(s) #s #define STR(s) XSTR(s) @@ -327,6 +334,7 @@ static const char help[] =3D "* " ENV_SCOPED_NAME ": actions denied on the outside of the landlock dom= ain\n" " - \"a\" to restrict opening abstract unix sockets\n" " - \"s\" to restrict sending signals\n" + " - \"m\" to restrict associating with message queues\n" "\n" "A sandboxer should not log denied access requests to avoid spamming logs= , " "but to test audit we can set " ENV_FORCE_LOG_NAME "=3D1\n" @@ -336,7 +344,7 @@ static const char help[] =3D ENV_FS_RW_NAME "=3D\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" " ENV_TCP_BIND_NAME "=3D\"9418\" " ENV_TCP_CONNECT_NAME "=3D\"80:443\" " - ENV_SCOPED_NAME "=3D\"a:s\" " + ENV_SCOPED_NAME "=3D\"a:s:m\" " "%1$s bash -i\n" "\n" "This sandboxer can use Landlock features up to ABI version " @@ -358,7 +366,7 @@ int main(const int argc, char *const argv[], char *cons= t *const envp) .handled_access_net =3D LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, .scoped =3D LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | - LANDLOCK_SCOPE_SIGNAL, + LANDLOCK_SCOPE_SIGNAL | LANDLOCK_SCOPE_SYSV_MSG_QUEUE, }; int supported_restrict_flags =3D LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON; int set_restrict_flags =3D 0; @@ -444,6 +452,10 @@ int main(const int argc, char *const argv[], char *con= st *const envp) /* Removes LANDLOCK_ACCESS_FS_RESOLVE_UNIX for ABI < 9 */ ruleset_attr.handled_access_fs &=3D ~LANDLOCK_ACCESS_FS_RESOLVE_UNIX; + __attribute__((fallthrough)); + case 9: + /* Removes LANDLOCK_SCOPE_SYSV_MSG_QUEUE for ABI < 10 */ + ruleset_attr.scoped &=3D ~LANDLOCK_SCOPE_SYSV_MSG_QUEUE; /* Must be printed for any ABI < LANDLOCK_ABI_LAST. */ fprintf(stderr, "Hint: You should update the running kernel " --=20 2.53.0 From nobody Sun May 24 20:33:34 2026 Received: from mail-yw1-f177.google.com (mail-yw1-f177.google.com [209.85.128.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 03A853812F6 for ; Thu, 21 May 2026 16:07:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379634; cv=none; b=dNgadO1qgLu8tGSJwWTlXtLjyXCv1S9APwqpDU4NXh06F5qPr8L5u3Uo7gkrPogF/4XjIyi6sgeLCfXw1qeMDhBC8fJmFMT9gKBBh7pywhQuiGzvIBOGV9fZ7i1sBP5okJurtXM5n6pGms5G5dVLSJBd8fEU8Q3nc5MFLQQBPZA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779379634; c=relaxed/simple; bh=nGhsmtgWyFPjr/aq1yL0y+wlRu69TvN1tcwIESDlxZg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=AYKsfSdgZDGI7KvbHnt5ZlMhmvnNroRKj1Hy6W6Xo9wW7AI1w2tATRf3zgv+b8F0lc6oV/InoXlzOgBvpoBx5yQSc2Yl7Za7mMBv3nW0hCh2lCu/kF4HFvmgZ1ulCxwFsYFC7b/2tWaiKXxoqIh7lFt8n/epZDsyjvPo8ngia10= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=G2pPvKIj; arc=none smtp.client-ip=209.85.128.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="G2pPvKIj" Received: by mail-yw1-f177.google.com with SMTP id 00721157ae682-7bdf83185bbso60535387b3.2 for ; Thu, 21 May 2026 09:07:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779379632; x=1779984432; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=kpCxEzWYsgGR14o06zRZo2uJlStV20Rqwj1IODcyfdc=; b=G2pPvKIjkUj57Pgrp1NTxwuwJOPd4gZJFmZAVqZ63lNOaD2oIk7GYdVr57vmd+NU66 Trf7TpuQ3ehueGLtcRCyEdrryjVQkMlNIJPAl7KckASzKy40HzpSWzOyTIJZVlGvmEY1 aYHs0r1fEHz6e0MiW4DxbVAieO4Ujc05olMnGqspvEZ5Q6gCUsklgZUr6U+DMABo7aQj t+dZoPcm+jjpW0ETb764GWfaPsUsmQL+nDoiO77jfJ4FCa1vw/Fa1JAkQN+pfvHfmiyN ckMlMK8UWhdcZz0/Uh4P3meYGk73vNCIWJImLCaUS1eVl6yl7sQyscX7zEZ8jR5o3lEN 5seQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779379632; x=1779984432; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=kpCxEzWYsgGR14o06zRZo2uJlStV20Rqwj1IODcyfdc=; b=oxHGZqNJ2wzXOu3jP43LOloM8YtAROhQ3cGiYa3tmhlCJmGy7tJNuFQJwRA34NoDJ2 H5xck+wZblqkaROeV3rdfE4S9ANJewJTvmTzQfzfTMI8Mp66pdzgaxSRpahUkCMq8B1m s5pNGdUZwairsm0BwnrmqQe3dXEXg61O4mU6voUxNH/FQcZN5UkgYgv9DrRua3jUpbX5 7m2oi29yWLGnnrH5PqNJDfHF2uP7Rok3f9B9JP7tHLuZlb/ECvZjd0wsP5Sfss46qNJh Ze6ifQKR2QBci19M1zWib81t3oZhIDgIzYKH0uSc25joNUdcMCsVLbwhJAoWM3NRcFvn At+g== X-Gm-Message-State: AOJu0YwhBIEPTMdWTDEWU33g/JbGo6MwQx+i+0ITFszPvB4rJpOG1jnD B6rett+x0mo+Tb3p8BEL4fOJ0Ne1uaeH4DxuIt6I9accLQXVHBxnSyju X-Gm-Gg: Acq92OHauKmducomin/wAyZIyThzLYxqXm8KRHV1TlLntnWwkp/2z/gioGkGA2sbt8i IUJYBPtc1HfhmBtEj6urGi9IPiZL1rILDyEopsCVKmzHnOsIEd6nhdcTE9YJyphVA8bmlLnzQnJ BPKiFTG1dEHEuY/J/WiyM20nIA3WM3VV/BcjG26VWHgbdCnFQjOrDGVK5sZTi+XBOjSXZSWq/vA 8kJveX2l12lIDRVRrGB0LxOZMIhxaXPAp2YDPifvB7bUHdwZYLoizHbT6wZ4hdSWTO/p/OXWrrf AdQbm7BYHIriHyCAYzyheQcJzND8tigrWygpCP03+fFAmGRgBBpHnpMgUzX2DXQzEYU5/JOUScw iGKcvu3anS7U6tOkZ64lB/p126yAC0MUO+z2iYARJPf1Gl5kuaWjJ5lgUQ978me7uXTvHy+lIkB uu+xvefAePEiXkwlbtUS6MuX6jiKL7wWARw1RhOLHkLXOu+JlbGn1Pq7t5B2NWaYQDy3UlbbM= X-Received: by 2002:a05:690c:4442:b0:7d1:cd93:c8e4 with SMTP id 00721157ae682-7d20ad8f545mr36338967b3.18.1779379631731; Thu, 21 May 2026 09:07:11 -0700 (PDT) Received: from zenbox.prizrak.me ([2600:1700:18fb:6011:c2cf:2e92:9a48:97a]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7d2c7abad87sm4657587b3.2.2026.05.21.09.07.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 May 2026 09:07:11 -0700 (PDT) From: Justin Suess To: gnoack3000@gmail.com, mic@digikod.net Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Justin Suess Subject: [PATCH 6/6] landlock: Document LANDLOCK_SCOPE_SYSV_MESSAGE_QUEUE Date: Thu, 21 May 2026 12:06:40 -0400 Message-ID: <20260521160640.1716746-7-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260521160640.1716746-1-utilityemal77@gmail.com> References: <20260521160640.1716746-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Document the new SysV message queue scope restriction. Make clear that because these queues do not use persistent handles, subsequent operations on a queue already obtained via msgget (or any other means) may be restricted once this right is enforced. Also note that denials surface as -EACCES rather than -EPERM, since the generic SysV IPC permission path maps every LSM denial to -EACCES. Signed-off-by: Justin Suess --- Documentation/admin-guide/LSM/landlock.rst | 1 + Documentation/userspace-api/landlock.rst | 30 +++++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/Documentation/admin-guide/LSM/landlock.rst b/Documentation/adm= in-guide/LSM/landlock.rst index 9923874e2156..e983d903bdf9 100644 --- a/Documentation/admin-guide/LSM/landlock.rst +++ b/Documentation/admin-guide/LSM/landlock.rst @@ -58,6 +58,7 @@ AUDIT_LANDLOCK_ACCESS **scope.*** - IPC scoping restrictions (ABI 6+): - scope.abstract_unix_socket - Abstract UNIX socket connection den= ied - scope.signal - Signal sending denied + - scope.sysv_msg_queue - SysV message queue operation denied (ABI = 10+) =20 Multiple blockers can appear in a single event (comma-separated) when multiple access rights are missing. For example, creating a regular fi= le diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/users= pace-api/landlock.rst index 45861fa75685..933b2994fec4 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -84,7 +84,8 @@ to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_NET_CONNECT_TCP, .scoped =3D LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | - LANDLOCK_SCOPE_SIGNAL, + LANDLOCK_SCOPE_SIGNAL | + LANDLOCK_SCOPE_SYSV_MSG_QUEUE, }; =20 Because we may not know which kernel version an application will be execut= ed @@ -132,6 +133,10 @@ version, and only use the available subset of access r= ights: case 6 ... 8: /* Removes LANDLOCK_ACCESS_FS_RESOLVE_UNIX for ABI < 9 */ ruleset_attr.handled_access_fs &=3D ~LANDLOCK_ACCESS_FS_RESOLVE_UN= IX; + __attribute__((fallthrough)); + case 9: + /* Removes LANDLOCK_SCOPE_SYSV_MSG_QUEUE for ABI < 10 */ + ruleset_attr.scoped &=3D ~LANDLOCK_SCOPE_SYSV_MSG_QUEUE; } =20 This enables the creation of an inclusive ruleset that will contain our ru= les. @@ -380,6 +385,22 @@ The operations which can be scoped are: A :manpage:`sendto(2)` on a socket which was previously connected will= not be restricted. This works for both datagram and stream sockets. =20 +``LANDLOCK_SCOPE_SYSV_MSG_QUEUE`` + This limits the set of System V message queues to which we can perform + :manpage:`msgget(2)`, :manpage:`msgrcv(2)`, :manpage:`msgsnd(2)`, and + :manpage:`msgctl(2)` calls to only message queues which were created b= y a + process in the same or a nested Landlock domain. + + Since System V message queues are IPC namespace global constructs and = do + not use file descriptors, enforcement of a ruleset with this scoping m= ay + cause subsequent operations on an msqid that were allowed prior to + enforcement to be denied. + + Denials are reported as ``EACCES``. Unlike other Landlock scopes, + the check shares the generic SysV IPC permission path + (``ipcperms(3)``), which maps every denial to ``EACCES`` before it + reaches user space. + IPC scoping does not support exceptions via :manpage:`landlock_add_rule(2)= `. If an operation is scoped within a domain, no rules can be added to allow = access to resources or processes outside of the scope. @@ -722,6 +743,13 @@ Starting with the Landlock ABI version 9, it is possib= le to restrict connections to pathname UNIX domain sockets (:manpage:`unix(7)`) using the new ``LANDLOCK_ACCESS_FS_RESOLVE_UNIX`` right. =20 +System V message queue (ABI < 10) +--------------------------------- + +Starting with the Landlock ABI version 10, it is possible to restrict +operations on System V message queues by setting +``LANDLOCK_SCOPE_SYSV_MSG_QUEUE`` to the ``scoped`` ruleset attribute. + .. _kernel_support: =20 Kernel support --=20 2.53.0