security/hakurei
security/hakurei
6
3
Fork 0
Code Issues 11 Pull Requests Actions Packages Projects Releases 9 Wiki Activity

container: optionally isolate host abstract UNIX domain sockets via landlock #1

Closed
ophestra wants to merge 0 commits from netadr-landlock-lsm into staging
pull from: netadr-landlock-lsm
merge into: security:staging
Conversation 4 Commits - Files Changed -
ophestra commented 2025-08-17 13:33:09 +09:00
Owner
Copy Link

This pull request is made on behalf of @netadr.

Hi,

Attached is a patch from the v0.1.1 tag that adds optional isolation of host abstract UNIX domain sockets from the container via the Landlock LSM's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET. I had to use libpsx to invoke landlock_restrict_self atomically across all threads due to Go's unpredictable thread model and the fact that Landlock applies rulesets on a per-thread basis. The patch introduces a corresponding NixOS option and matching documentation in addition the core functionality. The only notable omission is automated testing through the sandbox test tool -- I wasn't sure how the maintainers would want that to be set up. I would love if this could be upstreamed; please let me know if I can do anything further to assist :)

netadr (Clayton)

This pull request is made on behalf of @netadr. Hi, Attached is a patch from the v0.1.1 tag that adds optional isolation of host abstract UNIX domain sockets from the container via the Landlock LSM's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET. I had to use libpsx to invoke landlock_restrict_self atomically across all threads due to Go's unpredictable thread model and the fact that Landlock applies rulesets on a per-thread basis. The patch introduces a corresponding NixOS option and matching documentation in addition the core functionality. The only notable omission is automated testing through the sandbox test tool -- I wasn't sure how the maintainers would want that to be set up. I would love if this could be upstreamed; please let me know if I can do anything further to assist :) netadr (Clayton)
❤️ 2
ophestra commented 2025-08-17 13:53:52 +09:00
Author
Owner
Copy Link

For landlock_restrict_self we might not need libpsx, since we can call runtime.LockOSThread() in [Container.Start] somewhere before landlock_restrict_self is called. I have yet to verify this for landlock_restrict_self but it works for all other syscalls that works on the calling thread.

For landlock_restrict_self we might not need libpsx, since we can call runtime.LockOSThread() in [Container.Start] somewhere before landlock_restrict_self is called. I have yet to verify this for landlock_restrict_self but it works for all other syscalls that works on the calling thread.
cat force-pushed netadr-landlock-lsm from 7add29b79c to 2de7c2d07d 2025-08-17 16:06:10 +09:00 Compare
cat force-pushed netadr-landlock-lsm from 2de7c2d07d to c809e9bd7c 2025-08-17 16:16:57 +09:00 Compare
cat force-pushed netadr-landlock-lsm from c809e9bd7c to d0d6f192ad 2025-08-17 17:34:17 +09:00 Compare
cat force-pushed netadr-landlock-lsm from d0d6f192ad to 141bec290b 2025-08-17 17:36:57 +09:00 Compare
cat force-pushed netadr-landlock-lsm from 141bec290b to 9eb6bc71c4 2025-08-17 17:44:24 +09:00 Compare
cat referenced this issue from a commit 2025-08-18 02:27:57 +09:00
app: set up acl on X11 socket
cat referenced this issue from a commit 2025-08-18 02:33:34 +09:00
app: set up acl on X11 socket
cat force-pushed netadr-landlock-lsm from 9eb6bc71c4 to a5baad9e00 2025-08-18 02:36:50 +09:00 Compare
cat force-pushed netadr-landlock-lsm from a5baad9e00 to c1ff73b1b1 2025-08-18 02:50:21 +09:00 Compare
cat referenced this issue from a commit 2025-08-18 11:31:22 +09:00
app: set up acl on X11 socket
cat force-pushed netadr-landlock-lsm from c1ff73b1b1 to 22d577ab49 2025-08-18 11:37:23 +09:00 Compare
cat referenced this issue from a commit 2025-08-18 11:50:20 +09:00
app: set up acl on X11 socket
cat force-pushed netadr-landlock-lsm from 55d8c3bacb to c9eeafbbf0 2025-08-18 11:50:20 +09:00 Compare
cat referenced this issue from a commit 2025-08-18 11:57:35 +09:00
app: set up acl on X11 socket
cat force-pushed netadr-landlock-lsm from c9eeafbbf0 to 2cf3077c07 2025-08-18 11:57:35 +09:00 Compare
cat force-pushed netadr-landlock-lsm from 2cf3077c07 to a6b2b9df22 2025-08-18 12:01:04 +09:00 Compare
cat force-pushed netadr-landlock-lsm from a6b2b9df22 to 1fa1ea5cbb 2025-08-18 12:06:23 +09:00 Compare
cat force-pushed netadr-landlock-lsm from 1fa1ea5cbb to 40028f3c03 2025-08-18 14:35:56 +09:00 Compare
cat force-pushed netadr-landlock-lsm from 40028f3c03 to ff58de323a 2025-08-18 16:15:11 +09:00 Compare
cat force-pushed netadr-landlock-lsm from ff58de323a to 75c260cd8d 2025-08-18 16:18:42 +09:00 Compare
cat force-pushed netadr-landlock-lsm from 75c260cd8d to 5db0714072 2025-08-18 16:28:31 +09:00 Compare
ophestra commented 2025-08-18 16:34:36 +09:00
Author
Owner
Copy Link

Merged.

Merged.
🚀 1
ophestra closed this pull request 2025-08-18 16:34:36 +09:00
ophestra deleted branch netadr-landlock-lsm 2025-08-18 16:35:09 +09:00
kat commented 2025-08-18 16:56:27 +09:00
First-time contributor
Copy Link

Merged.

xref 5db0714072.

> Merged. xref https://git.gensokyo.uk/security/hakurei/commit/5db07140726e6e1bf615ed075e9a8b653508c2a7.
netadr commented 2025-08-19 02:24:52 +09:00
First-time contributor
Copy Link

Hey, I just today saw the response to my initial patch! Thank you for cleaning it up and merging it (and thank you @maemachinebroke for forwarding the response) 🙂

Hey, I just today saw the response to my initial patch! Thank you for cleaning it up and merging it (and thank you @maemachinebroke for forwarding the response) 🙂
❤️ 2
ophestra added the
Kind
Feature
Kind
Security
Priority
Critical
Reviewed
Confirmed
 labels 2025-11-10 01:14:19 +09:00
All checks were successful
Test / Create distribution (pull_request) Successful in 33s
Details
Test / Sandbox (pull_request) Successful in 2m10s
Details
Test / Hpkg (pull_request) Successful in 4m1s
Details
Test / Sandbox (race detector) (pull_request) Successful in 4m19s
Details
Test / Hakurei (pull_request) Successful in 4m55s
Details
Test / Hakurei (race detector) (pull_request) Successful in 5m0s
Details
Test / Create distribution (push) Successful in 27s
Details
Test / Sandbox (race detector) (push) Successful in 44s
Details
Test / Sandbox (push) Successful in 44s
Details
Test / Hakurei (push) Successful in 47s
Details
Test / Hakurei (race detector) (push) Successful in 47s
Details
Test / Hpkg (push) Successful in 45s
Details
Test / Flake checks (pull_request) Successful in 1m47s
Details
Test / Flake checks (push) Successful in 1m36s
Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
Compat
Breaking
Breaking change that won't be backward compatible
Kind
Bug
Something is not working
Kind
Documentation
Documentation changes
Kind
Enhancement
Improve existing functionality
Kind
Feature
New functionality
Kind
Security
This is security issue
Kind
Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
No Label
Kind
Feature
Kind
Security
Priority
Critical
Reviewed
Confirmed
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cat maemachinebroke noir ophestra
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: security/hakurei#1
No description provided.
Delete Branch "netadr-landlock-lsm"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?