container: optionally isolate host abstract UNIX domain sockets via landlock #1

Closed

ophestra wants to merge 0 commits from netadr-landlock-lsm into staging

pull from: netadr-landlock-lsm

merge into: security:staging

security:master

security:staging

security:develop

Conversation 4 Commits - Files Changed -

ophestra commented 2025-08-17 13:33:09 +09:00

Owner

Copy Link

This pull request is made on behalf of @netadr.

Hi,

Attached is a patch from the v0.1.1 tag that adds optional isolation of host abstract UNIX domain sockets from the container via the Landlock LSM's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET. I had to use libpsx to invoke landlock_restrict_self atomically across all threads due to Go's unpredictable thread model and the fact that Landlock applies rulesets on a per-thread basis. The patch introduces a corresponding NixOS option and matching documentation in addition the core functionality. The only notable omission is automated testing through the sandbox test tool -- I wasn't sure how the maintainers would want that to be set up. I would love if this could be upstreamed; please let me know if I can do anything further to assist :)

netadr (Clayton)

This pull request is made on behalf of @netadr. Hi, Attached is a patch from the v0.1.1 tag that adds optional isolation of host abstract UNIX domain sockets from the container via the Landlock LSM's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET. I had to use libpsx to invoke landlock_restrict_self atomically across all threads due to Go's unpredictable thread model and the fact that Landlock applies rulesets on a per-thread basis. The patch introduces a corresponding NixOS option and matching documentation in addition the core functionality. The only notable omission is automated testing through the sandbox test tool -- I wasn't sure how the maintainers would want that to be set up. I would love if this could be upstreamed; please let me know if I can do anything further to assist :) netadr (Clayton)

❤️ 2

ophestra added 1 commit 2025-08-17 13:33:10 +09:00

container: optionally isolate host abstract UNIX domain sockets via landlock 7add29b79c

ophestra commented 2025-08-17 13:53:52 +09:00

Author

Owner

Copy Link

For landlock_restrict_self we might not need libpsx, since we can call runtime.LockOSThread() in [Container.Start] somewhere before landlock_restrict_self is called. I have yet to verify this for landlock_restrict_self but it works for all other syscalls that works on the calling thread.

For landlock_restrict_self we might not need libpsx, since we can call runtime.LockOSThread() in [Container.Start] somewhere before landlock_restrict_self is called. I have yet to verify this for landlock_restrict_self but it works for all other syscalls that works on the calling thread.

cat force-pushed netadr-landlock-lsm from 7add29b79c to 2de7c2d07d 2025-08-17 16:06:10 +09:00 Compare

cat force-pushed netadr-landlock-lsm from 2de7c2d07d to c809e9bd7c 2025-08-17 16:16:57 +09:00 Compare

cat force-pushed netadr-landlock-lsm from c809e9bd7c to d0d6f192ad 2025-08-17 17:34:17 +09:00 Compare

cat force-pushed netadr-landlock-lsm from d0d6f192ad to 141bec290b 2025-08-17 17:36:57 +09:00 Compare

cat force-pushed netadr-landlock-lsm from 141bec290b to 9eb6bc71c4 2025-08-17 17:44:24 +09:00 Compare

cat referenced this issue from a commit 2025-08-18 02:27:57 +09:00

app: set up acl on X11 socket

cat referenced this issue from a commit 2025-08-18 02:33:34 +09:00

app: set up acl on X11 socket

cat force-pushed netadr-landlock-lsm from 9eb6bc71c4 to a5baad9e00 2025-08-18 02:36:50 +09:00 Compare

cat force-pushed netadr-landlock-lsm from a5baad9e00 to c1ff73b1b1 2025-08-18 02:50:21 +09:00 Compare

cat referenced this issue from a commit 2025-08-18 11:31:22 +09:00

app: set up acl on X11 socket

cat force-pushed netadr-landlock-lsm from c1ff73b1b1 to 22d577ab49 2025-08-18 11:37:23 +09:00 Compare

cat added 1 commit 2025-08-18 11:48:14 +09:00

container: optionally isolate host abstract UNIX domain sockets via landlock 55d8c3bacb

cat referenced this issue from a commit 2025-08-18 11:50:20 +09:00

app: set up acl on X11 socket

cat force-pushed netadr-landlock-lsm from 55d8c3bacb to c9eeafbbf0 2025-08-18 11:50:20 +09:00 Compare

cat referenced this issue from a commit 2025-08-18 11:57:35 +09:00

app: set up acl on X11 socket

cat force-pushed netadr-landlock-lsm from c9eeafbbf0 to 2cf3077c07 2025-08-18 11:57:35 +09:00 Compare

cat force-pushed netadr-landlock-lsm from 2cf3077c07 to a6b2b9df22 2025-08-18 12:01:04 +09:00 Compare

cat force-pushed netadr-landlock-lsm from a6b2b9df22 to 1fa1ea5cbb 2025-08-18 12:06:23 +09:00 Compare

cat force-pushed netadr-landlock-lsm from 1fa1ea5cbb to 40028f3c03 2025-08-18 14:35:56 +09:00 Compare

cat force-pushed netadr-landlock-lsm from 40028f3c03 to ff58de323a 2025-08-18 16:15:11 +09:00 Compare

cat force-pushed netadr-landlock-lsm from ff58de323a to 75c260cd8d 2025-08-18 16:18:42 +09:00 Compare

cat force-pushed netadr-landlock-lsm from 75c260cd8d to 5db0714072 2025-08-18 16:28:31 +09:00 Compare

ophestra commented 2025-08-18 16:34:36 +09:00

Author

Owner

Copy Link

Merged.

Merged.

🚀 1

ophestra closed this pull request 2025-08-18 16:34:36 +09:00

ophestra deleted branch netadr-landlock-lsm 2025-08-18 16:35:09 +09:00

kat commented 2025-08-18 16:56:27 +09:00

First-time contributor

Copy Link

Merged.

xref 5db0714072.

> Merged. xref https://git.gensokyo.uk/security/hakurei/commit/5db07140726e6e1bf615ed075e9a8b653508c2a7.

netadr commented 2025-08-19 02:24:52 +09:00

First-time contributor

Copy Link

Hey, I just today saw the response to my initial patch! Thank you for cleaning it up and merging it (and thank you @maemachinebroke for forwarding the response) 🙂

Hey, I just today saw the response to my initial patch! Thank you for cleaning it up and merging it (and thank you @maemachinebroke for forwarding the response) 🙂

❤️ 2

ophestra referenced this pull request 2025-09-02 20:38:17 +09:00

Many X clients break when only the pathname socket is available #10

All checks were successful

Hide all checks

Test / Create distribution (pull_request) Successful in 33s

Details

Test / Sandbox (pull_request) Successful in 2m10s

Details

Test / Hpkg (pull_request) Successful in 4m1s

Details

Test / Sandbox (race detector) (pull_request) Successful in 4m19s

Details

Test / Hakurei (pull_request) Successful in 4m55s

Details

Test / Hakurei (race detector) (pull_request) Successful in 5m0s

Details

Test / Create distribution (push) Successful in 27s

Details

Test / Sandbox (race detector) (push) Successful in 44s

Details

Test / Sandbox (push) Successful in 44s

Details

Test / Hakurei (push) Successful in 47s

Details

Test / Hakurei (race detector) (push) Successful in 47s

Details

Test / Hpkg (push) Successful in 45s

Details

Test / Flake checks (pull_request) Successful in 1m47s

Details

Test / Flake checks (push) Successful in 1m36s

Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something is not working

duplicate

This issue or pull request already exists

enhancement

New feature

help wanted

Need some help

invalid

Something is wrong

question

More information is needed

wontfix

This won't be fixed

bug

Something is not working

duplicate

This issue or pull request already exists

enhancement

New feature

help wanted

Need some help

invalid

Something is wrong

question

More information is needed

wontfix

This won't be fixed

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cat maemachinebroke noir ophestra

No Assignees

4 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: security/hakurei#1

No description provided.