container: optionally isolate host abstract UNIX domain sockets via landlock #1

Open

ophestra wants to merge 1 commits from netadr-landlock-lsm into staging

pull from: netadr-landlock-lsm

merge into: security:staging

security:master

security:staging

security:develop

Conversation 1 Commits 1 Files Changed 14 +105 -5

ophestra commented 2025-08-17 13:33:09 +09:00

Owner

Copy Link

This pull request is made on behalf of @netadr.

Hi,

Attached is a patch from the v0.1.1 tag that adds optional isolation of host abstract UNIX domain sockets from the container via the Landlock LSM's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET. I had to use libpsx to invoke landlock_restrict_self atomically across all threads due to Go's unpredictable thread model and the fact that Landlock applies rulesets on a per-thread basis. The patch introduces a corresponding NixOS option and matching documentation in addition the core functionality. The only notable omission is automated testing through the sandbox test tool -- I wasn't sure how the maintainers would want that to be set up. I would love if this could be upstreamed; please let me know if I can do anything further to assist :)

netadr (Clayton)

This pull request is made on behalf of @netadr. Hi, Attached is a patch from the v0.1.1 tag that adds optional isolation of host abstract UNIX domain sockets from the container via the Landlock LSM's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET. I had to use libpsx to invoke landlock_restrict_self atomically across all threads due to Go's unpredictable thread model and the fact that Landlock applies rulesets on a per-thread basis. The patch introduces a corresponding NixOS option and matching documentation in addition the core functionality. The only notable omission is automated testing through the sandbox test tool -- I wasn't sure how the maintainers would want that to be set up. I would love if this could be upstreamed; please let me know if I can do anything further to assist :) netadr (Clayton)

❤️ 1

ophestra added 1 commit 2025-08-17 13:33:10 +09:00

container: optionally isolate host abstract UNIX domain sockets via landlock 7add29b79c

ophestra commented 2025-08-17 13:53:52 +09:00

Author

Owner

Copy Link

For landlock_restrict_self we might not need libpsx, since we can call runtime.LockOSThread() in [Container.Start] somewhere before landlock_restrict_self is called. I have yet to verify this for landlock_restrict_self but it works for all other syscalls that works on the calling thread.

For landlock_restrict_self we might not need libpsx, since we can call runtime.LockOSThread() in [Container.Start] somewhere before landlock_restrict_self is called. I have yet to verify this for landlock_restrict_self but it works for all other syscalls that works on the calling thread.

cat force-pushed netadr-landlock-lsm from 7add29b79c to 2de7c2d07d 2025-08-17 16:06:10 +09:00 Compare

cat force-pushed netadr-landlock-lsm from 2de7c2d07d to c809e9bd7c 2025-08-17 16:16:57 +09:00 Compare

cat force-pushed netadr-landlock-lsm from c809e9bd7c to d0d6f192ad 2025-08-17 17:34:17 +09:00 Compare

cat force-pushed netadr-landlock-lsm from d0d6f192ad to 141bec290b 2025-08-17 17:36:57 +09:00 Compare

cat force-pushed netadr-landlock-lsm from 141bec290b to 9eb6bc71c4 2025-08-17 17:44:24 +09:00 Compare

cat referenced this issue from a commit 2025-08-18 02:27:57 +09:00

app: set up acl on X11 socket

cat referenced this issue from a commit 2025-08-18 02:33:34 +09:00

app: set up acl on X11 socket

cat force-pushed netadr-landlock-lsm from 9eb6bc71c4 to a5baad9e00 2025-08-18 02:36:50 +09:00 Compare

cat force-pushed netadr-landlock-lsm from a5baad9e00 to c1ff73b1b1 2025-08-18 02:50:21 +09:00 Compare

Some checks failed

Hide all checks

Test / Create distribution (push) Successful in 36s

Details

Test / Create distribution (pull_request) Successful in 31s

Details

Test / Sandbox (pull_request) Successful in 2m13s

Details

Test / Sandbox (push) Successful in 2m20s

Details

Test / Hpkg (push) Successful in 4m6s

Details

Test / Hpkg (pull_request) Successful in 3m59s

Details

Test / Sandbox (race detector) (pull_request) Successful in 4m15s

Details

Test / Sandbox (race detector) (push) Successful in 4m27s

Details

Test / Hakurei (race detector) (push) Failing after 22m30s

Details

Test / Flake checks (pull_request) Has been cancelled

Details

Test / Hakurei (pull_request) Has been cancelled

Details

Test / Hakurei (race detector) (pull_request) Has been cancelled

Details

Test / Hakurei (push) Failing after 39m52s

Details

Test / Flake checks (push) Has been skipped

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions.

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin netadr-landlock-lsm:netadr-landlock-lsm

git checkout netadr-landlock-lsm

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something is not working

duplicate

This issue or pull request already exists

enhancement

New feature

help wanted

Need some help

invalid

Something is wrong

question

More information is needed

wontfix

This won't be fixed

bug

Something is not working

duplicate

This issue or pull request already exists

enhancement

New feature

help wanted

Need some help

invalid

Something is wrong

question

More information is needed

wontfix

This won't be fixed

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cat maemachinebroke noir ophestra

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: security/hakurei#1

No description provided.