Hi all, I was starting to work on the memfd-exec[1] feature and observed that Landlock's scoped-IPC features (abstract UNIX sockets and signals) follow a consistent high-level model, which I'm calling a resource-accessor pattern:
Resource Process <-> Accessor Process

- Resource process: owns or manages the asset
  - socket creator (bind/accept)
  - signal handler
  - memfd creator

- Accessor process: attempts to use the asset
  - socket client (connect/sendto)
  - signal sender
  - memfd executor

RESOURCE-ACCESSOR PATTERN FUNDAMENTALS
======================================

This pattern appears fundamental to Landlock scoping because:

1. Consistent enforcement model: Landlock restrictions are enforced only
   on the accessor side; the resource side remains unconstrained across
   all scope types.

2. Reflects actual security boundaries: In practice, sandboxed processes
   typically need to access resources created by other processes, not
   the reverse.

3. Scalable design: This model works consistently whether processes are
   in parent-child relationships or independent peer domains.

4. Real-world usage patterns: Container runtimes and sandbox
   orchestrators routinely start multiple workers that restrict
   themselves independently.

CURRENT TEST COVERAGE GAP
=========================

Existing self-tests cover hierarchical resource <-> accessor pairs but do
not exercise the case where each task enters an independent domain.
While 'sibling_domain' tests exist, they still use parent-child
relationship patterns rather than true peer domains.
Current Coverage (Linear Hierarchies Only):
-------------------------------------------

Type 1: Parent-Child (scoped_domains)

    P1 ---- P2

Type 2: Three Generations (scoped_vs_unscoped)

    P1 ---- P2 ---- P3

Variations tested for both types:
- No domains
- Various scoped domain combinations
- Nested domains within inherited domains
- Mixed domain types (SCOPE vs OTHER vs NONE)

Missing Coverage (True Sibling Scenarios):
------------------------------------------

    Root
    |
    +-- Child A [various domain types]
    |
    +-- Child B [various domain types]

Missing test scenarios:
- A <-> B cross-sibling communication
- Mixed sibling domain combinations
- Sibling isolation enforcement
- Parent -> A, Parent -> B differential access

SOLUTION
========

This series implements the missing sibling pattern using the
resource-accessor model. The tests create a fork tree that looks like
this:

    coordinator (no domain)
    |
    +-- resource_proc (Domain X)   /* owns the resource */
    |
    +-- accessor_proc (Domain Y)   /* tries to access */

This directly addresses the missing coverage by creating two independent
child processes that establish peer domains, rather than the
hierarchical parent-child domains covered by existing tests. Both
children call landlock_restrict_self() for the first time, so their
struct landlock_domain->parent pointers are NULL, creating true peer
domains.

The harness exposes four test variants:

Variant name       | Resource domain | Accessor domain | Result
-------------------|-----------------|-----------------|----------
none_to_none       | none            | none            | ALLOW
none_to_scoped     | none            | scoped          | DENY
scoped_to_none     | scoped          | none            | ALLOW
scoped_to_scoped   | scoped          | scoped (peer)   | DENY

The scoped_to_scoped case was missing from current coverage.

TESTING
=======

All patches apply cleanly to v6.14-rc2 and pass on landlock/master. The
helpers are small and re-use the existing kselftest_harness.h
fixture/variant pattern.
All patches have been validated with scripts/checkpatch.pl --strict and
show no warnings.

This series introduces **no kernel changes**, only selftests additions.

Feedback very welcome.

Thanks,
Abhinav

[1] https://github.com/landlock-lsm/linux/issues/37

Links:
- Landlock documentation: https://docs.kernel.org/userspace-api/landlock.html
- Landlock LSM kernel docs: https://docs.kernel.org/security/landlock.html
- Existing tests: tools/testing/selftests/landlock/scoped_*

Signed-off-by: Abhinav Saxena <xandf...@gmail.com>
---
Abhinav Saxena (3):
      selftests/landlock: move sandbox_type to common
      selftests/landlock: add cross-domain variants
      selftests/landlock: add cross-domain signal tests

 tools/testing/selftests/landlock/scoped_common.h        |   7 +
 .../landlock/scoped_cross_domain_variants.h             |  54 +++++
 .../landlock/scoped_multiple_domain_variants.h          |   7 -
 .../selftests/landlock/scoped_signal_test.c             | 237 +++++++++++++++++++++
 4 files changed, 298 insertions(+), 7 deletions(-)
---
base-commit: 5b74b2eff1eeefe43584e5b7b348c8cd3b723d38
change-id: 20250715-landlock_abstractions-dbc0aabf1063

Best regards,
-- 
Abhinav Saxena <xandf...@gmail.com>
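For readers who want to see the sibling-domain pattern outside the kselftest harness, here is an added stand-alone example; it is not code from this series or from the kernel tree. It builds the same coordinator / resource_proc / accessor_proc tree with fork(), lets each child independently enter a fresh domain that handles only LANDLOCK_SCOPE_SIGNAL, and has the accessor kill(2) the resource. Assumptions: the Landlock constants, the struct layout and the syscall numbers are copied from <linux/landlock.h> and the kernel's unified syscall table; the CHILD_* exit-code protocol, the SIGUSR1/SIGUSR2 choreography, the five-second timeout and the OUTCOME_* names are this example's own. On a kernel without Landlock ABI v6 (or where seccomp blocks the landlock syscalls) the variants report UNSUPPORTED instead of ALLOW/DENY.

```c
/*
 * Added stand-alone example, not code from this series or the kernel tree: the
 * coordinator / resource_proc / accessor_proc fork tree from the cover letter,
 * driven through LANDLOCK_SCOPE_SIGNAL with raw syscalls (constants mirror
 * <linux/landlock.h>) so it also builds against pre-ABI-v6 headers.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef SYS_landlock_create_ruleset /* Landlock syscall numbers are the same on every arch */
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_SCOPE_SIGNAL (1ULL << 1)
/* Same layout as struct landlock_ruleset_attr since ABI v6, which added 'scoped'. */
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net, scoped; };
enum outcome { OUTCOME_ALLOW, OUTCOME_DENY, OUTCOME_UNSUPPORTED, OUTCOME_ERROR };
enum { CHILD_OK, CHILD_NO_SIGNAL, CHILD_EPERM, CHILD_UNSUPPORTED, CHILD_FAIL }; /* child exit codes */

/* Enter a brand-new Landlock domain whose only restriction is signal scoping. */
static int enter_signal_scoped_domain(void)
{
	struct ll_ruleset_attr attr = { .scoped = LL_SCOPE_SIGNAL };
	int fd, ret;
	/* ABI v6 introduced scopes; -1 here covers ENOSYS, EOPNOTSUPP and EPERM under seccomp. */
	if (syscall(SYS_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION) < 6)
		return -1;
	fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
	ret = (fd < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(SYS_landlock_restrict_self, fd, 0)) ? -1 : 0;
	close(fd); /* harmless EBADF if fd is -1 */
	return ret;
}

/* Coordinator: fork resource_proc and accessor_proc as peers and report what kill() achieved. */
enum outcome run_variant(bool resource_scoped, bool accessor_scoped)
{
	sigset_t set;
	int ready[2], status, r = CHILD_FAIL, a = CHILD_FAIL;
	pid_t resource, accessor = -1;
	char byte;
	/* Block both signals before forking so the resource can collect them with sigtimedwait(). */
	sigemptyset(&set);
	sigaddset(&set, SIGUSR1);
	sigaddset(&set, SIGUSR2);
	sigprocmask(SIG_BLOCK, &set, NULL);
	if (pipe(ready))
		return OUTCOME_ERROR;
	resource = fork();
	if (resource == 0) {
		if (resource_scoped && enter_signal_scoped_domain())
			_exit(CHILD_UNSUPPORTED);
		if (write(ready[1], "r", 1) != 1) /* tell the coordinator the asset is set up */
			_exit(CHILD_FAIL);
		/* SIGUSR1 is the accessor's access; SIGUSR2 is the coordinator ending the wait. */
		_exit(sigtimedwait(&set, NULL, &(struct timespec){ .tv_sec = 5 }) == SIGUSR1 ? CHILD_OK : CHILD_NO_SIGNAL);
	}
	close(ready[1]);
	if (resource > 0 && read(ready[0], &byte, 1) == 1)
		accessor = fork();
	close(ready[0]);
	if (accessor == 0) {
		if (accessor_scoped && enter_signal_scoped_domain())
			_exit(CHILD_UNSUPPORTED);
		if (kill(resource, SIGUSR1) == 0)
			_exit(CHILD_OK);
		_exit(errno == EPERM ? CHILD_EPERM : CHILD_FAIL);
	}
	if (accessor > 0 && waitpid(accessor, &status, 0) == accessor && WIFEXITED(status))
		a = WEXITSTATUS(status);
	if (resource > 0) {
		kill(resource, SIGUSR2); /* the coordinator has no domain, so this is always delivered */
		if (waitpid(resource, &status, 0) == resource && WIFEXITED(status))
			r = WEXITSTATUS(status);
	}
	sigprocmask(SIG_UNBLOCK, &set, NULL);
	if (a == CHILD_UNSUPPORTED || r == CHILD_UNSUPPORTED)
		return OUTCOME_UNSUPPORTED;
	if (a == CHILD_OK && r == CHILD_OK)
		return OUTCOME_ALLOW;
	return (a == CHILD_EPERM && r == CHILD_NO_SIGNAL) ? OUTCOME_DENY : OUTCOME_ERROR;
}

int main(void)
{
	static const char *const names[] = { "ALLOW", "DENY", "UNSUPPORTED", "ERROR" };
	for (int i = 0; i < 4; i++) /* bit 1: resource scoped, bit 0: accessor scoped */
		printf("resource=%-6s accessor=%-6s -> %s\n", i & 2 ? "scoped" : "none",
		       i & 1 ? "scoped" : "none", names[run_variant(i & 2, i & 1)]);
	return 0;
}
```

Run it as an unprivileged user on a v6.12+ kernel with Landlock in the active LSM list and the four printed lines follow the Result column of the table above: only the two variants where the accessor is scoped are denied (kill() fails with EPERM and the resource never sees SIGUSR1), while a scoped resource with an unscoped accessor is still reachable. That asymmetry is the resource-accessor point of the cover letter: the resource side's landlock_restrict_self() call never changes the outcome. On older kernels the three Landlock-using variants print UNSUPPORTED and none_to_none still prints ALLOW.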