libstore: Use landlock with LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET for new enough kernels

xokdvium · xokdvium · commit 44017ca497c8 · 2026-04-06T21:26:35.000+03:00
This partially fixes the issue with cooperating processes being able
to communicate via abstract sockets. The fix is partial, because processes
outside the landlock domain of the sandboxed process can still connect to
a socket created by the FOD. There's no equivalent way of restricting inbound
connections. This closes the gap when there's no cooperating process on the host
(i.e. 2 separate FODs).

&gt;= 6.12 kernel is widespread enough (NixOS 25.11 ships it by
default) that we have no reason not to apply this hardening, even though
it's incomplete.

ca-fd-leak test exercises this exact code path and now the smuggling
process fails with (on new enough kernels that have landlock support enabled):

vm-test-run-ca-fd-leak&gt; machine # sandbox setup: applied landlock sandboxing
vm-test-run-ca-fd-leak&gt; machine # building '/nix/store/s7brgi6pdr5f3n8yqlgmdlz8blb89njc-smuggled.drv'...
vm-test-run-ca-fd-leak&gt; machine # building derivation '/nix/store/s7brgi6pdr5f3n8yqlgmdlz8blb89njc-smuggled.drv': woken up
vm-test-run-ca-fd-leak&gt; machine # connect: Operation not permitted
vm-test-run-ca-fd-leak&gt; machine # sendmsg: Socket not connected
diff --git a/src/libstore/meson.build b/src/libstore/meson.build
@@ -79,6 +79,11 @@ foreach funcspec : check_funcs
   configdata_priv.set(define_name, define_value)
 endforeach
 
+if host_machine.system() == 'linux'
+  has_landlock = cxx.has_header('linux/landlock.h')
+  configdata_priv.set('HAVE_LANDLOCK', has_landlock.to_int())
+endif
+
 has_acl_support = cxx.has_header('sys/xattr.h') \
   and cxx.has_function('llistxattr') \
   and cxx.has_function('lremovexattr')
diff --git a/src/libstore/unix/build/linux-derivation-builder.cc b/src/libstore/unix/build/linux-derivation-builder.cc
@@ -1,5 +1,7 @@
 #ifdef __linux__
 
+#  include "store-config-private.hh"
+
 #  include "nix/store/globals.hh"
 #  include "nix/store/personality.hh"
 #  include "nix/store/filetransfer.hh"
@@ -11,6 +13,8 @@
 
 #  include <algorithm>
 #  include <string_view>
+#  include <cstdint>
+
 #  include <sys/ioctl.h>
 #  include <net/if.h>
 #  include <netinet/ip.h>
@@ -19,11 +23,16 @@
 #  include <sys/param.h>
 #  include <sys/mount.h>
 #  include <sys/syscall.h>
+#  include <sys/prctl.h>
 
 #  if HAVE_SECCOMP
 #    include <seccomp.h>
 #  endif
 
+#  if HAVE_LANDLOCK
+#    include <linux/landlock.h>
+#  endif
+
 #  define pivot_root(new_root, put_old) (syscall(SYS_pivot_root, new_root, put_old))
 
 namespace nix {
@@ -129,6 +138,77 @@ static void setupSeccomp(const LocalSettings & localSettings)
 #  endif
 }
 
+#  if HAVE_LANDLOCK && defined(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET)
+
+#    define DO_LANDLOCK 1
+
+/* We are using LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET on best-effort basis. There are no glibc wrappers for now. */
+
+static int landlockCreateRuleset(const ::landlock_ruleset_attr * attr, std::size_t size, std::uint32_t flags)
+{
+    return ::syscall(__NR_landlock_create_ruleset, attr, size, flags);
+}
+
+static int landlockRestrictSelf(Descriptor rulesetFd, std::uint32_t flags)
+{
+    return ::syscall(__NR_landlock_restrict_self, rulesetFd, flags);
+}
+
+static int getLandlockAbiVersion()
+{
+    int abiVersion = landlockCreateRuleset(nullptr, 0, LANDLOCK_CREATE_RULESET_VERSION);
+    return abiVersion;
+}
+
+static void setupLandlock()
+{
+    bool landlockSupportsScopeAbstractUnixSocket = []() {
+        int abiVersion = getLandlockAbiVersion();
+        if (abiVersion >= 6)
+            /* All good, we can use LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET. See
+               https://docs.kernel.org/userspace-api/landlock.html#abstract-unix-socket-abi-6 */
+            return true;
+
+        if (abiVersion == -1) {
+            debug("landlock is not available");
+            return false;
+        }
+
+        debug("landlock version %d does not support LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET", abiVersion);
+        return false;
+    }();
+
+    /* Bail out early if landlock is not enabled or LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET wouldn't work.
+       TODO: Consider adding more landlock rules for filesystem access as defense-in-depth on top. */
+    if (!landlockSupportsScopeAbstractUnixSocket)
+        return;
+
+    ::landlock_ruleset_attr attr = {
+        /* This prevents multiple FODs from communicating with each other
+           via abstract sockets. Note that cooperating processes outside the
+           sandbox can still connect to an abstract socket created by the FOD. To
+           mitigate that issue entirely we'd still need network namespaces. */
+        .scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
+    };
+
+    /* This better not fail - if the kernel reports a new enough ABI version we
+       should treat any errors as fatal from now on. */
+    AutoCloseFD rulesetFd = landlockCreateRuleset(&attr, sizeof(attr), 0);
+    if (!rulesetFd)
+        throw SysError("failed to create a landlock ruleset");
+
+    if (landlockRestrictSelf(rulesetFd.get(), 0) == -1)
+        throw SysError("failed to apply landlock");
+
+    debug("applied landlock sandboxing");
+}
+
+#  else
+
+#    define DO_LANDLOCK 0
+
+#  endif
+
 static void doBind(const std::filesystem::path & source, const std::filesystem::path & target, bool optional = false)
 {
     debug("bind mounting %1% to %2%", PathFmt(source), PathFmt(target));
@@ -169,8 +249,27 @@ struct LinuxDerivationBuilder : virtual DerivationBuilderImpl
     {
         auto & localSettings = store.config->getLocalSettings();
 
+        /* Set the NO_NEW_PRIVS before doing seccomp/landlock setup.
+           landlock_restrict_self requires either NO_NEW_PRIVS or CAP_SYS_ADMIN.
+           With user namespaces we do get CAP_SYS_ADMIN. */
+        if (!localSettings.allowNewPrivileges)
+            if (::prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
+                throw SysError("failed to set PR_SET_NO_NEW_PRIVS");
+
         setupSeccomp(localSettings);
 
+#  if DO_LANDLOCK
+        try {
+            setupLandlock();
+        } catch (SysError & e) {
+            if (e.errNo != EPERM)
+                throw;
+            /* If allowNewPrivileges is true and we don't have CAP_SYS_ADMIN
+               this code path might be hit. */
+            warn("setting up landlock: %s", e.message());
+        }
+#  endif
+
         linux::setPersonality({
             .system = drv.platform,
             .impersonateLinux26 = localSettings.impersonateLinux26,
@@ -765,4 +864,6 @@ struct ChrootLinuxDerivationBuilder : ChrootDerivationBuilder, LinuxDerivationBu
 
 } // namespace nix
 
+#  undef DO_LANDLOCK
+
 #endif
diff --git a/tests/nixos/ca-fd-leak/default.nix b/tests/nixos/ca-fd-leak/default.nix
@@ -78,7 +78,7 @@ in
 
       # Build the smuggled derivation.
       # This will connect to the smuggler server and send it the file descriptor
-      machine.succeed(r"""
+      sender_output = machine.succeed(r"""
         nix-build -E '
           builtins.derivation {
             name = "smuggled";
@@ -89,9 +89,13 @@ in
             outputHash = builtins.hashString "sha256" "hello, world\n";
             builder = "${pkgs.busybox-sandbox-shell}/bin/sh";
             args = [ "-c" "echo \"hello, world\" > $out; ''${${sender}} ${socketName}" ];
-        }'
+        }' 2>&1
       """.strip())
 
+      # Landlock's LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET prevents a sandboxed process
+      # from connecting to an abstract socket created in an unrelated landlock domain.
+      # There's no such flag for preventing inbound connections.
+      assert "connect: Operation not permitted" in sender_output
 
       # Tell the smuggler server that we're done
       machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}")
