Landlock Scoped Control
The “scoped” restrictions limit operations that interact with processes in higher-privileged (less nested) Landlock domains.
The two scoped restrictions available as of LandlockAbiVersion V5 are:
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET: Restrict the use of abstract UNIX Domain Sockets.
- LANDLOCK_SCOPE_SIGNAL: Restrict signaling of processes in higher-privileged Landlock domains.
Example
A process P1 is in Landlock domain D1, where signals are scope-restricted. It has started a child process P2, which has entered a new Landlock domain, D2, in which signals are also scope-restricted. P1 has additionally started a child process P3, which has entered a new Landlock domain, D3, in which signals are not scope-restricted.
Signaling works as usual, with the following twists:
- P1 may signal P2 and P3, which are both in nested Landlock domains.
- P1 may not signal processes outside of the Landlock domain D1.
- P2 may not signal processes outside of the Landlock domain D2.
- P3 may signal the same processes as P1, as the D3 domain adds no further scope restriction for signals.
In the diagram, arrows indicate the direction in which signals may flow. Every time an arrow crosses the boundary of a domain with scope-restricted signals, it can only go inwards.
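The rule behind the example above, written out as an added illustration (not code from go-landlock or the kernel): a process may signal a target only if the target sits inside the sender's innermost signal-scoped domain, so every scoped boundary crossed is crossed inwards. The model below generalizes this to arbitrary nesting and replays the P1/P2/P3 scenario; the Domain type and names D1, D2, D3 are assumptions of this example.

```go
package main

import "fmt"

// Domain models one Landlock domain. Parent is nil for the outermost
// domain; a nil *Domain stands for a process with no Landlock domain.
// ScopedSignal is set when the ruleset that created this domain
// handled LANDLOCK_SCOPE_SIGNAL. (Model for illustration only.)
type Domain struct {
	Name         string
	Parent       *Domain
	ScopedSignal bool
}

// isWithin reports whether d is outer itself or nested inside outer.
// A nil outer means "no scoping domain" and contains every process.
func (d *Domain) isWithin(outer *Domain) bool {
	if outer == nil {
		return true
	}
	for cur := d; cur != nil; cur = cur.Parent {
		if cur == outer {
			return true
		}
	}
	return false
}

// signalScope returns the innermost domain (the sender's own or an
// ancestor) that scope-restricts signals, or nil if none does.
func signalScope(sender *Domain) *Domain {
	for cur := sender; cur != nil; cur = cur.Parent {
		if cur.ScopedSignal {
			return cur
		}
	}
	return nil
}

// MaySignal is the scoping rule: the target must lie inside the
// sender's innermost signal-scoped domain (nested boundaries may only
// be crossed inwards). Other Landlock checks are out of scope here.
func MaySignal(sender, target *Domain) bool {
	return target.isWithin(signalScope(sender))
}

// Constructed scenario from the text: D1 and D2 scope signals, D3 does not.
var (
	D1 = &Domain{Name: "D1", ScopedSignal: true}
	D2 = &Domain{Name: "D2", Parent: D1, ScopedSignal: true}
	D3 = &Domain{Name: "D3", Parent: D1}
)

func main() {
	procs := []struct {
		name string
		dom  *Domain
	}{{"P1", D1}, {"P2", D2}, {"P3", D3}, {"outside", nil}}
	for _, from := range procs[:3] {
		for _, to := range procs {
			fmt.Printf("%s -> %s: %v\n", from.name, to.name, MaySignal(from.dom, to.dom))
		}
	}
}
```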