[RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring (TCP port 0)
Konstantin Meskhidze
konstantin.meskhidze at huawei.com
Tue Apr 26 09:15:36 UTC 2022
4/12/2022 2:07 PM, Mickaël Salaün wrote:
>
> On 23/03/2022 09:41, Konstantin Meskhidze wrote:
>>
>>
>> 3/22/2022 4:24 PM, Mickaël Salaün wrote:
>>>
>
> [...]
>>> The remaining question is: should we need to accept 0 as a valid TCP
>>> port? Can it be used? How does the kernel handle it?
>>
>> I agree there must be a check for port 0 in add_rule_net_service(),
>> because unlike most port numbers, port 0 is a reserved port in TCP/IP
>> networking, meaning that it should not be used in TCP or UDP messages.
>> Also network traffic sent across the internet to hosts listening on
>> port 0 might be generated from network attackers or accidentally by
>> applications programmed incorrectly.
>> Source: https://www.lifewire.com/port-0-in-tcp-and-udp-818145
>
> OK, so denying this port by default without a way to allow it should not
> be an issue. I guess an -EINVAL error would make sense when trying to
> allow this port. This should be documented in a comment (with a link to
> the RFC/section) and a dedicated test should check that behavior.
>
> What is the behavior of firewalls (e.g. Netfilter) when trying to filter
> port 0?
To be honest I don't know. I'm trying to check it.
>
> This doesn't seem to be settled though:
> https://www.austingroupbugs.net/view.php?id=1068
>
> Interesting article:
> https://z3r0trust.medium.com/socket-programming-the-bizarre-tcp-ip-port-0-saga-fcfbc0e0a276
Thanks. I will check.
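Added example, not part of this thread or of the Landlock patch series: the two points discussed above, a rule-side rejection of port 0 with -EINVAL and what the kernel actually does when a socket asks for port 0. The helper names (validate_tcp_rule_port, bind_port_zero_and_report) are assumptions for illustration, not Landlock's own functions, and the 64-bit port argument is an assumption too; the second function binds a loopback TCP socket with sin_port == 0 and reads back, via getsockname(2), the ephemeral port the kernel assigned instead.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical check mirroring the -EINVAL proposal from the thread: port 0
 * is reserved and never names a concrete service, so a rule allowing it is
 * rejected; anything above 65535 cannot be a 16-bit TCP port either. */
int validate_tcp_rule_port(uint64_t port)
{
	if (port == 0)
		return -EINVAL;
	if (port > UINT16_MAX)
		return -EINVAL;
	return 0;
}

/* What the socket layer does with "port 0": bind(2) with sin_port == 0 makes
 * the kernel choose an ephemeral port, and getsockname(2) shows which one was
 * actually bound. Returns that port, or -1 if the socket could not be set up. */
int bind_port_zero_and_report(void)
{
	struct sockaddr_in addr;
	socklen_t len = sizeof(addr);
	int fd = socket(AF_INET, SOCK_STREAM, 0);

	if (fd < 0)
		return -1;
	memset(&addr, 0, sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	addr.sin_port = htons(0);	/* request "port 0" */
	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
	    getsockname(fd, (struct sockaddr *)&addr, &len) < 0) {
		close(fd);
		return -1;
	}
	close(fd);
	return ntohs(addr.sin_port);	/* never 0: the kernel substituted a real port */
}

int main(void)
{
	/* constructed sample rule ports: reserved, ordinary, boundary, out of range */
	uint64_t candidates[] = { 0, 22, 443, 65535, 65536 };
	size_t i;
	int bound;

	for (i = 0; i < sizeof(candidates) / sizeof(candidates[0]); i++)
		printf("rule for port %llu -> %d\n",
		       (unsigned long long)candidates[i],
		       validate_tcp_rule_port(candidates[i]));
	bound = bind_port_zero_and_report();
	if (bound > 0)
		printf("bind() to port 0 actually bound port %d\n", bound);
	else
		printf("bind() demo unavailable in this environment\n");
	return 0;
}
```

The bind demonstration is the reason a rule for port 0 has no sensible meaning to enforce: no listening socket ever ends up on port 0, so a ruleset entry for it could never match a real endpoint, which supports returning -EINVAL rather than silently accepting it.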