[PATCH v8 08/12] landlock: Implement TCP network hooks

Konstantin Meskhidze (A) konstantin.meskhidze at huawei.com
Mon Jan 9 08:07:04 UTC 2023 


1/6/2023 10:30 PM, Mickaël Salaün пишет:
> 
> On 05/01/2023 09:57, Konstantin Meskhidze (A) wrote:
>> 
>> 
>> 11/17/2022 9:43 PM, Mickaël Salaün пишет:
>>>
>>> On 21/10/2022 17:26, Konstantin Meskhidze wrote:
>>>> This patch adds support of socket_bind() and socket_connect() hooks.
>>>> It's possible to restrict binding and connecting of TCP sockets to
>>>> particular ports.
>>>
>>> Implement socket_bind() and socket_connect LSM hooks, which enable to
>>> restrict TCP socket binding and connection to specific ports.
>>>
>>>
>>>>
>>>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
>>>> ---
>>>>
>>>> Changes since v7:
>>>> * Minor fixes.
>>>> * Refactors commit message.
>>>>
>>>> Changes since v6:
>>>> * Updates copyright.
>>>> * Refactors landlock_append_net_rule() and check_socket_access()
>>>>     functions with landlock_id type.
>>>>
>>>> Changes since v5:
>>>> * Fixes some logic errors.
>>>> * Formats code with clang-format-14.
>>>>
>>>> Changes since v4:
>>>> * Factors out CONFIG_INET into make file.
>>>> * Refactors check_socket_access().
>>>> * Adds helper get_port().
>>>> * Adds CONFIG_IPV6 in get_port(), hook_socket_bind/connect
>>>> functions to support AF_INET6 family.
>>>> * Adds AF_UNSPEC family support in hook_socket_bind/connect
>>>> functions.
>>>> * Refactors add_rule_net_service() and landlock_add_rule
>>>> syscall to support network rule inserting.
>>>> * Refactors init_layer_masks() to support network rules.
>>>>
>>>> Changes since v3:
>>>> * Splits commit.
>>>> * Adds SECURITY_NETWORK in config.
>>>> * Adds IS_ENABLED(CONFIG_INET) if a kernel has no INET configuration.
>>>> * Adds hook_socket_bind and hook_socket_connect hooks.
>>>>
>>>> ---
>>>>    security/landlock/Kconfig    |   1 +
>>>>    security/landlock/Makefile   |   2 +
>>>>    security/landlock/net.c      | 164 +++++++++++++++++++++++++++++++++++
>>>>    security/landlock/net.h      |  26 ++++++
>>>>    security/landlock/setup.c    |   2 +
>>>>    security/landlock/syscalls.c |  59 ++++++++++++-
>>>>    6 files changed, 251 insertions(+), 3 deletions(-)
>>>>    create mode 100644 security/landlock/net.c
>>>>    create mode 100644 security/landlock/net.h
>>>>
>>>> diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
>>>> index 8e33c4e8ffb8..10c099097533 100644
>>>> --- a/security/landlock/Kconfig
>>>> +++ b/security/landlock/Kconfig
>>>> @@ -3,6 +3,7 @@
>>>>    config SECURITY_LANDLOCK
>>>>    	bool "Landlock support"
>>>>    	depends on SECURITY && !ARCH_EPHEMERAL_INODES
>>>> +	select SECURITY_NETWORK
>>>>    	select SECURITY_PATH
>>>>    	help
>>>>    	  Landlock is a sandboxing mechanism that enables processes to restrict
>>>> diff --git a/security/landlock/Makefile b/security/landlock/Makefile
>>>> index 7bbd2f413b3e..53d3c92ae22e 100644
>>>> --- a/security/landlock/Makefile
>>>> +++ b/security/landlock/Makefile
>>>> @@ -2,3 +2,5 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
>>>>
>>>>    landlock-y := setup.o syscalls.o object.o ruleset.o \
>>>>    	cred.o ptrace.o fs.o
>>>> +
>>>> +landlock-$(CONFIG_INET) += net.o
>>>> \ No newline at end of file
>>>> diff --git a/security/landlock/net.c b/security/landlock/net.c
>>>> new file mode 100644
>>>> index 000000000000..39e8a156a1f4
>>>> --- /dev/null
>>>> +++ b/security/landlock/net.c
>>>> @@ -0,0 +1,164 @@
>>>> +// SPDX-License-Identifier: GPL-2.0-only
>>>> +/*
>>>> + * Landlock LSM - Network management and hooks
>>>> + *
>>>> + * Copyright © 2022 Huawei Tech. Co., Ltd.
>>>> + * Copyright © 2022 Microsoft Corporation
>>>> + */
>>>> +
>>>> +#include <linux/in.h>
>>>> +#include <linux/net.h>
>>>> +#include <linux/socket.h>
>>>> +#include <net/ipv6.h>
>>>> +
>>>> +#include "common.h"
>>>> +#include "cred.h"
>>>> +#include "limits.h"
>>>> +#include "net.h"
>>>> +#include "ruleset.h"
>>>> +
>>>> +int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
>>>> +			     const u16 port, access_mask_t access_rights)
>>>> +{
>>>> +	int err;
>>>> +	const struct landlock_id id = {
>>>> +		.key.data = port,
>>>> +		.type = LANDLOCK_KEY_NET_PORT,
>>>> +	};
>>>> +	BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
>>>> +
>>>> +	/* Transforms relative access rights to absolute ones. */
>>>> +	access_rights |= LANDLOCK_MASK_ACCESS_NET &
>>>> +			 ~landlock_get_net_access_mask(ruleset, 0);
>>>> +
>>>> +	mutex_lock(&ruleset->lock);
>>>> +	err = landlock_insert_rule(ruleset, id, access_rights);
>>>> +	mutex_unlock(&ruleset->lock);
>>>> +
>>>> +	return err;
>>>> +}
>>>> +
>>>> +static int check_socket_access(const struct landlock_ruleset *const domain,
>>>> +			       u16 port, access_mask_t access_request)
>>>> +{
>>>> +	bool allowed = false;
>>>> +	layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
>>>> +	const struct landlock_rule *rule;
>>>> +	access_mask_t handled_access;
>>>> +	const struct landlock_id id = {
>>>> +		.key.data = port,
>>>> +		.type = LANDLOCK_KEY_NET_PORT,
>>>> +	};
>>>> +
>>>> +	if (WARN_ON_ONCE(!domain))
>>>> +		return 0;
>>>> +	if (WARN_ON_ONCE(domain->num_layers < 1))
>>>> +		return -EACCES;
>>>> +
>>>> +	rule = landlock_find_rule(domain, id);
>>>> +	handled_access = init_layer_masks(domain, access_request, &layer_masks,
>>>> +					  LANDLOCK_KEY_NET_PORT);
>>>> +	allowed = unmask_layers(rule, handled_access, &layer_masks,
>>>> +				ARRAY_SIZE(layer_masks));
>>>> +
>>>> +	return allowed ? 0 : -EACCES;
>>>> +}
>>>> +
>>>> +static u16 get_port(const struct sockaddr *const address)
>>>
>>> get_port() should return a __be16 type. This enables to avoid converting
>>> port when checking a rule.
>> 
>>     In this case a user must do a coverting port into __be16:
>> 
>>     struct landlock_net_service_attr net_service = {
>>                   .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>> 
>>                   .port = htons(sock_port),
>>           };
>>    I think that a user should not think about this conversion cause it
>> makes UAPI more complex to use. Lets do this under kernel's hood and let
>> it as it is now -> u16 port.
>> 
>> What do you think?
> 
> BE and LE conversions may be error prone without strong typing, but the
> current Linux network UAPI uses this convention (see related syscalls),
> so developers already use htons() in their applications. I think it is
> less hazardous to use the same convention. It would be nice to have the
> point of view of network and API folks though.

   Ok. Thanks. Let ports be in BE format like in network packets.

   What should a selftest with port conversion be like?

   1. Set a port with a Landlock rule with no conversion. get an error 
wit bind/connect actions.
   2. Convert a port with htons(sock_port). get no error.

   What do you think?
> .

More information about the Linux-security-module-archive mailing list