[PATCH v11 12/12] landlock: Document Landlock's network support
Konstantin Meskhidze (A)
konstantin.meskhidze at huawei.com
Mon Jul 3 10:42:44 UTC 2023
6/26/2023 9:59 PM, Mickaël Salaün пишет:
>
> On 15/05/2023 18:13, Konstantin Meskhidze wrote:
>> Describe network access rules for TCP sockets. Add network access
>> example in the tutorial. Add kernel configuration support for network.
>>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
>> ---
>>
>> Changes since v10:
>> * Fixes documentaion as Mickaёl suggested:
>> https://lore.kernel.org/linux-security-module/ec23be77-566e-c8fd-179e-f50e025ac2cf@digikod.net/
>>
>> Changes since v9:
>> * Minor refactoring.
>>
>> Changes since v8:
>> * Minor refactoring.
>>
>> Changes since v7:
>> * Fixes documentaion logic errors and typos as Mickaёl suggested:
>> https://lore.kernel.org/netdev/9f354862-2bc3-39ea-92fd-53803d9bbc21@digikod.net/
>>
>> Changes since v6:
>> * Adds network support documentaion.
>>
>> ---
>> Documentation/userspace-api/landlock.rst | 83 ++++++++++++++++++------
>> 1 file changed, 62 insertions(+), 21 deletions(-)
>>
>
> [...]
>
>> @@ -143,10 +159,23 @@ for the ruleset creation, by filtering access rights according to the Landlock
>> ABI version. In this example, this is not required because all of the requested
>> ``allowed_access`` rights are already available in ABI 1.
>>
>> -We now have a ruleset with one rule allowing read access to ``/usr`` while
>> -denying all other handled accesses for the filesystem. The next step is to
>> -restrict the current thread from gaining more privileges (e.g. thanks to a SUID
>> -binary).
>> +For network access-control, we can add a set of rules that allow to use a port
>> +number for a specific action: HTTPS connections.
>> +
>> +.. code-block:: c
>> +
>> + struct landlock_net_service_attr net_service = {
>> + .allowed_access = NET_CONNECT_TCP,
>
> LANDLOCK_ACCESS_NET_CONNECT_TCP
Yep. Thanks.
>
>
>> + .port = 443,
>> + };
>> +
>> + err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
>> + &net_service, 0);
>> +
> .
More information about the Linux-security-module-archive
mailing list