[PATCH v12 08/12] landlock: Add network rules and TCP hooks support

Konstantin Meskhidze (A) konstantin.meskhidze at huawei.com
Wed Oct 11 16:04:35 UTC 2023



10/11/2023 7:02 PM, Mickaël Salaün пишет:
> On Wed, Oct 11, 2023 at 04:53:57AM +0300, Konstantin Meskhidze (A) wrote:
>> 
>> 
>> 10/2/2023 11:26 PM, Mickaël Salaün пишет:
>> > Thanks for this new version Konstantin. I pushed this series, with minor
>> > changes, to -next. So far, no warning. But it needs some changes, mostly
>> > kernel-only, but also one with the handling of port 0 with bind (see my
>> > review below).
>> > 
>> > On Wed, Sep 20, 2023 at 05:26:36PM +0800, Konstantin Meskhidze wrote:
>> > > This commit adds network rules support in the ruleset management
>> > > helpers and the landlock_create_ruleset syscall.
>> > > Refactor user space API to support network actions. Add new network
>> > > access flags, network rule and network attributes. Increment Landlock
>> > > ABI version. Expand access_masks_t to u32 to be sure network access
>> > > rights can be stored. Implement socket_bind() and socket_connect()
>> > > LSM hooks, which enables to restrict TCP socket binding and connection
>> > > to specific ports.
>> > > The new landlock_net_port_attr structure has two fields. The allowed_access
>> > > field contains the LANDLOCK_ACCESS_NET_* rights. The port field contains
>> > > the port value according to the allowed protocol. This field can
>> > > take up to a 64-bit value [1] but the maximum value depends on the related
>> > > protocol (e.g. 16-bit for TCP).
>> > > 
>> > > [1]
>> > > https://lore.kernel.org/r/278ab07f-7583-a4e0-3d37-1bacd091531d@digikod.net
>> > > 
>> > > Signed-off-by: Mickaël Salaün <mic at digikod.net>
>> > > Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
>> > > ---
>> > > 
> 
>> > > +int add_rule_net_service(struct landlock_ruleset *ruleset,
>> > 
>> > We should only export functions with a "landlock_" prefix, and "service"
>> > is now replaced with "port", which gives landlock_add_rule_net_port().
>> > 
>> > For consistency, we should also rename add_rule_path_beneath() into
>> > landlock_add_rule_path_beneath(), move it into fs.c, and merge
>> > landlock_append_fs_rule() into it (being careful to not move the related
>> > code to ease review). This change should be part of the "landlock:
>> > Refactor landlock_add_rule() syscall" patch. Please be careful to keep
>> > the other changes happening in other patches.
>> > 
>> > 
>> > > +			 const void __user *const rule_attr)
>> > > +{
>> > > +	struct landlock_net_port_attr net_port_attr;
>> > > +	int res;
>> > > +	access_mask_t mask, bind_access_mask;
>> > > +
>> > > +	/* Copies raw user space buffer. */
>> > > +	res = copy_from_user(&net_port_attr, rule_attr, sizeof(net_port_attr));
>> > 
>> > We should include <linux/uaccess.h> because of copy_from_user().
>> > 
>> > Same for landlock_add_rule_path_beneath().
>> > 
>> > > +	if (res)
>> > > +		return -EFAULT;
>> > > +
>> > > +	/*
>> > > +	 * Informs about useless rule: empty allowed_access (i.e. deny rules)
>> > > +	 * are ignored by network actions.
>> > > +	 */
>> > > +	if (!net_port_attr.allowed_access)
>> > > +		return -ENOMSG;
>> > > +
>> > > +	/*
>> > > +	 * Checks that allowed_access matches the @ruleset constraints
>> > > +	 * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
>> > > +	 */
>> > > +	mask = landlock_get_net_access_mask(ruleset, 0);
>> > > +	if ((net_port_attr.allowed_access | mask) != mask)
>> > > +		return -EINVAL;
>> > > +
>> > > +	/*
>> > > +	 * Denies inserting a rule with port 0 (for bind action) or
>> > > +	 * higher than 65535.
>> > > +	 */
>> > > +	bind_access_mask = net_port_attr.allowed_access &
>> > > +			   LANDLOCK_ACCESS_NET_BIND_TCP;
>> > > +	if (((net_port_attr.port == 0) &&
>> > > +	     (bind_access_mask == LANDLOCK_ACCESS_NET_BIND_TCP)) ||
>> > 
>> > For context about "port 0 binding" see
>> > https://lore.kernel.org/all/7cb458f1-7aff-ccf3-abfd-b563bfc65b84@huawei.com/
>> > 
>> > I previously said:
>> > > > > To say it another way, we should not allow to add a rule with port
>> > > > > 0 for
>> > > > > LANDLOCK_ACCESS_NET_BIND_TCP, but return -EINVAL in this case. This
>> > > > > limitation should be explained, documented and tested.
>> > 
>> > Thinking more about this port 0 for bind (and after an interesting
>> > discussion with Eric), it would be a mistake to forbid a rule to bind on
>> > port 0 because this is very useful for some network services, and
>> > because it would not be reasonable to have an LSM hook to control such
>> > "random ports". Instead we should document what using this value means
>> > (i.e. pick a dynamic available port in a range defined by the sysadmin)
>> > and highlight the fact that it is controlled with the
>> > /proc/sys/net/ipv4/ip_local_port_range sysctl, which is also used by
>> > IPv6.
>> 
>>   Hi Mickaёl.
>>   I also wonder which part of documentation (landlock.rst) we should include
>> zero port description in?
> 
> This documentation should be in the struct landlock_net_port_attr's @port
> description, which will then be part of the generated documentation.
> 
   Got it.
   Thanks.
> 
>> > 
>> > We then need to test binding on port zero by getting the binded port
>> > (cf. getsockopt/getsockname) and checking that we can indeed connect to
>> > it.
>> > 
>> > > +	    (net_port_attr.port > U16_MAX))
>> > > +		return -EINVAL;
>> > > +
>> > > +	/* Imports the new rule. */
>> > > +	return landlock_append_net_rule(ruleset, net_port_attr.port,
>> > > +					net_port_attr.allowed_access);
>> > > +}
> .



More information about the Linux-security-module-archive mailing list