Message-ID: <20231102131354.263678-1-mic@digikod.net>
Date:   Thu,  2 Nov 2023 14:13:54 +0100
From:   Mickaël Salaün <mic@...ikod.net>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Mickaël Salaün <mic@...ikod.net>,
        Günther Noack <gnoack@...gle.com>,
        Paul Moore <paul@...l-moore.com>,
        Willem de Bruijn <willemdebruijn.kernel@...il.com>,
        artem.kuzin@...wei.com, yusongping <yusongping@...wei.com>,
        linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org, netdev@...r.kernel.org,
        netfilter-devel@...r.kernel.org
Subject: [GIT PULL] Landlock updates for v6.7

Hi Linus,

This PR adds initial network support for Landlock (TCP bind and connect
access control), contributed by Konstantin Meskhidze [1].  Please pull
these changes for v6.7-rc1.  These 13 commits merged cleanly with your
master branch and the LSM/dev branch [2].  The kernel code has been
tested in the latest linux-next releases for a month (next-20231003 [3]),
but the related patch series has since been updated (while keeping the
same kernel code): extended tests, improved documentation and commit
messages.  I rebased the latest patch series (with some cosmetic fixes)
on v6.6-rc7 and added two more tests.

A Landlock ruleset can now handle two new access rights:
LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP.  When
handled, the related actions are denied unless explicitly allowed by a
Landlock network rule for a specific port.

The related patch series has been reviewed for almost two years; it has
evolved a lot, and we have now reached a decent design, code and testing.
The refactored kernel code and the new test helpers also bring the
foundation to support more network protocols.

Test coverage for security/landlock is 92.4% of 710 lines according to
gcc/gcov-13, and it was 93.1% of 597 lines before this series.  The
decrease in coverage is due to code refactoring to make the ruleset
management more generic (i.e. dealing with inodes and ports) that also
added new WARN_ON_ONCE() checks not possible to test from user space.

syzkaller has been updated accordingly [4], and such a patched instance
(tailored to Landlock) has been running for a month, covering all the
new network-related code [5].

Link: https://lore.kernel.org/r/20231026014751.414649-1-konstantin.meskhidze@huawei.com [1]
Link: https://lore.kernel.org/r/CAHC9VhS1wwgH6NNd+cJz4MYogPiRV8NyPDd1yj5SpaxeUB4UVg@mail.gmail.com [2]
Link: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next-history.git/commit/?id=c8dc5ee69d3a [3]
Link: https://github.com/google/syzkaller/pull/4266 [4]
Link: https://storage.googleapis.com/syzbot-assets/82e8608dec36/ci-upstream-linux-next-kasan-gce-root-ab577164.html#security%2flandlock%2fnet.c [5]

Regards,
 Mickaël

--
The following changes since commit 05d3ef8bba77c1b5f98d941d8b2d4aeab8118ef1:

  Linux 6.6-rc7 (2023-10-22 12:11:21 -1000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/landlock-6.7-rc1

for you to fetch changes up to f12f8f84509a084399444c4422661345a15cc713:

  selftests/landlock: Add tests for FS topology changes with network rules (2023-10-27 17:53:31 +0200)

----------------------------------------------------------------
Landlock updates for v6.7-rc1

----------------------------------------------------------------
Konstantin Meskhidze (11):
      landlock: Make ruleset's access masks more generic
      landlock: Refactor landlock_find_rule/insert_rule helpers
      landlock: Refactor merge/inherit_ruleset helpers
      landlock: Move and rename layer helpers
      landlock: Refactor layer helpers
      landlock: Refactor landlock_add_rule() syscall
      landlock: Support network rules with TCP bind and connect
      selftests/landlock: Share enforce_ruleset() helper
      selftests/landlock: Add network tests
      samples/landlock: Support TCP restrictions
      landlock: Document network support

Mickaël Salaün (2):
      landlock: Allow FS topology changes for domains without such rule type
      selftests/landlock: Add tests for FS topology changes with network rules

 Documentation/userspace-api/landlock.rst     |   99 +-
 include/uapi/linux/landlock.h                |   55 +
 samples/landlock/sandboxer.c                 |  115 +-
 security/landlock/Kconfig                    |    1 +
 security/landlock/Makefile                   |    2 +
 security/landlock/fs.c                       |  232 ++--
 security/landlock/limits.h                   |    6 +
 security/landlock/net.c                      |  200 +++
 security/landlock/net.h                      |   33 +
 security/landlock/ruleset.c                  |  405 ++++--
 security/landlock/ruleset.h                  |  185 ++-
 security/landlock/setup.c                    |    2 +
 security/landlock/syscalls.c                 |  158 ++-
 tools/testing/selftests/landlock/base_test.c |    2 +-
 tools/testing/selftests/landlock/common.h    |   13 +
 tools/testing/selftests/landlock/config      |    4 +
 tools/testing/selftests/landlock/fs_test.c   |   69 +-
 tools/testing/selftests/landlock/net_test.c  | 1738 ++++++++++++++++++++++++++
 18 files changed, 2967 insertions(+), 352 deletions(-)
 create mode 100644 security/landlock/net.c
 create mode 100644 security/landlock/net.h
 create mode 100644 tools/testing/selftests/landlock/net_test.c
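The bind/connect semantics described in the announcement (once a ruleset handles LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP, every TCP port is denied unless a network rule allows it), as an added example that is not part of this pull request or of the Landlock tree: a small C program that restricts the calling thread to one listening port and one destination port. The ll_* structs and the LANDLOCK_* macros are local copies of the v6.7 UAPI definitions; the syscall-number fallbacks, the helper names net_access_for_abi(), build_port_rule() and restrict_tcp(), and the default ports 8080/443 are assumptions of this example. Filesystem access is deliberately left unhandled so the focus stays on the network rules.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock syscall numbers are identical on every architecture; the fallback
 * only matters for libc headers that predate Linux 5.13. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Copied from include/uapi/linux/landlock.h (Linux 6.7). The header itself is
 * not included so this file also builds against older kernel headers. */
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_NET_PORT 2
#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)

struct ll_ruleset_attr {  /* local copy of struct landlock_ruleset_attr */
	uint64_t handled_access_fs;
	uint64_t handled_access_net;
};
struct ll_net_port_attr {  /* local copy of struct landlock_net_port_attr */
	uint64_t allowed_access;
	uint64_t port;
};

/* Network rights exist since Landlock ABI 4 (Linux 6.7). Asking an older
 * kernel to handle them makes landlock_create_ruleset() fail, so return only
 * the subset of @wanted the running ABI can enforce (0 = no network rules). */
uint64_t net_access_for_abi(long abi, uint64_t wanted)
{
	if (abi < 4)
		return 0;
	return wanted & (LANDLOCK_ACCESS_NET_BIND_TCP |
			 LANDLOCK_ACCESS_NET_CONNECT_TCP);
}

/* Fills one port rule, mirroring the kernel's own checks: the port must fit in
 * 16 bits and a rule may only allow rights the ruleset handles; the kernel
 * rejects either violation with EINVAL. Returns 0 on success, -1 otherwise. */
int build_port_rule(struct ll_net_port_attr *rule, uint64_t handled,
		    uint64_t allowed, long port)
{
	if (port < 0 || port > 65535 || !allowed || (allowed & ~handled))
		return -1;
	rule->allowed_access = allowed;
	rule->port = (uint64_t)port;
	return 0;
}

/* Restricts the calling thread so TCP bind() succeeds only on @bind_port and
 * TCP connect() only to @connect_port; every other TCP port then fails with
 * EACCES. Returns 0 or an errno value. */
int restrict_tcp(long bind_port, long connect_port)
{
	struct ll_ruleset_attr attr = { 0 };
	struct ll_net_port_attr rule;
	long abi = syscall(__NR_landlock_create_ruleset, NULL, 0,
			   LANDLOCK_CREATE_RULESET_VERSION);
	int fd, err;

	if (abi < 0)
		return errno;  /* ENOSYS or EOPNOTSUPP: Landlock missing or disabled */
	attr.handled_access_net = net_access_for_abi(abi,
		LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP);
	if (!attr.handled_access_net)
		return ENOTSUP;  /* ABI < 4: this kernel cannot filter TCP ports */

	fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	if (fd < 0)
		return errno;
	errno = 0;  /* build_port_rule() sets no errno; report EINVAL for it */
	/* Only these two rules exist, so all other ports are denied once enforced. */
	if (build_port_rule(&rule, attr.handled_access_net,
			    LANDLOCK_ACCESS_NET_BIND_TCP, bind_port) ||
	    syscall(__NR_landlock_add_rule, fd, LANDLOCK_RULE_NET_PORT, &rule, 0) ||
	    build_port_rule(&rule, attr.handled_access_net,
			    LANDLOCK_ACCESS_NET_CONNECT_TCP, connect_port) ||
	    syscall(__NR_landlock_add_rule, fd, LANDLOCK_RULE_NET_PORT, &rule, 0) ||
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||  /* required by restrict_self */
	    syscall(__NR_landlock_restrict_self, fd, 0)) {
		err = errno ? errno : EINVAL;
		close(fd);
		return err;
	}
	close(fd);
	return 0;
}

int main(int argc, char **argv)
{
	/* Constructed defaults: serve on 8080, talk only to port 443. */
	int err = restrict_tcp(argc > 1 ? atol(argv[1]) : 8080,
			       argc > 2 ? atol(argv[2]) : 443);

	if (err)
		fprintf(stderr, "restrict_tcp: %s\n", strerror(err));
	return err ? 1 : 0;
}
```

Build with `gcc -O2 -o tcp_sandbox tcp_sandbox.c` and run it with the two ports as arguments; after restrict_tcp() returns 0, any further bind() or connect() on another TCP port in this process (and in its children) fails with EACCES, while UDP and non-IP sockets are untouched because only the two TCP rights are handled. On a kernel older than 6.7 the program reports "Operation not supported" instead of silently running unsandboxed; a best-effort sandboxer would instead drop the network rights and still enforce its filesystem rules.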
