lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZsOoBPpNZ+8KXKus@tahera-OptiPlex-5000>
Date: Mon, 19 Aug 2024 14:16:04 -0600
From: Tahera Fahimi <fahimitahera@...il.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: outreachy@...ts.linux.dev, gnoack@...gle.com, paul@...l-moore.com,
	jmorris@...ei.org, serge@...lyn.com,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
	bjorn3_gh@...tonmail.com, jannh@...gle.com, netdev@...r.kernel.org
Subject: Re: [PATCH v9 0/5] Landlock: Add abstract unix socket connect
 restriction

On Mon, Aug 19, 2024 at 09:58:27PM +0200, Mickaël Salaün wrote:
> There are still some issues (mainly with tests) but overall the kernel
> part looks good!  I pushed this patch series to the -next branch.  I'll
> update with the next versions of this series.
Thank you :) 
> I'll do the same with the next signal scoping patch series once the
> lifetime issue that Jann reported is fixed.
I have already applied those changes, but still need to add a test case
for file_send_sigiotask()
> On Wed, Aug 14, 2024 at 12:22:18AM -0600, Tahera Fahimi wrote:
> > This patch series adds scoping mechanism for abstract unix sockets.
> > Closes: https://github.com/landlock-lsm/linux/issues/7
> > 
> > Problem
> > =======
> > 
> > Abstract unix sockets are used for local inter-process communications
> > independent of the filesystem. Currently, a sandboxed process can
> > connect to a socket outside of the sandboxed environment, since Landlock
> > has no restriction for connecting to an abstract socket address(see more
> > details in [1,2]). Access to such sockets for a sandboxed process should
> > be scoped the same way ptrace is limited.
> > 
> > [1] https://lore.kernel.org/all/20231023.ahphah4Wii4v@digikod.net/
> > [2] https://lore.kernel.org/all/20231102.MaeWaepav8nu@digikod.net/
> > 
> > Solution
> > ========
> > 
> > To solve this issue, we extend the user space interface by adding a new
> > "scoped" field to Landlock ruleset attribute structure. This field can
> > contains different rights to restrict different functionalities. For
> > abstract unix sockets, we introduce
> > "LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET" field to specify that a ruleset
> > will deny any connection from within the sandbox domain to its parent
> > (i.e. any parent sandbox or non-sandbox processes).
> > 
> > Example
> > =======
> > 
> > Starting a listening socket with socat(1):
> > 	socat abstract-listen:mysocket -
> > 
> > Starting a sandboxed shell from $HOME with samples/landlock/sandboxer:
> > 	LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="a" ./sandboxer /bin/bash
> > 
> > If we try to connect to the listening socket, the connection would be
> > refused.
> > 	socat - abstract-connect:mysocket --> fails
> > 
> > 
> > Notes of Implementation
> > =======================
> > 
> > * Using the "scoped" field provides enough compatibility and flexibility
> >   to extend the scoping mechanism for other IPCs(e.g. signals).
> > 
> > * To access the domain of a socket, we use its credentials of the file's FD
> >   which point to the credentials of the process that created the socket.
> >   (see more details in [3]). Cases where the process using the socket has
> >   a different domain than the process created it are covered in the 
> >   unix_sock_special_cases test.
> > 
> > [3]https://lore.kernel.org/all/20240611.Pi8Iph7ootae@digikod.net/
> > 
> > Previous Versions
> > =================
> > v8: https://lore.kernel.org/all/cover.1722570749.git.fahimitahera@gmail.com/
> > v7: https://lore.kernel.org/all/cover.1721269836.git.fahimitahera@gmail.com/
> > v6: https://lore.kernel.org/all/Zn32CYZiu7pY+rdI@tahera-OptiPlex-5000/
> > and https://lore.kernel.org/all/Zn32KKIJrY7Zi51K@tahera-OptiPlex-5000/
> > v5: https://lore.kernel.org/all/ZnSZnhGBiprI6FRk@tahera-OptiPlex-5000/
> > v4: https://lore.kernel.org/all/ZnNcE3ph2SWi1qmd@tahera-OptiPlex-5000/
> > v3: https://lore.kernel.org/all/ZmJJ7lZdQuQop7e5@tahera-OptiPlex-5000/
> > v2: https://lore.kernel.org/all/ZgX5TRTrSDPrJFfF@tahera-OptiPlex-5000/
> > v1: https://lore.kernel.org/all/ZgXN5fi6A1YQKiAQ@tahera-OptiPlex-5000/
> > 
> > Tahera Fahimi (5):
> >   Landlock: Add abstract unix socket connect restriction
> >   selftests/Landlock: Abstract unix socket restriction tests
> >   selftests/Landlock: Adding pathname Unix socket tests
> >   sample/Landlock: Support abstract unix socket restriction
> >   Landlock: Document LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET and ABI
> >     versioning
> > 
> >  Documentation/userspace-api/landlock.rst      |   33 +-
> >  include/uapi/linux/landlock.h                 |   27 +
> >  samples/landlock/sandboxer.c                  |   58 +-
> >  security/landlock/limits.h                    |    3 +
> >  security/landlock/ruleset.c                   |    7 +-
> >  security/landlock/ruleset.h                   |   23 +-
> >  security/landlock/syscalls.c                  |   17 +-
> >  security/landlock/task.c                      |  129 ++
> >  tools/testing/selftests/landlock/base_test.c  |    2 +-
> >  tools/testing/selftests/landlock/common.h     |   38 +
> >  tools/testing/selftests/landlock/net_test.c   |   31 +-
> >  .../landlock/scoped_abstract_unix_test.c      | 1146 +++++++++++++++++
> >  12 files changed, 1469 insertions(+), 45 deletions(-)
> >  create mode 100644 tools/testing/selftests/landlock/scoped_abstract_unix_test.c
> > 
> > -- 
> > 2.34.1
> > 
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ