lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240916122230.114800-1-matthieu@buffet.re>
Date: Mon, 16 Sep 2024 14:22:23 +0200
From: Matthieu Buffet <matthieu@...fet.re>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Günther Noack <gnoack@...gle.com>,
	Paul Moore <paul@...l-moore.com>,
	James Morris <jmorris@...ei.org>,
	"Serge E . Hallyn" <serge@...lyn.com>,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org,
	Matthieu Buffet <matthieu@...fet.re>
Subject: [RFC PATCH v1 0/7] landlock: Add UDP access control support

Landlocked processes can freely use UDP sockets. This may allow them to
escape their sandbox if they can reach UDP sockets of other vulnerable
processes on the same host, or allow them to send/receive to/from unwanted
hosts.

This is a first attempt to add access control around UDP usage, based on
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git
Linux 6.11-rc1 (8400291e289e).

The first two commits fix what I interpret as a bug in landlock's sample's
options parsing, in order to allow testing the actual patch contents.
These two are finished afaict and could be merged separately, but are
bundled here to have a working base-commit and allow the actual patch to
get a first round of feedback.

Add two new access rights in the same bind/connect hooks as used for
TCP, with the same semantics.

Also add two new hooks in recvmsg/sendmsg and two additional rights,
because:
- UDP allows processes to send traffic to anyone without any `bind()` nor
  `connect()` by specifying an arbitrary address in `sendmsg()`, so
  simply using existing hooks cannot prevent sending that traffic;
- UDP allows processes to receive traffic on ephemeral ports without any
  `bind()` (e.g. just `sendmsg()` to 127.0.0.1 to get a port assigned, then
  you can `recv()` on that port).

When benchmarking `iperf3 --udp` with and without sendmsg/recvmsg
sandboxing, the difference appears negligible on my laptop, which makes
me think I'm looking at a completely unrelated bottleneck somewhere else.
Advice or tests from someone with non-potato hardware and benchmarking
knowledge would be appreciated.

Selftests updated for UDP, coverage should encompass all non-critical-error
paths.

This is a first kernel patch attempt, any feedback appreciated.

Link: https://github.com/landlock-lsm/linux/issues/10

Matthieu Buffet (7):
  samples/landlock: Fix port parsing in sandboxer
  samples/landlock: Clarify option parsing behaviour
  landlock: Add UDP bind+connect access control
  landlock: Add UDP send+recv access control
  samples/landlock: Add sandboxer UDP access control
  selftests/landlock: Adapt existing tests for UDP
  selftests/landlock: Add UDP sendmsg/recvmsg tests

 include/uapi/linux/landlock.h                |  58 ++-
 samples/landlock/sandboxer.c                 | 181 +++++--
 security/landlock/limits.h                   |   2 +-
 security/landlock/net.c                      | 255 +++++++--
 security/landlock/syscalls.c                 |   2 +-
 tools/testing/selftests/landlock/base_test.c |   2 +-
 tools/testing/selftests/landlock/net_test.c  | 518 +++++++++++++++++--
 7 files changed, 886 insertions(+), 132 deletions(-)

-- 
2.39.5


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ