| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240916122230.114800-1-matthieu@buffet.re> Date: Mon, 16 Sep 2024 14:22:23 +0200 From: Matthieu Buffet <matthieu@...fet.re> To: Mickaël Salaün <mic@...ikod.net> Cc: Günther Noack <gnoack@...gle.com>, Paul Moore <paul@...l-moore.com>, James Morris <jmorris@...ei.org>, "Serge E . Hallyn" <serge@...lyn.com>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, Matthieu Buffet <matthieu@...fet.re> Subject: [RFC PATCH v1 0/7] landlock: Add UDP access control support Landlocked processes can freely use UDP sockets. This may allow them to escape their sandbox if they can reach UDP sockets of other vulnerable processes on the same host, or allow them to send/receive to/from unwanted hosts. This is a first attempt to add access control around UDP usage, based on https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git Linux 6.11-rc1 (8400291e289e). The first two commits fix what I interpret as a bug in landlock's sample's options parsing, in order to allow testing the actual patch contents. These two are finished afaict and could be merged separately, but are bundled here to have a working base-commit and allow the actual patch to get a first round of feedback. Add two new access rights in the same bind/connect hooks as used for TCP, with the same semantics. Also add two new hooks in recvmsg/sendmsg and two additional rights, because: - UDP allows processes to send traffic to anyone without any `bind()` nor `connect()` by specifying an arbitrary address in `sendmsg()`, so simply using existing hooks cannot prevent sending that traffic; - UDP allows processes to receive traffic on ephemeral ports without any `bind()` (e.g. just `sendmsg()` to 127.0.0.1 to get a port assigned, then you can `recv()` on that port). When benchmarking `iperf3 --udp` with and without sendmsg/recvmsg sandboxing, the difference appears negligible on my laptop, which makes me think I'm looking at a completely unrelated bottleneck somewhere else. Advice or tests from someone with non-potato hardware and benchmarking knowledge would be appreciated. Selftests updated for UDP, coverage should encompass all non-critical-error paths. This is a first kernel patch attempt, any feedback appreciated. Link: https://github.com/landlock-lsm/linux/issues/10 Matthieu Buffet (7): samples/landlock: Fix port parsing in sandboxer samples/landlock: Clarify option parsing behaviour landlock: Add UDP bind+connect access control landlock: Add UDP send+recv access control samples/landlock: Add sandboxer UDP access control selftests/landlock: Adapt existing tests for UDP selftests/landlock: Add UDP sendmsg/recvmsg tests include/uapi/linux/landlock.h | 58 ++- samples/landlock/sandboxer.c | 181 +++++-- security/landlock/limits.h | 2 +- security/landlock/net.c | 255 +++++++-- security/landlock/syscalls.c | 2 +- tools/testing/selftests/landlock/base_test.c | 2 +- tools/testing/selftests/landlock/net_test.c | 518 +++++++++++++++++-- 7 files changed, 886 insertions(+), 132 deletions(-) -- 2.39.5
Powered by blists - more mailing lists