[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240916122230.114800-1-matthieu@buffet.re>
Date: Mon, 16 Sep 2024 14:22:23 +0200
From: Matthieu Buffet <matthieu@...fet.re>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Günther Noack <gnoack@...gle.com>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org,
netdev@...r.kernel.org,
Matthieu Buffet <matthieu@...fet.re>
Subject: [RFC PATCH v1 0/7] landlock: Add UDP access control support
Landlocked processes can freely use UDP sockets. This may allow them to
escape their sandbox if they can reach UDP sockets of other vulnerable
processes on the same host, or allow them to send/receive to/from unwanted
hosts.
This is a first attempt to add access control around UDP usage, based on
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git
Linux 6.11-rc1 (8400291e289e).
The first two commits fix what I interpret as a bug in landlock's sample's
options parsing, in order to allow testing the actual patch contents.
These two are finished afaict and could be merged separately, but are
bundled here to have a working base-commit and allow the actual patch to
get a first round of feedback.
Add two new access rights in the same bind/connect hooks as used for
TCP, with the same semantics.
Also add two new hooks in recvmsg/sendmsg and two additional rights,
because:
- UDP allows processes to send traffic to anyone without any `bind()` nor
`connect()` by specifying an arbitrary address in `sendmsg()`, so
simply using existing hooks cannot prevent sending that traffic;
- UDP allows processes to receive traffic on ephemeral ports without any
`bind()` (e.g. just `sendmsg()` to 127.0.0.1 to get a port assigned, then
you can `recv()` on that port).
When benchmarking `iperf3 --udp` with and without sendmsg/recvmsg
sandboxing, the difference appears negligible on my laptop, which makes
me think I'm looking at a completely unrelated bottleneck somewhere else.
Advice or tests from someone with non-potato hardware and benchmarking
knowledge would be appreciated.
Selftests updated for UDP, coverage should encompass all non-critical-error
paths.
This is a first kernel patch attempt, any feedback appreciated.
Link: https://github.com/landlock-lsm/linux/issues/10
Matthieu Buffet (7):
samples/landlock: Fix port parsing in sandboxer
samples/landlock: Clarify option parsing behaviour
landlock: Add UDP bind+connect access control
landlock: Add UDP send+recv access control
samples/landlock: Add sandboxer UDP access control
selftests/landlock: Adapt existing tests for UDP
selftests/landlock: Add UDP sendmsg/recvmsg tests
include/uapi/linux/landlock.h | 58 ++-
samples/landlock/sandboxer.c | 181 +++++--
security/landlock/limits.h | 2 +-
security/landlock/net.c | 255 +++++++--
security/landlock/syscalls.c | 2 +-
tools/testing/selftests/landlock/base_test.c | 2 +-
tools/testing/selftests/landlock/net_test.c | 518 +++++++++++++++++--
7 files changed, 886 insertions(+), 132 deletions(-)
--
2.39.5
Powered by blists - more mailing lists