lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1344bc15-6dec-fcc2-8523-215aad17a535@digikod.net>
Date:   Sat, 18 Dec 2021 11:59:26 +0100
From:   Mickaël Salaün <mic@...ikod.net>
To:     Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc:     Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
        yusongping <yusongping@...wei.com>,
        Artem Kuzin <artem.kuzin@...wei.com>,
        linux-security-module <linux-security-module@...r.kernel.org>,
        Network Development <netdev@...r.kernel.org>,
        netfilter@...r.kernel.org
Subject: Re: [RFC PATCH 0/2] Landlock network PoC implementation

Here is the beginning of the thread: 
https://lore.kernel.org/linux-security-module/a1769c4239ee4e8aadb65f9ebb6061d8@huawei.com/

On 17/12/2021 22:29, Willem de Bruijn wrote:
> On Fri, Dec 17, 2021 at 4:38 AM Mickaël Salaün <mic@...ikod.net> wrote:

[...]

>>>>
>>>> Accesses/suffixes should be:
>>>> - CREATE
>>>> - ACCEPT
>>>> - BIND
>>>> - LISTEN
>>>> - CONNECT
>>>> - RECEIVE (RECEIVE_FROM and SEND_TO should not be needed)
>>>> - SEND
>>>> - SHUTDOWN
>>>> - GET_OPTION (GETSOCKOPT)
>>>> - SET_OPTION (SETSOCKOPT)
>>
>> For now, the only access rights should be LANDLOCK_ACCESS_NET_BIND_TCP
>> and LANDLOCK_ACCESS_NET_CONNECT_TCP (tie to two LSM hooks with struct
>> sockaddr).
>>
>> These attribute and access right changes reduce the scope of the network
>> access control and make it simpler but still really useful. Datagram
>> (e.g. UDP, which could add BIND_UDP and SEND_UDP) sockets will be more
>> complex to restrict correctly and should then come in another patch
>> series, once TCP is supported.
> 
> Thanks for cc:ing the netdev list. I miss some of context, assume that
> limits are configured on a socket basis.
> 
> One practical use-case I had for voluntary relinquish of privileges:
> do not allow connect AF_UNSPEC. This is a little-used feature that
> allows an already established connection to disconnect and create a
> new connection. Without this option, it is possible for a privileged
> process to create connections and hand those off to a less privileged
> process. Also, do not allow listen calls, to avoid elevating a socket
> to a listener.

Thanks for the heads up. connect + AF_UNSPEC is a nice trick but the 
security_socket_connect() hook should handle that, and then the 
LANDOCK_ACCESS_NET_CONNECT_TCP right too. This should be part of tests 
though.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ