[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1ed20e34-c252-b849-ab92-78c82901c979@huawei.com>
Date: Wed, 11 Jan 2023 04:54:55 +0300
From: "Konstantin Meskhidze (A)" <konstantin.meskhidze@...wei.com>
To: Mickaël Salaün <mic@...ikod.net>,
<netdev@...r.kernel.org>, <linux-api@...r.kernel.org>,
"Alejandro Colomar (man-pages)" <alx.manpages@...il.com>
CC: <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>,
<linux-security-module@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <artem.kuzin@...wei.com>
Subject: Re: [PATCH v8 08/12] landlock: Implement TCP network hooks
1/10/2023 8:24 PM, Mickaël Salaün пишет:
>
> On 10/01/2023 05:45, Konstantin Meskhidze (A) wrote:
>>
>>
>> 1/9/2023 3:38 PM, Mickaël Salaün пишет:
>>>
>>> On 09/01/2023 09:07, Konstantin Meskhidze (A) wrote:
>>>>
>>>>
>>>> 1/6/2023 10:30 PM, Mickaël Salaün пишет:
>>>>>
>>>>> On 05/01/2023 09:57, Konstantin Meskhidze (A) wrote:
>>>>>>
>>>>>>
>>>>>> 11/17/2022 9:43 PM, Mickaël Salaün пишет:
>>>>>>>
>>>>>>> On 21/10/2022 17:26, Konstantin Meskhidze wrote:
>>>>>>>> This patch adds support of socket_bind() and socket_connect() hooks.
>>>>>>>> It's possible to restrict binding and connecting of TCP sockets to
>>>>>>>> particular ports.
>>>>>>>
>>>>>>> Implement socket_bind() and socket_connect LSM hooks, which enable to
>>>>>>> restrict TCP socket binding and connection to specific ports.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
>>>>>>>> ---
>>>>>>>>
>>>>>>>> Changes since v7:
>>>>>>>> * Minor fixes.
>>>>>>>> * Refactors commit message.
>>>>>>>>
>>>>>>>> Changes since v6:
>>>>>>>> * Updates copyright.
>>>>>>>> * Refactors landlock_append_net_rule() and check_socket_access()
>>>>>>>> functions with landlock_id type.
>>>>>>>>
>>>>>>>> Changes since v5:
>>>>>>>> * Fixes some logic errors.
>>>>>>>> * Formats code with clang-format-14.
>>>>>>>>
>>>>>>>> Changes since v4:
>>>>>>>> * Factors out CONFIG_INET into make file.
>>>>>>>> * Refactors check_socket_access().
>>>>>>>> * Adds helper get_port().
>>>>>>>> * Adds CONFIG_IPV6 in get_port(), hook_socket_bind/connect
>>>>>>>> functions to support AF_INET6 family.
>>>>>>>> * Adds AF_UNSPEC family support in hook_socket_bind/connect
>>>>>>>> functions.
>>>>>>>> * Refactors add_rule_net_service() and landlock_add_rule
>>>>>>>> syscall to support network rule inserting.
>>>>>>>> * Refactors init_layer_masks() to support network rules.
>>>>>>>>
>>>>>>>> Changes since v3:
>>>>>>>> * Splits commit.
>>>>>>>> * Adds SECURITY_NETWORK in config.
>>>>>>>> * Adds IS_ENABLED(CONFIG_INET) if a kernel has no INET configuration.
>>>>>>>> * Adds hook_socket_bind and hook_socket_connect hooks.
>>>>>>>>
>>>>>>>> ---
>>>>>>>> security/landlock/Kconfig | 1 +
>>>>>>>> security/landlock/Makefile | 2 +
>>>>>>>> security/landlock/net.c | 164 +++++++++++++++++++++++++++++++++++
>>>>>>>> security/landlock/net.h | 26 ++++++
>>>>>>>> security/landlock/setup.c | 2 +
>>>>>>>> security/landlock/syscalls.c | 59 ++++++++++++-
>>>>>>>> 6 files changed, 251 insertions(+), 3 deletions(-)
>>>>>>>> create mode 100644 security/landlock/net.c
>>>>>>>> create mode 100644 security/landlock/net.h
>>>>>>>>
>>>>>>>> diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
>>>>>>>> index 8e33c4e8ffb8..10c099097533 100644
>>>>>>>> --- a/security/landlock/Kconfig
>>>>>>>> +++ b/security/landlock/Kconfig
>>>>>>>> @@ -3,6 +3,7 @@
>>>>>>>> config SECURITY_LANDLOCK
>>>>>>>> bool "Landlock support"
>>>>>>>> depends on SECURITY && !ARCH_EPHEMERAL_INODES
>>>>>>>> + select SECURITY_NETWORK
>>>>>>>> select SECURITY_PATH
>>>>>>>> help
>>>>>>>> Landlock is a sandboxing mechanism that enables processes to restrict
>>>>>>>> diff --git a/security/landlock/Makefile b/security/landlock/Makefile
>>>>>>>> index 7bbd2f413b3e..53d3c92ae22e 100644
>>>>>>>> --- a/security/landlock/Makefile
>>>>>>>> +++ b/security/landlock/Makefile
>>>>>>>> @@ -2,3 +2,5 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
>>>>>>>>
>>>>>>>> landlock-y := setup.o syscalls.o object.o ruleset.o \
>>>>>>>> cred.o ptrace.o fs.o
>>>>>>>> +
>>>>>>>> +landlock-$(CONFIG_INET) += net.o
>>>>>>>> \ No newline at end of file
>>>>>>>> diff --git a/security/landlock/net.c b/security/landlock/net.c
>>>>>>>> new file mode 100644
>>>>>>>> index 000000000000..39e8a156a1f4
>>>>>>>> --- /dev/null
>>>>>>>> +++ b/security/landlock/net.c
>>>>>>>> @@ -0,0 +1,164 @@
>>>>>>>> +// SPDX-License-Identifier: GPL-2.0-only
>>>>>>>> +/*
>>>>>>>> + * Landlock LSM - Network management and hooks
>>>>>>>> + *
>>>>>>>> + * Copyright © 2022 Huawei Tech. Co., Ltd.
>>>>>>>> + * Copyright © 2022 Microsoft Corporation
>>>>>>>> + */
>>>>>>>> +
>>>>>>>> +#include <linux/in.h>
>>>>>>>> +#include <linux/net.h>
>>>>>>>> +#include <linux/socket.h>
>>>>>>>> +#include <net/ipv6.h>
>>>>>>>> +
>>>>>>>> +#include "common.h"
>>>>>>>> +#include "cred.h"
>>>>>>>> +#include "limits.h"
>>>>>>>> +#include "net.h"
>>>>>>>> +#include "ruleset.h"
>>>>>>>> +
>>>>>>>> +int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
>>>>>>>> + const u16 port, access_mask_t access_rights)
>>>>>>>> +{
>>>>>>>> + int err;
>>>>>>>> + const struct landlock_id id = {
>>>>>>>> + .key.data = port,
>>>>>>>> + .type = LANDLOCK_KEY_NET_PORT,
>>>>>>>> + };
>>>>>>>> + BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
>>>>>>>> +
>>>>>>>> + /* Transforms relative access rights to absolute ones. */
>>>>>>>> + access_rights |= LANDLOCK_MASK_ACCESS_NET &
>>>>>>>> + ~landlock_get_net_access_mask(ruleset, 0);
>>>>>>>> +
>>>>>>>> + mutex_lock(&ruleset->lock);
>>>>>>>> + err = landlock_insert_rule(ruleset, id, access_rights);
>>>>>>>> + mutex_unlock(&ruleset->lock);
>>>>>>>> +
>>>>>>>> + return err;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static int check_socket_access(const struct landlock_ruleset *const domain,
>>>>>>>> + u16 port, access_mask_t access_request)
>>>>>>>> +{
>>>>>>>> + bool allowed = false;
>>>>>>>> + layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
>>>>>>>> + const struct landlock_rule *rule;
>>>>>>>> + access_mask_t handled_access;
>>>>>>>> + const struct landlock_id id = {
>>>>>>>> + .key.data = port,
>>>>>>>> + .type = LANDLOCK_KEY_NET_PORT,
>>>>>>>> + };
>>>>>>>> +
>>>>>>>> + if (WARN_ON_ONCE(!domain))
>>>>>>>> + return 0;
>>>>>>>> + if (WARN_ON_ONCE(domain->num_layers < 1))
>>>>>>>> + return -EACCES;
>>>>>>>> +
>>>>>>>> + rule = landlock_find_rule(domain, id);
>>>>>>>> + handled_access = init_layer_masks(domain, access_request, &layer_masks,
>>>>>>>> + LANDLOCK_KEY_NET_PORT);
>>>>>>>> + allowed = unmask_layers(rule, handled_access, &layer_masks,
>>>>>>>> + ARRAY_SIZE(layer_masks));
>>>>>>>> +
>>>>>>>> + return allowed ? 0 : -EACCES;
>>>>>>>> +}
>>>>>>>> +
>>>>>>>> +static u16 get_port(const struct sockaddr *const address)
>>>>>>>
>>>>>>> get_port() should return a __be16 type. This enables to avoid converting
>>>>>>> port when checking a rule.
>>>>>>
>>>>>> In this case a user must do a coverting port into __be16:
>>>>>>
>>>>>> struct landlock_net_service_attr net_service = {
>>>>>> .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
>>>>>>
>>>>>> .port = htons(sock_port),
>>>>>> };
>>>>>> I think that a user should not think about this conversion cause it
>>>>>> makes UAPI more complex to use. Lets do this under kernel's hood and let
>>>>>> it as it is now -> u16 port.
>>>>>>
>>>>>> What do you think?
>>>>>
>>>>> BE and LE conversions may be error prone without strong typing, but the
>>>>> current Linux network UAPI uses this convention (see related syscalls),
>>>>> so developers already use htons() in their applications. I think it is
>>>>> less hazardous to use the same convention. It would be nice to have the
>>>>> point of view of network and API folks though.
>>>>
>>>> Ok. Thanks. Let ports be in BE format like in network packets.
>>>>
>>>> What should a selftest with port conversion be like?
>>>>
>>>> 1. Set a port with a Landlock rule with no conversion. get an error
>>>> wit bind/connect actions.
>>>> 2. Convert a port with htons(sock_port). get no error.
>>>>
>>>> What do you think?
>>>
>>> Right, you can do both on a LE architecture (that must be checked in the
>>> test or it should be skipped), test with a port value that has different
>>> representation in LE and BE.
>>
>> Do you mean to check architecture in a test first and then port
>> representaton? What about BE architectures? My current VM is X86-64
>> architecture a LE one. I can test just it now.
>
> It's just that tests should pass whatever architecture they are run on.
> So we need to check that the current architecture is LE to check against
> an LE result but not against a BE one, and vice versa. In fact no test
> should be skipped, just the result to compare with adjusted (i.e. either
> it pass or it failed).
Ok. Thanks.
> .
Powered by blists - more mailing lists