[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <524f3c11-f228-1519-451f-c992bff8be79@digikod.net>
Date: Mon, 26 Jun 2023 20:59:54 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
Cc: willemdebruijn.kernel@...il.com, gnoack3000@...il.com,
linux-security-module@...r.kernel.org, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org, yusongping@...wei.com,
artem.kuzin@...wei.com
Subject: Re: [PATCH v11 12/12] landlock: Document Landlock's network support
On 15/05/2023 18:13, Konstantin Meskhidze wrote:
> Describe network access rules for TCP sockets. Add network access
> example in the tutorial. Add kernel configuration support for network.
>
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
> ---
>
> Changes since v10:
> * Fixes documentaion as Mickaёl suggested:
> https://lore.kernel.org/linux-security-module/ec23be77-566e-c8fd-179e-f50e025ac2cf@digikod.net/
>
> Changes since v9:
> * Minor refactoring.
>
> Changes since v8:
> * Minor refactoring.
>
> Changes since v7:
> * Fixes documentaion logic errors and typos as Mickaёl suggested:
> https://lore.kernel.org/netdev/9f354862-2bc3-39ea-92fd-53803d9bbc21@digikod.net/
>
> Changes since v6:
> * Adds network support documentaion.
>
> ---
> Documentation/userspace-api/landlock.rst | 83 ++++++++++++++++++------
> 1 file changed, 62 insertions(+), 21 deletions(-)
>
[...]
> @@ -143,10 +159,23 @@ for the ruleset creation, by filtering access rights according to the Landlock
> ABI version. In this example, this is not required because all of the requested
> ``allowed_access`` rights are already available in ABI 1.
>
> -We now have a ruleset with one rule allowing read access to ``/usr`` while
> -denying all other handled accesses for the filesystem. The next step is to
> -restrict the current thread from gaining more privileges (e.g. thanks to a SUID
> -binary).
> +For network access-control, we can add a set of rules that allow to use a port
> +number for a specific action: HTTPS connections.
> +
> +.. code-block:: c
> +
> + struct landlock_net_service_attr net_service = {
> + .allowed_access = NET_CONNECT_TCP,
LANDLOCK_ACCESS_NET_CONNECT_TCP
> + .port = 443,
> + };
> +
> + err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
> + &net_service, 0);
> +
Powered by blists - more mailing lists