| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 3 Aug 2023 17:13:33 +0300
From: "Konstantin Meskhidze (A)" <konstantin.meskhidze@...wei.com>
To: Mickaël Salaün <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<artem.kuzin@...wei.com>
Subject: Re: [PATCH v11 08/12] landlock: Add network rules and TCP hooks
support
8/3/2023 5:12 PM, Mickaël Salaün пишет:
> On Tue, May 16, 2023 at 12:13:35AM +0800, Konstantin Meskhidze wrote:
>> This commit adds network rules support in the ruleset management
>> helpers and the landlock_create_ruleset syscall.
>> Refactor user space API to support network actions. Add new network
>> access flags, network rule and network attributes. Increment Landlock
>> ABI version. Expand access_masks_t to u32 to be sure network access
>> rights can be stored. Implement socket_bind() and socket_connect()
>> LSM hooks, which enables to restrict TCP socket binding and connection
>> to specific ports.
>>
>> Co-developed-by: Mickaël Salaün <mic@...ikod.net>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
>> ---
>
> [...]
>
>> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
>> index 8a54e87dbb17..5cb0a1bc6ec0 100644
>> --- a/security/landlock/syscalls.c
>> +++ b/security/landlock/syscalls.c
>
> [...]
>
>> +static int add_rule_net_service(struct landlock_ruleset *ruleset,
>> + const void __user *const rule_attr)
>> +{
>> +#if IS_ENABLED(CONFIG_INET)
>
> We should define two add_rule_net_service() functions according to
> IS_ENABLED(CONFIG_INET) instead of changing the body of the only
> function. The second function would only return -EAFNOSUPPORT. This
> cosmetic change would make the code cleaner.
Ok. Got it.
>
>
>> + struct landlock_net_service_attr net_service_attr;
>> + int res;
>> + access_mask_t mask;
>> +
>> + /* Copies raw user space buffer, only one type for now. */
>> + res = copy_from_user(&net_service_attr, rule_attr,
>> + sizeof(net_service_attr));
>> + if (res)
>> + return -EFAULT;
>> +
>> + /*
>> + * Informs about useless rule: empty allowed_access (i.e. deny rules)
>> + * are ignored by network actions.
>> + */
>> + if (!net_service_attr.allowed_access)
>> + return -ENOMSG;
>> +
>> + /*
>> + * Checks that allowed_access matches the @ruleset constraints
>> + * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
>> + */
>> + mask = landlock_get_net_access_mask(ruleset, 0);
>> + if ((net_service_attr.allowed_access | mask) != mask)
>> + return -EINVAL;
>> +
>> + /* Denies inserting a rule with port 0 or higher than 65535. */
>> + if ((net_service_attr.port == 0) || (net_service_attr.port > U16_MAX))
>> + return -EINVAL;
>> +
>> + /* Imports the new rule. */
>> + return landlock_append_net_rule(ruleset, net_service_attr.port,
>> + net_service_attr.allowed_access);
>> +#else /* IS_ENABLED(CONFIG_INET) */
>> + return -EAFNOSUPPORT;
>> +#endif /* IS_ENABLED(CONFIG_INET) */
>> +}
> .
Powered by blists - more mailing lists