lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231011.shuu8oomi4Mo@digikod.net>
Date: Wed, 11 Oct 2023 18:02:13 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: "Konstantin Meskhidze (A)" <konstantin.meskhidze@...wei.com>
Cc: willemdebruijn.kernel@...il.com, gnoack3000@...il.com, 
	linux-security-module@...r.kernel.org, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, 
	yusongping@...wei.com, artem.kuzin@...wei.com, Eric Dumazet <edumazet@...gle.com>
Subject: Re: [PATCH v12 08/12] landlock: Add network rules and TCP hooks
 support

On Wed, Oct 11, 2023 at 04:53:57AM +0300, Konstantin Meskhidze (A) wrote:
> 
> 
> 10/2/2023 11:26 PM, Mickaël Salaün пишет:
> > Thanks for this new version Konstantin. I pushed this series, with minor
> > changes, to -next. So far, no warning. But it needs some changes, mostly
> > kernel-only, but also one with the handling of port 0 with bind (see my
> > review below).
> > 
> > On Wed, Sep 20, 2023 at 05:26:36PM +0800, Konstantin Meskhidze wrote:
> > > This commit adds network rules support in the ruleset management
> > > helpers and the landlock_create_ruleset syscall.
> > > Refactor user space API to support network actions. Add new network
> > > access flags, network rule and network attributes. Increment Landlock
> > > ABI version. Expand access_masks_t to u32 to be sure network access
> > > rights can be stored. Implement socket_bind() and socket_connect()
> > > LSM hooks, which enables to restrict TCP socket binding and connection
> > > to specific ports.
> > > The new landlock_net_port_attr structure has two fields. The allowed_access
> > > field contains the LANDLOCK_ACCESS_NET_* rights. The port field contains
> > > the port value according to the allowed protocol. This field can
> > > take up to a 64-bit value [1] but the maximum value depends on the related
> > > protocol (e.g. 16-bit for TCP).
> > > 
> > > [1]
> > > https://lore.kernel.org/r/278ab07f-7583-a4e0-3d37-1bacd091531d@digikod.net
> > > 
> > > Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> > > Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
> > > ---
> > > 

> > > +int add_rule_net_service(struct landlock_ruleset *ruleset,
> > 
> > We should only export functions with a "landlock_" prefix, and "service"
> > is now replaced with "port", which gives landlock_add_rule_net_port().
> > 
> > For consistency, we should also rename add_rule_path_beneath() into
> > landlock_add_rule_path_beneath(), move it into fs.c, and merge
> > landlock_append_fs_rule() into it (being careful to not move the related
> > code to ease review). This change should be part of the "landlock:
> > Refactor landlock_add_rule() syscall" patch. Please be careful to keep
> > the other changes happening in other patches.
> > 
> > 
> > > +			 const void __user *const rule_attr)
> > > +{
> > > +	struct landlock_net_port_attr net_port_attr;
> > > +	int res;
> > > +	access_mask_t mask, bind_access_mask;
> > > +
> > > +	/* Copies raw user space buffer. */
> > > +	res = copy_from_user(&net_port_attr, rule_attr, sizeof(net_port_attr));
> > 
> > We should include <linux/uaccess.h> because of copy_from_user().
> > 
> > Same for landlock_add_rule_path_beneath().
> > 
> > > +	if (res)
> > > +		return -EFAULT;
> > > +
> > > +	/*
> > > +	 * Informs about useless rule: empty allowed_access (i.e. deny rules)
> > > +	 * are ignored by network actions.
> > > +	 */
> > > +	if (!net_port_attr.allowed_access)
> > > +		return -ENOMSG;
> > > +
> > > +	/*
> > > +	 * Checks that allowed_access matches the @ruleset constraints
> > > +	 * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
> > > +	 */
> > > +	mask = landlock_get_net_access_mask(ruleset, 0);
> > > +	if ((net_port_attr.allowed_access | mask) != mask)
> > > +		return -EINVAL;
> > > +
> > > +	/*
> > > +	 * Denies inserting a rule with port 0 (for bind action) or
> > > +	 * higher than 65535.
> > > +	 */
> > > +	bind_access_mask = net_port_attr.allowed_access &
> > > +			   LANDLOCK_ACCESS_NET_BIND_TCP;
> > > +	if (((net_port_attr.port == 0) &&
> > > +	     (bind_access_mask == LANDLOCK_ACCESS_NET_BIND_TCP)) ||
> > 
> > For context about "port 0 binding" see
> > https://lore.kernel.org/all/7cb458f1-7aff-ccf3-abfd-b563bfc65b84@huawei.com/
> > 
> > I previously said:
> > > > > To say it another way, we should not allow to add a rule with port
> > > > > 0 for
> > > > > LANDLOCK_ACCESS_NET_BIND_TCP, but return -EINVAL in this case. This
> > > > > limitation should be explained, documented and tested.
> > 
> > Thinking more about this port 0 for bind (and after an interesting
> > discussion with Eric), it would be a mistake to forbid a rule to bind on
> > port 0 because this is very useful for some network services, and
> > because it would not be reasonable to have an LSM hook to control such
> > "random ports". Instead we should document what using this value means
> > (i.e. pick a dynamic available port in a range defined by the sysadmin)
> > and highlight the fact that it is controlled with the
> > /proc/sys/net/ipv4/ip_local_port_range sysctl, which is also used by
> > IPv6.
> 
>   Hi Mickaёl.
>   I also wonder which part of documentation (landlock.rst) we should include
> zero port description in?

This documentation should be in the struct landlock_net_port_attr's @port
description, which will then be part of the generated documentation.


> > 
> > We then need to test binding on port zero by getting the binded port
> > (cf. getsockopt/getsockname) and checking that we can indeed connect to
> > it.
> > 
> > > +	    (net_port_attr.port > U16_MAX))
> > > +		return -EINVAL;
> > > +
> > > +	/* Imports the new rule. */
> > > +	return landlock_append_net_rule(ruleset, net_port_attr.port,
> > > +					net_port_attr.allowed_access);
> > > +}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ