Message-ID: <ZhPtVYkVcKsUJrty@google.com>
Date: Mon, 8 Apr 2024 15:12:53 +0200
From: "Günther Noack" <gnoack@...gle.com>
To: Ivanov Mikhail <ivanov.mikhail1@...wei-partners.com>
Cc: mic@...ikod.net, willemdebruijn.kernel@...il.com, gnoack3000@...il.com, 
	linux-security-module@...r.kernel.org, netdev@...r.kernel.org, 
	netfilter-devel@...r.kernel.org, yusongping@...wei.com, 
	artem.kuzin@...wei.com, konstantin.meskhidze@...wei.com
Subject: Re: [RFC PATCH v1 00/10] Socket type control for Landlock

On Mon, Apr 08, 2024 at 05:39:17PM +0800, Ivanov Mikhail wrote:
> The patchset implements a new type of Landlock rule that restricts actions for
> sockets of any protocol. Such a restriction would be useful to ensure
> that a sandboxed process uses only the necessary protocols.
> See [2] for more cases.
> 
> The rules store information about the socket family (aka domain) and type.
> 
> struct landlock_socket_attr {
> 	__u64 allowed_access;
> 	int domain; // see socket(2)
> 	int type; // see socket(2)
> };
> 
> The patchset currently implements a rule only for the socket_create() method, but
> other necessary rules will also be implemented. [1]
> 
> Code coverage (gcov) report with the launch of all the Landlock selftests:
> * security/landlock:
> lines......: 94.7% (784 of 828 lines)
> functions..: 97.2% (105 of 108 functions)
> 
> * security/landlock/socket.c:
> lines......: 100.0% (33 of 33 lines)
> functions..: 100.0% (5 of 5 functions)
> 
> [1] https://lore.kernel.org/all/b8a2045a-e7e8-d141-7c01-bf47874c7930@digikod.net/
> [2] https://lore.kernel.org/all/ZJvy2SViorgc+cZI@google.com/

Thank you, I am very excited to see this patch set! :)

You might want to also link to https://github.com/landlock-lsm/linux/issues/6
where the feature idea is tracked.

—Günther

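As an added illustration (not code from the patchset or from either author), here is a user-space model of the rule matching the cover letter describes: a ruleset of `landlock_socket_attr` entries and a default-deny check for socket_create(). The `SOCKET_ACCESS_CREATE` bit name and the `socket_ruleset` wrapper are assumptions; the RFC's real constants are not shown in this message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/socket.h>

/* Hypothetical access bit for the socket_create() hook. The RFC's real
 * constant name is not quoted in the cover letter; this is a placeholder. */
#define SOCKET_ACCESS_CREATE (1ULL << 0)

/* Rule layout as quoted in the cover letter (user-space model, not kernel code). */
struct landlock_socket_attr {
	uint64_t allowed_access;
	int domain; /* see socket(2) */
	int type;   /* see socket(2) */
};

/* Minimal model of a ruleset: once socket access is handled, anything not
 * explicitly allowed is denied (default-deny, as the cover letter implies). */
struct socket_ruleset {
	const struct landlock_socket_attr *rules;
	size_t nr_rules;
	bool restricts_sockets; /* true if this ruleset handles socket access */
};

/* Return true if socket(domain, type, ...) would be permitted under rs.
 * The SOCK_CLOEXEC/SOCK_NONBLOCK flags that socket(2) lets callers OR into
 * the type are stripped first, so they cannot make a rule fail to match. */
bool socket_create_allowed(const struct socket_ruleset *rs, int domain, int type)
{
#ifdef SOCK_CLOEXEC
	type &= ~SOCK_CLOEXEC;
#endif
#ifdef SOCK_NONBLOCK
	type &= ~SOCK_NONBLOCK;
#endif
	if (!rs->restricts_sockets)
		return true; /* unrestricted process: legacy behaviour */
	for (size_t i = 0; i < rs->nr_rules; i++) {
		const struct landlock_socket_attr *r = &rs->rules[i];
		if (r->domain == domain && r->type == type &&
		    (r->allowed_access & SOCKET_ACCESS_CREATE))
			return true;
	}
	return false; /* no matching rule: denied */
}

/* Constructed sample policy: only IPv4 TCP and Unix stream sockets. */
static const struct landlock_socket_attr sample_rules[] = {
	{ SOCKET_ACCESS_CREATE, AF_INET, SOCK_STREAM },
	{ SOCKET_ACCESS_CREATE, AF_UNIX, SOCK_STREAM },
};
const struct socket_ruleset sample_ruleset = { sample_rules, 2, true };
const struct socket_ruleset open_ruleset = { NULL, 0, false };
```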