[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240524093015.2402952-1-ivanov.mikhail1@huawei-partners.com>
Date: Fri, 24 May 2024 17:30:03 +0800
From: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>
To: <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<artem.kuzin@...wei.com>, <konstantin.meskhidze@...wei.com>
Subject: [RFC PATCH v2 00/12] Socket type control for Landlock
Hello! This is v2 RFC patch dedicated to socket protocols restriction.
It is based on the landlock's mic-next branch on top of v6.9 kernel
version.
Description
===========
Patchset implements new type of Landlock rule, that restricts socket
protocols used in the sandboxed process. This restriction does not affect
socket actions such as bind(2) or send(2), only those actions that result
in a socket with unwanted protocol (e.g. creating socket with socket(2)).
Such restriction would be useful to ensure that a sandboxed process uses
only necessary protocols. For example sandboxed TCP server may want to
permit only TCP sockets and deny any others. See [1] for more cases.
The rules store information about the socket family and type. Thus, any
protocol that can be defined by a family-type pair can be restricted by
Landlock.
struct landlock_socket_attr {
__u64 allowed_access;
int family; // same as domain in socket(2)
int type; // see socket(2)
}
Patchset currently implements rule only for socket creation, but
other necessary rules will also be impemented. [2]
[1] https://lore.kernel.org/all/ZJvy2SViorgc+cZI@google.com/
[2] https://lore.kernel.org/all/b8a2045a-e7e8-d141-7c01-bf47874c7930@digikod.net/
Code coverage
=============
Code coverage(gcov) report with the launch of all the landlock selftests:
* security/landlock:
lines......: 93.3% (795 of 852 lines)
functions..: 95.5% (106 of 111 functions)
* security/landlock/socket.c:
lines......: 100.0% (33 of 33 lines)
functions..: 100.0% (5 of 5 functions)
General changes
===============
* Rebases on mic-next (landlock-6.10-rc1).
* Refactors code and commits.
* Renames `family` into `domain` in landlock_socket_attr.
* Changes ABI version from 5 to 6.
* Reverts landlock_key.data type from u64 to uinptr_t.
* Adds mini.socket_overflow, mini.socket_invalid_type tests.
Previous versions
=================
v1: https://lore.kernel.org/all/20240408093927.1759381-1-ivanov.mikhail1@huawei-partners.com/
Mikhail Ivanov (12):
landlock: Support socket access-control
landlock: Add hook on socket creation
selftests/landlock: Add protocol.create to socket tests
selftests/landlock: Add protocol.socket_access_rights to socket tests
selftests/landlock: Add protocol.rule_with_unknown_access to socket
tests
selftests/landlock: Add protocol.rule_with_unhandled_access to socket
tests
selftests/landlock: Add protocol.inval to socket tests
selftests/landlock: Add tcp_layers.ruleset_overlap to socket tests
selftests/landlock: Add mini.ruleset_with_unknown_access to socket
tests
selftests/landlock: Add mini.socket_overflow to socket tests
selftests/landlock: Add mini.socket_invalid_type to socket tests
samples/landlock: Support socket protocol restrictions
include/uapi/linux/landlock.h | 53 +-
samples/landlock/sandboxer.c | 141 ++++-
security/landlock/Makefile | 2 +-
security/landlock/limits.h | 5 +
security/landlock/ruleset.c | 37 +-
security/landlock/ruleset.h | 41 +-
security/landlock/setup.c | 2 +
security/landlock/socket.c | 130 ++++
security/landlock/socket.h | 19 +
security/landlock/syscalls.c | 66 +-
tools/testing/selftests/landlock/base_test.c | 2 +-
tools/testing/selftests/landlock/common.h | 1 +
tools/testing/selftests/landlock/config | 1 +
.../testing/selftests/landlock/socket_test.c | 581 ++++++++++++++++++
14 files changed, 1056 insertions(+), 25 deletions(-)
create mode 100644 security/landlock/socket.c
create mode 100644 security/landlock/socket.h
create mode 100644 tools/testing/selftests/landlock/socket_test.c
--
2.34.1
Powered by blists - more mailing lists