Date: Fri, 24 May 2024 17:30:03 +0800
From: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>
To: <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>,
	<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
	<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
	<artem.kuzin@...wei.com>, <konstantin.meskhidze@...wei.com>
Subject: [RFC PATCH v2 00/12] Socket type control for Landlock

Hello! This is the v2 RFC patch dedicated to socket protocol restriction.

It is based on the landlock's mic-next branch on top of v6.9 kernel
version.

Description
===========
The patchset implements a new type of Landlock rule that restricts the socket
protocols used in a sandboxed process. This restriction does not affect
socket actions such as bind(2) or send(2), only those actions that result
in a socket with an unwanted protocol (e.g. creating a socket with socket(2)).

Such a restriction would be useful to ensure that a sandboxed process uses
only the necessary protocols. For example, a sandboxed TCP server may want to
permit only TCP sockets and deny any others. See [1] for more cases.

The rules store information about the socket family and type. Thus, any
protocol that can be defined by a family-type pair can be restricted by
Landlock.

struct landlock_socket_attr {
	__u64 allowed_access;
	int family; // same as domain in socket(2)
	int type; // see socket(2)
};

The patchset currently implements a rule only for socket creation, but
other necessary rules will also be implemented. [2]

[1] https://lore.kernel.org/all/ZJvy2SViorgc+cZI@google.com/
[2] https://lore.kernel.org/all/b8a2045a-e7e8-d141-7c01-bf47874c7930@digikod.net/
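The following is an added userspace model of the semantics described above (not the patchset's kernel code): rules key on a family/type pair, a layer that does not handle the socket access right does not restrict it, and nested Landlock layers can only narrow what an outer layer allowed. The MODEL_ACCESS_SOCKET_CREATE bit, the `struct layer` type and the scenario rulesets are constructed for illustration and are not ABI values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/socket.h>

/* Rule attribute as in the cover letter; the access bit is a constructed placeholder, not the ABI. */
#define MODEL_ACCESS_SOCKET_CREATE (1ULL << 0)
struct landlock_socket_attr {
	uint64_t allowed_access;
	int family; /* same as domain in socket(2) */
	int type;   /* see socket(2) */
};
struct layer { /* one enforcement layer: handled access bits plus its rules */
	uint64_t handled_access;
	const struct landlock_socket_attr *rules;
	size_t nr_rules;
};
static bool layer_allows(const struct layer *l, int family, int type, uint64_t access)
{
	uint64_t allowed = 0;
	/* A layer that does not handle this access right never restricts it. */
	if (!(l->handled_access & access))
		return true;
	for (size_t i = 0; i < l->nr_rules; i++)
		if (l->rules[i].family == family && l->rules[i].type == type)
			allowed |= l->rules[i].allowed_access;
	return (allowed & access) == access;
}
/* Layers stack: creation is allowed only if every layer allows it. socket(2)
 * accepts SOCK_NONBLOCK/SOCK_CLOEXEC ORed into type, so match the bare type. */
bool socket_create_allowed(const struct layer *layers, size_t n, int family, int type)
{
	type &= ~(SOCK_NONBLOCK | SOCK_CLOEXEC);
	for (size_t i = 0; i < n; i++)
		if (!layer_allows(&layers[i], family, type, MODEL_ACCESS_SOCKET_CREATE))
			return false;
	return true;
}

/* Constructed scenario: an outer layer permits IPv4 TCP and UDP, a nested inner
 * layer narrows that to TCP; fs_only_layers handles no socket access at all. */
static const struct landlock_socket_attr outer_rules[] = {
	{ MODEL_ACCESS_SOCKET_CREATE, AF_INET, SOCK_STREAM },
	{ MODEL_ACCESS_SOCKET_CREATE, AF_INET, SOCK_DGRAM },
};
static const struct landlock_socket_attr inner_rules[] = { { MODEL_ACCESS_SOCKET_CREATE, AF_INET, SOCK_STREAM } };
const struct layer tcp_server_layers[] = {
	{ MODEL_ACCESS_SOCKET_CREATE, outer_rules, 2 },
	{ MODEL_ACCESS_SOCKET_CREATE, inner_rules, 1 },
};
const struct layer fs_only_layers[] = { { 0, NULL, 0 } };
```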

Code coverage
=============
Code coverage (gcov) report with the launch of all the landlock selftests:
* security/landlock:
lines......: 93.3% (795 of 852 lines)
functions..: 95.5% (106 of 111 functions)

* security/landlock/socket.c:
lines......: 100.0% (33 of 33 lines)
functions..: 100.0% (5 of 5 functions)

General changes
===============
 * Rebases on mic-next (landlock-6.10-rc1).
 * Refactors code and commits.
 * Renames `family` into `domain` in landlock_socket_attr.
 * Changes ABI version from 5 to 6.
 * Reverts landlock_key.data type from u64 to uintptr_t.
 * Adds mini.socket_overflow, mini.socket_invalid_type tests.

Previous versions
=================
v1: https://lore.kernel.org/all/20240408093927.1759381-1-ivanov.mikhail1@huawei-partners.com/

Mikhail Ivanov (12):
  landlock: Support socket access-control
  landlock: Add hook on socket creation
  selftests/landlock: Add protocol.create to socket tests
  selftests/landlock: Add protocol.socket_access_rights to socket tests
  selftests/landlock: Add protocol.rule_with_unknown_access to socket
    tests
  selftests/landlock: Add protocol.rule_with_unhandled_access to socket
    tests
  selftests/landlock: Add protocol.inval to socket tests
  selftests/landlock: Add tcp_layers.ruleset_overlap to socket tests
  selftests/landlock: Add mini.ruleset_with_unknown_access to socket
    tests
  selftests/landlock: Add mini.socket_overflow to socket tests
  selftests/landlock: Add mini.socket_invalid_type to socket tests
  samples/landlock: Support socket protocol restrictions

 include/uapi/linux/landlock.h                 |  53 +-
 samples/landlock/sandboxer.c                  | 141 ++++-
 security/landlock/Makefile                    |   2 +-
 security/landlock/limits.h                    |   5 +
 security/landlock/ruleset.c                   |  37 +-
 security/landlock/ruleset.h                   |  41 +-
 security/landlock/setup.c                     |   2 +
 security/landlock/socket.c                    | 130 ++++
 security/landlock/socket.h                    |  19 +
 security/landlock/syscalls.c                  |  66 +-
 tools/testing/selftests/landlock/base_test.c  |   2 +-
 tools/testing/selftests/landlock/common.h     |   1 +
 tools/testing/selftests/landlock/config       |   1 +
 .../testing/selftests/landlock/socket_test.c  | 581 ++++++++++++++++++
 14 files changed, 1056 insertions(+), 25 deletions(-)
 create mode 100644 security/landlock/socket.c
 create mode 100644 security/landlock/socket.h
 create mode 100644 tools/testing/selftests/landlock/socket_test.c

-- 
2.34.1