lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ed94e1e51c4545a7b4be6a756dcdc44d@AcuMS.aculab.com>
Date: Fri, 8 Nov 2024 17:16:50 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Mikhail Ivanov' <ivanov.mikhail1@...wei-partners.com>,
	Mickaël Salaün <mic@...ikod.net>, Matthieu Baerts
	<matttbe@...nel.org>, "linux-sctp@...r.kernel.org"
	<linux-sctp@...r.kernel.org>
CC: "gnoack@...gle.com" <gnoack@...gle.com>, "willemdebruijn.kernel@...il.com"
	<willemdebruijn.kernel@...il.com>, "matthieu@...fet.re" <matthieu@...fet.re>,
	"linux-security-module@...r.kernel.org"
	<linux-security-module@...r.kernel.org>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>, "netfilter-devel@...r.kernel.org"
	<netfilter-devel@...r.kernel.org>, "yusongping@...wei.com"
	<yusongping@...wei.com>, "artem.kuzin@...wei.com" <artem.kuzin@...wei.com>,
	"konstantin.meskhidze@...wei.com" <konstantin.meskhidze@...wei.com>, "MPTCP
 Linux" <mptcp@...ts.linux.dev>
Subject: RE: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction

From: Mikhail Ivanov
> Sent: 31 October 2024 16:22
> 
> On 10/18/2024 9:08 PM, Mickaël Salaün wrote:
> > On Thu, Oct 17, 2024 at 02:59:48PM +0200, Matthieu Baerts wrote:
> >> Hi Mikhail and Landlock maintainers,
> >>
> >> +cc MPTCP list.
> >
> > Thanks, we should include this list in the next series.
> >
> >>
> >> On 17/10/2024 13:04, Mikhail Ivanov wrote:
> >>> Do not check TCP access right if socket protocol is not IPPROTO_TCP.
> >>> LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP
> >>> should not restrict bind(2) and connect(2) for non-TCP protocols
> >>> (SCTP, MPTCP, SMC).

I suspect you should check all IP protocols.
After all if TCP is banned why should SCTP be allowed?
Maybe you should have a different (probably more severe) restriction on SCTP.
You'd also need to look at the socket options used to add additional
local and remote IP addresses to a connect attempt.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ