Message-ID: <20241204.ipheevic6eeB@digikod.net>
Date: Wed, 4 Dec 2024 20:29:59 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: David Laight <David.Laight@...lab.com>
Cc: 'Mikhail Ivanov' <ivanov.mikhail1@...wei-partners.com>,
Matthieu Baerts <matttbe@...nel.org>, "linux-sctp@...r.kernel.org" <linux-sctp@...r.kernel.org>,
"gnoack@...gle.com" <gnoack@...gle.com>,
"willemdebruijn.kernel@...il.com" <willemdebruijn.kernel@...il.com>, "matthieu@...fet.re" <matthieu@...fet.re>,
"linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>, "yusongping@...wei.com" <yusongping@...wei.com>,
"artem.kuzin@...wei.com" <artem.kuzin@...wei.com>,
"konstantin.meskhidze@...wei.com" <konstantin.meskhidze@...wei.com>, MPTCP Linux <mptcp@...ts.linux.dev>
Subject: Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction

On Fri, Nov 08, 2024 at 05:16:50PM +0000, David Laight wrote:
> From: Mikhail Ivanov
> > Sent: 31 October 2024 16:22
> >
> > On 10/18/2024 9:08 PM, Mickaël Salaün wrote:
> > > On Thu, Oct 17, 2024 at 02:59:48PM +0200, Matthieu Baerts wrote:
> > >> Hi Mikhail and Landlock maintainers,
> > >>
> > >> +cc MPTCP list.
> > >
> > > Thanks, we should include this list in the next series.
> > >
> > >>
> > >> On 17/10/2024 13:04, Mikhail Ivanov wrote:
> > >>> Do not check TCP access right if socket protocol is not IPPROTO_TCP.
> > >>> LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP
> > >>> should not restrict bind(2) and connect(2) for non-TCP protocols
> > >>> (SCTP, MPTCP, SMC).
>
> I suspect you should check all IP protocols.
> After all if TCP is banned why should SCTP be allowed?
> Maybe you should have a different (probably more severe) restriction on SCTP.
> You'd also need to look at the socket options used to add additional
> local and remote IP addresses to a connect attempt.

Indeed, setsockopt()'s SCTP_SOCKOPT_BINDX_ADD and SCTP_SOCKOPT_CONNECTX
don't go through the socket_bind() or socket_connect() LSM hooks but the
security_sctp_bind_connect() hook instead. This SCTP-specific hook is
not implemented for Landlock and the current implementation only
partially controls such operations for SCTP. This also makes it clear
that we really need to stick to TCP-only for the TCP access rights.

It would be nice to add support for SCTP but we'll need to implement
security_sctp_bind_connect() and new tests with the setsockopt()
commands.