| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250422.iesaivaj8Aeb@digikod.net> Date: Tue, 22 Apr 2025 19:19:02 +0200 From: Mickaël Salaün <mic@...ikod.net> To: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com> Cc: willemdebruijn.kernel@...il.com, gnoack3000@...il.com, linux-security-module@...r.kernel.org, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, yusongping@...wei.com, artem.kuzin@...wei.com, konstantin.meskhidze@...wei.com, Paul Moore <paul@...l-moore.com> Subject: Re: [RFC PATCH v3 00/19] Support socket access-control Hi Mikhail. Could you please send a new version taking into account the reviews? This series should support audit by logging socket creation denials and extending audit_log_lsm_data(). You can get inspiration from the format used by audit_net_cb() but without the number to text translation, that can be handled by auditd if needed. New tests should check these new audit logs. On Wed, Sep 04, 2024 at 06:48:05PM +0800, Mikhail Ivanov wrote: > Hello! This is v3 RFC patch dedicated to socket protocols restriction. > > It is based on the landlock's mic-next branch on top of v6.11-rc1 kernel > version. > > Objective > ========= > Extend Landlock with a mechanism to restrict any set of protocols in > a sandboxed process. > > Closes: https://github.com/landlock-lsm/linux/issues/6 > > Motivation > ========== > Landlock implements the `LANDLOCK_RULE_NET_PORT` rule type, which provides > fine-grained control of actions for a specific protocol. Any action or > protocol that is not supported by this rule can not be controlled. As a > result, protocols for which fine-grained control is not supported can be > used in a sandboxed system and lead to vulnerabilities or unexpected > behavior. > > Controlling the protocols used will allow to use only those that are > necessary for the system and/or which have fine-grained Landlock control > through others types of rules (e.g. TCP bind/connect control with > `LANDLOCK_RULE_NET_PORT`, UNIX bind control with > `LANDLOCK_RULE_PATH_BENEATH`). > > Consider following examples: > * Server may want to use only TCP sockets for which there is fine-grained > control of bind(2) and connect(2) actions [1]. > * System that does not need a network or that may want to disable network > for security reasons (e.g. [2]) can achieve this by restricting the use > of all possible protocols. > > [1] https://lore.kernel.org/all/ZJvy2SViorgc+cZI@google.com/ > [2] https://cr.yp.to/unix/disablenetwork.html > > Implementation > ============== > This patchset adds control over the protocols used by implementing a > restriction of socket creation. This is possible thanks to the new type > of rule - `LANDLOCK_RULE_SOCKET`, that allows to restrict actions on > sockets, and a new access right - `LANDLOCK_ACCESS_SOCKET_CREATE`, that > corresponds to creating user space sockets. The key in this rule is a pair > of address family and socket type (Cf. socket(2)). > > The right to create a socket is checked in the LSM hook, which is called > in the __sock_create method. The following user space operations are > subject to this check: socket(2), socketpair(2), io_uring(7). > > In the case of connection-based socket types, > `LANDLOCK_ACCESS_SOCKET_CREATE` does not restrict the actions that result > in creation of sockets used for messaging between already existing > endpoints (e.g. accept(2), setsockopt(2) with option > `SCTP_SOCKOPT_PEELOFF`). > > Current limitations > =================== > `SCTP_SOCKOPT_PEELOFF` should not be restricted (see test > socket_creation.sctp_peeloff). > > SCTP socket can be connected to a multiple endpoints (one-to-many > relation). Calling setsockopt(2) on such socket with option > `SCTP_SOCKOPT_PEELOFF` detaches one of existing connections to a separate > UDP socket. This detach is currently restrictable. > > Code coverage > ============= > Code coverage(gcov) report with the launch of all the landlock selftests: > * security/landlock: > lines......: 93.5% (794 of 849 lines) > functions..: 95.5% (106 of 111 functions) > > * security/landlock/socket.c: > lines......: 100.0% (33 of 33 lines) > functions..: 100.0% (4 of 4 functions) > > General changes v2->v3 > ====================== > * Implementation > * Accepts (AF_INET, SOCK_PACKET) as an alias for (AF_PACKET, SOCK_PACKET). > * Adds check to not restrict kernel sockets. > * Fixes UB in pack_socket_key(). > * Refactors documentation. > * Tests > * Extends variants of `protocol` fixture with every protocol that can be > used to create user space sockets. > * Adds 5 new tests: > * 3 tests to check socketpair(2), accept(2) and sctp_peeloff > restriction. > * 1 test to check restriction of kernel sockets. > * 1 test to check AF_PACKET aliases. > * Documentation > * Updates Documentation/userspace-api/landlock.rst. > * Commits > * Rebases on mic-next. > * Refactors commits. > > Previous versions > ================= > v2: https://lore.kernel.org/all/20240524093015.2402952-1-ivanov.mikhail1@huawei-partners.com/ > v1: https://lore.kernel.org/all/20240408093927.1759381-1-ivanov.mikhail1@huawei-partners.com/ > > Mikhail Ivanov (19): > landlock: Support socket access-control > landlock: Add hook on socket creation > selftests/landlock: Test basic socket restriction > selftests/landlock: Test adding a rule with each supported access > selftests/landlock: Test adding a rule for each unknown access > selftests/landlock: Test adding a rule for unhandled access > selftests/landlock: Test adding a rule for empty access > selftests/landlock: Test overlapped restriction > selftests/landlock: Test creating a ruleset with unknown access > selftests/landlock: Test adding a rule with family and type outside > the range > selftests/landlock: Test unsupported protocol restriction > selftests/landlock: Test that kernel space sockets are not restricted > selftests/landlock: Test packet protocol alias > selftests/landlock: Test socketpair(2) restriction > selftests/landlock: Test SCTP peeloff restriction > selftests/landlock: Test that accept(2) is not restricted > samples/landlock: Replace atoi() with strtoull() in > populate_ruleset_net() > samples/landlock: Support socket protocol restrictions > landlock: Document socket rule type support > > Documentation/userspace-api/landlock.rst | 46 +- > include/uapi/linux/landlock.h | 61 +- > samples/landlock/sandboxer.c | 135 ++- > security/landlock/Makefile | 2 +- > security/landlock/limits.h | 4 + > security/landlock/ruleset.c | 33 +- > security/landlock/ruleset.h | 45 +- > security/landlock/setup.c | 2 + > security/landlock/socket.c | 137 +++ > security/landlock/socket.h | 19 + > security/landlock/syscalls.c | 66 +- > tools/testing/selftests/landlock/base_test.c | 2 +- > tools/testing/selftests/landlock/common.h | 13 + > tools/testing/selftests/landlock/config | 47 + > tools/testing/selftests/landlock/net_test.c | 11 - > .../testing/selftests/landlock/socket_test.c | 1013 +++++++++++++++++ > 16 files changed, 1593 insertions(+), 43 deletions(-) > create mode 100644 security/landlock/socket.c > create mode 100644 security/landlock/socket.h > create mode 100644 tools/testing/selftests/landlock/socket_test.c > > > base-commit: 8400291e289ee6b2bf9779ff1c83a291501f017b > -- > 2.34.1 > >
Powered by blists - more mailing lists