[RFC,v2,0/9] Support TCP listen access-control

Message ID	20240814030151.2380280-1-ivanov.mikhail1@huawei-partners.com (mailing list archive)
Headers	show Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 04F9918E3F; Wed, 14 Aug 2024 03:02:09 +0000 (UTC) From: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com> To: <mic@digikod.net> CC: <willemdebruijn.kernel@gmail.com>, <gnoack3000@gmail.com>, <linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>, <netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>, <artem.kuzin@huawei.com>, <konstantin.meskhidze@huawei.com> Subject: [RFC PATCH v2 0/9] Support TCP listen access-control Date: Wed, 14 Aug 2024 11:01:42 +0800 Message-ID: <20240814030151.2380280-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	Support TCP listen access-control \| expand [RFC,v2,0/9] Support TCP listen access-control [RFC,v2,1/9] landlock: Refactor current_check_access_socket() access right check [RFC,v2,2/9] landlock: Support TCP listen access-control [RFC,v2,3/9] selftests/landlock: Support LANDLOCK_ACCESS_NET_LISTEN_TCP [RFC,v2,4/9] selftests/landlock: Test listening restriction [RFC,v2,5/9] selftests/landlock: Test listen on connected socket [RFC,v2,6/9] selftests/landlock: Test listening without explicit bind restriction [RFC,v2,7/9] selftests/landlock: Test listen on ULP socket without clone method [RFC,v2,8/9] selftests/landlock: Test changing socket backlog with listen(2) [RFC,v2,9/9] samples/landlock: Support LANDLOCK_ACCESS_NET_LISTEN

Message ID

20240814030151.2380280-1-ivanov.mikhail1@huawei-partners.com (mailing list archive)

Headers

From: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
To: <mic@digikod.net>
CC: <willemdebruijn.kernel@gmail.com>, <gnoack3000@gmail.com>,
	<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
	<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
	<artem.kuzin@huawei.com>, <konstantin.meskhidze@huawei.com>
Subject: [RFC PATCH v2 0/9] Support TCP listen access-control
Date: Wed, 14 Aug 2024 11:01:42 +0800
Message-ID: <20240814030151.2380280-1-ivanov.mikhail1@huawei-partners.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

Support TCP listen access-control | expand

Message

Mikhail Ivanov Aug. 14, 2024, 3:01 a.m. UTC

Hello! This is v2 RFC patch dedicated to restriction of listening sockets.

It is based on the landlock's mic-next branch on top of 6.11-rc1 kernel
version.

Description
===========
LANDLOCK_ACCESS_NET_BIND_TCP is useful to limit the scope of "bindable"
ports to forbid a malicious sandboxed process to impersonate a legitimate
server process. However, bind(2) might be used by (TCP) clients to set the
source port to a (legitimate) value. Controlling the ports that can be
used for listening would allow (TCP) clients to explicitly bind to ports
that are forbidden for listening.

Such control is implemented with a new LANDLOCK_ACCESS_NET_LISTEN_TCP
access right that restricts listening on undesired ports with listen(2).

It's worth noticing that this access right doesn't affect changing 
backlog value using listen(2) on already listening socket. For this case
test ipv4_tcp.double_listen is provided.

Closes: https://github.com/landlock-lsm/linux/issues/15

Code coverage
=============
Code coverage(gcov) report with the launch of all the landlock selftests:
* security/landlock:
lines......: 93.4% (759 of 813 lines)
functions..: 95.3% (101 of 106 functions)

* security/landlock/net.c:
lines......: 100% (77 of 77 lines)
functions..: 100% (9 of 9 functions)

General changes
===============
 * Rebases on Linux 6.11-rc1.
 * Refactors 'struct landlock_net_port_attr' documentation.
 * Uses 'protocol' fixture instead of 'ipv4_tcp' in 'listen_on_connected'
   and 'espintcp_listen' tests.

Previous versions
=================
v1: https://lore.kernel.org/all/20240728002602.3198398-1-ivanov.mikhail1@huawei-partners.com/

Mikhail Ivanov (9):
  landlock: Refactor current_check_access_socket() access right check
  landlock: Support TCP listen access-control
  selftests/landlock: Support LANDLOCK_ACCESS_NET_LISTEN_TCP
  selftests/landlock: Test listening restriction
  selftests/landlock: Test listen on connected socket
  selftests/landlock: Test listening without explicit bind restriction
  selftests/landlock: Test listen on ULP socket without clone method
  selftests/landlock: Test changing socket backlog with listen(2)
  samples/landlock: Support LANDLOCK_ACCESS_NET_LISTEN

 include/uapi/linux/landlock.h                |  26 +-
 samples/landlock/sandboxer.c                 |  31 +-
 security/landlock/limits.h                   |   2 +-
 security/landlock/net.c                      | 139 +++++-
 security/landlock/syscalls.c                 |   2 +-
 tools/testing/selftests/landlock/base_test.c |   2 +-
 tools/testing/selftests/landlock/config      |   4 +
 tools/testing/selftests/landlock/net_test.c  | 469 +++++++++++++++----
 8 files changed, 554 insertions(+), 121 deletions(-)


base-commit: 8400291e289ee6b2bf9779ff1c83a291501f017b

Comments

Günther Noack Aug. 20, 2024, 1:11 p.m. UTC | #1

Hello!

Thanks for sending v2 of this patchset!

On Wed, Aug 14, 2024 at 11:01:42AM +0800, Mikhail Ivanov wrote:
> Hello! This is v2 RFC patch dedicated to restriction of listening sockets.
> 
> It is based on the landlock's mic-next branch on top of 6.11-rc1 kernel
> version.
> 
> Description
> ===========
> LANDLOCK_ACCESS_NET_BIND_TCP is useful to limit the scope of "bindable"
> ports to forbid a malicious sandboxed process to impersonate a legitimate
> server process. However, bind(2) might be used by (TCP) clients to set the
> source port to a (legitimate) value. Controlling the ports that can be
> used for listening would allow (TCP) clients to explicitly bind to ports
> that are forbidden for listening.
> 
> Such control is implemented with a new LANDLOCK_ACCESS_NET_LISTEN_TCP
> access right that restricts listening on undesired ports with listen(2).
> 
> It's worth noticing that this access right doesn't affect changing 
> backlog value using listen(2) on already listening socket. For this case
> test ipv4_tcp.double_listen is provided.

This is a good catch, btw, that seems like the right thing to do.

Günther Noack Aug. 20, 2024, 1:23 p.m. UTC | #2

On Tue, Aug 20, 2024 at 03:11:07PM +0200, Günther Noack wrote:
> Hello!
> 
> Thanks for sending v2 of this patchset!
> 
> On Wed, Aug 14, 2024 at 11:01:42AM +0800, Mikhail Ivanov wrote:
> > Hello! This is v2 RFC patch dedicated to restriction of listening sockets.
> > 
> > It is based on the landlock's mic-next branch on top of 6.11-rc1 kernel
> > version.
> > 
> > Description
> > ===========
> > LANDLOCK_ACCESS_NET_BIND_TCP is useful to limit the scope of "bindable"
> > ports to forbid a malicious sandboxed process to impersonate a legitimate
> > server process. However, bind(2) might be used by (TCP) clients to set the
> > source port to a (legitimate) value. Controlling the ports that can be
> > used for listening would allow (TCP) clients to explicitly bind to ports
> > that are forbidden for listening.
> > 
> > Such control is implemented with a new LANDLOCK_ACCESS_NET_LISTEN_TCP
> > access right that restricts listening on undesired ports with listen(2).
> > 
> > It's worth noticing that this access right doesn't affect changing 
> > backlog value using listen(2) on already listening socket. For this case
> > test ipv4_tcp.double_listen is provided.
> 
> This is a good catch, btw, that seems like the right thing to do.

Mikhail Ivanov Aug. 20, 2024, 1:53 p.m. UTC | #3

8/20/2024 4:23 PM, Günther Noack wrote:
> On Tue, Aug 20, 2024 at 03:11:07PM +0200, Günther Noack wrote:
>> Hello!
>>
>> Thanks for sending v2 of this patchset!
>>
>> On Wed, Aug 14, 2024 at 11:01:42AM +0800, Mikhail Ivanov wrote:
>>> Hello! This is v2 RFC patch dedicated to restriction of listening sockets.
>>>
>>> It is based on the landlock's mic-next branch on top of 6.11-rc1 kernel
>>> version.
>>>
>>> Description
>>> ===========
>>> LANDLOCK_ACCESS_NET_BIND_TCP is useful to limit the scope of "bindable"
>>> ports to forbid a malicious sandboxed process to impersonate a legitimate
>>> server process. However, bind(2) might be used by (TCP) clients to set the
>>> source port to a (legitimate) value. Controlling the ports that can be
>>> used for listening would allow (TCP) clients to explicitly bind to ports
>>> that are forbidden for listening.
>>>
>>> Such control is implemented with a new LANDLOCK_ACCESS_NET_LISTEN_TCP
>>> access right that restricts listening on undesired ports with listen(2).
>>>
>>> It's worth noticing that this access right doesn't affect changing
>>> backlog value using listen(2) on already listening socket. For this case
>>> test ipv4_tcp.double_listen is provided.
>>
>> This is a good catch, btw, that seems like the right thing to do.