Re: [RFC PATCH 0/2] Landlock network PoC implementation

["Mickaël Salaün" <mic@digikod.net>]

Here is the beginning of the thread: 
https://lore.kernel.org/linux-security-module/a1769c4239ee4e8aadb65f9ebb6061d8@huawei.com/

On 17/12/2021 22:29, Willem de Bruijn wrote:
> On Fri, Dec 17, 2021 at 4:38 AM Mickaël Salaün <mic@digikod.net> wrote:

[...]

>>>>
>>>> Accesses/suffixes should be:
>>>> - CREATE
>>>> - ACCEPT
>>>> - BIND
>>>> - LISTEN
>>>> - CONNECT
>>>> - RECEIVE (RECEIVE_FROM and SEND_TO should not be needed)
>>>> - SEND
>>>> - SHUTDOWN
>>>> - GET_OPTION (GETSOCKOPT)
>>>> - SET_OPTION (SETSOCKOPT)
>>
>> For now, the only access rights should be LANDLOCK_ACCESS_NET_BIND_TCP
>> and LANDLOCK_ACCESS_NET_CONNECT_TCP (tie to two LSM hooks with struct
>> sockaddr).
>>
>> These attribute and access right changes reduce the scope of the network
>> access control and make it simpler but still really useful. Datagram
>> (e.g. UDP, which could add BIND_UDP and SEND_UDP) sockets will be more
>> complex to restrict correctly and should then come in another patch
>> series, once TCP is supported.
> 
> Thanks for cc:ing the netdev list. I miss some of context, assume that
> limits are configured on a socket basis.
> 
> One practical use-case I had for voluntary relinquish of privileges:
> do not allow connect AF_UNSPEC. This is a little-used feature that
> allows an already established connection to disconnect and create a
> new connection. Without this option, it is possible for a privileged
> process to create connections and hand those off to a less privileged
> process. Also, do not allow listen calls, to avoid elevating a socket
> to a listener.

Thanks for the heads up. connect + AF_UNSPEC is a nice trick but the 
security_socket_connect() hook should handle that, and then the 
LANDOCK_ACCESS_NET_CONNECT_TCP right too. This should be part of tests 
though.