From: "Mickaël Salaün" <mic@digikod.net>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
yusongping <yusongping@huawei.com>,
Artem Kuzin <artem.kuzin@huawei.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
netfilter@vger.kernel.org
Subject: Re: [RFC PATCH 0/2] Landlock network PoC implementation
Date: Sat, 18 Dec 2021 11:59:26 +0100 [thread overview]
Message-ID: <1344bc15-6dec-fcc2-8523-215aad17a535@digikod.net> (raw)
In-Reply-To: <CA+FuTSd8RxC9UGfJZA99p3CMxAQhESR_huXYScgwJWGonwbxOw@mail.gmail.com>
Here is the beginning of the thread:
https://lore.kernel.org/linux-security-module/a1769c4239ee4e8aadb65f9ebb6061d8@huawei.com/
On 17/12/2021 22:29, Willem de Bruijn wrote:
> On Fri, Dec 17, 2021 at 4:38 AM Mickaël Salaün <mic@digikod.net> wrote:
[...]
>>>>
>>>> Accesses/suffixes should be:
>>>> - CREATE
>>>> - ACCEPT
>>>> - BIND
>>>> - LISTEN
>>>> - CONNECT
>>>> - RECEIVE (RECEIVE_FROM and SEND_TO should not be needed)
>>>> - SEND
>>>> - SHUTDOWN
>>>> - GET_OPTION (GETSOCKOPT)
>>>> - SET_OPTION (SETSOCKOPT)
>>
>> For now, the only access rights should be LANDLOCK_ACCESS_NET_BIND_TCP
>> and LANDLOCK_ACCESS_NET_CONNECT_TCP (tie to two LSM hooks with struct
>> sockaddr).
>>
>> These attribute and access right changes reduce the scope of the network
>> access control and make it simpler but still really useful. Datagram
>> (e.g. UDP, which could add BIND_UDP and SEND_UDP) sockets will be more
>> complex to restrict correctly and should then come in another patch
>> series, once TCP is supported.
>
> Thanks for cc:ing the netdev list. I miss some of context, assume that
> limits are configured on a socket basis.
>
> One practical use-case I had for voluntary relinquish of privileges:
> do not allow connect AF_UNSPEC. This is a little-used feature that
> allows an already established connection to disconnect and create a
> new connection. Without this option, it is possible for a privileged
> process to create connections and hand those off to a less privileged
> process. Also, do not allow listen calls, to avoid elevating a socket
> to a listener.
Thanks for the heads up. connect + AF_UNSPEC is a nice trick but the
security_socket_connect() hook should handle that, and then the
LANDOCK_ACCESS_NET_CONNECT_TCP right too. This should be part of tests
though.
next prev parent reply other threads:[~2021-12-18 10:57 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-10 7:21 [RFC PATCH 0/2] Landlock network PoC implementation Konstantin Meskhidze
2021-12-10 16:57 ` Casey Schaufler
2021-12-10 23:01 ` Paul Moore
2021-12-30 6:53 ` Konstantin Meskhidze
2021-12-13 8:29 ` Mickaël Salaün
[not found] ` <12467d8418f04fbf9fd4a456a2a999f1@huawei.com>
2021-12-14 11:51 ` Mickaël Salaün
2021-12-17 9:39 ` Mickaël Salaün
2021-12-17 21:29 ` Willem de Bruijn
2021-12-18 10:59 ` Mickaël Salaün [this message]
2021-12-18 8:26 ` Konstantin Meskhidze
2021-12-18 11:01 ` Mickaël Salaün
2021-12-20 3:52 ` Konstantin Meskhidze
2021-12-21 21:15 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1344bc15-6dec-fcc2-8523-215aad17a535@digikod.net \
--to=mic@digikod.net \
--cc=artem.kuzin@huawei.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).