Re: [PATCH v5 00/15] Network support for Landlock - UDP discussion

From: "Mickaël Salaün" <mic@digikod.net>
To: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: willemdebruijn.kernel@gmail.com,
	linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org, yusongping@huawei.com,
	anton.sirazetdinov@huawei.com, Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH v5 00/15] Network support for Landlock - UDP discussion
Date: Fri, 20 May 2022 12:48:23 +0200	[thread overview]
Message-ID: <a5ef620d-0447-3d58-d9bd-1220b8411957@digikod.net> (raw)
In-Reply-To: <20220516152038.39594-1-konstantin.meskhidze@huawei.com>

Hi,

Regarding future plan to support UDP, it may not be possible to 
efficiently restrict sending on a port or receiving on a port because of 
the non-connnected state of UDP sockets. Indeed, when setting up a 
socket to send a packet on a specified port, we (automatically or 
manually) have a receiving port configured and this socket can be used 
to receive any UDP packet. An UDP socket could be restricted to only 
send/write or to receive/read from a specific port, but this would 
probably not be as useful as the TCP restrictions. That could look like 
RECEIVE_UDP and SEND_UDP access-rights but the LSM implementation would 
be more complex because of the socket/FD tracking. Moreover, the 
performance impact could be more important for every read and write 
syscall (whatever the FD type).

Any opinion?

Regards,
  Mickaël

On 16/05/2022 17:20, Konstantin Meskhidze wrote:
> Hi,
> This is a new V5 patch related to Landlock LSM network confinement.
> It is based on the latest landlock-wip branch on top of v5.18-rc5:
> https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip
> 
> It brings refactoring of previous patch version V4.
> Added additional selftests for IP6 network families and network namespace.
> Added TCP sockets confinement support in sandboxer demo.
> 
> All test were run in QEMU evironment and compiled with
>   -static flag.
>   1. network_test: 13/13 tests passed.
>   2. base_test: 7/7 tests passed.
>   3. fs_test: 59/59 tests passed.
>   4. ptrace_test: 8/8 tests passed.
> 
> Still have issue with base_test were compiled without -static flag
> (landlock-wip branch without network support)
> 1. base_test: 6/7 tests passed.
>   Error:
>   #  RUN           global.inconsistent_attr ...
>   # base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
>   # inconsistent_attr: Test terminated by assertion
>   #          FAIL  global.inconsistent_attr
> not ok 1 global.inconsistent_attr
> 
> LCOV - code coverage report:
>              Hit  Total  Coverage
> Lines:      952  1010    94.3 %
> Functions:  79   82      96.3 %
> 
> Previous versions:
> v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
> 
> Konstantin Meskhidze (15):
>    landlock: access mask renaming
>    landlock: landlock_find/insert_rule refactoring
>    landlock: merge and inherit function refactoring
>    landlock: helper functions refactoring
>    landlock: landlock_add_rule syscall refactoring
>    landlock: user space API network support
>    landlock: add support network rules
>    landlock: TCP network hooks implementation
>    seltests/landlock: add tests for bind() hooks
>    seltests/landlock: add tests for connect() hooks
>    seltests/landlock: connect() with AF_UNSPEC tests
>    seltests/landlock: rules overlapping test
>    seltests/landlock: ruleset expanding test
>    seltests/landlock: invalid user input data test
>    samples/landlock: adds network demo
> 
>   include/uapi/linux/landlock.h                |  48 +
>   samples/landlock/sandboxer.c                 | 105 ++-
>   security/landlock/Kconfig                    |   1 +
>   security/landlock/Makefile                   |   2 +
>   security/landlock/fs.c                       | 169 +---
>   security/landlock/limits.h                   |   8 +-
>   security/landlock/net.c                      | 159 ++++
>   security/landlock/net.h                      |  25 +
>   security/landlock/ruleset.c                  | 481 ++++++++--
>   security/landlock/ruleset.h                  | 102 +-
>   security/landlock/setup.c                    |   2 +
>   security/landlock/syscalls.c                 | 173 ++--
>   tools/testing/selftests/landlock/base_test.c |   4 +-
>   tools/testing/selftests/landlock/common.h    |   9 +
>   tools/testing/selftests/landlock/config      |   5 +-
>   tools/testing/selftests/landlock/fs_test.c   |  10 -
>   tools/testing/selftests/landlock/net_test.c  | 935 +++++++++++++++++++
>   17 files changed, 1925 insertions(+), 313 deletions(-)
>   create mode 100644 security/landlock/net.c
>   create mode 100644 security/landlock/net.h
>   create mode 100644 tools/testing/selftests/landlock/net_test.c
> 
> --
> 2.25.1
> 