From: "Mickaël Salaün" <mic@digikod.net>
To: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: willemdebruijn.kernel@gmail.com,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, yusongping@huawei.com,
anton.sirazetdinov@huawei.com, Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH v5 00/15] Network support for Landlock - UDP discussion
Date: Fri, 20 May 2022 12:48:23 +0200 [thread overview]
Message-ID: <a5ef620d-0447-3d58-d9bd-1220b8411957@digikod.net> (raw)
In-Reply-To: <20220516152038.39594-1-konstantin.meskhidze@huawei.com>
Hi,
Regarding future plan to support UDP, it may not be possible to
efficiently restrict sending on a port or receiving on a port because of
the non-connnected state of UDP sockets. Indeed, when setting up a
socket to send a packet on a specified port, we (automatically or
manually) have a receiving port configured and this socket can be used
to receive any UDP packet. An UDP socket could be restricted to only
send/write or to receive/read from a specific port, but this would
probably not be as useful as the TCP restrictions. That could look like
RECEIVE_UDP and SEND_UDP access-rights but the LSM implementation would
be more complex because of the socket/FD tracking. Moreover, the
performance impact could be more important for every read and write
syscall (whatever the FD type).
Any opinion?
Regards,
Mickaël
On 16/05/2022 17:20, Konstantin Meskhidze wrote:
> Hi,
> This is a new V5 patch related to Landlock LSM network confinement.
> It is based on the latest landlock-wip branch on top of v5.18-rc5:
> https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/log/?h=landlock-wip
>
> It brings refactoring of previous patch version V4.
> Added additional selftests for IP6 network families and network namespace.
> Added TCP sockets confinement support in sandboxer demo.
>
> All test were run in QEMU evironment and compiled with
> -static flag.
> 1. network_test: 13/13 tests passed.
> 2. base_test: 7/7 tests passed.
> 3. fs_test: 59/59 tests passed.
> 4. ptrace_test: 8/8 tests passed.
>
> Still have issue with base_test were compiled without -static flag
> (landlock-wip branch without network support)
> 1. base_test: 6/7 tests passed.
> Error:
> # RUN global.inconsistent_attr ...
> # base_test.c:54:inconsistent_attr:Expected ENOMSG (42) == errno (22)
> # inconsistent_attr: Test terminated by assertion
> # FAIL global.inconsistent_attr
> not ok 1 global.inconsistent_attr
>
> LCOV - code coverage report:
> Hit Total Coverage
> Lines: 952 1010 94.3 %
> Functions: 79 82 96.3 %
>
> Previous versions:
> v4: https://lore.kernel.org/linux-security-module/20220309134459.6448-1-konstantin.meskhidze@huawei.com/
> v3: https://lore.kernel.org/linux-security-module/20220124080215.265538-1-konstantin.meskhidze@huawei.com/
> v2: https://lore.kernel.org/linux-security-module/20211228115212.703084-1-konstantin.meskhidze@huawei.com/
> v1: https://lore.kernel.org/linux-security-module/20211210072123.386713-1-konstantin.meskhidze@huawei.com/
>
> Konstantin Meskhidze (15):
> landlock: access mask renaming
> landlock: landlock_find/insert_rule refactoring
> landlock: merge and inherit function refactoring
> landlock: helper functions refactoring
> landlock: landlock_add_rule syscall refactoring
> landlock: user space API network support
> landlock: add support network rules
> landlock: TCP network hooks implementation
> seltests/landlock: add tests for bind() hooks
> seltests/landlock: add tests for connect() hooks
> seltests/landlock: connect() with AF_UNSPEC tests
> seltests/landlock: rules overlapping test
> seltests/landlock: ruleset expanding test
> seltests/landlock: invalid user input data test
> samples/landlock: adds network demo
>
> include/uapi/linux/landlock.h | 48 +
> samples/landlock/sandboxer.c | 105 ++-
> security/landlock/Kconfig | 1 +
> security/landlock/Makefile | 2 +
> security/landlock/fs.c | 169 +---
> security/landlock/limits.h | 8 +-
> security/landlock/net.c | 159 ++++
> security/landlock/net.h | 25 +
> security/landlock/ruleset.c | 481 ++++++++--
> security/landlock/ruleset.h | 102 +-
> security/landlock/setup.c | 2 +
> security/landlock/syscalls.c | 173 ++--
> tools/testing/selftests/landlock/base_test.c | 4 +-
> tools/testing/selftests/landlock/common.h | 9 +
> tools/testing/selftests/landlock/config | 5 +-
> tools/testing/selftests/landlock/fs_test.c | 10 -
> tools/testing/selftests/landlock/net_test.c | 935 +++++++++++++++++++
> 17 files changed, 1925 insertions(+), 313 deletions(-)
> create mode 100644 security/landlock/net.c
> create mode 100644 security/landlock/net.h
> create mode 100644 tools/testing/selftests/landlock/net_test.c
>
> --
> 2.25.1
>
next prev parent reply other threads:[~2022-05-20 10:48 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-16 15:20 [PATCH v5 00/15] Network support for Landlock Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 01/15] landlock: access mask renaming Konstantin Meskhidze
2022-05-17 8:12 ` Mickaël Salaün
2022-05-18 9:16 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 02/15] landlock: landlock_find/insert_rule refactoring Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 03/15] landlock: merge and inherit function refactoring Konstantin Meskhidze
2022-05-17 8:14 ` Mickaël Salaün
2022-05-18 9:18 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 04/15] landlock: helper functions refactoring Konstantin Meskhidze
2022-05-16 17:14 ` Mickaël Salaün
2022-05-16 17:43 ` Konstantin Meskhidze
2022-05-16 18:28 ` Mickaël Salaün
2022-05-18 9:14 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 05/15] landlock: landlock_add_rule syscall refactoring Konstantin Meskhidze
2022-05-17 8:04 ` Mickaël Salaün
2022-05-17 8:10 ` Mickaël Salaün
2022-05-19 9:24 ` Konstantin Meskhidze
2022-05-19 9:23 ` Konstantin Meskhidze
2022-05-19 14:37 ` Mickaël Salaün
2022-05-24 8:35 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 06/15] landlock: user space API network support Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 07/15] landlock: add support network rules Konstantin Meskhidze
2022-05-17 8:27 ` Mickaël Salaün
2022-05-19 9:27 ` Konstantin Meskhidze
2022-05-19 14:42 ` Mickaël Salaün
2022-05-24 8:36 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 08/15] landlock: TCP network hooks implementation Konstantin Meskhidze
2022-05-17 8:51 ` Mickaël Salaün
2022-05-19 11:40 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 09/15] seltests/landlock: add tests for bind() hooks Konstantin Meskhidze
2022-05-16 21:11 ` Mickaël Salaün
2022-05-19 12:10 ` Konstantin Meskhidze
2022-05-19 14:29 ` Mickaël Salaün
2022-05-24 8:34 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 10/15] seltests/landlock: add tests for connect() hooks Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 11/15] seltests/landlock: connect() with AF_UNSPEC tests Konstantin Meskhidze
2022-05-17 8:55 ` Mickaël Salaün
2022-05-19 12:31 ` Konstantin Meskhidze
2022-05-19 15:00 ` Mickaël Salaün
2022-05-24 8:40 ` Konstantin Meskhidze
2022-05-19 15:02 ` Mickaël Salaün
2022-05-24 8:42 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 12/15] seltests/landlock: rules overlapping test Konstantin Meskhidze
2022-05-16 17:41 ` Mickaël Salaün
2022-05-19 12:24 ` Konstantin Meskhidze
2022-05-19 15:04 ` Mickaël Salaün
2022-05-24 8:55 ` Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 13/15] seltests/landlock: ruleset expanding test Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 14/15] seltests/landlock: invalid user input data test Konstantin Meskhidze
2022-05-16 15:20 ` [PATCH v5 15/15] samples/landlock: adds network demo Konstantin Meskhidze
2022-05-17 9:19 ` Mickaël Salaün
2022-05-19 13:33 ` Konstantin Meskhidze
2022-05-19 15:09 ` Mickaël Salaün
2022-05-24 8:41 ` Konstantin Meskhidze
2022-05-20 10:48 ` Mickaël Salaün [this message]
2022-05-25 9:41 ` [PATCH v5 00/15] Network support for Landlock - UDP discussion Konstantin Meskhidze
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a5ef620d-0447-3d58-d9bd-1220b8411957@digikod.net \
--to=mic@digikod.net \
--cc=anton.sirazetdinov@huawei.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).