From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: yusongping <yusongping@huawei.com>,
Artem Kuzin <artem.kuzin@huawei.com>,
linux-security-module <linux-security-module@vger.kernel.org>,
"Network Development" <netdev@vger.kernel.org>,
"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Subject: RE: [RFC PATCH 0/2] Landlock network PoC implementation
Date: Mon, 20 Dec 2021 03:52:45 +0000 [thread overview]
Message-ID: <dc1866cec3134c51939a5fa104359b6c@huawei.com> (raw)
In-Reply-To: <c325e5f6-d8d5-b085-fd2d-7f454629a1ec@digikod.net>
Hi, Mickaёl!
-----Original Message-----
From: Mickaël Salaün <mic@digikod.net>
Sent: Saturday, December 18, 2021 7:01 PM
To: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: yusongping <yusongping@huawei.com>; Artem Kuzin <artem.kuzin@huawei.com>; linux-security-module <linux-security-module@vger.kernel.org>; Network Development <netdev@vger.kernel.org>; netfilter@vger.kernel.org; Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Subject: Re: [RFC PATCH 0/2] Landlock network PoC implementation
On 18/12/2021 09:26, Konstantin Meskhidze wrote:
> Hi, Mickaёl
> Thanks again for your opinion about minimal Landlock IPv4 network version.
> I have already started refactoring the code.
> Here are some additional thoughts about the design.
[...]
>>>
>>> Accesses/suffixes should be:
>>> - CREATE
>>> - ACCEPT
>>> - BIND
>>> - LISTEN
>>> - CONNECT
>>> - RECEIVE (RECEIVE_FROM and SEND_TO should not be needed)
>>> - SEND
>>> - SHUTDOWN
>>> - GET_OPTION (GETSOCKOPT)
>>> - SET_OPTION (SETSOCKOPT)
>
>>> For now, the only access rights should be LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP (tie to two LSM hooks with struct sockaddr).
>
>>> These attribute and access right changes reduce the scope of the
>>> network access control and make it simpler but still really useful. Datagram (e.g. UDP, which could add BIND_UDP and SEND_UDP) sockets will be more complex to restrict correctly and should then come in another patch series, once TCP is supported.
>
> I think that having access rights like LANDLOCK_ACCESS_NET_CREATE_TCP_SOCKET_DENY/LANDLOCK_ACCESS_NET_CREATE_UDP_SOCKET_DENY might be useful during initialization phase of container/sandbox, cause a user could have the possibility to restrict the creation of some type of sockets at all, and to reduce the attack surface related to security aspect.
> So the logic could be the following:
> 1. Process restricts creation UDP sockets, allows TCP one.
> - LANDLOCK_ACCESS_NET_CREATE_*_SOCKET_DENY rules are tied to process task_struct cause there are no sockets inodes created at this moment.
> 2. Creates necessary number of sockets.
> 3. Restricts sockets' access rights.
> - LANDLOCK_ACCESS_NET_BIND_* / LANDLOCK_ACCESS_NET_CONNECT_* access rights are tied to sockets inodes individually.
>
> Reducing the attack surface on the kernel is valuable but not the primary goal of Landlock. seccomp is designed for this task and a seccomp filters can easily forbid creation of specific sockets. We should consider using > both Landlock and seccomp, and your use case of denying UDP vs. TCP is good.
> Anyway, the LANDLOCK_ACCESS_NET_CREATE_TCP_SOCKET_DENY name in not appropriate. Indeed, mixing "access" and "deny" doesn't make sense. A LANDLOCK_ACCESS_NET_CREATE_TCP access could be useful if > > we can define such TCP socket semantic, e.g. with a port, which is not possible when creating a socket, and it is OK.
I think we can define if it’s a TCP or UDP socket in the moment of its creating using TYPE field in socket(domain, TYPE, protocol) function:
- TCP services use SOCK_STREAM type.
- UDP ones use SOCK_DGRAM type.
So we can have LANDLOCK_ACCESS_NET_CREATE_TCP access rule in TCP socket semantic, and therefore check socket_create(domain, SOCK_STREAM, protocol) hook.
The similar rule( LANDLOCK_ACCESS_NET_CREATE_UPD) could be used for recognizing UDP sockets in future patches.
next prev parent reply other threads:[~2021-12-20 3:52 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-10 7:21 [RFC PATCH 0/2] Landlock network PoC implementation Konstantin Meskhidze
2021-12-10 16:57 ` Casey Schaufler
2021-12-10 23:01 ` Paul Moore
2021-12-30 6:53 ` Konstantin Meskhidze
2021-12-13 8:29 ` Mickaël Salaün
[not found] ` <12467d8418f04fbf9fd4a456a2a999f1@huawei.com>
2021-12-14 11:51 ` Mickaël Salaün
2021-12-17 9:39 ` Mickaël Salaün
2021-12-17 21:29 ` Willem de Bruijn
2021-12-18 10:59 ` Mickaël Salaün
2021-12-18 8:26 ` Konstantin Meskhidze
2021-12-18 11:01 ` Mickaël Salaün
2021-12-20 3:52 ` Konstantin Meskhidze [this message]
2021-12-21 21:15 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dc1866cec3134c51939a5fa104359b6c@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=artem.kuzin@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).