From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>, <gnoack3000@gmail.com>,
<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
<artem.kuzin@huawei.com>
Subject: [PATCH v14 11/12] samples/landlock: Support TCP restrictions
Date: Thu, 26 Oct 2023 09:47:50 +0800 [thread overview]
Message-ID: <20231026014751.414649-12-konstantin.meskhidze@huawei.com> (raw)
In-Reply-To: <20231026014751.414649-1-konstantin.meskhidze@huawei.com>
Add TCP restrictions to the sandboxer demo. It's possible
to allow a sandboxer to bind/connect to a list of particular
ports restricting network actions to the rest of ports.
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
Changes since v13:
* Refactors commit message.
Changes since v12:
* Defines __SANE_USERSPACE_TYPES__ to avoid warnings for PowerPC.
Changes since v11:
* Changes ENV_PATH_TOKEN to ENV_DELIMITER.
* Refactors populate_ruleset_net():
- Deletes parse_port_num() helper.
- Uses strsep() instead of strtok().
* Fixes wrong printf format.
Changes since v10:
* Refactors populate_ruleset_net() helper.
* Code style minor fix.
Changes since v9:
* Deletes ports converting.
* Minor fixes.
Changes since v8:
* Convert ports to __be16.
* Minor fixes.
Changes since v7:
* Removes network support if ABI < 4.
* Removes network support if not set by a user.
Changes since v6:
* Removes network support if ABI < 3.
Changes since v5:
* Makes network ports sandboxing optional.
* Fixes some logic errors.
* Formats code with clang-format-14.
Changes since v4:
* Adds ENV_TCP_BIND_NAME "LL_TCP_BIND" and
ENV_TCP_CONNECT_NAME "LL_TCP_CONNECT" variables
to insert TCP ports.
* Renames populate_ruleset() to populate_ruleset_fs().
* Adds populate_ruleset_net() and parse_port_num() helpers.
* Refactors main() to support network sandboxing.
---
samples/landlock/sandboxer.c | 115 ++++++++++++++++++++++++++++++-----
1 file changed, 100 insertions(+), 15 deletions(-)
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index e2056c8b902c..08596c0ef070 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -8,6 +8,8 @@
*/
#define _GNU_SOURCE
+#define __SANE_USERSPACE_TYPES__
+#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
@@ -51,7 +53,9 @@ static inline int landlock_restrict_self(const int ruleset_fd,
#define ENV_FS_RO_NAME "LL_FS_RO"
#define ENV_FS_RW_NAME "LL_FS_RW"
-#define ENV_PATH_TOKEN ":"
+#define ENV_TCP_BIND_NAME "LL_TCP_BIND"
+#define ENV_TCP_CONNECT_NAME "LL_TCP_CONNECT"
+#define ENV_DELIMITER ":"
static int parse_path(char *env_path, const char ***const path_list)
{
@@ -60,13 +64,13 @@ static int parse_path(char *env_path, const char ***const path_list)
if (env_path) {
num_paths++;
for (i = 0; env_path[i]; i++) {
- if (env_path[i] == ENV_PATH_TOKEN[0])
+ if (env_path[i] == ENV_DELIMITER[0])
num_paths++;
}
}
*path_list = malloc(num_paths * sizeof(**path_list));
for (i = 0; i < num_paths; i++)
- (*path_list)[i] = strsep(&env_path, ENV_PATH_TOKEN);
+ (*path_list)[i] = strsep(&env_path, ENV_DELIMITER);
return num_paths;
}
@@ -81,8 +85,8 @@ static int parse_path(char *env_path, const char ***const path_list)
/* clang-format on */
-static int populate_ruleset(const char *const env_var, const int ruleset_fd,
- const __u64 allowed_access)
+static int populate_ruleset_fs(const char *const env_var, const int ruleset_fd,
+ const __u64 allowed_access)
{
int num_paths, i, ret = 1;
char *env_path_name;
@@ -143,6 +147,39 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd,
return ret;
}
+static int populate_ruleset_net(const char *const env_var, const int ruleset_fd,
+ const __u64 allowed_access)
+{
+ int ret = 1;
+ char *env_port_name, *strport;
+ struct landlock_net_port_attr net_port = {
+ .allowed_access = allowed_access,
+ .port = 0,
+ };
+
+ env_port_name = getenv(env_var);
+ if (!env_port_name)
+ return 0;
+ env_port_name = strdup(env_port_name);
+ unsetenv(env_var);
+
+ while ((strport = strsep(&env_port_name, ENV_DELIMITER))) {
+ net_port.port = atoi(strport);
+ if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
+ &net_port, 0)) {
+ fprintf(stderr,
+ "Failed to update the ruleset with port \"%llu\": %s\n",
+ net_port.port, strerror(errno));
+ goto out_free_name;
+ }
+ }
+ ret = 0;
+
+out_free_name:
+ free(env_port_name);
+ return ret;
+}
+
/* clang-format off */
#define ACCESS_FS_ROUGHLY_READ ( \
@@ -166,39 +203,58 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd,
/* clang-format on */
-#define LANDLOCK_ABI_LAST 3
+#define LANDLOCK_ABI_LAST 4
int main(const int argc, char *const argv[], char *const *const envp)
{
const char *cmd_path;
char *const *cmd_argv;
int ruleset_fd, abi;
+ char *env_port_name;
__u64 access_fs_ro = ACCESS_FS_ROUGHLY_READ,
access_fs_rw = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE;
+
struct landlock_ruleset_attr ruleset_attr = {
.handled_access_fs = access_fs_rw,
+ .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP,
};
if (argc < 2) {
fprintf(stderr,
- "usage: %s=\"...\" %s=\"...\" %s <cmd> [args]...\n\n",
- ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
+ "usage: %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\"%s "
+ "<cmd> [args]...\n\n",
+ ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
+ ENV_TCP_CONNECT_NAME, argv[0]);
fprintf(stderr,
"Launch a command in a restricted environment.\n\n");
- fprintf(stderr, "Environment variables containing paths, "
- "each separated by a colon:\n");
+ fprintf(stderr,
+ "Environment variables containing paths and ports "
+ "each separated by a colon:\n");
fprintf(stderr,
"* %s: list of paths allowed to be used in a read-only way.\n",
ENV_FS_RO_NAME);
fprintf(stderr,
- "* %s: list of paths allowed to be used in a read-write way.\n",
+ "* %s: list of paths allowed to be used in a read-write way.\n\n",
ENV_FS_RW_NAME);
+ fprintf(stderr,
+ "Environment variables containing ports are optional "
+ "and could be skipped.\n");
+ fprintf(stderr,
+ "* %s: list of ports allowed to bind (server).\n",
+ ENV_TCP_BIND_NAME);
+ fprintf(stderr,
+ "* %s: list of ports allowed to connect (client).\n",
+ ENV_TCP_CONNECT_NAME);
fprintf(stderr,
"\nexample:\n"
"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
+ "%s=\"9418\" "
+ "%s=\"80:443\" "
"%s bash -i\n\n",
- ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
+ ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
+ ENV_TCP_CONNECT_NAME, argv[0]);
fprintf(stderr,
"This sandboxer can use Landlock features "
"up to ABI version %d.\n",
@@ -255,7 +311,12 @@ int main(const int argc, char *const argv[], char *const *const envp)
case 2:
/* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
-
+ __attribute__((fallthrough));
+ case 3:
+ /* Removes network support for ABI < 4 */
+ ruleset_attr.handled_access_net &=
+ ~(LANDLOCK_ACCESS_NET_BIND_TCP |
+ LANDLOCK_ACCESS_NET_CONNECT_TCP);
fprintf(stderr,
"Hint: You should update the running kernel "
"to leverage Landlock features "
@@ -274,18 +335,42 @@ int main(const int argc, char *const argv[], char *const *const envp)
access_fs_ro &= ruleset_attr.handled_access_fs;
access_fs_rw &= ruleset_attr.handled_access_fs;
+ /* Removes bind access attribute if not supported by a user. */
+ env_port_name = getenv(ENV_TCP_BIND_NAME);
+ if (!env_port_name) {
+ ruleset_attr.handled_access_net &=
+ ~LANDLOCK_ACCESS_NET_BIND_TCP;
+ }
+ /* Removes connect access attribute if not supported by a user. */
+ env_port_name = getenv(ENV_TCP_CONNECT_NAME);
+ if (!env_port_name) {
+ ruleset_attr.handled_access_net &=
+ ~LANDLOCK_ACCESS_NET_CONNECT_TCP;
+ }
+
ruleset_fd =
landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
if (ruleset_fd < 0) {
perror("Failed to create a ruleset");
return 1;
}
- if (populate_ruleset(ENV_FS_RO_NAME, ruleset_fd, access_fs_ro)) {
+
+ if (populate_ruleset_fs(ENV_FS_RO_NAME, ruleset_fd, access_fs_ro)) {
+ goto err_close_ruleset;
+ }
+ if (populate_ruleset_fs(ENV_FS_RW_NAME, ruleset_fd, access_fs_rw)) {
goto err_close_ruleset;
}
- if (populate_ruleset(ENV_FS_RW_NAME, ruleset_fd, access_fs_rw)) {
+
+ if (populate_ruleset_net(ENV_TCP_BIND_NAME, ruleset_fd,
+ LANDLOCK_ACCESS_NET_BIND_TCP)) {
+ goto err_close_ruleset;
+ }
+ if (populate_ruleset_net(ENV_TCP_CONNECT_NAME, ruleset_fd,
+ LANDLOCK_ACCESS_NET_CONNECT_TCP)) {
goto err_close_ruleset;
}
+
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
perror("Failed to restrict privileges");
goto err_close_ruleset;
--
2.25.1
next prev parent reply other threads:[~2023-10-26 1:48 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-26 1:47 [PATCH v14 00/12] Network support for Landlock Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 01/12] landlock: Make ruleset's access masks more generic Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 02/12] landlock: Allow FS topology changes for domains without such rule type Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 03/12] landlock: Refactor landlock_find_rule/insert_rule Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 04/12] landlock: Refactor merge/inherit_ruleset functions Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 05/12] landlock: Move and rename layer helpers Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 06/12] landlock: Refactor " Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 07/12] landlock: Refactor landlock_add_rule() syscall Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 08/12] landlock: Add network rules and TCP hooks support Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 09/12] selftests/landlock: Share enforce_ruleset() Konstantin Meskhidze
2023-10-26 1:47 ` [PATCH v14 10/12] selftests/landlock: Add network tests Konstantin Meskhidze
2023-12-19 10:38 ` Muhammad Usama Anjum
2023-12-20 9:17 ` Mickaël Salaün
2023-12-20 11:19 ` Muhammad Usama Anjum
2024-01-11 17:06 ` Mickaël Salaün
2023-10-26 1:47 ` Konstantin Meskhidze [this message]
2023-10-26 1:47 ` [PATCH v14 12/12] landlock: Document network support Konstantin Meskhidze
2023-10-27 13:06 ` [PATCH v14 00/12] Network support for Landlock Mickaël Salaün
2023-10-28 2:07 ` Konstantin Meskhidze (A)
2023-10-27 15:46 ` [PATCH] selftests/landlock: Add tests for FS topology changes with network rules Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231026014751.414649-12-konstantin.meskhidze@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=artem.kuzin@huawei.com \
--cc=gnoack3000@gmail.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.