From: Michael Stone <michael@laptop.org>
To: linux-kernel@vger.kernel.org
Cc: Michael Stone <michael@laptop.org>
Subject: [PATCH] Security: Document RLIMIT_NETWORK.
Date: Sat, 12 Dec 2009 22:30:03 -0500 [thread overview]
Message-ID: <20091213033003.GA4369@heat> (raw)
In-Reply-To: <1260674379-4262-1-git-send-email-michael@laptop.org>
Signed-off-by: Michael Stone <michael@laptop.org>
---
Documentation/rlimit_network.txt | 55 ++++++++++++++++++++++++++++++++++++++
1 files changed, 55 insertions(+), 0 deletions(-)
create mode 100644 Documentation/rlimit_network.txt
diff --git a/Documentation/rlimit_network.txt b/Documentation/rlimit_network.txt
new file mode 100644
index 0000000..3307866
--- /dev/null
+++ b/Documentation/rlimit_network.txt
@@ -0,0 +1,55 @@
+Purpose
+-------
+
+Daniel Bernstein has observed [1] that security-conscious userland processes
+may benefit from the ability to irrevocably remove their ability to create,
+bind, connect to, or send messages except in the case of previously connected
+sockets or AF_UNIX filesystem sockets.
+
+This facility is particularly attractive to security platforms like OLPC
+Bitfrost [2] and to isolation programs like Rainbow [3] and Plash [4] because:
+
+ * it integrates well with standard techniques for writing privilege-separated
+ Unix programs
+
+ * it integrates well with the need to perform limited socket I/O, e.g., when
+ running X clients
+
+ * it's available to unprivileged programs
+
+ * it's a discretionary feature available to all of distributors,
+ administrators, authors, and users
+
+ * its effect is entirely local, rather than global (like netfilter)
+
+ * it's simple enough to have some hope of being used correctly
+
+Implementation
+--------------
+
+After considering implementations based on the Linux Security Module (LSM)
+framework, on SELinux in particular, on network namespaces (CLONE_NEWNET), and
+on direct modification of the kernel syscall and task_struct APIs, we came to
+the conclusion that the best way to implement this feature was to extend the
+resource limits framework with a new RLIMIT_NETWORK field and to modify the
+implementations of the relevant socket calls to return -EPERM when
+
+ current->signal->rlim[RLIMIT_NETWORK].rlim_cur == 0
+
+unless we are manipulating an AF_UNIX socket whose name does not begin with \0
+or, in the case of sendmsg(), unless we are manipulating a previously connected
+socket, i.e. one with
+
+ msg.msg_name == NULL && msg.msg_namelen == 0
+
+Finally, in response to criticism from Alan Cox, we insert a similar access
+check into __ptrace_may_access() to prevent processes which have dropped their
+networking privileges from performing network I/O by ptracing other processes.
+
+References
+----------
+
+[1]: http://cr.yp.to/unix/disablenetwork.html
+[2]: http://wiki.laptop.org/go/OLPC_Bitfrost
+[3]: http://wiki.laptop.org/go/Rainbow
+[4]: http://plash.beasts.org/
--
1.5.6.5
next prev parent reply other threads:[~2009-12-13 3:35 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-13 3:19 Network isolation with RLIMIT_NETWORK, cont'd Michael Stone
2009-12-13 3:26 ` [PATCH] Security: Implement RLIMIT_NETWORK Michael Stone
2009-12-13 3:30 ` Michael Stone [this message]
2009-12-13 3:44 ` Network isolation with RLIMIT_NETWORK, cont'd Michael Stone
2009-12-13 5:09 ` setrlimit(RLIMIT_NETWORK) vs. prctl(???) Michael Stone
2009-12-13 5:20 ` Ulrich Drepper
2009-12-15 5:33 ` Michael Stone
2009-12-16 15:30 ` Michael Stone
2009-12-16 15:32 ` [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface Michael Stone
2009-12-16 15:59 ` Andi Kleen
2009-12-17 1:25 ` Michael Stone
2009-12-17 8:52 ` Andi Kleen
[not found] ` <fb69ef3c0912170906t291a37c4r6c4758ddc7dd300b@mail.gmail.com>
2009-12-17 17:14 ` Andi Kleen
2009-12-17 22:58 ` Mark Seaborn
2009-12-18 3:00 ` Michael Stone
2009-12-18 3:00 ` Michael Stone
2009-12-18 3:29 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) interface. (v2) Michael Stone
2009-12-18 4:43 ` Valdis.Kletnieks
2009-12-18 15:46 ` Alan Cox
2009-12-18 16:33 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) Michael Stone
2009-12-18 17:20 ` Alan Cox
2009-12-18 17:47 ` Eric W. Biederman
2009-12-24 6:13 ` Michael Stone
2009-12-24 12:37 ` Eric W. Biederman
2009-12-24 1:42 ` [PATCH 0/3] Discarding networking privilege via LSM Michael Stone
2009-12-24 1:44 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) interface. (v3) Michael Stone
2009-12-24 4:38 ` Samir Bellabes
2009-12-24 5:44 ` Michael Stone
2009-12-24 5:51 ` Tetsuo Handa
2009-12-24 1:45 ` [PATCH 2/3] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics. (v3) Michael Stone
2009-12-24 1:45 ` [PATCH 3/3] Security: Document prctl(PR_{GET,SET}_NETWORK). (v3) Michael Stone
2009-12-25 17:09 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) Pavel Machek
2009-12-18 3:31 ` [PATCH 2/3] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics. (v2) Michael Stone
2009-12-18 3:57 ` Eric W. Biederman
2009-12-18 3:32 ` [PATCH 3/3] Security: Document prctl(PR_{GET,SET}_NETWORK). (v2) Michael Stone
2009-12-18 17:49 ` [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface Stephen Hemminger
2009-12-19 12:02 ` David Wagner
2009-12-19 12:29 ` Alan Cox
2009-12-20 17:53 ` Mark Seaborn
2009-12-17 9:25 ` Américo Wang
2009-12-17 16:28 ` Michael Stone
2009-12-17 16:28 ` Michael Stone
2009-12-17 17:23 ` Randy Dunlap
2009-12-17 17:25 ` Randy Dunlap
2009-12-16 15:32 ` [PATCH] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics Michael Stone
2009-12-17 19:18 ` Eric W. Biederman
2009-12-16 15:32 ` [PATCH] Security: Document prctl(PR_{GET,SET}_NETWORK) Michael Stone
2009-12-13 8:32 ` Network isolation with RLIMIT_NETWORK, cont'd Rémi Denis-Courmont
2009-12-13 13:44 ` Michael Stone
2009-12-13 13:44 ` Michael Stone
2009-12-13 10:05 ` Eric W. Biederman
2009-12-13 14:21 ` Michael Stone
2009-12-17 17:31 ` Mark Seaborn
2009-12-17 18:24 ` Bryan Donlan
2009-12-17 19:35 ` Bernie Innocenti
2009-12-17 19:53 ` Bryan Donlan
2009-12-17 19:23 ` Bernie Innocenti
2009-12-17 17:52 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091213033003.GA4369@heat \
--to=michael@laptop.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.