From: "Mickaël Salaün" <mic@digikod.net>
To: "Konstantin Meskhidze (A)" <konstantin.meskhidze@huawei.com>
Cc: artem.kuzin@huawei.com, gnoack3000@gmail.com,
willemdebruijn.kernel@gmail.com, yusongping@huawei.com,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] landlock: Fix and test network AF inconsistencies
Date: Thu, 17 Aug 2023 17:36:53 +0200 [thread overview]
Message-ID: <20230817.Jeeb9buaf9oa@digikod.net> (raw)
In-Reply-To: <110dc71f-ff83-b87f-10ae-7f6f9bd7c1df@huawei.com>
On Thu, Aug 17, 2023 at 05:13:28PM +0300, Konstantin Meskhidze (A) wrote:
>
>
> 8/17/2023 4:00 PM, Mickaël Salaün пишет:
> > Check af_family consistency while handling AF_UNSPEC specifically.
> >
> > This patch should be squashed into the "Network support for Landlock"
> > v11 patch series.
>
> Thank you so much.
> Can I find this patch in
> https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux ???
It is now in the landlock-net-v11 branch.
> >
> > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > ---
> > security/landlock/net.c | 29 ++++-
> > tools/testing/selftests/landlock/net_test.c | 124 +++++++++++++-------
> > 2 files changed, 108 insertions(+), 45 deletions(-)
> >
> > diff --git a/security/landlock/net.c b/security/landlock/net.c
> > index f8d2be53ac0d..ea5373f774f9 100644
> > --- a/security/landlock/net.c
> > +++ b/security/landlock/net.c
> > @@ -80,11 +80,11 @@ static int check_socket_access(struct socket *const sock,
> > if (WARN_ON_ONCE(domain->num_layers < 1))
> > return -EACCES;
> > - /* Checks if it's a TCP socket. */
> > + /* Checks if it's a (potential) TCP socket. */
> > if (sock->type != SOCK_STREAM)
> > return 0;
> > - /* Checks for minimal header length. */
> > + /* Checks for minimal header length to safely read sa_family. */
> > if (addrlen < offsetofend(struct sockaddr, sa_family))
> > return -EINVAL;
> > @@ -106,7 +106,6 @@ static int check_socket_access(struct socket *const sock,
> > return 0;
> > }
> > - /* Specific AF_UNSPEC handling. */
> > if (address->sa_family == AF_UNSPEC) {
> > /*
> > * Connecting to an address with AF_UNSPEC dissolves the TCP
> > @@ -114,6 +113,10 @@ static int check_socket_access(struct socket *const sock,
> > * connection while retaining the socket object (i.e., the file
> > * descriptor). As for dropping privileges, closing
> > * connections is always allowed.
> > + *
> > + * For a TCP access control system, this request is legitimate.
> > + * Let the network stack handle potential inconsistencies and
> > + * return -EINVAL if needed.
> > */
> > if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
> > return 0;
> > @@ -124,14 +127,34 @@ static int check_socket_access(struct socket *const sock,
> > * INADDR_ANY (cf. __inet_bind). Checking the address is
> > * required to not wrongfully return -EACCES instead of
> > * -EAFNOSUPPORT.
> > + *
> > + * We could return 0 and let the network stack handle these
> > + * checks, but it is safer to return a proper error and test
> > + * consistency thanks to kselftest.
> > */
> > if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
> > + /* addrlen has already been checked for AF_UNSPEC. */
> > const struct sockaddr_in *const sockaddr =
> > (struct sockaddr_in *)address;
> > + if (sock->sk->__sk_common.skc_family != AF_INET)
> > + return -EINVAL;
> > +
> > if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
> > return -EAFNOSUPPORT;
> > }
> > + } else {
> > + /*
> > + * Checks sa_family consistency to not wrongfully return
> > + * -EACCES instead of -EINVAL. Valid sa_family changes are
> > + * only (from AF_INET or AF_INET6) to AF_UNSPEC.
> > + *
> > + * We could return 0 and let the network stack handle this
> > + * check, but it is safer to return a proper error and test
> > + * consistency thanks to kselftest.
> > + */
> > + if (address->sa_family != sock->sk->__sk_common.skc_family)
> > + return -EINVAL;
> > }
> > id.key.data = (__force uintptr_t)port;
> > diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
> > index 12dc127ea7d1..504a26c63fd9 100644
> > --- a/tools/testing/selftests/landlock/net_test.c
> > +++ b/tools/testing/selftests/landlock/net_test.c
> > @@ -233,7 +233,7 @@ static int connect_variant(const int sock_fd,
> > FIXTURE(protocol)
> > {
> > - struct service_fixture srv0, srv1, srv2, unspec_any, unspec_srv0;
> > + struct service_fixture srv0, srv1, srv2, unspec_any0, unspec_srv0;
> > };
> > FIXTURE_VARIANT(protocol)
> > @@ -257,8 +257,8 @@ FIXTURE_SETUP(protocol)
> > ASSERT_EQ(0, set_service(&self->unspec_srv0, prot_unspec, 0));
> > - ASSERT_EQ(0, set_service(&self->unspec_any, prot_unspec, 0));
> > - self->unspec_any.ipv4_addr.sin_addr.s_addr = htonl(INADDR_ANY);
> > + ASSERT_EQ(0, set_service(&self->unspec_any0, prot_unspec, 0));
> > + self->unspec_any0.ipv4_addr.sin_addr.s_addr = htonl(INADDR_ANY);
> > setup_loopback(_metadata);
> > };
> > @@ -615,20 +615,18 @@ TEST_F(protocol, connect)
> > // Kernel FIXME: tcp_sandbox_with_ipv6_tcp and tcp_sandbox_with_unix_stream
> > TEST_F(protocol, bind_unspec)
> > {
> > + const struct landlock_ruleset_attr ruleset_attr = {
> > + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
> > + };
> > + const struct landlock_net_service_attr tcp_bind = {
> > + .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
> > + .port = self->srv0.port,
> > + };
> > int bind_fd, ret;
> > if (variant->sandbox == TCP_SANDBOX) {
> > - const struct landlock_ruleset_attr ruleset_attr = {
> > - .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP,
> > - };
> > - const struct landlock_net_service_attr tcp_bind = {
> > - .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
> > - .port = self->srv0.port,
> > - };
> > - int ruleset_fd;
> > -
> > - ruleset_fd = landlock_create_ruleset(&ruleset_attr,
> > - sizeof(ruleset_attr), 0);
> > + const int ruleset_fd = landlock_create_ruleset(
> > + &ruleset_attr, sizeof(ruleset_attr), 0);
> > ASSERT_LE(0, ruleset_fd);
> > /* Allows bind. */
> > @@ -642,8 +640,8 @@ TEST_F(protocol, bind_unspec)
> > bind_fd = socket_variant(&self->srv0);
> > ASSERT_LE(0, bind_fd);
> > - /* Binds on AF_UNSPEC/INADDR_ANY. */
> > - ret = bind_variant(bind_fd, &self->unspec_any);
> > + /* Allowed bind on AF_UNSPEC/INADDR_ANY. */
> > + ret = bind_variant(bind_fd, &self->unspec_any0);
> > if (variant->prot.domain == AF_INET) {
> > EXPECT_EQ(0, ret)
> > {
> > @@ -655,6 +653,33 @@ TEST_F(protocol, bind_unspec)
> > }
> > EXPECT_EQ(0, close(bind_fd));
> > + if (variant->sandbox == TCP_SANDBOX) {
> > + const int ruleset_fd = landlock_create_ruleset(
> > + &ruleset_attr, sizeof(ruleset_attr), 0);
> > + ASSERT_LE(0, ruleset_fd);
> > +
> > + /* Denies bind. */
> > + enforce_ruleset(_metadata, ruleset_fd);
> > + EXPECT_EQ(0, close(ruleset_fd));
> > + }
> > +
> > + bind_fd = socket_variant(&self->srv0);
> > + ASSERT_LE(0, bind_fd);
> > +
> > + /* Denied bind on AF_UNSPEC/INADDR_ANY. */
> > + ret = bind_variant(bind_fd, &self->unspec_any0);
> > + if (variant->prot.domain == AF_INET) {
> > + if (is_restricted(&variant->prot, variant->sandbox)) {
> > + EXPECT_EQ(-EACCES, ret);
> > + } else {
> > + EXPECT_EQ(0, ret);
> > + }
> > + } else {
> > + EXPECT_EQ(-EINVAL, ret);
> > + }
> > + EXPECT_EQ(0, close(bind_fd));
> > +
> > + /* Checks bind with AF_UNSPEC and the loopback address. */
> > bind_fd = socket_variant(&self->srv0);
> > ASSERT_LE(0, bind_fd);
> > ret = bind_variant(bind_fd, &self->unspec_srv0);
> > @@ -671,34 +696,16 @@ TEST_F(protocol, bind_unspec)
> > TEST_F(protocol, connect_unspec)
> > {
> > + const struct landlock_ruleset_attr ruleset_attr = {
> > + .handled_access_net = LANDLOCK_ACCESS_NET_CONNECT_TCP,
> > + };
> > + const struct landlock_net_service_attr tcp_connect = {
> > + .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
> > + .port = self->srv0.port,
> > + };
> > int bind_fd, client_fd, status;
> > pid_t child;
> > - if (variant->sandbox == TCP_SANDBOX) {
> > - const struct landlock_ruleset_attr ruleset_attr = {
> > - .handled_access_net = LANDLOCK_ACCESS_NET_CONNECT_TCP,
> > - };
> > - const struct landlock_net_service_attr tcp_connect = {
> > - .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP,
> > - .port = self->srv0.port,
> > - };
> > - int ruleset_fd;
> > -
> > - ruleset_fd = landlock_create_ruleset(&ruleset_attr,
> > - sizeof(ruleset_attr), 0);
> > - ASSERT_LE(0, ruleset_fd);
> > -
> > - /* Allows connect. */
> > - ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
> > - LANDLOCK_RULE_NET_SERVICE,
> > - &tcp_connect, 0));
> > - enforce_ruleset(_metadata, ruleset_fd);
> > - EXPECT_EQ(0, close(ruleset_fd));
> > - }
> > -
> > - /* Generic connection tests. */
> > - test_bind_and_connect(_metadata, &self->srv0, false, false);
> > -
> > /* Specific connection tests. */
> > bind_fd = socket_variant(&self->srv0);
> > ASSERT_LE(0, bind_fd);
> > @@ -726,8 +733,22 @@ TEST_F(protocol, connect_unspec)
> > EXPECT_EQ(0, ret);
> > }
> > + if (variant->sandbox == TCP_SANDBOX) {
> > + const int ruleset_fd = landlock_create_ruleset(
> > + &ruleset_attr, sizeof(ruleset_attr), 0);
> > + ASSERT_LE(0, ruleset_fd);
> > +
> > + /* Allows connect. */
> > + ASSERT_EQ(0,
> > + landlock_add_rule(ruleset_fd,
> > + LANDLOCK_RULE_NET_SERVICE,
> > + &tcp_connect, 0));
> > + enforce_ruleset(_metadata, ruleset_fd);
> > + EXPECT_EQ(0, close(ruleset_fd));
> > + }
> > +
> > /* Disconnects already connected socket, or set peer. */
> > - ret = connect_variant(connect_fd, &self->unspec_any);
> > + ret = connect_variant(connect_fd, &self->unspec_any0);
> > if (self->srv0.protocol.domain == AF_UNIX &&
> > self->srv0.protocol.type == SOCK_STREAM) {
> > EXPECT_EQ(-EINVAL, ret);
> > @@ -744,6 +765,25 @@ TEST_F(protocol, connect_unspec)
> > EXPECT_EQ(0, ret);
> > }
> > + if (variant->sandbox == TCP_SANDBOX) {
> > + const int ruleset_fd = landlock_create_ruleset(
> > + &ruleset_attr, sizeof(ruleset_attr), 0);
> > + ASSERT_LE(0, ruleset_fd);
> > +
> > + /* Denies connect. */
> > + enforce_ruleset(_metadata, ruleset_fd);
> > + EXPECT_EQ(0, close(ruleset_fd));
> > + }
> > +
> > + ret = connect_variant(connect_fd, &self->unspec_any0);
> > + if (self->srv0.protocol.domain == AF_UNIX &&
> > + self->srv0.protocol.type == SOCK_STREAM) {
> > + EXPECT_EQ(-EINVAL, ret);
> > + } else {
> > + /* Always allowed to disconnect. */
> > + EXPECT_EQ(0, ret);
> > + }
> > +
> > EXPECT_EQ(0, close(connect_fd));
> > _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE);
> > return;
next prev parent reply other threads:[~2023-08-17 15:37 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-15 16:13 [PATCH v11 00/12] Network support for Landlock Konstantin Meskhidze
2023-05-15 16:13 ` [PATCH v11 01/12] landlock: Make ruleset's access masks more generic Konstantin Meskhidze
2023-05-15 16:13 ` [PATCH v11 02/12] landlock: Allow filesystem layout changes for domains without such rule type Konstantin Meskhidze
2023-05-15 16:13 ` [PATCH v11 03/12] landlock: Refactor landlock_find_rule/insert_rule Konstantin Meskhidze
2023-06-26 18:40 ` Mickaël Salaün
2023-07-01 14:37 ` Konstantin Meskhidze (A)
2023-06-26 18:58 ` Mickaël Salaün
2023-07-01 14:38 ` Konstantin Meskhidze (A)
2023-07-06 14:34 ` Mickaël Salaün
2023-07-10 12:30 ` Konstantin Meskhidze (A)
2023-05-15 16:13 ` [PATCH v11 04/12] landlock: Refactor merge/inherit_ruleset functions Konstantin Meskhidze
2023-06-26 18:40 ` Mickaël Salaün
2023-07-01 14:52 ` Konstantin Meskhidze (A)
2023-07-05 10:16 ` Mickaël Salaün
2023-07-05 10:36 ` Konstantin Meskhidze (A)
2023-05-15 16:13 ` [PATCH v11 05/12] landlock: Move and rename layer helpers Konstantin Meskhidze
2023-05-15 16:13 ` [PATCH v11 06/12] landlock: Refactor " Konstantin Meskhidze
2023-05-15 16:13 ` [PATCH v11 07/12] landlock: Refactor landlock_add_rule() syscall Konstantin Meskhidze
2023-05-15 16:13 ` [PATCH v11 08/12] landlock: Add network rules and TCP hooks support Konstantin Meskhidze
2023-06-26 18:41 ` Mickaël Salaün
2023-07-01 14:54 ` Konstantin Meskhidze (A)
2023-06-26 18:57 ` Mickaël Salaün
2023-07-03 10:36 ` Konstantin Meskhidze (A)
2023-07-03 17:06 ` Mickaël Salaün
2023-07-04 12:37 ` Konstantin Meskhidze (A)
2023-06-27 16:14 ` Mickaël Salaün
2023-06-29 14:04 ` Mickaël Salaün
2023-07-03 10:44 ` Konstantin Meskhidze (A)
2023-07-03 10:43 ` Konstantin Meskhidze (A)
2023-06-27 19:48 ` Günther Noack
2023-07-03 12:39 ` Konstantin Meskhidze (A)
2023-08-03 14:12 ` Mickaël Salaün
2023-08-03 14:13 ` Konstantin Meskhidze (A)
2023-05-15 16:13 ` [PATCH v11 09/12] selftests/landlock: Share enforce_ruleset() Konstantin Meskhidze
2023-05-15 16:13 ` [PATCH v11 10/12] selftests/landlock: Add 11 new test suites dedicated to network Konstantin Meskhidze
2023-07-01 19:07 ` Günther Noack
2023-07-02 8:45 ` Mickaël Salaün
2023-07-03 8:37 ` Konstantin Meskhidze (A)
2023-07-03 9:36 ` Günther Noack
2023-07-06 14:55 ` [PATCH v11.1] " Mickaël Salaün
2023-07-06 16:09 ` Mickaël Salaün
2023-07-10 12:24 ` Konstantin Meskhidze (A)
2023-07-10 16:06 ` Mickaël Salaün
2023-07-12 8:42 ` Konstantin Meskhidze (A)
2023-07-12 7:02 ` Mickaël Salaün
2023-07-12 9:57 ` Konstantin Meskhidze (A)
2023-08-12 14:37 ` Konstantin Meskhidze (A)
2023-08-17 15:08 ` Mickaël Salaün
2023-09-11 10:13 ` Konstantin Meskhidze (A)
2023-09-14 8:08 ` Mickaël Salaün
2023-09-15 8:54 ` Konstantin Meskhidze (A)
2023-09-18 6:56 ` Mickaël Salaün
2023-09-20 10:00 ` Konstantin Meskhidze (A)
2023-08-13 20:09 ` Konstantin Meskhidze (A)
2023-08-17 13:19 ` Mickaël Salaün
2023-08-17 14:04 ` Konstantin Meskhidze (A)
2023-08-17 15:34 ` Mickaël Salaün
2023-08-18 14:05 ` Konstantin Meskhidze (A)
2023-08-11 21:03 ` Konstantin Meskhidze (A)
2023-08-17 12:54 ` Mickaël Salaün
2023-08-17 13:00 ` [PATCH] landlock: Fix and test network AF inconsistencies Mickaël Salaün
2023-08-17 14:13 ` Konstantin Meskhidze (A)
2023-08-17 15:36 ` Mickaël Salaün [this message]
2023-08-18 14:05 ` Konstantin Meskhidze (A)
2023-05-15 16:13 ` [PATCH v11 11/12] samples/landlock: Add network demo Konstantin Meskhidze
2023-06-06 15:17 ` Günther Noack
2023-06-13 10:54 ` Konstantin Meskhidze (A)
2023-06-13 20:38 ` Mickaël Salaün
2023-06-19 14:24 ` Konstantin Meskhidze (A)
2023-06-19 18:19 ` Mickaël Salaün
2023-06-22 8:00 ` Konstantin Meskhidze (A)
2023-06-22 10:18 ` Mickaël Salaün
2023-07-03 12:50 ` Konstantin Meskhidze (A)
2023-07-03 17:09 ` Mickaël Salaün
2023-07-04 12:33 ` Konstantin Meskhidze (A)
2023-07-06 14:35 ` Mickaël Salaün
2023-07-10 12:26 ` Konstantin Meskhidze (A)
2023-05-15 16:13 ` [PATCH v11 12/12] landlock: Document Landlock's network support Konstantin Meskhidze
2023-06-06 14:08 ` Günther Noack
2023-06-07 5:46 ` Jeff Xu
2023-06-13 10:13 ` Konstantin Meskhidze (A)
2023-06-13 20:12 ` Mickaël Salaün
2023-06-22 16:50 ` Mickaël Salaün
2023-06-23 14:35 ` Jeff Xu
2023-07-03 9:04 ` Konstantin Meskhidze (A)
2023-07-03 17:04 ` Mickaël Salaün
2023-06-13 19:56 ` Mickaël Salaün
2023-06-19 14:25 ` Konstantin Meskhidze (A)
2023-06-26 18:59 ` Mickaël Salaün
2023-07-03 10:42 ` Konstantin Meskhidze (A)
2023-06-05 15:02 ` [PATCH v11 00/12] Network support for Landlock Mickaël Salaün
2023-06-06 9:10 ` Konstantin Meskhidze (A)
2023-06-06 9:40 ` Mickaël Salaün
2023-06-19 14:28 ` Konstantin Meskhidze (A)
2023-06-19 18:23 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230817.Jeeb9buaf9oa@digikod.net \
--to=mic@digikod.net \
--cc=artem.kuzin@huawei.com \
--cc=gnoack3000@gmail.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.