From: "Mickaël Salaün" <mic@digikod.net>
To: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
Cc: willemdebruijn.kernel@gmail.com, gnoack3000@gmail.com,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, yusongping@huawei.com,
artem.kuzin@huawei.com, konstantin.meskhidze@huawei.com
Subject: Re: [RFC PATCH v1 2/9] landlock: Support TCP listen access-control
Date: Thu, 1 Aug 2024 18:01:25 +0200
Message-ID: <20240801.eeBaiB4Ijion@digikod.net>
In-Reply-To: <7c8ed332-c4ec-81e7-a94a-e1b62d820dd3@huawei-partners.com>

On Thu, Aug 01, 2024 at 06:34:41PM +0300, Mikhail Ivanov wrote:
> 8/1/2024 5:45 PM, Mickaël Salaün wrote:
> > On Thu, Aug 01, 2024 at 10:52:25AM +0300, Mikhail Ivanov wrote:
> > > 7/31/2024 9:30 PM, Mickaël Salaün wrote:
> > > > On Sun, Jul 28, 2024 at 08:25:55AM +0800, Mikhail Ivanov wrote:
> > > > > LANDLOCK_ACCESS_NET_BIND_TCP is useful to limit the scope of "bindable"
> > > > > ports to forbid a malicious sandboxed process to impersonate a legitimate
> > > > > server process. However, bind(2) might be used by (TCP) clients to set the
> > > > > source port to a (legitimate) value. Controlling the ports that can be
> > > > > used for listening would allow (TCP) clients to explicitly bind to ports
> > > > > that are forbidden for listening.
> > > > >
> > > > > Such control is implemented with a new LANDLOCK_ACCESS_NET_LISTEN_TCP
> > > > > access right that restricts listening on undesired ports with listen(2).
> > > > >
> > > > > It's worth noticing that this access right doesn't affect changing
> > > > > backlog value using listen(2) on already listening socket.
> > > > >
> > > > > * Create new LANDLOCK_ACCESS_NET_LISTEN_TCP flag.
> > > > > * Add hook to socket_listen(), which checks whether the socket is allowed
> > > > > to listen on a bound local port.
> > > > > * Add check_tcp_socket_can_listen() helper, which validates socket
> > > > > attributes before the actual access right check.
> > > > > * Update `struct landlock_net_port_attr` documentation with control of
> > > > > binding to ephemeral port with listen(2) description.
> > > > > * Change ABI version to 6.
> > > > >
> > > > > Closes: https://github.com/landlock-lsm/linux/issues/15
> > > > > Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
> > > >
> > > > Thanks for this series!
> > > >
> > > > I cannot apply this patch series though, could you please provide the
> > > > base commit? BTW, this can be automatically put in the cover letter
> > > > with the git format-patch's --base argument.
> > >
> > > base-commit: 591561c2b47b7e7225e229e844f5de75ce0c09ec
> >
> > Thanks, the following commit makes this series not apply.
>
> Sorry, you mean that the series is successfully applied, right?
Yes, it works with the commit you provided. I was talking about a next
(logical) commit f4b89d8ce5a8 ("landlock: Various documentation
improvements") which makes your series not apply, but that's OK now.