From: "Günther Noack" <gnoack@google.com>
To: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
Cc: mic@digikod.net, willemdebruijn.kernel@gmail.com,
gnoack3000@gmail.com, linux-security-module@vger.kernel.org,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
yusongping@huawei.com, artem.kuzin@huawei.com,
konstantin.meskhidze@huawei.com
Subject: Re: [RFC PATCH v1 01/10] landlock: Support socket access-control
Date: Mon, 8 Apr 2024 21:49:13 +0200 [thread overview]
Message-ID: <ZhRKOTmoAOuwkujB@google.com> (raw)
In-Reply-To: <20240408093927.1759381-2-ivanov.mikhail1@huawei-partners.com>
Hello!
Just zooming in on what I think are the most high level questions here,
so that we get the more dramatic changes out of the way early, if needed.
On Mon, Apr 08, 2024 at 05:39:18PM +0800, Ivanov Mikhail wrote:
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> index 25c8d7677..8551ade38 100644
> --- a/include/uapi/linux/landlock.h
> +++ b/include/uapi/linux/landlock.h
> @@ -37,6 +37,13 @@ struct landlock_ruleset_attr {
> * rule explicitly allow them.
> */
> __u64 handled_access_net;
> +
> + /**
> + * @handled_access_net: Bitmask of actions (cf. `Socket flags`_)
^^^
Typo
> + * that is handled by this ruleset and should then be forbidden if no
> + * rule explicitly allow them.
> + */
> + __u64 handled_access_socket;
What is your rationale for introducing and naming this additional field?
I am not convinced that "socket" is the right name to use in this field,
but it is well possible that I'm missing some context.
* If we introduce this additional field in the landlock_ruleset_attr, which
other socket-related operations will go in the remaining 63 bits? (I'm having
a hard time coming up with so many of them.)
* Should this have a more general name than "socket", so that other planned
features from the bug tracker [1] fit in?
The other alternative is of course to piggy back on the existing
handled_access_net field, whose name already is pretty generic.
For that, I believe we would need to clarify in struct landlock_net_port_attr
which exact values are permitted there.
I imagine you have considered this approach? Are there more reasons why this
was ruled out, which I am overlooking?
[1] https://github.com/orgs/landlock-lsm/projects/1/views/1
> @@ -244,4 +277,20 @@ struct landlock_net_port_attr {
> #define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
> #define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
> /* clang-format on */
> +
> +/**
> + * DOC: socket_acess
> + *
> + * Socket flags
> + * ~~~~~~~~~~~~~~~~
Mega-Nit: This ~~~ underline should only be as long as the text above it ;-)
You might want to fix it for the "Network Flags" headline as well.
> + *
> + * These flags enable to restrict a sandboxed process to a set of
> + * socket-related actions for specific protocols. This is supported
> + * since the Landlock ABI version 5.
> + *
> + * - %LANDLOCK_ACCESS_SOCKET_CREATE: Create a socket
> + */
> diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
> index c7f152678..f4213db09 100644
> --- a/security/landlock/ruleset.h
> +++ b/security/landlock/ruleset.h
> @@ -92,6 +92,12 @@ enum landlock_key_type {
> * node keys.
> */
> LANDLOCK_KEY_NET_PORT,
> +
> + /**
> + * @LANDLOCK_KEY_SOCKET: Type of &landlock_ruleset.root_socket's
> + * node keys.
> + */
> + LANDLOCK_KEY_SOCKET,
> };
>
> /**
> @@ -177,6 +183,15 @@ struct landlock_ruleset {
> struct rb_root root_net_port;
> #endif /* IS_ENABLED(CONFIG_INET) */
>
> + /**
> + * @root_socket: Root of a red-black tree containing &struct
> + * landlock_rule nodes with socket type, described by (domain, type)
> + * pair (see socket(2)). Once a ruleset is tied to a
> + * process (i.e. as a domain), this tree is immutable until @usage
> + * reaches zero.
> + */
> + struct rb_root root_socket;
The domain is a value between 0 and 45,
and the socket type is one of 1, 2, 3, 4, 5, 6, 10.
The bounds of these are defined with AF_MAX (include/linux/socket.h) and
SOCK_MAX (include/linux/net.h).
Why don't we just combine these two numbers into an index and create a big bit
vector here, like this:
socket_type_mask_t socket_domains[AF_MAX];
socket_type_mask_t would need to be typedef'd to u16 and ideally have a static
check to test that it has more bits than SOCK_MAX.
Then you can look up whether a socket creation is permitted by checking:
/* assuming appropriate bounds checks */
if (dom->socket_domains[domain] & (1 << type)) { /* permitted */ }
and merging the socket_domains of two domains would be a bitwise-AND.
(We can also cram socket_type_mask_t in a u8 but it would require mapping the
existing socket types onto a different number space.)
As I said before, I am very excited to see this patch.
I think this will unlock a tremendous amount of use cases for many programs,
especially for programs that do not use networking at all, which can now lock
themselves down to guarantee that with a sandbox.
Thank you very much for looking into it!
—Günther
next prev parent reply other threads:[~2024-04-08 19:49 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-08 9:39 [RFC PATCH v1 00/10] Socket type control for Landlock Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 01/10] landlock: Support socket access-control Ivanov Mikhail
2024-04-08 19:49 ` Günther Noack [this message]
2024-04-11 15:16 ` Ivanov Mikhail
2024-04-12 15:22 ` Günther Noack
2024-04-12 15:41 ` Mickaël Salaün
2024-04-12 15:46 ` Mickaël Salaün
2024-05-16 13:59 ` Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 02/10] landlock: Add hook on socket_create() Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 03/10] selftests/landlock: Create 'create' test Ivanov Mikhail
2024-04-08 13:08 ` Günther Noack
2024-04-11 15:58 ` Ivanov Mikhail
2024-05-08 10:38 ` Mickaël Salaün
2024-05-16 13:54 ` Ivanov Mikhail
2024-05-17 15:24 ` Mickaël Salaün
2024-04-08 9:39 ` [RFC PATCH v1 04/10] selftests/landlock: Create 'socket_access_rights' test Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 05/10] selftests/landlock: Create 'rule_with_unknown_access' test Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 06/10] selftests/landlock: Create 'rule_with_unhandled_access' test Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 07/10] selftests/landlock: Create 'inval' test Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 08/10] selftests/landlock: Create 'ruleset_overlap' test Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 09/10] selftests/landlock: Create 'ruleset_with_unknown_access' test Ivanov Mikhail
2024-04-08 9:39 ` [RFC PATCH v1 10/10] samples/landlock: Support socket protocol restrictions Ivanov Mikhail
2024-04-08 13:12 ` [RFC PATCH v1 00/10] Socket type control for Landlock Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZhRKOTmoAOuwkujB@google.com \
--to=gnoack@google.com \
--cc=artem.kuzin@huawei.com \
--cc=gnoack3000@gmail.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.