From: "Günther Noack" <gnoack@google.com>
To: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
Cc: mic@digikod.net, willemdebruijn.kernel@gmail.com,
gnoack3000@gmail.com, linux-security-module@vger.kernel.org,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
yusongping@huawei.com, artem.kuzin@huawei.com,
konstantin.meskhidze@huawei.com
Subject: Re: [RFC PATCH v3 14/19] selftests/landlock: Test socketpair(2) restriction
Date: Wed, 18 Sep 2024 15:47:26 +0200 [thread overview]
Message-ID: <ZurZ7nuRRl0Zf2iM@google.com> (raw)
In-Reply-To: <20240904104824.1844082-15-ivanov.mikhail1@huawei-partners.com>
On Wed, Sep 04, 2024 at 06:48:19PM +0800, Mikhail Ivanov wrote:
> Add test that checks the restriction on socket creation using
> socketpair(2).
>
> Add `socket_creation` fixture to configure sandboxing in tests in
> which different socket creation actions are tested.
>
> Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
> ---
> .../testing/selftests/landlock/socket_test.c | 101 ++++++++++++++++++
> 1 file changed, 101 insertions(+)
>
> diff --git a/tools/testing/selftests/landlock/socket_test.c b/tools/testing/selftests/landlock/socket_test.c
> index 8fc507bf902a..67db0e1c1121 100644
> --- a/tools/testing/selftests/landlock/socket_test.c
> +++ b/tools/testing/selftests/landlock/socket_test.c
> @@ -738,4 +738,105 @@ TEST_F(packet_protocol, alias_restriction)
> EXPECT_EQ(0, test_socket_variant(&self->prot_tested));
> }
>
> +static int test_socketpair(int family, int type, int protocol)
> +{
> + int fds[2];
> + int err;
> +
> + err = socketpair(family, type | SOCK_CLOEXEC, protocol, fds);
> + if (err)
> + return errno;
> + /*
> + * Mixing error codes from close(2) and socketpair(2) should not lead to
> + * any (access type) confusion for this test.
> + */
> + if (close(fds[0]) != 0)
> + return errno;
> + if (close(fds[1]) != 0)
> + return errno;
> + return 0;
> +}
> +
> +FIXTURE(socket_creation)
> +{
> + bool sandboxed;
> + bool allowed;
> +};
> +
> +FIXTURE_VARIANT(socket_creation)
> +{
> + bool sandboxed;
> + bool allowed;
> +};
> +
> +FIXTURE_SETUP(socket_creation)
> +{
> + self->sandboxed = variant->sandboxed;
> + self->allowed = variant->allowed;
> +
> + setup_loopback(_metadata);
> +};
> +
> +FIXTURE_TEARDOWN(socket_creation)
> +{
> +}
> +
> +/* clang-format off */
> +FIXTURE_VARIANT_ADD(socket_creation, no_sandbox) {
> + /* clang-format on */
> + .sandboxed = false,
> +};
> +
> +/* clang-format off */
> +FIXTURE_VARIANT_ADD(socket_creation, sandbox_allow) {
> + /* clang-format on */
> + .sandboxed = true,
> + .allowed = true,
> +};
> +
> +/* clang-format off */
> +FIXTURE_VARIANT_ADD(socket_creation, sandbox_deny) {
> + /* clang-format on */
> + .sandboxed = true,
> + .allowed = false,
> +};
> +
> +TEST_F(socket_creation, socketpair)
> +{
> + const struct landlock_ruleset_attr ruleset_attr = {
> + .handled_access_socket = LANDLOCK_ACCESS_SOCKET_CREATE,
> + };
> + struct landlock_socket_attr unix_socket_create = {
> + .allowed_access = LANDLOCK_ACCESS_SOCKET_CREATE,
> + .family = AF_UNIX,
> + .type = SOCK_STREAM,
> + };
> + int ruleset_fd;
> +
> + if (self->sandboxed) {
> + ruleset_fd = landlock_create_ruleset(&ruleset_attr,
> + sizeof(ruleset_attr), 0);
> + ASSERT_LE(0, ruleset_fd);
> +
> + if (self->allowed) {
> + ASSERT_EQ(0, landlock_add_rule(ruleset_fd,
> + LANDLOCK_RULE_SOCKET,
> + &unix_socket_create, 0));
> + }
> + enforce_ruleset(_metadata, ruleset_fd);
> + ASSERT_EQ(0, close(ruleset_fd));
> + }
> +
> + if (!self->sandboxed || self->allowed) {
> + /*
> + * Tries to create sockets when ruleset is not established
> + * or protocol is allowed.
> + */
> + EXPECT_EQ(0, test_socketpair(AF_UNIX, SOCK_STREAM, 0));
> + } else {
> + /* Tries to create sockets when protocol is restricted. */
> + EXPECT_EQ(EACCES, test_socketpair(AF_UNIX, SOCK_STREAM, 0));
> + }
I am torn on whether socketpair() should be denied at all --
* on one hand, the created sockets are connected to each other
and the creating process can only talk to itself (or pass one of them on),
which seems legitimate and harmless.
* on the other hand, it *does* create two sockets, and
if they are datagram sockets, it it probably currently possible
to disassociate them with connect(AF_UNSPEC).
What are your thoughts on that?
Mickaël, I believe we have also discussed similar questions for pipe(2) in the
past, and you had opinions on that?
(On a much more technical note; consider replacing self->allowed with
self->socketpair_error to directly indicate the expected error? It feels that
this could be more straightforward?)
—Günther
next prev parent reply other threads:[~2024-09-18 13:47 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-04 10:48 [RFC PATCH v3 00/19] Support socket access-control Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 01/19] landlock: " Mikhail Ivanov
2024-09-06 13:09 ` Günther Noack
2024-09-09 7:23 ` Mikhail Ivanov
2024-11-11 16:29 ` Mikhail Ivanov
2024-11-22 17:45 ` Günther Noack
2024-11-25 11:04 ` Mikhail Ivanov
2024-11-27 18:43 ` Mickaël Salaün
2024-11-28 12:01 ` Mikhail Ivanov
2024-11-28 20:52 ` Mickaël Salaün
2024-12-02 11:32 ` Mikhail Ivanov
2024-12-24 16:55 ` Mikhail Ivanov
2025-01-10 11:12 ` Günther Noack
2025-01-10 13:02 ` Mikhail Ivanov
2025-01-10 16:27 ` Günther Noack
2025-01-10 16:55 ` Mikhail Ivanov
2025-01-14 18:31 ` Mickaël Salaün
2025-01-24 12:28 ` Mikhail Ivanov
2025-01-24 14:02 ` Mickaël Salaün
2024-09-04 10:48 ` [RFC PATCH v3 02/19] landlock: Add hook on socket creation Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 03/19] selftests/landlock: Test basic socket restriction Mikhail Ivanov
2024-09-10 9:53 ` Günther Noack
2024-09-04 10:48 ` [RFC PATCH v3 04/19] selftests/landlock: Test adding a rule with each supported access Mikhail Ivanov
2024-09-10 9:53 ` Günther Noack
2024-09-04 10:48 ` [RFC PATCH v3 05/19] selftests/landlock: Test adding a rule for each unknown access Mikhail Ivanov
2024-09-10 9:53 ` Günther Noack
2024-09-04 10:48 ` [RFC PATCH v3 06/19] selftests/landlock: Test adding a rule for unhandled access Mikhail Ivanov
2024-09-10 9:22 ` Günther Noack
2024-09-11 8:19 ` Mikhail Ivanov
2024-09-13 15:04 ` Günther Noack
2024-09-13 16:15 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 07/19] selftests/landlock: Test adding a rule for empty access Mikhail Ivanov
2024-09-18 12:42 ` Günther Noack
2024-09-18 13:03 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 08/19] selftests/landlock: Test overlapped restriction Mikhail Ivanov
2024-09-18 12:42 ` Günther Noack
2024-09-04 10:48 ` [RFC PATCH v3 09/19] selftests/landlock: Test creating a ruleset with unknown access Mikhail Ivanov
2024-09-18 12:44 ` Günther Noack
2024-09-04 10:48 ` [RFC PATCH v3 10/19] selftests/landlock: Test adding a rule with family and type outside the range Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 11/19] selftests/landlock: Test unsupported protocol restriction Mikhail Ivanov
2024-09-18 12:54 ` Günther Noack
2024-09-18 13:36 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 12/19] selftests/landlock: Test that kernel space sockets are not restricted Mikhail Ivanov
2024-09-04 12:45 ` Mikhail Ivanov
2024-09-18 13:00 ` Günther Noack
2024-09-19 10:53 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 13/19] selftests/landlock: Test packet protocol alias Mikhail Ivanov
2024-09-18 13:33 ` Günther Noack
2024-09-18 14:01 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 14/19] selftests/landlock: Test socketpair(2) restriction Mikhail Ivanov
2024-09-18 13:47 ` Günther Noack [this message]
2024-09-23 12:57 ` Mikhail Ivanov
2024-09-25 12:17 ` Mikhail Ivanov
2024-09-27 9:48 ` Günther Noack
2024-09-28 20:06 ` Günther Noack
2024-09-29 17:31 ` Mickaël Salaün
2024-10-03 17:27 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 15/19] selftests/landlock: Test SCTP peeloff restriction Mikhail Ivanov
2024-09-27 14:35 ` Günther Noack
2024-10-03 12:15 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 16/19] selftests/landlock: Test that accept(2) is not restricted Mikhail Ivanov
2024-09-27 14:53 ` Günther Noack
2024-10-03 12:41 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 17/19] samples/landlock: Replace atoi() with strtoull() in populate_ruleset_net() Mikhail Ivanov
2024-09-27 15:12 ` Günther Noack
2024-10-03 12:59 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 18/19] samples/landlock: Support socket protocol restrictions Mikhail Ivanov
2024-10-01 7:56 ` Günther Noack
2024-10-03 13:15 ` Mikhail Ivanov
2024-09-04 10:48 ` [RFC PATCH v3 19/19] landlock: Document socket rule type support Mikhail Ivanov
2024-10-01 7:09 ` Günther Noack
2024-10-03 14:00 ` Mikhail Ivanov
2024-10-03 16:21 ` Günther Noack
2025-04-22 17:19 ` [RFC PATCH v3 00/19] Support socket access-control Mickaël Salaün
2025-04-25 13:58 ` Günther Noack
2025-04-29 11:59 ` Mikhail Ivanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZurZ7nuRRl0Zf2iM@google.com \
--to=gnoack@google.com \
--cc=artem.kuzin@huawei.com \
--cc=gnoack3000@gmail.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.