From: "Günther Noack" <gnoack@google.com>
To: Alejandro Colomar <alx@kernel.org>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
	linux-man@vger.kernel.org, "Günther Noack" <gnoack@google.com>
Subject: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4
Date: Tue, 23 Jul 2024 10:19:16 +0000
Message-ID: <20240723101917.90918-2-gnoack@google.com>
In-Reply-To: <20240723101917.90918-1-gnoack@google.com>

Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.

The intent is to bring the man pages mostly in line with the kernel
documentation again.  I intentionally did not add networking support to the
usage example in landlock.7 - I feel that in the long run, we would be better
advised to maintain longer example code in the kernel samples.

Closes: <https://github.com/landlock-lsm/linux/issues/32>
Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Reviewed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Günther Noack <gnoack@google.com>
---
 man/man2/landlock_add_rule.2       | 74 ++++++++++++++++++++++++++----
 man/man2/landlock_create_ruleset.2 | 12 ++++-
 man/man7/landlock.7                | 23 ++++++++--
 3 files changed, 94 insertions(+), 15 deletions(-)

diff --git a/man/man2/landlock_add_rule.2 b/man/man2/landlock_add_rule.2
index 7a83bb303..489e9c354 100644
--- a/man/man2/landlock_add_rule.2
+++ b/man/man2/landlock_add_rule.2
@@ -20,15 +20,14 @@ Standard C library
 .BI "            const void *" rule_attr ", uint32_t " flags );
 .fi
 .SH DESCRIPTION
-A Landlock rule describes an action on an object.
-An object is currently a file hierarchy,
-and the related filesystem actions
-are defined with a set of access rights.
-This
+A Landlock rule describes an action on an object
+which the process intends to perform.
+A set of rules is aggregated in a ruleset,
+which can then restrict the thread enforcing it, and its future children.
+.P
+The
 .BR landlock_add_rule ()
-system call enables adding a new Landlock rule to an existing ruleset
-created with
-.BR landlock_create_ruleset (2).
+system call adds a new Landlock rule to an existing ruleset.
 See
 .BR landlock (7)
 for a global overview.
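Review bot: The rewrite of the DESCRIPTION drops the cross-reference to landlock_create_ruleset(2) that the removed lines carried ("created with .BR landlock_create_ruleset (2)"), so a reader of this page alone no longer learns where the "existing ruleset" comes from. Consider keeping it, e.g. "system call adds a new Landlock rule to an existing ruleset created with .BR landlock_create_ruleset (2)."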
@@ -42,10 +41,15 @@ identifies the structure type pointed to by
 .IR rule_attr .
 Currently, Linux supports the following
 .I rule_type
-value:
+values:
 .TP
 .B LANDLOCK_RULE_PATH_BENEATH
-This defines the object type as a file hierarchy.
+For these rules,
+the object is a file hierarchy,
+and the related filesystem actions
+are defined with
+.IR "filesystem access rights" .
+.IP
 In this case,
 .I rule_attr
 points to the following structure:
@@ -74,6 +78,45 @@ is an opened file descriptor, preferably with the
 flag,
 which identifies the parent directory of the file hierarchy or
 just a file.
+.TP
+.B LANDLOCK_RULE_NET_PORT
+For these rules,
+the object is a TCP port,
+and the related actions are defined with
+.IR "network access rights" .
+.IP
+In this case,
+.I rule_attr
+points to the following structure:
+.IP
+.in +4n
+.EX
+struct landlock_net_port_attr {
+    __u64 allowed_access;
+    __u64 port;
+};
+.EE
+.in
+.IP
+.i allowed_access
+contains a bitmask of allowed network actions,
+which can be applied on the given port.
+.IP
+.i port
+is the network port in host endianness.
+.IP
+It should be noted that port 0 passed to
+.BR bind (2)
+will bind to an available port from the ephemeral port range.
+This can be configured in the
+.I /proc/sys/net/ipv4/ip_local_port_range
+sysctl (also used for IPv6).
+.IP
+A Landlock rule with port 0
+and the
+.B LANDLOCK_ACCESS_NET_BIND_TCP
+right means that requesting to bind on port 0 is allowed
+and it will automatically translate to binding on the related port range.
 .P
 .I flags
 must be 0.
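Review bot: The two field descriptions use a lowercase ".i" macro (".i allowed_access" and ".i port"), which is not a man(7) macro and will not render the field names in italics; the rest of this page uses ".I", as in ".I rule_attr" a few lines above. Change both to ".I".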
@@ -89,6 +132,12 @@ is set to indicate the error.
 .BR landlock_add_rule ()
 can fail for the following reasons:
 .TP
+.B EAFNOSUPPORT
+.I rule_type
+is
+.BR LANDLOCK_RULE_NET_PORT ,
+but TCP is not supported by the running kernel.
+.TP
 .B EOPNOTSUPP
 Landlock is supported by the kernel but disabled at boot time.
 .TP
@@ -111,6 +160,11 @@ are only applicable to directories, but
 .I \%rule_attr\->parent_fd
 does not refer to a directory).
 .TP
+.B EINVAL
+In
+.IR \%struct\~landlock_net_port_attr ,
+the port number is greater than 65535.
+.TP
 .B ENOMSG
 Empty accesses (i.e.,
 .I rule_attr\->allowed_access
diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
index 105e9b062..ca635ddbc 100644
--- a/man/man2/landlock_create_ruleset.2
+++ b/man/man2/landlock_create_ruleset.2
@@ -41,6 +41,7 @@ It points to the following structure:
 .EX
 struct landlock_ruleset_attr {
     __u64 handled_access_fs;
+    __u64 handled_access_net;
 };
 .EE
 .in
@@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
 in
 .BR landlock (7)).
 .IP
+.I handled_access_net
+is a bitmask of handled network actions
+(see
+.B Network actions
+in
+.BR landlock (7)).
+.IP
 This structure defines a set of
 .IR "handled access rights" ,
 a set of actions on different object types,
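Review bot: The cross-reference points at a section named "Network actions" (".B Network actions"), but the subsection this same patch adds to landlock.7 is titled ".SS Network flags"; the two names should match so the reference resolves for the reader. Either rename the landlock.7 subsection or change the reference here.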
@@ -143,8 +151,8 @@ was not a valid address.
 .TP
 .B ENOMSG
 Empty accesses (i.e.,
-.I attr\->handled_access_fs
-is 0).
+.I attr
+did not specify any access rights to restrict).
 .SH STANDARDS
 Linux.
 .SH HISTORY
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 652054f15..52876a3de 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -189,6 +189,19 @@ If multiple requirements are not met, the
 error code takes precedence over
 .BR EXDEV .
 .\"
+.SS Network flags
+These flags enable to restrict a sandboxed process
+to a set of network actions.
+This is supported since the Landlock ABI version 4.
+.P
+The following access rights apply to TCP port numbers:
+.TP
+.B LANDLOCK_ACCESS_NET_BIND_TCP
+Bind a TCP socket to a local port.
+.TP
+.B LANDLOCK_ACCESS_NET_CONNECT_TCP
+Connect an active TCP socket to a remote port.
+.\"
 .SS Layers of file path access rights
 Each time a thread enforces a ruleset on itself,
 it updates its Landlock domain with a new layer of policy.
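Review bot: "These flags enable to restrict a sandboxed process to a set of network actions" is ungrammatical ("enable" needs an object); "These flags make it possible to restrict a sandboxed process to a set of network actions" reads better. It would also help to state in the intro that, in ABI 4, the rights below apply only to TCP sockets, since the two right names already say so but the sentence "apply to TCP port numbers" leaves the socket type implicit.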
@@ -339,6 +352,9 @@ _	_	_
 2	5.19	LANDLOCK_ACCESS_FS_REFER
 _	_	_
 3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
+_	_	_
+4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
+\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
 .TE
 .P
 Users should use the Landlock ABI version rather than the kernel version
@@ -439,9 +455,10 @@ and only use the available subset of access rights:
  * numbers hardcoded to keep the example short.
  */
 __u64 landlock_fs_access_rights[] = {
-    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
-    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
-    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
+    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
+    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
+    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
+    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
 };
 \&
 int abi = landlock_create_ruleset(NULL, 0,
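Review bot: The new v4 entry repeats the v3 mask "(LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1", which is correct because ABI 4 added no filesystem rights, but the comment "/* v4: TCP support */" reads as if the mask itself changed; a comment such as "/* v4: no new fs rights (TCP support only) */" would say why the row exists. The re-alignment of the v1 to v3 lines is whitespace-only churn that enlarges the diff; it could be dropped or moved to a separate cleanup commit.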
-- 
2.45.2.1089.g2a221341d9-goog

