From: "Mickaël Salaün" <mic@digikod.net>
To: Matthieu Buffet <matthieu@buffet.re>
Cc: "Günther Noack" <gnoack@google.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"James Morris" <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>
Subject: Re: [RFC PATCH v1 5/7] samples/landlock: Add sandboxer UDP access control
Date: Fri, 4 Oct 2024 17:04:23 +0200	[thread overview]
Message-ID: <20241004.ohc2aeYei1oo@digikod.net> (raw)
In-Reply-To: <20240916122230.114800-6-matthieu@buffet.re>

On Mon, Sep 16, 2024 at 02:22:28PM +0200, Matthieu Buffet wrote:
> Add environment variables to control associated access rights:
> (each one takes a list of ports separated by colons, like other
> list options)
> 
> - LL_UDP_BIND
> - LL_UDP_CONNECT
> - LL_UDP_RECVMSG
> - LL_UDP_SENDMSG
> 
> Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
> ---
>  samples/landlock/sandboxer.c | 88 ++++++++++++++++++++++++++++++++----
>  1 file changed, 80 insertions(+), 8 deletions(-)
> 
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> index 08704504dc51..dadd30dad712 100644
> --- a/samples/landlock/sandboxer.c
> +++ b/samples/landlock/sandboxer.c
> @@ -55,6 +55,10 @@ static inline int landlock_restrict_self(const int ruleset_fd,
>  #define ENV_FS_RW_NAME "LL_FS_RW"
>  #define ENV_TCP_BIND_NAME "LL_TCP_BIND"
>  #define ENV_TCP_CONNECT_NAME "LL_TCP_CONNECT"
> +#define ENV_UDP_BIND_NAME "LL_UDP_BIND"
> +#define ENV_UDP_CONNECT_NAME "LL_UDP_CONNECT"
> +#define ENV_UDP_RECVMSG_NAME "LL_UDP_RECVMSG"
> +#define ENV_UDP_SENDMSG_NAME "LL_UDP_SENDMSG"
>  #define ENV_DELIMITER ":"
>  
>  static int parse_path(char *env_path, const char ***const path_list)
> @@ -219,7 +223,7 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd,
>  
>  /* clang-format on */
>  
> -#define LANDLOCK_ABI_LAST 5
> +#define LANDLOCK_ABI_LAST 6
>  
>  static void print_help(const char *prog)
>  {
> @@ -247,11 +251,25 @@ static void print_help(const char *prog)
>  		"to allow nothing, e.g. %s=\"\"):\n",
>  		ENV_TCP_BIND_NAME);
>  	fprintf(stderr,
> -		"* %s: list of ports allowed to bind (server).\n",
> +		"* %s: list of TCP ports allowed to bind (server)\n",
>  		ENV_TCP_BIND_NAME);
>  	fprintf(stderr,
> -		"* %s: list of ports allowed to connect (client).\n",
> +		"* %s: list of TCP ports allowed to connect (client)\n",
>  		ENV_TCP_CONNECT_NAME);
> +	fprintf(stderr,
> +		"* %s: list of UDP ports allowed to bind (client: set as "
> +		"source port/server: listen on port)\n",
> +		ENV_UDP_BIND_NAME);
> +	fprintf(stderr,
> +		"* %s: list of UDP ports allowed to connect (client: set as "
> +		"destination port/server: only receive from one client)\n",
> +		ENV_UDP_CONNECT_NAME);
> +	fprintf(stderr,
> +		"* %s: list of UDP ports allowed to send to (client/server)\n",
> +		ENV_UDP_SENDMSG_NAME);
> +	fprintf(stderr,
> +		"* %s: list of UDP ports allowed to recv from (client/server)\n",
> +		ENV_UDP_RECVMSG_NAME);
>  	fprintf(stderr,
>  		"\n"
>  		"Example:\n"
> @@ -259,9 +277,12 @@ static void print_help(const char *prog)
>  		"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
>  		"%s=\"9418\" "
>  		"%s=\"80:443\" "
> +		"%s=\"0\" "
> +		"%s=\"53\" "
>  		"%s bash -i\n\n",
>  		ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
> -		ENV_TCP_CONNECT_NAME, prog);
> +		ENV_TCP_CONNECT_NAME, ENV_UDP_RECVMSG_NAME,
> +		ENV_UDP_SENDMSG_NAME, prog);
>  	fprintf(stderr,
>  		"This sandboxer can use Landlock features "
>  		"up to ABI version %d.\n",
> @@ -280,7 +301,11 @@ int main(const int argc, char *const argv[], char *const *const envp)
>  	struct landlock_ruleset_attr ruleset_attr = {
>  		.handled_access_fs = access_fs_rw,
>  		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
> -				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
> +				      LANDLOCK_ACCESS_NET_CONNECT_TCP |
> +				      LANDLOCK_ACCESS_NET_BIND_UDP |
> +				      LANDLOCK_ACCESS_NET_CONNECT_UDP |
> +				      LANDLOCK_ACCESS_NET_RECVMSG_UDP |
> +				      LANDLOCK_ACCESS_NET_SENDMSG_UDP,
>  	};
>  
>  	if (argc < 2) {
> @@ -354,6 +379,14 @@ int main(const int argc, char *const argv[], char *const *const envp)
>  			"provided by ABI version %d (instead of %d).\n",
>  			LANDLOCK_ABI_LAST, abi);
>  		__attribute__((fallthrough));

> +	case 5:
> +		/* Removes UDP support for ABI < 6 */
> +		ruleset_attr.handled_access_net &=
> +			~(LANDLOCK_ACCESS_NET_BIND_UDP |
> +			  LANDLOCK_ACCESS_NET_CONNECT_UDP |
> +			  LANDLOCK_ACCESS_NET_RECVMSG_UDP |
> +			  LANDLOCK_ACCESS_NET_SENDMSG_UDP);
> +		__attribute__((fallthrough));

This hunk should go just after the "scoped" field cleanup and before the
hint.  This way the hint is always printed if the current ABI is not the
last (known) one.  This hunk should then start with a fallthrough
attribute.

>  	case LANDLOCK_ABI_LAST:
>  		break;
>  	default:
> @@ -366,18 +399,42 @@ int main(const int argc, char *const argv[], char *const *const envp)
>  	access_fs_ro &= ruleset_attr.handled_access_fs;
>  	access_fs_rw &= ruleset_attr.handled_access_fs;
>  
> -	/* Removes bind access attribute if not supported by a user. */
> +	/* Removes TCP bind access attribute if not supported by a user. */

You can send a separate patch with these comment fixes.

>  	env_port_name = getenv(ENV_TCP_BIND_NAME);
>  	if (!env_port_name) {
>  		ruleset_attr.handled_access_net &=
>  			~LANDLOCK_ACCESS_NET_BIND_TCP;
>  	}
> -	/* Removes connect access attribute if not supported by a user. */
> +	/* Removes TCP connect access attribute if not supported by a user. */
>  	env_port_name = getenv(ENV_TCP_CONNECT_NAME);
>  	if (!env_port_name) {
>  		ruleset_attr.handled_access_net &=
>  			~LANDLOCK_ACCESS_NET_CONNECT_TCP;
>  	}
> +	/* Removes UDP bind access attribute if not supported by a user. */
> +	env_port_name = getenv(ENV_UDP_BIND_NAME);
> +	if (!env_port_name) {
> +		ruleset_attr.handled_access_net &=
> +			~LANDLOCK_ACCESS_NET_BIND_UDP;
> +	}
> +	/* Removes UDP bind access attribute if not supported by a user. */
> +	env_port_name = getenv(ENV_UDP_CONNECT_NAME);
> +	if (!env_port_name) {
> +		ruleset_attr.handled_access_net &=
> +			~LANDLOCK_ACCESS_NET_CONNECT_UDP;
> +	}
> +	/* Removes UDP recv access attribute if not supported by a user. */
> +	env_port_name = getenv(ENV_UDP_RECVMSG_NAME);
> +	if (!env_port_name) {
> +		ruleset_attr.handled_access_net &=
> +			~LANDLOCK_ACCESS_NET_RECVMSG_UDP;
> +	}
> +	/* Removes UDP send access attribute if not supported by a user. */
> +	env_port_name = getenv(ENV_UDP_SENDMSG_NAME);
> +	if (!env_port_name) {
> +		ruleset_attr.handled_access_net &=
> +			~LANDLOCK_ACCESS_NET_SENDMSG_UDP;
> +	}
>  
>  	ruleset_fd =
>  		landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
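Review bot: The comment added above the `ENV_UDP_CONNECT_NAME` block reads `/* Removes UDP bind access attribute if not supported by a user. */`, a copy of the bind block's comment, although the code under it clears `LANDLOCK_ACCESS_NET_CONNECT_UDP`; it should read `/* Removes UDP connect access attribute if not supported by a user. */`. The six getenv-then-mask blocks differ only in their (variable name, access bit) pair, so a small table walked in a loop would remove the duplication and keep comments like this from drifting. main() starts and ends outside the hunk.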
> @@ -392,7 +449,6 @@ int main(const int argc, char *const argv[], char *const *const envp)
>  	if (populate_ruleset_fs(ENV_FS_RW_NAME, ruleset_fd, access_fs_rw)) {
>  		goto err_close_ruleset;
>  	}
> -
>  	if (populate_ruleset_net(ENV_TCP_BIND_NAME, ruleset_fd,
>  				 LANDLOCK_ACCESS_NET_BIND_TCP)) {
>  		goto err_close_ruleset;
> @@ -401,6 +457,22 @@ int main(const int argc, char *const argv[], char *const *const envp)
>  				 LANDLOCK_ACCESS_NET_CONNECT_TCP)) {
>  		goto err_close_ruleset;
>  	}
> +	if (populate_ruleset_net(ENV_UDP_BIND_NAME, ruleset_fd,
> +				 LANDLOCK_ACCESS_NET_BIND_UDP)) {
> +		goto err_close_ruleset;
> +	}
> +	if (populate_ruleset_net(ENV_UDP_CONNECT_NAME, ruleset_fd,
> +				 LANDLOCK_ACCESS_NET_CONNECT_UDP)) {
> +		goto err_close_ruleset;
> +	}
> +	if (populate_ruleset_net(ENV_UDP_RECVMSG_NAME, ruleset_fd,
> +				 LANDLOCK_ACCESS_NET_RECVMSG_UDP)) {
> +		goto err_close_ruleset;
> +	}
> +	if (populate_ruleset_net(ENV_UDP_SENDMSG_NAME, ruleset_fd,
> +				 LANDLOCK_ACCESS_NET_SENDMSG_UDP)) {
> +		goto err_close_ruleset;
> +	}
>  
>  	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
>  		perror("Failed to restrict privileges");
> -- 
> 2.39.5
> 
> 
