From: Matthieu Buffet <matthieu@buffet.re>
To: "Mickaël Salaün" <mic@digikod.net>, "Günther Noack" <gnoack@google.com>
Cc: linux-security-module@vger.kernel.org,
Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
konstantin.meskhidze@huawei.com, Tingmao Wang <m@maowtm.org>,
netdev@vger.kernel.org, Matthieu Buffet <matthieu@buffet.re>
Subject: [PATCH v5 0/6] landlock: Add UDP access control support
Date: Thu, 11 Jun 2026 18:21:00 +0200
Message-ID: <20260611162107.49278-1-matthieu@buffet.re>

Hi,

This is V5 (hopefully final) of UDP access control in Landlock. It has
very few changes compared to v4, described below; all feedback given so
far should be in there (if not, that's a mistake on my part). It adds
only two access rights, to restrict configuring local and remote
addresses on UDP sockets. The one that restricts setting a remote
address also controls sending datagrams to explicit remote addresses
(ignoring any remote address preset on the socket). The one that
restricts binding to a local port also applies when the kernel
auto-binds an ephemeral port.

Changes v1->v2
==============
- recvmsg hook is gone and sendmsg hook doesn't apply when sending to a
  remote address pre-set on socket, to improve performance
- don't add a get_addr_port() helper function, which required a weird
  "am I in IPv4 or IPv6 context"
- reorder hook prologue for consistency: check domain, then type and
  family

Changes v2->v3
==============
- removed support for sending datagrams with explicit destination
  address of family AF_UNSPEC, which allowed bypassing restrictions with
  a race condition
- rebased on linux-mic/next => add support for auditing
- fixed mistake in selftests when using unspec_srv variables, which were
  implicitly of type SOCK_STREAM and did not actually test UDP code
- add tests for IPPROTO_IP
- improved docs, split off TCP-related refactoring

Changes v3->v4
==============
- merge LANDLOCK_ACCESS_NET_CONNECT_UDP and
  LANDLOCK_ACCESS_NET_SENDTO_UDP into
  LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP (everything that might set the
  destination of a datagram)
- make LANDLOCK_ACCESS_NET_BIND_UDP apply when kernel is about to
  auto-bind an ephemeral port for the caller. Block it if policy would
  not allow an explicit call to bind(0)
- only deny sending AF_UNSPEC datagrams on IPv6 sockets, where there is
  a risk of the address family changing midway

Changes v4->v5
==============
- fix unmarked racy socket address family accesses
- fix improper bind(0) autobind access check when connecting to AF_UNSPEC
- fix example code structure in documentation to match pattern of usage
  used in the rest of the code
- fix bad copy-pastes in selftests, and some unimportant variable types
- squash LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP commits
- add a small help note in sandboxer to point out the need to allow
  binding a source port when emitting, to reduce surprises if people
  try to get a feeling of the feature through sandboxer before reading
  the docs

v1:
Link: https://lore.kernel.org/all/20240916122230.114800-1-matthieu@buffet.re/
v2:
Link: https://lore.kernel.org/all/20241214184540.3835222-1-matthieu@buffet.re/
v3:
Link: https://lore.kernel.org/all/20251212163704.142301-1-matthieu@buffet.re/
v4:
Link: https://lore.kernel.org/all/20260502124306.3975990-1-matthieu@buffet.re/

Based on https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git
9ea6fb415fc8 ("selftests/landlock: Explicitly disable audit in teardowns")
from branch next.

All lines added are covered with selftests (net.c goes from 93.1% to 95.3%
line coverage).

Closes: https://github.com/landlock-lsm/linux/issues/10

Matthieu Buffet (6):
  landlock: Add UDP bind() access control
  landlock: Add UDP send+connect access control
  selftests/landlock: Add tests for UDP bind/connect
  selftests/landlock: Add tests for UDP send
  samples/landlock: Add sandboxer UDP access control
  landlock: Add documentation for UDP support

 Documentation/userspace-api/landlock.rst     |   91 +-
 include/uapi/linux/landlock.h                |   35 +-
 samples/landlock/sandboxer.c                 |   41 +-
 security/landlock/audit.c                    |    3 +
 security/landlock/limits.h                   |    2 +-
 security/landlock/net.c                      |  155 ++-
 security/landlock/syscalls.c                 |    2 +-
 tools/testing/selftests/landlock/base_test.c |    4 +-
 tools/testing/selftests/landlock/net_test.c  | 1166 ++++++++++++++++--
 9 files changed, 1353 insertions(+), 146 deletions(-)

base-commit: 9ea6fb415fc8b535da91dadd74f948d96ba3d41d
--
2.47.3
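
Added example, not part of the patch series or of the message above: a user-space C model of the two access rights as the cover letter describes them, showing that a datagram sent from an unbound socket also needs a rule allowing bind on port 0. The bit values, struct names and function names are hypothetical, and AF_UNSPEC handling is left out.

```c
/* Constructed model, not kernel code; the bit values are placeholders. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define BIND_UDP         (1u << 0) /* LANDLOCK_ACCESS_NET_BIND_UDP */
#define CONNECT_SEND_UDP (1u << 1) /* LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP */
struct port_rule { uint16_t port; uint32_t allowed; };
struct domain { uint32_t handled; const struct port_rule *rules; size_t n; };
struct udp_sock { bool bound, connected; };

/* Unhandled rights are unrestricted; else a rule for that port must grant it. */
static bool allowed(const struct domain *d, uint32_t right, uint16_t port)
{
	bool ok = !(d->handled & right);
	for (size_t i = 0; i < d->n; i++)
		ok |= d->rules[i].port == port && (d->rules[i].allowed & right);
	return ok;
}

/* Auto-binding an unbound socket is checked like an explicit bind(0). */
static bool autobind(const struct domain *d, struct udp_sock *s)
{
	if (!s->bound && !allowed(d, BIND_UDP, 0))
		return false;
	return s->bound = true;
}

static bool udp_connect(const struct domain *d, struct udp_sock *s, uint16_t dport)
{
	if (!allowed(d, CONNECT_SEND_UDP, dport) || !autobind(d, s))
		return false;
	return s->connected = true;
}

/* has_dest: explicit destination (sendto); otherwise the preset one is used. */
static bool udp_send(const struct domain *d, struct udp_sock *s, bool has_dest,
		     uint16_t dport)
{
	return (has_dest ? allowed(d, CONNECT_SEND_UDP, dport) : s->connected) &&
	       autobind(d, s);
}

int main(void)
{
	const struct port_rule dns_only[] = { { 53, CONNECT_SEND_UDP } };
	const struct domain d = { BIND_UDP | CONNECT_SEND_UDP, dns_only, 1 };
	struct udp_sock s = { false, false };
	return udp_send(&d, &s, true, 53) ? 1 : 0; /* 0: denied, no bind(0) rule */
}
```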

Thread overview: 8+ messages
2026-06-11 16:21 Matthieu Buffet [this message]
2026-06-11 16:21 ` [PATCH v5 1/6] landlock: Add UDP bind() access control Matthieu Buffet
2026-06-11 16:21 ` [PATCH v5 2/6] landlock: Add UDP send+connect " Matthieu Buffet
2026-06-13 20:55 ` Mickaël Salaün
2026-06-11 16:21 ` [PATCH v5 3/6] selftests/landlock: Add tests for UDP bind/connect Matthieu Buffet
2026-06-11 16:21 ` [PATCH v5 4/6] selftests/landlock: Add tests for UDP send Matthieu Buffet
2026-06-11 16:21 ` [PATCH v5 5/6] samples/landlock: Add sandboxer UDP access control Matthieu Buffet
2026-06-11 16:21 ` [PATCH v5 6/6] landlock: Add documentation for UDP support Matthieu Buffet