From: Matthieu Baerts <matttbe@kernel.org>
To: "Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
"Mickaël Salaün" <mic@digikod.net>
Cc: gnoack@google.com, willemdebruijn.kernel@gmail.com,
matthieu@buffet.re, linux-security-module@vger.kernel.org,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
yusongping@huawei.com, artem.kuzin@huawei.com,
konstantin.meskhidze@huawei.com,
MPTCP Linux <mptcp@lists.linux.dev>,
linux-nfs@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Subject: Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction
Date: Tue, 28 Jan 2025 19:14:02 +0100 [thread overview]
Message-ID: <594263fc-f4e7-43ce-a613-d3f8ebb7f874@kernel.org> (raw)
In-Reply-To: <d3d589c3-a70b-fc6e-e1bb-d221833dfef5@huawei-partners.com>
Hi Mikhail,
Sorry, I didn't follow all the discussions in this thread, but here are
some comments, hoping this can help to clarify the MPTCP case.
On 28/01/2025 11:56, Mikhail Ivanov wrote:
> On 1/27/2025 10:48 PM, Mickaël Salaün wrote:
(...)
>> I'm a bit worried that we miss some of these places (now or in future
>> kernel versions). We'll need a new LSM hook for that.
>>
>> Could you list the current locations?
>
> Currently, I know only about TCP-related transformations:
>
> * SMC can fallback to TCP during connection. TCP connection is used
> (1) to exchange CLC control messages in default case and (2) for the
> communication in the case of fallback. If socket was connected or
> connection failed, socket can not be reconnected again. There is no
> existing security hook to control the fallback case,
>
> * MPTCP uses TCP for communication between two network interfaces in the
> default case and can fallback to plain TCP if remote peer does not
> support MPTCP. AFAICS, there is also no security hook to control the
> fallback transformation,
There are security hooks to control the path creation, but not to
control the "fallback transformation".
Technically, with MPTCP, the userspace will create an IPPROTO_MPTCP
socket. This is only used "internally": to communicate between the
userspace and the kernelspace, but not directly used between network
interfaces. This "external" communication is done via one or multiple
kernel TCP sockets carrying extra TCP options for the mapping. The
userspace cannot directly control these sockets created by the kernel.
In case of fallback, the kernel TCP socket "simply" drop the extra TCP
options needed for MPTCP, and carry on like normal TCP. So on the wire
and in the Linux network stack, it is the same TCP connection, without
the MPTCP options in the TCP header. The userspace continue to
communicate with the same socket.
I'm not sure if there is a need to block the fallback: it means only one
path can be used at a time.
> * IPv6 -> IPv4 transformation for TCP and UDP sockets with
> IPV6_ADDRFORM. Can be controlled with setsockopt() security hook.
>
> As I said before, I wonder if user may want to use SMC or MPTCP and deny
> TCP communication, since he should rely on fallback transformation
> during the connection in the common case. It may be unexpected for
> connect(2) to fail during the fallback due to security politics.
With MPTCP, fallbacks can happen at the beginning of a connection, when
there is only one path. This is done after the userspace's connect(). If
the fallback is blocked, I guess the userspace will get the same errors
as when an open connection is reset.
(Note that on the listener side, the fallback can happen before the
userspace's accept() which can even get an IPPROTO_TCP socket in return)
> Theoretically, any TCP restriction should cause similar SMC and MPTCP
> restriction. If we deny creation of TCP sockets, we should also deny
> creation of SMC and MPTCP sockets. I thought that such dependencies may
> be too complex and it will be better to leave them for the user and not
> provide any transformation control at all. What do you think?
I guess the creation of "kernel" TCP sockets used by MPTCP (and SMC?)
can be restricted, it depends on where this hook is placed I suppose.
(...)
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
next prev parent reply other threads:[~2025-01-28 18:14 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-17 11:04 [RFC PATCH v2 0/8] Fix non-TCP restriction and inconsistency of TCP errors Mikhail Ivanov
2024-10-17 11:04 ` [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction Mikhail Ivanov
2024-10-17 12:59 ` Matthieu Baerts
2024-10-18 18:08 ` Mickaël Salaün
2024-10-31 16:21 ` Mikhail Ivanov
2024-11-08 17:16 ` David Laight
2024-12-04 19:29 ` Mickaël Salaün
2024-12-12 18:43 ` Mickaël Salaün
2024-12-13 18:19 ` Mikhail Ivanov
2025-01-24 15:02 ` Mickaël Salaün
2025-01-27 12:40 ` Mikhail Ivanov
2025-01-27 19:48 ` Mickaël Salaün
2025-01-28 10:56 ` Mikhail Ivanov
2025-01-28 18:14 ` Matthieu Baerts [this message]
2025-01-29 9:52 ` Mikhail Ivanov
2025-01-29 10:25 ` Matthieu Baerts
2025-01-29 11:02 ` Mikhail Ivanov
2025-01-29 11:33 ` Matthieu Baerts
2025-01-29 11:47 ` Mikhail Ivanov
2025-01-29 11:57 ` Matthieu Baerts
2025-01-29 14:51 ` Mickaël Salaün
2025-01-29 15:44 ` Matthieu Baerts
2025-01-30 9:51 ` Mickaël Salaün
2025-01-30 10:18 ` Matthieu Baerts
2025-01-31 11:04 ` Mikhail Ivanov
2024-12-04 19:27 ` Mickaël Salaün
2024-12-04 19:35 ` Mickaël Salaün
2024-12-09 10:19 ` Mikhail Ivanov
2024-12-10 18:04 ` Mickaël Salaün
2024-12-10 18:05 ` Mickaël Salaün
2024-12-11 15:24 ` Mikhail Ivanov
2024-12-12 18:43 ` Mickaël Salaün
2024-12-13 11:42 ` Mikhail Ivanov
2024-12-04 19:30 ` Mickaël Salaün
2024-12-09 10:19 ` Mikhail Ivanov
2024-10-17 11:04 ` [RFC PATCH v2 2/8] landlock: Make network stack layer checks explicit for each TCP action Mikhail Ivanov
2024-10-17 11:04 ` [RFC PATCH v2 3/8] landlock: Fix inconsistency of errors for TCP actions Mikhail Ivanov
2024-10-17 11:34 ` Mikhail Ivanov
2024-10-17 12:48 ` Tetsuo Handa
2024-11-06 9:27 ` Mikhail Ivanov
2024-12-04 19:32 ` Mickaël Salaün
2024-10-17 11:04 ` [RFC PATCH v2 4/8] selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP Mikhail Ivanov
2024-10-17 11:04 ` [RFC PATCH v2 5/8] selftests/landlock: Test that MPTCP actions are not restricted Mikhail Ivanov
2024-10-17 11:04 ` [RFC PATCH v2 6/8] selftests/landlock: Test consistency of errors for TCP actions Mikhail Ivanov
2024-12-10 18:07 ` Mickaël Salaün
2024-12-11 15:29 ` Mikhail Ivanov
2024-10-17 11:04 ` [RFC PATCH v2 7/8] landlock: Add note about errors consistency in documentation Mikhail Ivanov
2024-12-10 18:08 ` Mickaël Salaün
2024-12-11 15:30 ` Mikhail Ivanov
2024-10-17 11:04 ` [RFC PATCH v2 8/8] selftests/landlock: Test that SCTP actions are not restricted Mikhail Ivanov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=594263fc-f4e7-43ce-a613-d3f8ebb7f874@kernel.org \
--to=matttbe@kernel.org \
--cc=artem.kuzin@huawei.com \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-nfs@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthieu@buffet.re \
--cc=mic@digikod.net \
--cc=mptcp@lists.linux.dev \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).