public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Michael Stone <michael@laptop.org>
To: linux-kernel@vger.kernel.org
Cc: Michael Stone <michael@laptop.org>
Subject: [PATCH] Security: Document RLIMIT_NETWORK.
Date: Sat, 12 Dec 2009 22:30:03 -0500	[thread overview]
Message-ID: <20091213033003.GA4369@heat> (raw)
In-Reply-To: <1260674379-4262-1-git-send-email-michael@laptop.org>

Signed-off-by: Michael Stone <michael@laptop.org>
---
  Documentation/rlimit_network.txt |   55 ++++++++++++++++++++++++++++++++++++++
  1 files changed, 55 insertions(+), 0 deletions(-)
  create mode 100644 Documentation/rlimit_network.txt

diff --git a/Documentation/rlimit_network.txt b/Documentation/rlimit_network.txt
new file mode 100644
index 0000000..3307866
--- /dev/null
+++ b/Documentation/rlimit_network.txt
@@ -0,0 +1,55 @@
+Purpose
+-------
+
+Daniel Bernstein has observed [1] that security-conscious userland processes
+may benefit from the ability to irrevocably remove their ability to create,
+bind, connect to, or send messages except in the case of previously connected
+sockets or AF_UNIX filesystem sockets.
+
+This facility is particularly attractive to security platforms like OLPC
+Bitfrost [2] and to isolation programs like Rainbow [3] and Plash [4] because:
+
+  * it integrates well with standard techniques for writing privilege-separated
+    Unix programs
+
+  * it integrates well with the need to perform limited socket I/O, e.g., when
+    running X clients
+
+  * it's available to unprivileged programs
+
+  * it's a discretionary feature available to all of distributors,
+    administrators, authors, and users
+
+  * its effect is entirely local, rather than global (like netfilter)
+
+  * it's simple enough to have some hope of being used correctly
+
+Implementation
+--------------
+
+After considering implementations based on the Linux Security Module (LSM)
+framework, on SELinux in particular, on network namespaces (CLONE_NEWNET), and
+on direct modification of the kernel syscall and task_struct APIs, we came to
+the conclusion that the best way to implement this feature was to extend the
+resource limits framework with a new RLIMIT_NETWORK field and to modify the
+implementations of the relevant socket calls to return -EPERM when
+
+  current->signal->rlim[RLIMIT_NETWORK].rlim_cur == 0
+
+unless we are manipulating an AF_UNIX socket whose name does not begin with \0
+or, in the case of sendmsg(), unless we are manipulating a previously connected
+socket, i.e. one with
+
+  msg.msg_name == NULL && msg.msg_namelen == 0
+
+Finally, in response to criticism from Alan Cox, we insert a similar access
+check into __ptrace_may_access() to prevent processes which have dropped their
+networking privileges from performing network I/O by ptracing other processes.
+
+References
+----------
+
+[1]: http://cr.yp.to/unix/disablenetwork.html
+[2]: http://wiki.laptop.org/go/OLPC_Bitfrost
+[3]: http://wiki.laptop.org/go/Rainbow
+[4]: http://plash.beasts.org/
-- 
1.5.6.5


  parent reply	other threads:[~2009-12-13  3:35 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-12-13  3:19 Network isolation with RLIMIT_NETWORK, cont'd Michael Stone
2009-12-13  3:26 ` [PATCH] Security: Implement RLIMIT_NETWORK Michael Stone
2009-12-13  3:30 ` Michael Stone [this message]
2009-12-13  3:44 ` Network isolation with RLIMIT_NETWORK, cont'd Michael Stone
2009-12-13  5:09   ` setrlimit(RLIMIT_NETWORK) vs. prctl(???) Michael Stone
2009-12-13  5:20     ` Ulrich Drepper
2009-12-15  5:33       ` Michael Stone
2009-12-16 15:30         ` Michael Stone
2009-12-16 15:32           ` [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface Michael Stone
2009-12-16 15:59             ` Andi Kleen
2009-12-17  1:25               ` Michael Stone
2009-12-17  8:52                 ` Andi Kleen
     [not found]                 ` <fb69ef3c0912170906t291a37c4r6c4758ddc7dd300b@mail.gmail.com>
2009-12-17 17:14                   ` Andi Kleen
2009-12-17 22:58                     ` Mark Seaborn
2009-12-18  3:00                       ` Michael Stone
2009-12-18  3:29                         ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) interface. (v2) Michael Stone
2009-12-18  4:43                           ` Valdis.Kletnieks
2009-12-18 15:46                           ` Alan Cox
2009-12-18 16:33                             ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) Michael Stone
2009-12-18 17:20                               ` Alan Cox
2009-12-18 17:47                                 ` Eric W. Biederman
2009-12-24  6:13                                   ` Michael Stone
2009-12-24 12:37                                     ` Eric W. Biederman
2009-12-24  1:42                               ` [PATCH 0/3] Discarding networking privilege via LSM Michael Stone
2009-12-24  1:44                                 ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) interface. (v3) Michael Stone
2009-12-24  4:38                                   ` Samir Bellabes
2009-12-24  5:44                                     ` Michael Stone
2009-12-24  5:51                                     ` Tetsuo Handa
2009-12-24  1:45                                 ` [PATCH 2/3] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics. (v3) Michael Stone
2009-12-24  1:45                                 ` [PATCH 3/3] Security: Document prctl(PR_{GET,SET}_NETWORK). (v3) Michael Stone
2009-12-25 17:09                               ` [PATCH 1/3] Security: Add prctl(PR_{GET,SET}_NETWORK) Pavel Machek
2009-12-18  3:31                         ` [PATCH 2/3] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics. (v2) Michael Stone
2009-12-18  3:57                           ` Eric W. Biederman
2009-12-18  3:32                         ` [PATCH 3/3] Security: Document prctl(PR_{GET,SET}_NETWORK). (v2) Michael Stone
2009-12-18 17:49                         ` [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface Stephen Hemminger
2009-12-19 12:02                           ` David Wagner
2009-12-19 12:29                             ` Alan Cox
2009-12-20 17:53                         ` Mark Seaborn
2009-12-17  9:25             ` Américo Wang
2009-12-17 16:28               ` Michael Stone
2009-12-17 17:23             ` Randy Dunlap
2009-12-17 17:25               ` Randy Dunlap
2009-12-16 15:32           ` [PATCH] Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics Michael Stone
2009-12-17 19:18             ` Eric W. Biederman
2009-12-16 15:32           ` [PATCH] Security: Document prctl(PR_{GET,SET}_NETWORK) Michael Stone
2009-12-13  8:32   ` Network isolation with RLIMIT_NETWORK, cont'd Rémi Denis-Courmont
2009-12-13 13:44     ` Michael Stone
2009-12-13 10:05   ` Eric W. Biederman
2009-12-13 14:21     ` Michael Stone
     [not found]       ` <fb69ef3c0912170931l5cbf0e3dh81c88e6502651042@mail.gmail.com>
2009-12-17 18:24         ` Bryan Donlan
2009-12-17 19:35           ` Bernie Innocenti
2009-12-17 19:53             ` Bryan Donlan
2009-12-17 19:23         ` Bernie Innocenti
2009-12-17 17:52     ` Andi Kleen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20091213033003.GA4369@heat \
    --to=michael@laptop.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox