[RFC PATCH v3 0/8] landlock: Add UDP access control support

[Matthieu Buffet <matthieu@buffet.re>]

Hi Mickaël, Günther, Mikhail, Konstantin,

Here is v3 of UDP support for Landlock. My apologies for the delay, I've
had to deal with unrelated problems. All feedback from v1/v2 should be
merged, thanks again for taking the time to review them.

I based these patches on linux-mic/next commit 1a3cedbdc156 ("landlock:
Fix wrong type usage") plus my previous patch "landlock: Fix TCP
handling of short AF_UNSPEC addresses" to avoid adding UDP with already
known bugs, duplicated from TCP. I waited a bit to get feedback on that
patch and no one yelled, so I hope it's acceptable, tell me if it's not.
Link: https://lore.kernel.org/linux-security-module/20251027190726.626244-4-matthieu@buffet.re/

Changes since v2
================
Link: https://lore.kernel.org/all/20241214184540.3835222-1-matthieu@buffet.re/
- removed support for sending datagrams with explicit destination
  address of family AF_UNSPEC, which allowed to bypass restrictions with
  a race condition
- rebased on linux-mic/next => add support for auditing
- fixed mistake in selftests when using unspec_srv variables, which were
  implicitly of type SOCK_STREAM and did not actually test UDP code
- add tests for IPPROTO_IP
- improved docs, split off TCP-related refactoring into another commit

Changes since v1
================
Link: https://lore.kernel.org/all/20240916122230.114800-1-matthieu@buffet.re/
- recvmsg hook is gone and sendmsg hook doesn't apply to connected
  sockets anymore, to improve performance
- don't add a get_addr_port() helper function, which required a weird
  "am I in IPv4 or IPv6 context" to avoid a addrlen > sizeof(struct
  sockaddr_in) check in connect(AF_UNSPEC) IPv6 context. A helper was
  useful when ports also needed to be read in a recvmsg() hook, now it
  is just a simple switch case in the sendmsg() hook, more readable
- rename sendmsg access right to LANDLOCK_ACCESS_NET_UDP_SENDTO
- reorder hook prologue for consistency: check domain, then type and
  family
- add additional selftests cases around minimal address length
- update documentation

All important cases should have a selftest now. lcov gives me net.c
going from 91.9% lines/82.5% branches to 93.4% lines/87% branches.
Thank you for taking the time to read this!

Closes: https://github.com/landlock-lsm/linux/issues/10

Matthieu Buffet (8):
  landlock: Minor reword of docs for TCP access rights
  landlock: Refactor TCP socket type check
  landlock: Add UDP bind+connect access control
  selftests/landlock: Add UDP bind/connect tests
  landlock: Add UDP sendmsg access control
  selftests/landlock: Add tests for UDP sendmsg
  samples/landlock: Add sandboxer UDP access control
  landlock: Add documentation for UDP support

 Documentation/userspace-api/landlock.rst     |  94 ++-
 include/uapi/linux/landlock.h                |  46 +-
 samples/landlock/sandboxer.c                 |  58 +-
 security/landlock/audit.c                    |   3 +
 security/landlock/limits.h                   |   2 +-
 security/landlock/net.c                      | 119 +++-
 security/landlock/syscalls.c                 |   2 +-
 tools/testing/selftests/landlock/base_test.c |   2 +-
 tools/testing/selftests/landlock/net_test.c  | 691 ++++++++++++++++---
 9 files changed, 869 insertions(+), 148 deletions(-)


base-commit: 1a3cedbdc156e100eb1a5208a8562a3265c35d87
prerequisite-patch-id: 22051d5d4076a87481b22798c127ce84e219ca97
prerequisite-patch-id: 37a1b44596a2d861ba91989edb1d7aac005931d6
prerequisite-patch-id: c7be1c906699a2590ab7112cdf2ab6892178ec07
-- 
2.47.3