Re: [PATCH v4 3/7] landlock: Add UDP send access control

Netdev List
 help / color / mirror / Atom feed

From: "Mickaël Salaün" <mic@digikod.net>
To: Matthieu Buffet <matthieu@buffet.re>
Cc: "Günther Noack" <gnoack@google.com>,
	linux-security-module@vger.kernel.org,
	"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
	konstantin.meskhidze@huawei.com, "Tingmao Wang" <m@maowtm.org>,
	netdev@vger.kernel.org, "Paul Moore" <paul@paul-moore.com>
Subject: Re: [PATCH v4 3/7] landlock: Add UDP send access control
Date: Fri, 22 May 2026 23:10:53 +0200	[thread overview]
Message-ID: <20260522.Shi4UuKeH6ch@digikod.net> (raw)
In-Reply-To: <20260502124306.3975990-4-matthieu@buffet.re>

On Sat, May 02, 2026 at 02:43:02PM +0200, Matthieu Buffet wrote:
> Add the second half of LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP: control the
> ability to specify an explicit destination when sending a datagram, to
> override any remote peer set on a UDP socket (in sendto(), sendmsg(), and
> sendmmsg()). It will make the right useful for clients which want to
> send datagrams while specifying a destination address each time.
> 
> Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
> ---
>  include/uapi/linux/landlock.h |  4 ++
>  security/landlock/net.c       | 70 ++++++++++++++++++++++++++++++++---
>  2 files changed, 68 insertions(+), 6 deletions(-)
> 
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> index 22c8cc63f30e..b147223efc97 100644
> --- a/include/uapi/linux/landlock.h
> +++ b/include/uapi/linux/landlock.h
> @@ -396,6 +396,10 @@ struct landlock_net_port_attr {
>   *   - or grant %LANDLOCK_ACCESS_NET_BIND_UDP on a specific port, and
>   *     call :manpage:`bind(2)` on that port before trying to
>   *     :manpage:`connect(2)` or send datagrams.
> + *
> + * .. note:: Sending datagrams to an ``AF_UNSPEC`` destination address
> + *   family is not supported for IPv6 UDP sockets: you will need to use a
> + *   ``NULL`` address instead.
>   */
>  /* clang-format off */
>  #define LANDLOCK_ACCESS_NET_BIND_TCP			(1ULL << 0)
> diff --git a/security/landlock/net.c b/security/landlock/net.c
> index 045881f81295..8a53aebdb8c6 100644
> --- a/security/landlock/net.c
> +++ b/security/landlock/net.c
> @@ -44,7 +44,8 @@ int landlock_append_net_rule(struct landlock_ruleset *const ruleset,
>  static int current_check_access_socket(struct socket *const sock,
>  				       struct sockaddr *const address,
>  				       const int addrlen,
> -				       access_mask_t access_request)
> +				       access_mask_t access_request,
> +				       bool connecting)
>  {
>  	__be16 port;
>  	struct layer_access_masks layer_masks = {};
> @@ -69,7 +70,8 @@ static int current_check_access_socket(struct socket *const sock,
>  	switch (address->sa_family) {
>  	case AF_UNSPEC:
>  		if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP ||
> -		    access_request == LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP) {
> +		    (access_request == LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP &&
> +		     connecting)) {
>  			/*
>  			 * Connecting to an address with AF_UNSPEC dissolves
>  			 * the remote association while retaining the socket
> @@ -82,6 +84,35 @@ static int current_check_access_socket(struct socket *const sock,
>  			 * inconsistencies and return -EINVAL if needed.
>  			 */
>  			return 0;
> +		} else if (access_request ==
> +			   LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP) {
> +			if (sock->sk->__sk_common.skc_family == AF_INET6) {
> +				/*
> +				 * We cannot allow sending UDP datagrams to an
> +				 * explicit AF_UNSPEC address on IPv6 sockets,
> +				 * even if AF_UNSPEC is treated as "no address"
> +				 * on such sockets (so it should always be allowed).
> +				 * That's because the socket's family can change under
> +				 * our feet (if another thread calls setsockopt(IPV6_ADDRFORM))
> +				 * to IPv4, which would then treat AF_UNSPEC as
> +				 * AF_INET.
> +				 */
> +				audit_net.family = AF_UNSPEC;

I sent this patch and I just merged it in my tree:
https://lore.kernel.org/all/20260406143717.1815792-11-mic@digikod.net/

Günther, could you please take a look at this patch too?

For consistency, we need to add `audit_net.sk = sock->sk;` here.

> +				landlock_init_layer_masks(
> +					subject->domain, access_request,
> +					&layer_masks, LANDLOCK_KEY_NET_PORT);
> +				landlock_log_denial(
> +					subject,
> +					&(struct landlock_request){
> +						.type = LANDLOCK_REQUEST_NET_ACCESS,
> +						.audit.type =
> +							LSM_AUDIT_DATA_NET,
> +						.audit.u.net = &audit_net,
> +						.access = access_request,
> +						.layer_masks = &layer_masks,
> +					});
> +				return -EACCES;
> +			}
>  		} else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP ||
>  			   access_request == LANDLOCK_ACCESS_NET_BIND_UDP) {
>  			/*
> @@ -124,7 +155,10 @@ static int current_check_access_socket(struct socket *const sock,
>  		} else {
>  			WARN_ON_ONCE(1);
>  		}
> -		/* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */
> +		/*
> +		 * For bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket and
> +		 * for sending to AF_UNSPEC addresses on IPv4 socket.
> +		 */
>  		fallthrough;
>  	case AF_INET: {
>  		const struct sockaddr_in *addr4;
> @@ -257,7 +291,7 @@ static int current_check_autobind_udp_socket(struct socket *const sock)
>  
>  	return current_check_access_socket(sock, (struct sockaddr *)&port0,
>  					   sizeof(port0),
> -					   LANDLOCK_ACCESS_NET_BIND_UDP);
> +					   LANDLOCK_ACCESS_NET_BIND_UDP, false);
>  }
>  
>  static int hook_socket_bind(struct socket *const sock,
> @@ -273,7 +307,7 @@ static int hook_socket_bind(struct socket *const sock,
>  		return 0;
>  
>  	return current_check_access_socket(sock, address, addrlen,
> -					   access_request);
> +					   access_request, false);
>  }
>  
>  static int hook_socket_connect(struct socket *const sock,
> @@ -291,7 +325,7 @@ static int hook_socket_connect(struct socket *const sock,
>  		return 0;
>  
>  	ret = current_check_access_socket(sock, address, addrlen,
> -					  access_request);
> +					  access_request, true);
>  
>  	if (ret == 0 && sk_is_udp(sock->sk))
>  		ret = current_check_autobind_udp_socket(sock);
> @@ -299,9 +333,33 @@ static int hook_socket_connect(struct socket *const sock,
>  	return ret;
>  }
>  
> +static int hook_socket_sendmsg(struct socket *const sock,
> +			       struct msghdr *const msg, const int size)
> +{
> +	struct sockaddr *const address = msg->msg_name;
> +	const int addrlen = msg->msg_namelen;
> +	access_mask_t access_request;
> +	int ret = 0;
> +
> +	if (sk_is_udp(sock->sk))
> +		access_request = LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP;
> +	else
> +		return 0;
> +
> +	if (address != NULL)
> +		ret = current_check_access_socket(sock, address, addrlen,
> +						  access_request, false);
> +
> +	if (ret == 0)
> +		ret = current_check_autobind_udp_socket(sock);
> +
> +	return ret;
> +}
> +
>  static struct security_hook_list landlock_hooks[] __ro_after_init = {
>  	LSM_HOOK_INIT(socket_bind, hook_socket_bind),
>  	LSM_HOOK_INIT(socket_connect, hook_socket_connect),
> +	LSM_HOOK_INIT(socket_sendmsg, hook_socket_sendmsg),
>  };
>  
>  __init void landlock_add_net_hooks(void)
> -- 
> 2.39.5
>

next prev parent reply	other threads:[~2026-05-22 21:11 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-02 12:42 [PATCH v4 0/7] landlock: Add UDP access control support Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 1/7] landlock: Add UDP bind() access control Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 2/7] landlock: Add UDP connect() " Matthieu Buffet
2026-05-22 21:10   ` Mickaël Salaün
2026-05-22 21:18   ` Mickaël Salaün
2026-05-02 12:43 ` [PATCH v4 3/7] landlock: Add UDP send " Matthieu Buffet
2026-05-22 21:10   ` Mickaël Salaün [this message]
2026-05-02 12:43 ` [PATCH v4 4/7] selftests/landlock: Add UDP bind/connect tests Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 5/7] selftests/landlock: Add tests for sendmsg() Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 6/7] samples/landlock: Add sandboxer UDP access control Matthieu Buffet
2026-05-02 12:43 ` [PATCH v4 7/7] landlock: Add documentation for UDP support Matthieu Buffet
2026-05-22 21:11   ` Mickaël Salaün
2026-05-06 15:33 ` [PATCH v4 0/7] landlock: Add UDP access control support Günther Noack
2026-05-07 22:11   ` Matthieu Buffet
2026-05-22 21:08 ` Mickaël Salaün

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260522.Shi4UuKeH6ch@digikod.net \
    --to=mic@digikod.net \
    --cc=gnoack@google.com \
    --cc=ivanov.mikhail1@huawei-partners.com \
    --cc=konstantin.meskhidze@huawei.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=m@maowtm.org \
    --cc=matthieu@buffet.re \
    --cc=netdev@vger.kernel.org \
    --cc=paul@paul-moore.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox