From: "Günther Noack" <gnoack@google.com>
To: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
willemdebruijn.kernel@gmail.com, gnoack3000@gmail.com,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, yusongping@huawei.com,
artem.kuzin@huawei.com, konstantin.meskhidze@huawei.com
Subject: Re: [PATCH 1/2] landlock: Add hook on socket_listen()
Date: Mon, 1 Jul 2024 17:47:17 +0200 [thread overview]
Message-ID: <ZoLPhQ4eyl0H_oSQ@google.com> (raw)
In-Reply-To: <bd2622cf-27e2-dbb6-735a-0adf6c79b339@huawei-partners.com>
On Mon, Jul 01, 2024 at 04:10:27PM +0300, Ivanov Mikhail wrote:
> Thanks for the great explanation! We're on the same page.
>
> Considering that binding to ephemeral ports can be done not only with
> bind() or listen(), I think your approach is more correct.
> Restricting any possible binding to ephemeral ports just using
> LANDLOCK_ACCESS_NET_BIND_TCP wouldn't allow sandboxed processes
> to deny listen() without pre-binding (which is quite unsafe) and
> use connect() in the usuall way (without pre-binding).
>
> Controlling ephemeral ports allocation for listen() can be done in the
> same way as for LANDLOCK_ACCESS_NET_BIND_TCP in the patch with
> LANDLOCK_ACCESS_NET_LISTEN_TCP access right implementation.
That sounds good, yes! 👍
> I'm only concerned about controlling the auto-binding for other
> operations (such as connect() and sendto() for UDP). As I said, I think
> this can also be useful: users will be able to control which processes
> are allowed to use ephemeral ports from ip_local_port_range and which
> are not, and they must assign ports for each operation explicitly. If
> you agree that such control is reasonable, we'll probably have to
> consider some API changes, since such control is currently not possible.
>
> We should clarify this before I send a patch with the
> LANDLOCK_ACCESS_NET_LISTEN_TCP implementation. WDYT?
LANDLOCK_ACCESS_NET_LISTEN_TCP seems like the most important to me.
For connect() and sendto(), I think the access rights are less urgent:
connect(): We already have LANDLOCK_ACCESS_NET_CONNECT_TCP, but that one is
getting restricted for the *remote* port number.
(a) I think it would be possible to do the same for the *local* port number, by
introducing a separate LANDLOCK_ACCESS_NET_CONNECT_TCP_LOCALPORT right.
(Yes, the name is absolutely horrible, this is just for the example :))
hook_socket_connect() would then need to do both a check for the remote
port using LANDLOCK_ACCESS_NET_CONNECT_TCP, as it already does today, as
well as a check for the (previously bound?) local port using
LANDLOCK_ACCESS_NET_CONNECT_TCP_LOCALPORT.
So I think it is extensible in that direction, in principle, even though I
don't currently have a good name for that access right. :)
(b) Compared to what LANDLOCK_ACCESS_NET_BIND_TCP already restricts, a
hypothetical LANDLOCK_ACCESS_NET_CONNECT_TCP_LOCALPORT right would only
additionally restrict the use of ephemeral ports. I'm currently having a
hard time seeing what an attacker could do with that (use up all ephemeral
ports?).
sendto(): I think this is not relevant yet, because as the documentation said,
ephemeral ports are only handed out when sendto() is used with datagram (UDP)
sockets.
Once Landlock starts having UDP support, this would become relevant, but for
this patch set, I think that the TCP server use case as discussed further above
in this thread is very compelling.
Thanks,
—Günther
next prev parent reply other threads:[~2024-07-01 15:47 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-08 9:47 [PATCH 0/2] Forbid illegitimate binding via listen(2) Ivanov Mikhail
2024-04-08 9:47 ` [PATCH 1/2] landlock: Add hook on socket_listen() Ivanov Mikhail
2024-04-30 13:36 ` Mickaël Salaün
2024-04-30 16:52 ` Mickaël Salaün
2024-05-13 12:15 ` Ivanov Mikhail
2024-05-17 15:22 ` Mickaël Salaün
2024-06-19 19:05 ` Günther Noack
2024-06-20 8:00 ` Mickaël Salaün
2024-06-28 16:51 ` Ivanov Mikhail
2024-07-01 10:16 ` Günther Noack
2024-07-01 13:10 ` Ivanov Mikhail
2024-07-01 15:47 ` Günther Noack [this message]
2024-07-02 12:43 ` Ivanov Mikhail
2024-04-08 9:47 ` [PATCH 2/2] selftests/landlock: Create 'listen_zero', 'deny_listen_zero' tests Ivanov Mikhail
2024-04-30 13:36 ` Mickaël Salaün
2024-05-13 12:18 ` Ivanov Mikhail
2024-06-19 12:20 ` [PATCH 0/2] Forbid illegitimate binding via listen(2) Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZoLPhQ4eyl0H_oSQ@google.com \
--to=gnoack@google.com \
--cc=artem.kuzin@huawei.com \
--cc=gnoack3000@gmail.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).