[0/2] Forbid illegitimate binding via listen(2)

Message ID	20240408094747.1761850-1-ivanov.mikhail1@huawei-partners.com (mailing list archive)
Headers	show Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7347739FDD; Mon, 8 Apr 2024 09:48:46 +0000 (UTC) From: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com> To: <mic@digikod.net> CC: <willemdebruijn.kernel@gmail.com>, <gnoack3000@gmail.com>, <linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>, <netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>, <artem.kuzin@huawei.com>, <konstantin.meskhidze@huawei.com> Subject: [PATCH 0/2] Forbid illegitimate binding via listen(2) Date: Mon, 8 Apr 2024 17:47:45 +0800 Message-ID: <20240408094747.1761850-1-ivanov.mikhail1@huawei-partners.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	Forbid illegitimate binding via listen(2) \| expand [0/2] Forbid illegitimate binding via listen(2) [1/2] landlock: Add hook on socket_listen() [2/2] selftests/landlock: Create 'listen_zero', 'deny_listen_zero' tests

Message ID

20240408094747.1761850-1-ivanov.mikhail1@huawei-partners.com (mailing list archive)

Headers

From: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
To: <mic@digikod.net>
CC: <willemdebruijn.kernel@gmail.com>, <gnoack3000@gmail.com>,
	<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
	<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
	<artem.kuzin@huawei.com>, <konstantin.meskhidze@huawei.com>
Subject: [PATCH 0/2] Forbid illegitimate binding via listen(2)
Date: Mon, 8 Apr 2024 17:47:45 +0800
Message-ID: <20240408094747.1761850-1-ivanov.mikhail1@huawei-partners.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

Forbid illegitimate binding via listen(2) | expand

Message

Mikhail Ivanov April 8, 2024, 9:47 a.m. UTC

listen(2) can be called without explicit bind(2) call. For a TCP socket
it would result in assigning random port(in some range) to this socket
by the kernel. If Landlock sandbox supports LANDLOCK_ACCESS_NET_BIND_TCP,
this may lead to implicit access to a prohibited (by Landlock sandbox)
port. Malicious sandboxed process can accidentally impersonate a
legitimate server process (if listen(2) assigns it a server port number).

Patch adds hook on socket_listen() that prevents such scenario by checking
LANDLOCK_ACCESS_NET_BIND_TCP access for port 0.

Few tests were added to cover this case.

Code coverage(gcov):
* security/landlock:
lines......: 94.5% (745 of 788 lines)
functions..: 97.1% (100 of 103 functions)

Ivanov Mikhail (2):
  landlock: Add hook on socket_listen()
  selftests/landlock: Create 'listen_zero', 'deny_listen_zero' tests

 security/landlock/net.c                     | 104 +++++++++++++++++---
 tools/testing/selftests/landlock/net_test.c |  89 +++++++++++++++++
 2 files changed, 177 insertions(+), 16 deletions(-)

Comments

Mickaël Salaün June 19, 2024, 12:20 p.m. UTC | #1

Could you please send a v2 for this patch? I'd like this issue to be
fixed, especially before any other Landlock feature get merged.

On Mon, Apr 08, 2024 at 05:47:45PM +0800, Ivanov Mikhail wrote:
> listen(2) can be called without explicit bind(2) call. For a TCP socket
> it would result in assigning random port(in some range) to this socket
> by the kernel. If Landlock sandbox supports LANDLOCK_ACCESS_NET_BIND_TCP,
> this may lead to implicit access to a prohibited (by Landlock sandbox)
> port. Malicious sandboxed process can accidentally impersonate a
> legitimate server process (if listen(2) assigns it a server port number).
> 
> Patch adds hook on socket_listen() that prevents such scenario by checking
> LANDLOCK_ACCESS_NET_BIND_TCP access for port 0.
> 
> Few tests were added to cover this case.
> 
> Code coverage(gcov):
> * security/landlock:
> lines......: 94.5% (745 of 788 lines)
> functions..: 97.1% (100 of 103 functions)
> 
> Ivanov Mikhail (2):
>   landlock: Add hook on socket_listen()
>   selftests/landlock: Create 'listen_zero', 'deny_listen_zero' tests
> 
>  security/landlock/net.c                     | 104 +++++++++++++++++---
>  tools/testing/selftests/landlock/net_test.c |  89 +++++++++++++++++
>  2 files changed, 177 insertions(+), 16 deletions(-)
> 
> -- 
> 2.34.1
> 
>