[v2,0/6] landlock: Add UDP access control support

Message ID	20241214184540.3835222-1-matthieu@buffet.re (mailing list archive)
Headers	show Received: from mx1.buffet.re (mx1.buffet.re [51.83.41.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1392580C02; Sat, 14 Dec 2024 18:53:41 +0000 (UTC) From: Matthieu Buffet <matthieu@buffet.re> To: Mickael Salaun <mic@digikod.net> Cc: Gunther Noack <gnoack@google.com>, Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>, konstantin.meskhidze@huawei.com, Paul Moore <paul@paul-moore.com>, James Morris <jmorris@namei.org>, "Serge E . Hallyn" <serge@hallyn.com>, linux-security-module@vger.kernel.org, netdev@vger.kernel.org, Matthieu Buffet <matthieu@buffet.re> Subject: [PATCH v2 0/6] landlock: Add UDP access control support Date: Sat, 14 Dec 2024 19:45:34 +0100 Message-Id: <20241214184540.3835222-1-matthieu@buffet.re> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	landlock: Add UDP access control support \| expand [v2,0/6] landlock: Add UDP access control support [v2,1/6] landlock: Add UDP bind+connect access control [v2,2/6] selftests/landlock: Adapt existing bind/connect for UDP [v2,3/6] landlock: Add UDP sendmsg access control [v2,4/6] selftests/landlock: Add ACCESS_NET_SENDTO_UDP [v2,5/6] samples/landlock: Add sandboxer UDP access control [v2,6/6] doc: Add landlock UDP support

Message ID

20241214184540.3835222-1-matthieu@buffet.re (mailing list archive)

Headers

From: Matthieu Buffet <matthieu@buffet.re>
To: Mickael Salaun <mic@digikod.net>
Cc: Gunther Noack <gnoack@google.com>,
	Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
	konstantin.meskhidze@huawei.com,
	Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	linux-security-module@vger.kernel.org,
	netdev@vger.kernel.org,
	Matthieu Buffet <matthieu@buffet.re>
Subject: [PATCH v2 0/6] landlock: Add UDP access control support
Date: Sat, 14 Dec 2024 19:45:34 +0100
Message-Id: <20241214184540.3835222-1-matthieu@buffet.re>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

landlock: Add UDP access control support | expand

Message

Matthieu Buffet Dec. 14, 2024, 6:45 p.m. UTC

Hi Mickael,

Thanks for your comments on the v1 of this patch, I should have everything
fixed so (hopefully) this v2 boils down to something simpler.

This patchset is based on
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git
Linux 6.12 (adc218676eef).

This patchset should add basic support to completely block a process
from sending and receiving UDP datagrams, and delegate the right to
send/receive based on remote/local port. It should fit nicely with
the socket creation restrictions WIP (either don't have UDP at all, or
have it with just the rights needed).

@Mikhail: I saw the discussions around TCP error code inconsistencies +
over-restriction, and your patch v1. I took extra care to minimize this
diff size: no unnecessary comment/refactor, especially in
current_check_access_socket(). It should be just what is required for a
basic UDP support without changing error handling in that main function.

The only question that remained open from v1 was about UDP rights naming.
Since there were no strong preferences and the hooks now only handle
sendmsg() if an explicit address is specified, that's now
LANDLOCK_ACCESS_NET_UDP_SENDTO since the name (and prototype with a
destination address parameter) of sendto(3) is closer to these semantics.

Changes since v1 (link below):
- recvmsg hook is gone and sendmsg hook doesn't apply to connected
  sockets anymore, to improve performance
- don't add a get_addr_port() helper function, which required a weird "am
  I in IPv4 or IPv6 context" to avoid a addrlen>sizeof(struct sockaddr_in)
  check in connect(AF_UNSPEC) IPv6 context. A helper was useful when ports
  also needed to be read in a recvmsg() hook, now it's just a simple
  switch case in the sendmsg() hook, more readable
- rename sendmsg access right to LANDLOCK_ACCESS_NET_UDP_SENDTO
- reorder hook prologue for consistency: check domain, then type and
  family
- add additional selftests cases around minimal address length
- update documentation

lcov gives me net.c going from 94% lines/80% functions to 96.6% lines/
85.7% functions

Any feedback welcome!

Link: https://lore.kernel.org/all/20240916122230.114800-1-matthieu@buffet.re/
Closes: https://github.com/landlock-lsm/linux/issues/10

Link: https://lore.kernel.org/all/20241017110454.265818-1-ivanov.mikhail1@huawei-partners.com/
Cc: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>

Matthieu Buffet (6):
  landlock: Add UDP bind+connect access control
  selftests/landlock: Adapt existing bind/connect for UDP
  landlock: Add UDP sendmsg access control
  selftests/landlock: Add ACCESS_NET_SENDTO_UDP
  samples/landlock: Add sandboxer UDP access control
  doc: Add landlock UDP support

 Documentation/userspace-api/landlock.rst     |  84 +++-
 include/uapi/linux/landlock.h                |  67 ++-
 samples/landlock/sandboxer.c                 |  58 ++-
 security/landlock/limits.h                   |   2 +-
 security/landlock/net.c                      | 137 +++++-
 security/landlock/syscalls.c                 |   2 +-
 tools/testing/selftests/landlock/base_test.c |   2 +-
 tools/testing/selftests/landlock/net_test.c  | 455 +++++++++++++++++--
 8 files changed, 715 insertions(+), 92 deletions(-)


base-commit: adc218676eef25575469234709c2d87185ca223a