From patchwork Fri Jul 19 15:06:16 2024
From: Mickaël Salaün
To: Günther Noack, Ivanov Mikhail, Konstantin Meskhidze, Paul Moore
Cc: Mickaël Salaün, Casey Schaufler, Jeff Xu, Kees Cook, "Serge E. Hallyn", Shervin Oloumi, Tahera Fahimi, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, stable@vger.kernel.org
Subject: [RFC PATCH v1 1/3] landlock: Use socket's domain instead of current's domain
Date: Fri, 19 Jul 2024 17:06:16 +0200
Message-ID: <20240719150618.197991-2-mic@digikod.net>
In-Reply-To: <20240719150618.197991-1-mic@digikod.net>
References: <20240719150618.197991-1-mic@digikod.net>

Before this change, network restrictions were enforced according to the calling thread's Landlock domain, leading to potentially inconsistent results when the same socket was used by different threads or processes (with different domains).

This change fixes such access control inconsistency by enforcing the socket's Landlock domain instead of the caller's Landlock domain.

A socket's Landlock domain is inherited from the thread that created this socket. This means that a socket created without sandboxing will be free to connect and bind without limitation. This also means that a socket created by a sandboxed thread will inherit the thread's policy, which will be enforced on this socket even when used by another thread or passed to another process.

The initial rationale [1] was that a socket does not directly grant access to data, but it is an object used to define an access (e.g. connection to a peer). Contrary to my initial assumption, we can identify which protocol/port a newly created socket can give access to with the socket's file->f_cred inherited from its creator.
Moreover, from a kernel point of view, especially for shared objects, we need a more consistent access model. This means that the same action on the same socket performed by different threads will have the same effect. This follows the same approach as for file descriptors tied to the file system (e.g. LANDLOCK_ACCESS_FS_TRUNCATE).

One potential risk of this change is for unsandboxed processes to send socket file descriptors to sandboxed processes, which could give unrestricted network access to the sandboxed process (by reconfiguring the socket). While it makes sense for processes to transfer (AF_UNIX) socketpairs, which is OK because they can only exchange data between themselves, it should be rare for processes to legitimately pass other kinds of sockets (e.g. AF_INET).

Another potential risk of this approach is socket file descriptor leaks. This is the same risk as with regular file descriptor leaks giving access to the content of a file, which is well known and documented. This could be mitigated with a future complementary restriction on received or inherited file descriptors.

One interesting side effect of this new approach is that a process can create a socket that will only allow connecting to a set of ports. This can be done by creating a thread, sandboxing it, creating a socket, and using the related file descriptor (in the same process). Passing this restricted socket to a more sandboxed process makes it possible to have a more dynamic security policy.

This new approach aligns with SELinux and Smack instead of AppArmor and Tomoyo. It is also in line with capability-based security mechanisms such as Capsicum.

This slight semantic change is important for current and future Landlock consistency, and it must be backported.

Current tests are still OK because this behavior wasn't covered. A following commit adds new tests.
Cc: Günther Noack
Cc: Ivanov Mikhail
Cc: Konstantin Meskhidze
Cc: Paul Moore
Cc: Tahera Fahimi
Cc: # 6.7.x: 088e2efaf3d2: landlock: Simplify current_check_access_socket()
Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
Link: https://lore.kernel.org/r/263c1eb3-602f-57fe-8450-3f138581bee7@digikod.net [1]
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240719150618.197991-2-mic@digikod.net
---
 security/landlock/net.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/security/landlock/net.c b/security/landlock/net.c
index c8bcd29bde09..78e027a74819 100644
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -50,10 +50,11 @@ get_raw_handled_net_accesses(const struct landlock_ruleset *const domain) return access_dom; } -static const struct landlock_ruleset *get_current_net_domain(void) +static const struct landlock_ruleset * +get_socket_net_domain(const struct socket *const sock) { const struct landlock_ruleset *const dom = - landlock_get_current_domain(); + landlock_cred(sock->file->f_cred)->domain; if (!dom || !get_raw_handled_net_accesses(dom)) return NULL; @@ -61,10 +62,9 @@ static const struct landlock_ruleset *get_current_net_domain(void) return dom; } -static int current_check_access_socket(struct socket *const sock, - struct sockaddr *const address, - const int addrlen, - access_mask_t access_request) +static int check_access_socket(struct socket *const sock, + struct sockaddr *const address, + const int addrlen, access_mask_t access_request) { __be16 port; layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {}; @@ -72,7 +72,7 @@ static int current_check_access_socket(struct socket *const sock, struct landlock_id id = { .type = LANDLOCK_KEY_NET_PORT, }; - const struct landlock_ruleset *const dom = get_current_net_domain(); + const struct landlock_ruleset *const dom = get_socket_net_domain(sock); if (!dom) return 0;
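Review bot: in the first hunk, get_socket_net_domain() dereferences sock->file->f_cred with no check that sock->file is non-NULL, whereas the replaced landlock_get_current_domain() had no such dependency on the socket having a file attached. If every path into the socket_bind and socket_connect hooks is guaranteed a file-backed socket, that invariant should be stated in a comment above the function (or guarded by a defensive NULL check that returns NULL); the same comment is the right place to say that f_cred carries the credentials of the thread that created the socket, which is the entire semantic change of this patch and is currently explained only in the commit message.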
@@ -175,16 +175,16 @@ static int current_check_access_socket(struct socket *const sock, static int hook_socket_bind(struct socket *const sock, struct sockaddr *const address, const int addrlen) { - return current_check_access_socket(sock, address, addrlen, - LANDLOCK_ACCESS_NET_BIND_TCP); + return check_access_socket(sock, address, addrlen, + LANDLOCK_ACCESS_NET_BIND_TCP); } static int hook_socket_connect(struct socket *const sock, struct sockaddr *const address, const int addrlen) { - return current_check_access_socket(sock, address, addrlen, - LANDLOCK_ACCESS_NET_CONNECT_TCP); + return check_access_socket(sock, address, addrlen, + LANDLOCK_ACCESS_NET_CONNECT_TCP); } static struct security_hook_list landlock_hooks[] __ro_after_init = {

From: Mickaël Salaün
To: Günther Noack, Ivanov Mikhail, Konstantin Meskhidze, Paul Moore
Cc: Mickaël Salaün, Casey Schaufler, Jeff Xu, Kees Cook, "Serge E. Hallyn", Shervin Oloumi, Tahera Fahimi, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, stable@vger.kernel.org
Subject: [RFC PATCH v1 2/3] selftests/landlock: Add test for socket's domain
Date: Fri, 19 Jul 2024 17:06:17 +0200
Message-ID: <20240719150618.197991-3-mic@digikod.net>
In-Reply-To: <20240719150618.197991-1-mic@digikod.net>
References: <20240719150618.197991-1-mic@digikod.net>

This new ipv4_tcp.socket_domain test checks that the restrictions are tied to the socket at creation time, but not tied to the thread requesting a bind action.

Properly close file descriptor in ipv4.with_fs test.

Cc: Günther Noack
Cc: Ivanov Mikhail
Cc: Konstantin Meskhidze
Cc: Paul Moore
Cc: Tahera Fahimi
Cc: stable@vger.kernel.org
Fixes: a549d055a22e ("selftests/landlock: Add network tests")
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240719150618.197991-3-mic@digikod.net
---
 tools/testing/selftests/landlock/net_test.c | 29 +++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index f21cfbbc3638..79251e27d26d 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -1579,6 +1579,35 @@ TEST_F(ipv4_tcp, with_fs) bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); ASSERT_LE(0, bind_fd); EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1)); + EXPECT_EQ(0, close(bind_fd)); +} + +TEST_F(ipv4_tcp, socket_domain) +{ + const struct landlock_ruleset_attr ruleset_attr = { + .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP, + }; + int ruleset_fd, bind_fd; + + /* Creates socket before sandboxing. */ + bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); + ASSERT_LE(0, bind_fd); + + ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Tests port binding with unsandboxed socket. */ + EXPECT_EQ(0, bind_variant(bind_fd, &self->srv1)); + EXPECT_EQ(0, close(bind_fd)); + + /* Tests port binding with new sandboxed socket. */ + bind_fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); + ASSERT_LE(0, bind_fd); + EXPECT_EQ(-EACCES, bind_variant(bind_fd, &self->srv1)); + EXPECT_EQ(0, close(bind_fd)); } FIXTURE(port_specific)
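Review bot: the new socket_domain test only exercises LANDLOCK_ACCESS_NET_BIND_TCP, and only from the thread that created both sockets, so the property that 1/3 actually introduces, that the restriction follows the socket when it is used by another thread or process and that connect goes through the same check, is not covered. Suggest a second variant that creates the socket in a sandboxed child and has the unsandboxed parent attempt the bind (expecting -EACCES) after receiving the descriptor, plus a mirror of this test for LANDLOCK_ACCESS_NET_CONNECT_TCP. Minor: the commit message calls the fixed test ipv4.with_fs while the hunk header shows the fixture is ipv4_tcp (TEST_F(ipv4_tcp, with_fs)).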
From: Mickaël Salaün
To: Günther Noack, Ivanov Mikhail, Konstantin Meskhidze, Paul Moore
Cc: Mickaël Salaün, Casey Schaufler, Jeff Xu, Kees Cook, "Serge E. Hallyn", Shervin Oloumi, Tahera Fahimi, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [RFC PATCH v1 3/3] landlock: Document network restrictions tied to sockets
Date: Fri, 19 Jul 2024 17:06:18 +0200
Message-ID: <20240719150618.197991-4-mic@digikod.net>
In-Reply-To: <20240719150618.197991-1-mic@digikod.net>
References: <20240719150618.197991-1-mic@digikod.net>

The Landlock domain used to restrict operations on a socket is the domain from the thread that created this socket.

Cc: Günther Noack
Cc: Ivanov Mikhail
Cc: Konstantin Meskhidze
Cc: Paul Moore
Cc: Tahera Fahimi
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20240719150618.197991-4-mic@digikod.net
---
 Documentation/userspace-api/landlock.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 37dafce8038b..4a9bfff575d5 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -529,7 +529,9 @@ Network support (ABI < 4) Starting with the Landlock ABI version 4, it is now possible to restrict TCP bind and connect actions to only a set of allowed ports thanks to the new ``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` -access rights. +access rights. These restrictions are tied to a socket and are inherited from +the sandboxed thread that created this socket. Hence, sockets created before +sandboxing are not restricted. IOCTL (ABI < 5) ---------------
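Review bot: the added sentences document the "created before sandboxing" case but not its converse, which the 1/3 commit message singles out as the practical risk of this model: a socket created by a sandboxed thread keeps that thread's restrictions when used by another thread or passed to another process, and a socket received from an unsandboxed process is unrestricted. Since this is the user-facing ABI documentation, suggest extending the paragraph with something like: "Conversely, a socket created by a sandboxed thread stays restricted even when used by another thread or passed to another process, and a socket received from an unsandboxed process is not restricted."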