Re: [PATCH v8 07/12] landlock: Add network rules support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 28/11/2022 05:01, Konstantin Meskhidze (A) wrote:


11/17/2022 9:43 PM, Mickaël Salaün пишет:

On 21/10/2022 17:26, Konstantin Meskhidze wrote:
This commit adds network rules support in internal landlock functions
(presented in ruleset.c) and landlock_create_ruleset syscall.

…in the ruleset management helpers and the landlock_create_ruleset syscall.


Refactors user space API to support network actions. Adds new network

Refactor…

access flags, network rule and network attributes. Increments Landlock

Increment…

    The commit's message will be fixed. Thank you!

ABI version.

Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
---

Changes since v7:
* Squashes commits.
* Increments ABI version to 4.
* Refactors commit message.
* Minor fixes.

Changes since v6:
* Renames landlock_set_net_access_mask() to landlock_add_net_access_mask()
    because it OR values.
* Makes landlock_add_net_access_mask() more resilient incorrect values.
* Refactors landlock_get_net_access_mask().
* Renames LANDLOCK_MASK_SHIFT_NET to LANDLOCK_SHIFT_ACCESS_NET and use
    LANDLOCK_NUM_ACCESS_FS as value.
* Updates access_masks_t to u32 to support network access actions.
* Refactors landlock internal functions to support network actions with
    landlock_key/key_type/id types.

Changes since v5:
* Gets rid of partial revert from landlock_add_rule
syscall.
* Formats code with clang-format-14.

Changes since v4:
* Refactors landlock_create_ruleset() - splits ruleset and
masks checks.
* Refactors landlock_create_ruleset() and landlock mask
setters/getters to support two rule types.
* Refactors landlock_add_rule syscall add_rule_path_beneath
function by factoring out get_ruleset_from_fd() and
landlock_put_ruleset().

Changes since v3:
* Splits commit.
* Adds network rule support for internal landlock functions.
* Adds set_mask and get_mask for network.
* Adds rb_root root_net_port.

---
   include/uapi/linux/landlock.h                | 49 ++++++++++++++
   security/landlock/limits.h                   |  6 +-
   security/landlock/ruleset.c                  | 55 ++++++++++++++--
   security/landlock/ruleset.h                  | 68 ++++++++++++++++----
   security/landlock/syscalls.c                 | 13 +++-
   tools/testing/selftests/landlock/base_test.c |  2 +-
   6 files changed, 170 insertions(+), 23 deletions(-)

diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index f3223f964691..096b683c6ff3 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -31,6 +31,13 @@ struct landlock_ruleset_attr {
   	 * this access right.
   	 */
   	__u64 handled_access_fs;
+
+	/**
+	 * @handled_access_net: Bitmask of actions (cf. `Network flags`_)
+	 * that is handled by this ruleset and should then be forbidden if no
+	 * rule explicitly allow them.
+	 */
+	__u64 handled_access_net;
   };

   /*
@@ -54,6 +61,11 @@ enum landlock_rule_type {
   	 * landlock_path_beneath_attr .
   	 */
   	LANDLOCK_RULE_PATH_BENEATH = 1,
+	/**
+	 * @LANDLOCK_RULE_NET_SERVICE: Type of a &struct
+	 * landlock_net_service_attr .
+	 */
+	LANDLOCK_RULE_NET_SERVICE = 2,
   };

   /**
@@ -79,6 +91,24 @@ struct landlock_path_beneath_attr {
   	 */
   } __attribute__((packed));

+/**
+ * struct landlock_net_service_attr - TCP subnet definition
+ *
+ * Argument of sys_landlock_add_rule().
+ */
+struct landlock_net_service_attr {
+	/**
+	 * @allowed_access: Bitmask of allowed access network for services
+	 * (cf. `Network flags`_).
+	 */
+	__u64 allowed_access;
+	/**
+	 * @port: Network port.
+	 */
+	__u16 port;

   From an UAPI point of view, I think the port field should be __be16, as
for sockaddr_in->port and other network-related APIs. This will require
some kernel changes to please sparse: make C=2 security/landlock/ must
not print any warning.

    Is sparse a default checker?

You should be able to easily install it with your Linux distro.



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux