On Tue, May 16, 2023 at 12:13:35AM +0800, Konstantin Meskhidze wrote:
> This commit adds network rules support in the ruleset management
> helpers and the landlock_create_ruleset syscall.
> Refactor user space API to support network actions. Add new network
> access flags, network rule and network attributes. Increment Landlock
> ABI version. Expand access_masks_t to u32 to be sure network access
> rights can be stored. Implement socket_bind() and socket_connect()
> LSM hooks, which enables to restrict TCP socket binding and connection
> to specific ports.
>
> Co-developed-by: Mickaël Salaün <mic@xxxxxxxxxxx>
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
> ---
[...]
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 8a54e87dbb17..5cb0a1bc6ec0 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
[...]
> +static int add_rule_net_service(struct landlock_ruleset *ruleset,
> + const void __user *const rule_attr)
> +{
> +#if IS_ENABLED(CONFIG_INET)
We should define two add_rule_net_service() functions according to
IS_ENABLED(CONFIG_INET) instead of changing the body of the only
function. The second function would only return -EAFNOSUPPORT. This
cosmetic change would make the code cleaner.
> + struct landlock_net_service_attr net_service_attr;
> + int res;
> + access_mask_t mask;
> +
> + /* Copies raw user space buffer, only one type for now. */
> + res = copy_from_user(&net_service_attr, rule_attr,
> + sizeof(net_service_attr));
> + if (res)
> + return -EFAULT;
> +
> + /*
> + * Informs about useless rule: empty allowed_access (i.e. deny rules)
> + * are ignored by network actions.
> + */
> + if (!net_service_attr.allowed_access)
> + return -ENOMSG;
> +
> + /*
> + * Checks that allowed_access matches the @ruleset constraints
> + * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
> + */
> + mask = landlock_get_net_access_mask(ruleset, 0);
> + if ((net_service_attr.allowed_access | mask) != mask)
> + return -EINVAL;
> +
> + /* Denies inserting a rule with port 0 or higher than 65535. */
> + if ((net_service_attr.port == 0) || (net_service_attr.port > U16_MAX))
> + return -EINVAL;
> +
> + /* Imports the new rule. */
> + return landlock_append_net_rule(ruleset, net_service_attr.port,
> + net_service_attr.allowed_access);
> +#else /* IS_ENABLED(CONFIG_INET) */
> + return -EAFNOSUPPORT;
> +#endif /* IS_ENABLED(CONFIG_INET) */
> +}
