On Tue, May 16, 2023 at 12:13:35AM +0800, Konstantin Meskhidze wrote:
> This commit adds network rules support in the ruleset management
> helpers and the landlock_create_ruleset syscall.
> Refactor user space API to support network actions. Add new network
> access flags, network rule and network attributes. Increment Landlock
> ABI version. Expand access_masks_t to u32 to be sure network access
> rights can be stored. Implement socket_bind() and socket_connect()
> LSM hooks, which make it possible to restrict TCP socket binding and
> connection to specific ports.
>
> Co-developed-by: Mickaël Salaün <mic@xxxxxxxxxxx>
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
> ---

[...]

> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 8a54e87dbb17..5cb0a1bc6ec0 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c [...] > +static int add_rule_net_service(struct landlock_ruleset *ruleset, > + const void __user *const rule_attr) > +{ > +#if IS_ENABLED(CONFIG_INET) We should define two add_rule_net_service() functions according to IS_ENABLED(CONFIG_INET) instead of changing the body of the only function. The second function would only return -EAFNOSUPPORT. This cosmetic change would make the code cleaner. > + struct landlock_net_service_attr net_service_attr; > + int res; > + access_mask_t mask; > + > + /* Copies raw user space buffer, only one type for now. */ > + res = copy_from_user(&net_service_attr, rule_attr, > + sizeof(net_service_attr)); > + if (res) > + return -EFAULT; > + > + /* > + * Informs about useless rule: empty allowed_access (i.e. deny rules) > + * are ignored by network actions. > + */ > + if (!net_service_attr.allowed_access) > + return -ENOMSG; > + > + /* > + * Checks that allowed_access matches the @ruleset constraints > + * (ruleset->access_masks[0] is automatically upgraded to 64-bits). > + */ > + mask = landlock_get_net_access_mask(ruleset, 0); > + if ((net_service_attr.allowed_access | mask) != mask) > + return -EINVAL; > + > + /* Denies inserting a rule with port 0 or higher than 65535. */ > + if ((net_service_attr.port == 0) || (net_service_attr.port > U16_MAX)) > + return -EINVAL; > + > + /* Imports the new rule. */ > + return landlock_append_net_rule(ruleset, net_service_attr.port, > + net_service_attr.allowed_access); > +#else /* IS_ENABLED(CONFIG_INET) */ > + return -EAFNOSUPPORT; > +#endif /* IS_ENABLED(CONFIG_INET) */ > +}
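Review bot: the comment above the mask check, "(ruleset->access_masks[0] is automatically upgraded to 64-bits)", does not describe this code: the hunk reads the mask through landlock_get_net_access_mask(ruleset, 0) into a local access_mask_t, which this commit widens to u32, and it is that local `mask` that gets promoted to 64 bits in `(net_service_attr.allowed_access | mask) != mask`. Suggest dropping the parenthetical or rewording it to say that the 32-bit network mask is promoted for the comparison, so the comment matches the code. The comment above the port test deserves a similar word: "port 0 or higher than 65535" only makes sense if the UAPI port field is wider than 16 bits (the struct definition is not in this hunk); if it were a u16 the `> U16_MAX` half would be dead code, so the comment could state the field width it relies on.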
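A user-space counterpart to the interface the commit message describes, added here as an example and not code from the patch series or the Landlock tree: it builds a ruleset that handles both network rights, allows connect() to TCP port 443 and bind() to TCP port 8080 only, enforces it on the calling thread, and then shows that connecting to an unlisted port is refused with EACCES before any packet leaves the host. The page shows only the allowed_access and port fields of struct landlock_net_service_attr; every other name here (LANDLOCK_ACCESS_NET_BIND_TCP, LANDLOCK_ACCESS_NET_CONNECT_TCP, LANDLOCK_RULE_NET_SERVICE, the handled_access_net field, syscall numbers 444 to 446, and ABI version 4 as the first with network rules) is assumed from the series' UAPI and declared locally instead of including <linux/landlock.h>; the merged kernel later renamed the rule type and struct to LANDLOCK_RULE_NET_PORT and landlock_net_port_attr. net_rule_precheck() repeats the kernel's own validation from add_rule_net_service() on the client side so that a bad rule is reported with the same errno before any ruleset is created.

```c
/* Added example, not from the patch series or the Landlock tree. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* UAPI declared locally; names other than allowed_access/port are assumed
 * from the series (the merged kernel renamed them to *_NET_PORT). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#define LANDLOCK_RULE_NET_SERVICE 2
#define LANDLOCK_NET_ABI_VERSION 4 /* assumed: first ABI with network rules */
struct landlock_ruleset_attr { uint64_t handled_access_fs, handled_access_net; };
struct landlock_net_service_attr { uint64_t allowed_access, port; };

/* The checks the kernel's add_rule_net_service() makes, done client-side so a
 * bad rule fails with the same errno before any syscall is issued. */
static int net_rule_precheck(uint64_t handled, uint64_t allowed, uint64_t port)
{
	if (!allowed)
		return -ENOMSG; /* empty allowed_access (a deny rule) is refused */
	if ((allowed | handled) != handled)
		return -EINVAL; /* a right this ruleset does not handle */
	if (port == 0 || port > UINT16_MAX)
		return -EINVAL; /* only real TCP ports can carry a rule */
	return 0;
}

/* Builds a ruleset handling @handled, adds @rules and enforces it on the
 * calling thread: anything handled but not allowed by a rule is then denied. */
static int sandbox_tcp(uint64_t handled,
		       const struct landlock_net_service_attr *rules, size_t nr_rules)
{
	struct landlock_ruleset_attr attr = { .handled_access_net = handled };
	int fd, err = 0;
	long abi;

	/* Validate every rule before touching the kernel: no half-built ruleset. */
	for (size_t i = 0; i < nr_rules; i++) {
		err = net_rule_precheck(handled, rules[i].allowed_access, rules[i].port);
		if (err)
			return err;
	}
	abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	if (abi < LANDLOCK_NET_ABI_VERSION)
		return abi < 0 ? -errno : -EOPNOTSUPP;
	fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	if (fd < 0)
		return -errno;
	for (size_t i = 0; i < nr_rules && !err; i++)
		if (syscall(__NR_landlock_add_rule, fd, LANDLOCK_RULE_NET_SERVICE, &rules[i], 0))
			err = -errno;
	/* NO_NEW_PRIVS keeps a sandboxed process from regaining rights through a
	 * setuid binary; restrict_self requires it unless the caller has CAP_SYS_ADMIN. */
	if (!err && (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
		     syscall(__NR_landlock_restrict_self, fd, 0)))
		err = -errno;
	close(fd);
	return err;
}

/* Returns 0 or -errno from connect() to 127.0.0.1:@port. */
static int try_connect(uint16_t port)
{
	struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port),
				    .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
	int fd = socket(AF_INET, SOCK_STREAM, 0), ret = 0;

	if (fd < 0)
		return -errno;
	if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)))
		ret = -errno;
	close(fd);
	return ret;
}

int main(void)
{
	const struct landlock_net_service_attr rules[] = {
		{ .allowed_access = LANDLOCK_ACCESS_NET_CONNECT_TCP, .port = 443 },
		{ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP, .port = 8080 },
	};
	int err = sandbox_tcp(LANDLOCK_ACCESS_NET_BIND_TCP |
			      LANDLOCK_ACCESS_NET_CONNECT_TCP, rules, 2);
	if (err) {
		fprintf(stderr, "sandbox not applied: %s\n", strerror(-err));
		return 1;
	}
	/* 443 reaches the TCP stack (ECONNREFUSED unless something listens);
	 * 80 has no rule, so Landlock answers EACCES before any packet is sent. */
	printf("connect 443: %s\n", strerror(-try_connect(443)));
	printf("connect 80: %s\n", strerror(-try_connect(80)));
	return 0;
}
```

Because every rule is validated before the ruleset is created, a rule with an empty allowed_access, a right the ruleset does not handle, or a port outside 1 to 65535 is rejected without leaving a dangling ruleset descriptor, and the caller sees the same -ENOMSG or -EINVAL the kernel would have returned. On a kernel without this series the ABI check fails first and sandbox_tcp() reports -EOPNOTSUPP (or -ENOSYS where Landlock is absent entirely) rather than silently running unsandboxed.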