[RFC PATCH v1 00/10] Socket type control for Landlock

Ivanov Mikhail <ivanov.mikhail1@xxxxxxxxxxxxxxxxxxx> · Mon, 8 Apr 2024 17:39:17 +0800

Patchset implements new type of Landlock rule, that restricts actions for
sockets of any protocol. Such restriction would be useful to ensure
that a sandboxed process uses only necessary protocols.
See [2] for more cases.

The rules store information about the socket family(aka domain) and type.

struct landlock_socket_attr {
	__u64 allowed_access;
	int domain; // see socket(2)
	int type; // see socket(2)
}

Patchset currently implements rule only for socket_create() method, but
other necessary rules will also be impemented. [1]

Code coverage(gcov) report with the launch of all the landlock selftests:
* security/landlock:
lines......: 94.7% (784 of 828 lines)
functions..: 97.2% (105 of 108 functions)

* security/landlock/socket.c:
lines......: 100.0% (33 of 33 lines)
functions..: 100.0% (5 of 5 functions)

[1] https://lore.kernel.org/all/b8a2045a-e7e8-d141-7c01-bf47874c7930@xxxxxxxxxxx/
[2] https://lore.kernel.org/all/ZJvy2SViorgc+cZI@xxxxxxxxxx/

Ivanov Mikhail (10):
  landlock: Support socket access-control
  landlock: Add hook on socket_create()
  selftests/landlock: Create 'create' test
  selftests/landlock: Create 'socket_access_rights' test
  selftests/landlock: Create 'rule_with_unknown_access' test
  selftests/landlock: Create 'rule_with_unhandled_access' test
  selftests/landlock: Create 'inval' test
  selftests/landlock: Create 'ruleset_overlap' test
  selftests/landlock: Create 'ruleset_with_unknown_access' test
  samples/landlock: Support socket protocol restrictions

 include/uapi/linux/landlock.h                 |  49 ++
 samples/landlock/sandboxer.c                  | 149 +++++-
 security/landlock/Makefile                    |   2 +-
 security/landlock/limits.h                    |   5 +
 security/landlock/net.c                       |   2 +-
 security/landlock/ruleset.c                   |  35 +-
 security/landlock/ruleset.h                   |  44 +-
 security/landlock/setup.c                     |   2 +
 security/landlock/socket.c                    | 115 +++++
 security/landlock/socket.h                    |  19 +
 security/landlock/syscalls.c                  |  55 ++-
 tools/testing/selftests/landlock/base_test.c  |   2 +-
 .../testing/selftests/landlock/socket_test.c  | 457 ++++++++++++++++++
 13 files changed, 910 insertions(+), 26 deletions(-)
 create mode 100644 security/landlock/socket.c
 create mode 100644 security/landlock/socket.h
 create mode 100644 tools/testing/selftests/landlock/socket_test.c

-- 
2.34.1