listen(2) can be called without explicit bind(2) call. For a TCP socket it would result in assigning random port(in some range) to this socket by the kernel. If Landlock sandbox supports LANDLOCK_ACCESS_NET_BIND_TCP, this may lead to implicit access to a prohibited (by Landlock sandbox) port. Malicious sandboxed process can accidentally impersonate a legitimate server process (if listen(2) assigns it a server port number). Patch adds hook on socket_listen() that prevents such scenario by checking LANDLOCK_ACCESS_NET_BIND_TCP access for port 0. Few tests were added to cover this case. Code coverage(gcov): * security/landlock: lines......: 94.5% (745 of 788 lines) functions..: 97.1% (100 of 103 functions) Ivanov Mikhail (2): landlock: Add hook on socket_listen() selftests/landlock: Create 'listen_zero', 'deny_listen_zero' tests security/landlock/net.c | 104 +++++++++++++++++--- tools/testing/selftests/landlock/net_test.c | 89 +++++++++++++++++ 2 files changed, 177 insertions(+), 16 deletions(-) -- 2.34.1
