New discussions and RFCs should also include netdev and netfilter
mailing lists. For people new to Landlock, the goal is to enable
unprivileged processes (and then potentially malicious ones) to limit
their own network access (i.e. create a security sandbox for themselves).
Thinking more about network access control for Landlock use case, here
are better suggestions:
On 14/12/2021 12:51, Mickaël Salaün wrote:
On 14/12/2021 04:49, Konstantin Meskhidze wrote:
Hi Mickaёl.
I've been thinking about your reply:
4. Kernel objects.
For filesystem restrictions inodes objects are used to tie landlock
rules.
But for socket operations it's preferred to use task_struct object of
a process, cause sockets' inodes are created just after
security_socket_create() hook is called, and if its needed to have
some restriction rule for creating sockets, this rule can't be tied
to a socket inode cause there is no any has been created at the hook's
catching moment, see the sock_create_lite() function below:
- For the file system, we use inodes to identify hierarchies. We can't
- safely rely on stateless objects (e.g. path strings) because the file
- system changes, and then the rules must change with it.
- To identify network objects (from the user point of view), we can rely
- on stateless rule definitions because they may be absolute (i.e. IP
- address), e.g. sandbox process creating a new connection or
receveing an
- UDP packet. It is not be the case with UNIX socket if they are come
from
- a path (i.e. inode) though. In this case we'll have to use the existing
- file system identification mechanism and probably extend the current FS
- access rights.
- A sandbox is a set of processes handled as "subjects". Generic inet
- rules should not be tied to processes (for now) but on
subnets/protocols.
In current Landlock version inodes are the objects to tie rules to.
For network you are saying that we can rely on stateless rule
definitions and
rules should be tied to subnets/protocols, not to processes'
task_struct objects.
Cause Landlock architecture requires all rules to be tied to a different
kernel objects, and when LSM hooks are caught there must be search
procedure completed in a ruleset's red-black tree structure:
kernel_object -> landlock_object <- landlock_rule
<-----landlock_ruleset
What kind of kernel objects do you mean by subnets/protocols?
Do you suggest using sockets' inodes in this case or using network rules
without to be tied to any kernel object?
The subnets/protocols is the definition provided when creating a rule
(i.e. the object from the user point of view), but the kernel may relies
on other internal representations. I guess datagram packets would need
to be matched against IP/port everytime they are received by a sandboxed
process, but tagging sockets or their underlying inodes for stream
connections make sense.
I don't have experience in the network LSM hooks though, any input is
welcome.
socket_inode -> landlock_object <- landlock_rule
<-----landlock_ruleset
OR
landlock_object <- landlock_rule <-----landlock_ruleset
-----Original Message-----
From: Mickaël Salaün <mic@xxxxxxxxxxx>
Sent: Monday, December 13, 2021 4:30 PM
To: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
Cc: linux-security-module@xxxxxxxxxxxxxxx; yusongping
<yusongping@xxxxxxxxxx>; Artem Kuzin <artem.kuzin@xxxxxxxxxx>
Subject: Re: [RFC PATCH 0/2] Landlock network PoC implementation
Hi Konstantin,
On 10/12/2021 08:21, Konstantin Meskhidze wrote:
[...]
To sum up, for IPv4 restrictions, we need a new rule type identified
with LANDLOCK_RULE_NET_CIDR4. This will handle a new
struct landlock_net_cidr4_attr {
__u64 allowed_access;
__u32 address; // IPv4
__u8 prefix; // From 0 to 32
__u8 type; // SOCK_DGRAM, SOCK_STREAM
__u16 port;
} __attribute__((packed));
// https://datatracker.ietf.org/doc/html/rfc4632
IP addresses (and subnets) should not be part of a rule, at least for
now. Indeed, IP addresses are tied either to the system architecture
(e.g. container configuration), the local network or Internet, hence
moving targets not controlled by application developers. Moreover, from
a kernel point of view, it is more complex to check and handle subnets,
which are most of the time tied to the Netfilter infrastructure, not
suitable for Landlock because of its unprivileged nature.
On the other side, protocols such as TCP and their associated ports are
normalized and are tied to an application semantic (e.g. TCP/443 for HTTPS).
There is other advantages to exclude subnets from this type of rules for
now (e.g. they could be composed with protocols/ports), but that may
come later.
I then think that a first MVP to bring network access control support to
Landlock should focus only on TCP and related ports (i.e. services). I
propose to not use my previous definition of landlock_net_cidr4_attr but
to have a landlock_net_service_attr instead:
struct landlock_net_service_attr {
__u64 allowed_access; // LANDLOCK_NET_*_TCP
__u16 port;
} __attribute__((packed));
This attribute should handle IPv4 and IPv6 indistinguishably.
[...]
Accesses/suffixes should be:
- CREATE
- ACCEPT
- BIND
- LISTEN
- CONNECT
- RECEIVE (RECEIVE_FROM and SEND_TO should not be needed)
- SEND
- SHUTDOWN
- GET_OPTION (GETSOCKOPT)
- SET_OPTION (SETSOCKOPT)
For now, the only access rights should be LANDLOCK_ACCESS_NET_BIND_TCP
and LANDLOCK_ACCESS_NET_CONNECT_TCP (tie to two LSM hooks with struct
sockaddr).
These attribute and access right changes reduce the scope of the network
access control and make it simpler but still really useful. Datagram
(e.g. UDP, which could add BIND_UDP and SEND_UDP) sockets will be more
complex to restrict correctly and should then come in another patch
series, once TCP is supported.