Here is the beginning of the thread:
https://lore.kernel.org/linux-security-module/a1769c4239ee4e8aadb65f9ebb6061d8@xxxxxxxxxx/
On 17/12/2021 22:29, Willem de Bruijn wrote:
> On Fri, Dec 17, 2021 at 4:38 AM Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
> > [...]
> > Accesses/suffixes should be:
> > - CREATE
> > - ACCEPT
> > - BIND
> > - LISTEN
> > - CONNECT
> > - RECEIVE (RECEIVE_FROM and SEND_TO should not be needed)
> > - SEND
> > - SHUTDOWN
> > - GET_OPTION (GETSOCKOPT)
> > - SET_OPTION (SETSOCKOPT)
> > For now, the only access rights should be LANDLOCK_ACCESS_NET_BIND_TCP
> > and LANDLOCK_ACCESS_NET_CONNECT_TCP (tied to two LSM hooks with struct
> > sockaddr).
> > These attribute and access right changes reduce the scope of the network
> > access control and make it simpler but still really useful. Datagram
> > (e.g. UDP, which could add BIND_UDP and SEND_UDP) sockets will be more
> > complex to restrict correctly and should then come in another patch
> > series, once TCP is supported.
> Thanks for cc:ing the netdev list. I miss some of the context, and assume
> that limits are configured on a per-socket basis.
> One practical use case I had for voluntarily relinquishing privileges:
> do not allow connect AF_UNSPEC. This is a little-used feature that
> allows an already established connection to disconnect and create a
> new connection. Without this option, it is possible for a privileged
> process to create connections and hand those off to a less privileged
> process. Also, do not allow listen calls, to avoid elevating a socket
> to a listener.
Thanks for the heads-up. connect + AF_UNSPEC is a nice trick, but the
security_socket_connect() hook should handle that, and then the
LANDLOCK_ACCESS_NET_CONNECT_TCP right too. This should be part of the tests
though.
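The connect + AF_UNSPEC behaviour discussed above, shown on a plain TCP socket over loopback. This is an added example and not code from the thread or from Landlock: it installs no Landlock ruleset and uses only the socket API. The two loopback listeners with kernel-chosen ports, the helper names, the step numbers and the SO_ERROR read (assumed here to clear the error the TCP stack typically records for the aborted connection) are this example's own choices.

```c
/* Added example, not code from the thread or from Landlock.
 * An established TCP client socket is "connected" to a sockaddr whose
 * sa_family is AF_UNSPEC, which the kernel treats as a disconnect, and
 * the same file descriptor is then connected to a second listener.
 * Everything runs over loopback inside one process. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket on 127.0.0.1 with a kernel-chosen port, written to
 * *port in host byte order.  Returns the fd, or -1 on error. */
static int listen_loopback(uint16_t *port)
{
	struct sockaddr_in addr = { .sin_family = AF_INET };
	socklen_t len = sizeof(addr);
	int fd = socket(AF_INET, SOCK_STREAM, 0);

	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (fd < 0)
		return -1;
	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
	    listen(fd, 1) < 0 ||
	    getsockname(fd, (struct sockaddr *)&addr, &len) < 0) {
		close(fd);
		return -1;
	}
	*port = ntohs(addr.sin_port);
	return fd;
}

/* connect(2) fd to 127.0.0.1:port with an ordinary AF_INET sockaddr. */
static int connect_loopback(int fd, uint16_t port)
{
	struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port) };

	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	return connect(fd, (struct sockaddr *)&addr, sizeof(addr));
}

/* 1 if fd has a peer, 0 if getpeername(2) reports ENOTCONN, -1 otherwise. */
static int has_peer(int fd)
{
	struct sockaddr_storage peer;
	socklen_t len = sizeof(peer);

	if (getpeername(fd, (struct sockaddr *)&peer, &len) == 0)
		return 1;
	return errno == ENOTCONN ? 0 : -1;
}

/* Runs the exchange.  Returns 0 on success, or the number of the step
 * at which the observed behaviour differed from the one described. */
int af_unspec_reconnect_demo(void)
{
	uint16_t port_a = 0, port_b = 0;
	/* fds: client, listener A, listener B, accepted A, accepted B */
	int fds[5] = { -1, -1, -1, -1, -1 };
	int *cli = &fds[0], *lsn_a = &fds[1], *lsn_b = &fds[2];
	int *srv_a = &fds[3], *srv_b = &fds[4];
	struct sockaddr unspec = { .sa_family = AF_UNSPEC };
	int soerr = 0, step = 0, saved_errno;
	socklen_t soerr_len = sizeof(soerr);

	*lsn_a = listen_loopback(&port_a);
	*lsn_b = listen_loopback(&port_b);
	*cli = socket(AF_INET, SOCK_STREAM, 0);
	if (*lsn_a < 0 || *lsn_b < 0 || *cli < 0)
		step = 1;
	/* Step 2: normal connect to listener A (an AF_INET sockaddr). */
	else if (connect_loopback(*cli, port_a) < 0 ||
		 (*srv_a = accept(*lsn_a, NULL, NULL)) < 0)
		step = 2;
	else if (has_peer(*cli) != 1)
		step = 3;
	/* Step 4: connect(2) with sa_family == AF_UNSPEC.  The
	 * security_socket_connect() hook runs before the protocol code and
	 * sees exactly this sockaddr; TCP then resets the association and
	 * the call reports success. */
	else if (connect(*cli, &unspec, sizeof(unspec)) < 0)
		step = 4;
	else if (has_peer(*cli) != 0)
		step = 5;
	/* Step 6: read and discard the pending socket error left by the
	 * aborted connection (assumed here to be the usual ECONNRESET). */
	else if (getsockopt(*cli, SOL_SOCKET, SO_ERROR, &soerr, &soerr_len) < 0)
		step = 6;
	/* Step 7: the very same descriptor now connects to listener B,
	 * a fresh connection without any new socket(2) call. */
	else if (connect_loopback(*cli, port_b) < 0 ||
		 (*srv_b = accept(*lsn_b, NULL, NULL)) < 0)
		step = 7;
	else if (has_peer(*cli) != 1)
		step = 8;

	saved_errno = errno;
	for (int i = 0; i < 5; i++)
		if (fds[i] >= 0)
			close(fds[i]);
	errno = saved_errno;
	return step;
}

int main(void)
{
	int step = af_unspec_reconnect_demo();

	if (step)
		printf("failed at step %d: %s\n", step, strerror(errno));
	else
		printf("connect(AF_UNSPEC) disconnected the socket and it was reused\n");
	return step != 0;
}
```

The point for a sandbox is step 4: the connect hook is invoked with a sockaddr whose family is neither AF_INET nor AF_INET6, so a policy that only parses IP addresses has to decide explicitly what it does with sa_family == AF_UNSPEC, and step 7 is why it matters: the descriptor that comes out of the disconnect is reusable for a new connection by whoever holds it.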