New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add the Landlock network rule type and access rights #4266
Conversation
Thanks for the PR! Note that you also need to adjust the |
Hmm, indeed. Is there any way to make new fields optional for syzkaller? The Landlock syscalls use extended attributes (i.e. struct pointer + size). Would it be OK if I swap the size |
Add the new lanlock_net_port_attr struct and related LANDLOCK_ACCESS_NET_{BIND,CONNECT}_TCP flags for TCP access control. Add landlock_ruleset_attr's handled_access_net field and fix handled_access_fs name. Update tests with the new landlock_ruleset_attr's handled_access_net field. Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
For such programs, syzkaller would still expect you to explicitly set values for all fields (even if it be I see you've already figured out how to update the tests anyway. |
…rnel/git/mic/linux Pull landlock updates from Mickaël Salaün: "A Landlock ruleset can now handle two new access rights: LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP. When handled, the related actions are denied unless explicitly allowed by a Landlock network rule for a specific port. The related patch series has been reviewed for almost two years, it has evolved a lot and we now have reached a decent design, code and testing. The refactored kernel code and the new test helpers also bring the foundation to support more network protocols. Test coverage for security/landlock is 92.4% of 710 lines according to gcc/gcov-13, and it was 93.1% of 597 lines before this series. The decrease in coverage is due to code refactoring to make the ruleset management more generic (i.e. dealing with inodes and ports) that also added new WARN_ON_ONCE() checks not possible to test from user space. syzkaller has been updated accordingly [4], and such patched instance (tailored to Landlock) has been running for a month, covering all the new network-related code [5]" Link: https://lore.kernel.org/r/20231026014751.414649-1-konstantin.meskhidze@huawei.com [1] Link: https://lore.kernel.org/r/CAHC9VhS1wwgH6NNd+cJz4MYogPiRV8NyPDd1yj5SpaxeUB4UVg@mail.gmail.com [2] Link: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next-history.git/commit/?id=c8dc5ee69d3a [3] Link: google/syzkaller#4266 [4] Link: https://storage.googleapis.com/syzbot-assets/82e8608dec36/ci-upstream-linux-next-kasan-gce-root-ab577164.html#security%2flandlock%2fnet.c [5] * tag 'landlock-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: selftests/landlock: Add tests for FS topology changes with network rules landlock: Document network support samples/landlock: Support TCP restrictions selftests/landlock: Add network tests selftests/landlock: Share enforce_ruleset() helper landlock: Support network rules with TCP bind and connect landlock: Refactor landlock_add_rule() syscall landlock: Refactor layer helpers landlock: Move and rename layer helpers landlock: Refactor merge/inherit_ruleset helpers landlock: Refactor landlock_find_rule/insert_rule helpers landlock: Allow FS topology changes for domains without such rule type landlock: Make ruleset's access masks more generic
Add the new lanlock_net_port_attr struct and related LANDLOCK_ACCESS_NET_{BIND,CONNECT}_TCP flags for TCP access control.
Add landlock_ruleset_attr's handled_access_net field and fix handled_access_fs name.
This network support is not merged into mainline yet but I pushed it to -next: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/include/uapi/linux/landlock.h
The UAPI should not change, only some kernel code cleanup is required: https://lore.kernel.org/all/20230920092641.832134-1-konstantin.meskhidze@huawei.com/
Running this on my side (with targeted syscalls) lead to 90% coverage of the new security/landlock/net.c file without any help from custom tests.
Cc @BoardzMaster