

fix networking support
We did not do a proper config downgrade in best effort mode for the
network access rights.  This shadowed another bug in the definition of
the NetPortAttr struct, whose port number was wrongly passed using
16 instead of 64 bits (probably carried over from an earlier version
of the kernel patch).
gnoack committed Oct 13, 2024
1 parent 0aa0045 commit affa120
Showing 4 changed files with 31 additions and 4 deletions.
5 changes: 3 additions & 2 deletions landlock/config.go
Expand Up @@ -291,7 +291,8 @@ func (c Config) compatibleWithABI(abi abiInfo) bool {
// restrictTo returns a config that is a subset of c and which is compatible with the given ABI.
func (c Config) restrictTo(abi abiInfo) Config {
return Config{
handledAccessFS: c.handledAccessFS.intersect(abi.supportedAccessFS),
bestEffort: true,
handledAccessFS: c.handledAccessFS.intersect(abi.supportedAccessFS),
handledAccessNet: c.handledAccessNet.intersect(abi.supportedAccessNet),
bestEffort: true,
}
}
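Review bot: The doc comment above restrictTo does not say what happens to access rights the target ABI lacks, and that is precisely the security-relevant consequence of this change: on a kernel whose ABI has no network support the handledAccessNet intersection is zero, so the returned config enforces no network restriction at all, silently, because bestEffort is forced to true. A caller reading only the comment would assume "compatible subset" still restricts what they asked for. Suggested replacement for the comment line: `// restrictTo returns a config that is a subset of c and which is compatible with the given ABI. Access rights the ABI does not support (file system or network) are dropped, so in best-effort mode the enforced policy can be strictly weaker than the one requested.`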
7 changes: 6 additions & 1 deletion landlock/net_opt.go
Expand Up @@ -44,10 +44,15 @@ func (n NetRule) compatibleWithConfig(c Config) bool {
}

func (n NetRule) addToRuleset(rulesetFD int, c Config) error {
if n.access == 0 {
// Adding this to the ruleset would be a no-op
// and result in an error.
return nil
}
flags := 0
attr := &ll.NetPortAttr{
AllowedAccess: uint64(n.access),
Port: n.port,
Port: uint64(n.port),
}
return ll.LandlockAddNetPortRule(rulesetFD, attr, flags)
}
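Review bot: The early return at the top of addToRuleset makes a rule with no access rights disappear without any signal to the caller, and the comment only says the kernel would error; it should also state why dropping the rule is safe, because that is the property a reviewer has to convince themselves of. Landlock rules are allow-lists, so a NetRule whose access bits were all stripped by the downgrade grants nothing either way; I would write the comment as `// A rule with no access rights grants nothing (Landlock rules are allow-lists), so it is safe to drop it here rather than let the kernel reject the empty rule with an error.`. Separately, `Port: uint64(n.port)` is correct for the widened NetPortAttr.Port, but if n.port is anything wider than a uint16 (its type is not visible in this hunk), values above 65535 are now passed straight to the kernel; a range check before the syscall would be worth adding in that case.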
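--- a/landlock/restrict_downgrade_test.go
+++ b/landlock/restrict_downgrade_test.go
@@ -96,3 +96,24 @@ func TestDowngradeAccessFS(t *testing.T) {
 })
 }
 }
+
+func TestDowngradeNetwork(t *testing.T) {
+cfg := Config{handledAccessNet: ll.AccessNetConnectTCP}
+abi := abiInfos[3] // does not have networking support
+rules := []Rule{ConnectTCP(53)}
+gotCfg, _ := downgrade(cfg, rules, abi)
+
+if gotCfg.handledAccessNet != 0 {
+t.Errorf("downgrade to v3 should remove networking support, but resulted in %v", gotCfg)
+}
+}
+
+func TestDowngradeNoop(t *testing.T) {
+cfg := V5.BestEffort()
+abi := abiInfos[5]
+gotCfg, _ := downgrade(cfg, []Rule{}, abi)
+
+if gotCfg != cfg {
+t.Errorf("downgrade should have been a no-op.\n got %v,\nwant %v", gotCfg, cfg)
+}
+}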
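Review bot: Both new tests discard downgrade's second return value (`gotCfg, _ := downgrade(cfg, rules, abi)`), so the rule half of the downgrade is never checked even though the commit message says the rule path is where the NetPortAttr bug was hiding. I cannot tell that value's type from this hunk: if it is the downgraded rule set, TestDowngradeNetwork should assert that `ConnectTCP(53)` was removed or left with zero access bits, which is the case the new early return in addToRuleset depends on; if it is an error, both tests should fail on it with `t.Fatalf("downgrade: %v", err)` rather than ignore it. The `abiInfos[3]` comment would also be firmer tied to the version the error message names, e.g. `// ABI v3: predates network access rights`.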
2 changes: 1 addition & 1 deletion landlock/syscall/landlock.go
Expand Up @@ -75,5 +75,5 @@ type PathBeneathAttr struct {
// NetPortAttr specifies which ports can be used for what.
type NetPortAttr struct {
AllowedAccess uint64
Port uint16
Port uint64
}
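Review bot: The widened `Port uint64` field at the end of NetPortAttr carries no comment saying why a port number is 64 bits, which is exactly the detail a future reader is likely to "correct" back to uint16 and reintroduce this bug. The struct is what is handed to the kernel by LandlockAddNetPortRule, so its field widths are part of the kernel ABI and not a matter of taste; I would add `// Port is the TCP port number. The kernel ABI declares it as a 64-bit field, so it must stay uint64 even though valid ports fit in 16 bits.` above the field. A small test asserting `unsafe.Sizeof(NetPortAttr{})` equals the kernel struct's size would turn the next layout mismatch into a loud failure instead of one shadowed by another bug, as the commit message describes; I have not checked the uapi header here, so confirm the expected size before pinning it.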

