From affa120fca6ca1ad49d2ebc3d3dba76b1829a67e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Noack?=
Date: Sun, 13 Oct 2024 23:06:35 +0200
Subject: [PATCH] fix networking support

We did not do a proper config downgrade in best effort mode for the network access rights. This shadowed another bug in the definition of the PathBeneathAttr struct, whose port number was wrongly passed using 16 instead of 64 bits (probably carried over from an earlier version of the kernel patch).
---
 landlock/config.go | 5 +++--
 landlock/net_opt.go | 7 ++++++-
 landlock/restrict_downgrade_test.go | 21 +++++++++++++++++++++
 landlock/syscall/landlock.go | 2 +-
 4 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/landlock/config.go b/landlock/config.go
index 2fda1f7..430920d 100644
--- a/landlock/config.go
+++ b/landlock/config.go
@@ -291,7 +291,8 @@ func (c Config) compatibleWithABI(abi abiInfo) bool {
 // restrictTo returns a config that is a subset of c and which is compatible with the given ABI.
 func (c Config) restrictTo(abi abiInfo) Config {
 return Config{
- handledAccessFS: c.handledAccessFS.intersect(abi.supportedAccessFS),
- bestEffort: true,
+ handledAccessFS: c.handledAccessFS.intersect(abi.supportedAccessFS),
+ handledAccessNet: c.handledAccessNet.intersect(abi.supportedAccessNet),
+ bestEffort: true,
 }
 }
diff --git a/landlock/net_opt.go b/landlock/net_opt.go
index 0de167d..6aa0bd9 100644
--- a/landlock/net_opt.go
+++ b/landlock/net_opt.go
@@ -44,10 +44,15 @@ func (n NetRule) compatibleWithConfig(c Config) bool {
 }
 
 func (n NetRule) addToRuleset(rulesetFD int, c Config) error {
+ if n.access == 0 {
+ // Adding this to the ruleset would be a no-op
+ // and result in an error.
+ return nil
+ }
 flags := 0
 attr := &ll.NetPortAttr{
 AllowedAccess: uint64(n.access),
- Port: n.port,
+ Port: uint64(n.port),
 }
 return ll.LandlockAddNetPortRule(rulesetFD, attr, flags)
 }
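Review bot: restrictTo builds its result from a fresh `Config{...}` literal, so any handled-access field not listed there comes back as zero, which is how the network rights were lost before this change; nothing in the function warns the next person who adds a field to Config. As far as Landlock semantics go, a zero handled-access mask means that class of access is not restricted at all, so an omission here fails open without any error. I would extend the doc comment with `// Every handledAccess* field of Config must be intersected here; a field left out of the literal is zeroed and that restriction is silently dropped.`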
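Review bot: The comment on the new `n.access == 0` guard in addToRuleset describes the add as both a no-op and an error, and does not say when a NetRule legitimately ends up with no access bits. Presumably that happens when the best-effort downgrade strips network rights the running kernel does not support (the downgrade code is outside this hunk), and the kernel refuses a rule whose allowed_access is empty. I would reword it to `// A rule without access bits grants nothing, and the kernel rejects an empty allowed_access; skip it. This is expected after a best-effort downgrade.` Skipping is safe in the sense that Landlock rules only grant access, so dropping one never widens what the process may do.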
diff --git a/landlock/restrict_downgrade_test.go b/landlock/restrict_downgrade_test.go
index e545931..d867091 100644
--- a/landlock/restrict_downgrade_test.go
+++ b/landlock/restrict_downgrade_test.go
@@ -96,3 +96,24 @@ func TestDowngradeAccessFS(t *testing.T) {
 })
 }
 }
+
+func TestDowngradeNetwork(t *testing.T) {
+ cfg := Config{handledAccessNet: ll.AccessNetConnectTCP}
+ abi := abiInfos[3] // does not have networking support
+ rules := []Rule{ConnectTCP(53)}
+ gotCfg, _ := downgrade(cfg, rules, abi)
+
+ if gotCfg.handledAccessNet != 0 {
+ t.Errorf("downgrade to v3 should remove networking support, but resulted in %v", gotCfg)
+ }
+}
+
+func TestDowngradeNoop(t *testing.T) {
+ cfg := V5.BestEffort()
+ abi := abiInfos[5]
+ gotCfg, _ := downgrade(cfg, []Rule{}, abi)
+
+ if gotCfg != cfg {
+ t.Errorf("downgrade should have been a no-op.\n got %v,\nwant %v", gotCfg, cfg)
+ }
+}
diff --git a/landlock/syscall/landlock.go b/landlock/syscall/landlock.go
index 72b2886..ca2fc17 100644
--- a/landlock/syscall/landlock.go
+++ b/landlock/syscall/landlock.go
@@ -75,5 +75,5 @@ type PathBeneathAttr struct {
 // NetPortAttr specifies which ports can be used for what.
 type NetPortAttr struct {
 AllowedAccess uint64
- Port uint16
+ Port uint64
 }
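Review bot: TestDowngradeNetwork discards the second result of `downgrade` (`gotCfg, _ := downgrade(cfg, rules, abi)`), so it checks only the config and not what becomes of the `ConnectTCP(53)` rule on an ABI without networking. The `n.access == 0` guard added to addToRuleset in this commit depends on such a rule coming back with no access bits or being dropped; binding that result (presumably the downgraded rules) and asserting on it would pin the behaviour. TestDowngradeNoop passes an empty rule list, so it does not exercise that path either. Neither test covers the 16-bit to 64-bit Port change, which probably needs a kernel-backed test.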
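Review bot: The doc comment on NetPortAttr does not say that the struct is handed to the kernel and that its field widths and order are part of the syscall ABI, which is exactly the property this change repairs. I would replace it with `// NetPortAttr mirrors the kernel's struct landlock_net_port_attr: two 64-bit fields in this order.` and add `// Port is a TCP port; the kernel rejects values above 65535.` on the field. Note also that the commit description attributes the bug to PathBeneathAttr, while the field changed here belongs to NetPortAttr; PathBeneathAttr appears only as the hunk's context label.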