Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add initial networking support #55

Merged
merged 4 commits into from
Jun 12, 2024
Merged

Add initial networking support #55

merged 4 commits into from
Jun 12, 2024

Conversation

l0kod
Copy link
Member

@l0kod l0kod commented Jan 10, 2024

Linux 6.7 adds an initial Landlock network support with TCP bind and connect restrictions.

@l0kod l0kod force-pushed the tcp branch 2 times, most recently from eff6566 to ca536b0 Compare January 24, 2024 15:57
@l0kod l0kod mentioned this pull request Jan 24, 2024
Merged
@l0kod l0kod closed this Jan 24, 2024
@l0kod l0kod reopened this Jan 24, 2024
@l0kod l0kod mentioned this pull request Jan 31, 2024
Closed
@l0kod l0kod force-pushed the tcp branch 4 times, most recently from 2469121 to 4ea35a2 Compare February 13, 2024 15:14
@l0kod l0kod mentioned this pull request Apr 2, 2024
Closed
@l0kod l0kod mentioned this pull request May 31, 2024
Merged
@l0kod l0kod force-pushed the tcp branch 2 times, most recently from 9afb670 to 1bebfdd Compare May 31, 2024 15:26
@l0kod l0kod mentioned this pull request May 31, 2024
Merged
@l0kod l0kod mentioned this pull request Jun 3, 2024
Merged
@l0kod l0kod marked this pull request as ready for review June 3, 2024 12:52
@l0kod
Copy link
Member Author

l0kod commented Jun 3, 2024

I still need to address a few TODOs but the main changes should work fine.

I'd like to leverage the type system for the port check (instead of the runtime check) but I'm still thinking about a proper API.

@l0kod
Copy link
Member Author

l0kod commented Jun 10, 2024
edited
Loading

I'd like to leverage the type system for the port check (instead of the runtime check) but I'm still thinking about a proper API.

I switched to u16 ports and removed the PortOverflow error. We'll add new methods with other integer types (and related overflow error) if needed.

l0kod added 2 commits June 11, 2024 17:01
@l0kod
src,ci: Handle Landlock ABI v4
c1fef29 
Prepare crate for networking support, and run all tests against Linux
6.7.1 that supports Landlock ABI 4

Signed-off-by: Mickaël Salaün <mic@digikod.net>
@l0kod
net: Handle TCP bind and connect access rights
5e8b4a4 
Add the AccessNet::BindTcp and AccessNet::ConnectTcp rights.

Add ruleset_created_handle_access_net test to check that handled and
actual access rights are consistent according to the Landlock ABI.

Rename the ruleset_created_handle_access_or test to
ruleset_created_handle_access_fs.

It should be noted that handle_access(AccessNet::from_all(ABI::V3))
returns an error because of the empty access bitflags.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
@l0kod
net: Add NetPort rule
f112bf8 
The NetPort type enables us to create network port rules leveraging
Landlock ABI 4.

Only 16-bit ports are allowed by the type system, which remove the need
for overflow check and error.

Add related tests, and handle E2BIG when the handled_access_net field is
set and the running kernel does not support it.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
@l0kod
sandboxer: Add TCP bind and connect support
d645052 
Bump to Landlock ABI v4.

Tested that this sandbox doesn't restrict TCP:
  LL_FS_RO=/ LL_FS_RW=/ \
    cargo run --example=sandboxer bash -i

Tested that this sandbox restrict bind and connect ports:
  LL_FS_RO=/ LL_FS_RW=/ LL_TCP_BIND="2000" LL_TCP_CONNECT="3000:4000" \
    cargo run --example=sandboxer bash -i

Test commands (with different ports):
  socat tcp-listen:2000 stdio
  date | socat stdio tcp-connect:127.1:2000

Signed-off-by: Mickaël Salaün <mic@digikod.net>
@l0kod l0kod merged commit d645052 into landlock-lsm:main Jun 12, 2024
14 checks passed
@l0kod l0kod deleted the tcp branch June 12, 2024 07:54
@l0kod
Copy link
Member Author

l0kod commented Jun 12, 2024

I'll release a new version of this crate tomorrow if no issue is reported.

@l0kod
Copy link
Member Author

l0kod commented Jun 19, 2024

That was a long ride, but it's now published! 🥳

As you can see, this was due to some refactoring to generalize the internal library code for the new class of access rights and rule (network). This investment will greatly simplify the implementation of future changes.

As described in the changelog, you'll need to update Cargo.toml with the 0.4.0 version of this crate.

@l0kod l0kod mentioned this pull request Jun 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@l0kod