From: Jann Horn
Date: Mon, 10 Jun 2024 23:49:21 +0200
Subject: Re: [PATCH v3] landlock: Add abstract unix socket connect restriction
To: Mickaël Salaün
Cc: Tahera Fahimi, Günther Noack, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, Björn Roy Baron, outreachy@lists.linux.dev, netdev@vger.kernel.org
In-Reply-To: <20240610.Aifee5ingugh@digikod.net>

On Mon, Jun 10, 2024 at 6:36 PM Mickaël Salaün wrote:
> On Fri, Jun 07, 2024 at 01:41:39PM -0600, Tahera Fahimi wrote:
> > On Fri, Jun 07, 2024 at 10:28:35AM +0200, Günther Noack wrote:
> > > Is it intentional that you are both restricting the connection and the sending
> > > with the same flag (security_unix_may_send)? If an existing Unix Domain Socket
> > > gets passed in to a program from the outside (e.g. as stdout), shouldn't it
> > > still be possible that the program enables a Landlock policy and then still
> > > writes to it? (Does that work? Am I mis-reading the patch?)
> > If a passed socket is already connected, then a write/send should work.

If I'm reading unix_dgram_sendmsg() correctly, we'll always hit
security_unix_may_send() for any UNIX socket type other than
SOCK_SEQPACKET (meaning SOCK_STREAM and SOCK_DGRAM), even if the
socket is already connected, and then we'll do the landlock check.
That's probably not the intended behavior for Landlock, unless I'm
misreading the code?

Maybe to get nice semantics it's necessary to add a parameter to
security_unix_may_send() that says whether the destination address
came from the caller or from the socket?
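
The two cases the message above distinguishes, seen from user space, as an added example (not code from the thread or the patch): a datagram sent on an already connected abstract AF_UNIX socket, where the destination is stored in the socket, and one sent with sendto(), where the caller supplies the destination. The function names and the socket name are constructed for this example; it does not involve Landlock and is Linux-only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Abstract address: sun_path[0] is '\0' and the name follows (Linux only). */
static socklen_t abstract_addr(struct sockaddr_un *sa, const char *name)
{
    size_t n = strlen(name);
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + 1, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* from_caller == 0: connect() then send(), destination stored in the socket.
 * from_caller == 1: sendto() with an address, destination given by the caller.
 * Returns bytes received or -1; the socket name is constructed for this demo. */
int send_case(int from_caller)
{
    struct sockaddr_un sa;
    char name[64], buf[16];
    const char msg[] = "ping";
    ssize_t got = -1;
    socklen_t len;
    int rx, tx;

    snprintf(name, sizeof(name), "example-demo-%d-%d", (int)getpid(), from_caller);
    len = abstract_addr(&sa, name);
    rx = socket(AF_UNIX, SOCK_DGRAM, 0);
    tx = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0 || bind(rx, (struct sockaddr *)&sa, len) < 0)
        goto out;
    if (from_caller) {
        if (sendto(tx, msg, sizeof(msg), 0, (struct sockaddr *)&sa, len) < 0)
            goto out;
    } else if (connect(tx, (struct sockaddr *)&sa, len) < 0 ||
               send(tx, msg, sizeof(msg), 0) < 0) {
        goto out;
    }
    got = recv(rx, buf, sizeof(buf), 0);
out:
    close(rx); close(tx); /* close(-1) just fails with EBADF */
    return (int)got;
}

int main(void) { printf("%d %d\n", send_case(0), send_case(1)); return 0; }
```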