Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756797AbZLRDaP (ORCPT ); Thu, 17 Dec 2009 22:30:15 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1754576AbZLRDaL (ORCPT ); Thu, 17 Dec 2009 22:30:11 -0500 Received: from lists.laptop.org ([18.85.2.145]:58071 "EHLO mail.laptop.org" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752721AbZLRDaJ (ORCPT ); Thu, 17 Dec 2009 22:30:09 -0500 Date: Thu, 17 Dec 2009 22:32:01 -0500 From: Michael Stone To: Mark Seaborn Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen , David Lang , Oliver Hartkopp , Alan Cox , Herbert Xu , Valdis Kletnieks , Bryan Donlan , Evgeniy Polyakov , "C. Scott Ananian" , James Morris , "Eric W. Biederman" , Bernie Innocenti , Mark Seaborn , Randy Dunlap , =?iso-8859-1?Q?Am=E9rico?= Wang , Michael Stone Subject: [PATCH 3/3] Security: Document prctl(PR_{GET,SET}_NETWORK). (v2) Message-ID: <20091218033201.GC23514@heat> References: <20091218030056.GC3047@heat> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20091218030056.GC3047@heat> User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3544 Lines: 96 Explain the purpose, interface, and semantics of the prctl(PR_{GET,SET}_network) facility. Also reference some example userland clients. Signed-off-by: Michael Stone --- Documentation/prctl/network.txt | 72 +++++++++++++++++++++++++++++++++++++++ 1 files changed, 72 insertions(+), 0 deletions(-) create mode 100644 Documentation/prctl/network.txt diff --git a/Documentation/prctl/network.txt b/Documentation/prctl/network.txt new file mode 100644 index 0000000..b337722 --- /dev/null +++ b/Documentation/prctl/network.txt @@ -0,0 +1,72 @@ +Purpose +------- + +Daniel Bernstein has observed [1] that security-conscious userland processes +may benefit from the ability to irrevocably remove their ability to create, +bind, connect to, or send messages except in the case of previously connected +sockets or AF_UNIX filesystem sockets. + +This facility is particularly attractive to security platforms like OLPC +Bitfrost [2] and to isolation programs like Rainbow [3] and Plash [4] because: + + * it integrates well with standard techniques for writing privilege-separated + Unix programs + + * it integrates well with the need to perform limited socket I/O, e.g., when + running X clients + + * it's available to unprivileged programs + + * it's a discretionary feature available to all of distributors, + administrators, authors, and users + + * its effect is entirely local, rather than global (like netfilter) + + * it's simple enough to have some hope of being used correctly + +Implementation +-------------- + +After considering implementations based on the Linux Security Module (LSM) +framework, on SELinux in particular, on network namespaces (CLONE_NEWNET), and +on direct modification of the kernel syscall and task_struct APIs, we came to +the conclusion that the best way to implement this feature was to extend the +prctl() framework with a new pair of options named PR_{GET,SET}_NETWORK. These +options cause prctl() to read or modify "current->network". + +Semantics +--------- + +current->network is a flags field which is preserved across all variants of +fork() and exec(). + +Writes which attempt to clear bits in current->network return -EPERM. + +The default value for current->network is named PR_NETWORK_OFF and is defined +to be 0. + +Presently, only one flag is defined: PR_NETWORK_OFF. + +More flags may be defined in the future if they become needed. + +Attempts to set undefined flags result in -EINVAL. + +When PR_NETWORK_OFF is set, implementations of syscalls which may be used by +the current process to perform autonomous networking will return -EPERM. For +example, calls to socket(), bind(), connect(), sendmsg(), and ptrace() will +return -EPERM except for cases we are manipulating an AF_UNIX socket whose name +does not begin with \0 or, in the case of sendmsg(), unless we are manipulating +a previously connected socket, i.e. one with + + msg.msg_name == NULL && msg.msg_namelen == 0 + +or, in the case of ptrace(), we are ptracing() a process which has all of our +own networking restriction flags set. + +References +---------- + +[1]: http://cr.yp.to/unix/disablenetwork.html +[2]: http://wiki.laptop.org/go/OLPC_Bitfrost +[3]: http://wiki.laptop.org/go/Rainbow +[4]: http://plash.beasts.org/ -- 1.6.6.rc1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/