Fix SCTP bind/connect mishandling
SCTP is a connection-oriented protocol that can be used to establish one-to-many and one-to-one communication between endpoints.
The one-to-one style can be used by specifying the AF_INET family, SOCK_STREAM type and IPPROTO_SCTP protocol value in socket(2):
```c
int sctp_client_fd;
sctp_client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
```
The current implementation of LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP allows restricting bind/connect actions for both classic TCP sockets and SCTP sockets.
SCTP allows binding and connecting sockets not only with bind(2) and connect(2), but also with setsockopt(3p). The options SCTP_SOCKOPT_CONNECT*, SCTP_SOCKOPT_BIND*, ... (Cf. SCTP) are provided for this purpose.
For example:
```c
setsockopt(sctp_client_fd, IPPROTO_SCTP, SCTP_SOCKOPT_CONNECTX, &addr, sizeof(addr));
```
It is not possible to restrict such calls using LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP, which leads to inconsistent Landlock behavior.
There are a few ways to fix this issue:
- Change the behavior of the TCP access rights so that they check only classic TCP sockets (with protocol=0).
- Implement restriction of SCTP bind/connect via setsockopt(3p). This can be done by adding a hook on security_sctp_bind_connect (Cf. net/sctp/socket.c).
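The following is an added conformance check that is not part of this issue or of the Landlock project; it reproduces the two connect paths described above so that a regression test can tell them apart. It enforces a Landlock ruleset that handles LANDLOCK_ACCESS_NET_CONNECT_TCP with no allowed port, then connects an SCTP one-to-one socket to a constructed loopback address (127.0.0.1, port 7777, both chosen for the example) first with connect(2) and then with setsockopt(SCTP_SOCKOPT_CONNECTX). The Landlock syscall numbers, access-right bits and the SCTP_SOCKOPT_CONNECTX value are defined as fallbacks only where the toolchain headers lack them; the ruleset attribute struct is the ABI 4 layout spelled out by hand so the program builds without linux/landlock.h. It assumes a Linux kernel with Landlock ABI 4 or later and SCTP support.

```c
// Added example (not from the issue or the Landlock project): check whether a
// Landlock CONNECT_TCP restriction covers both SCTP connect paths.
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

/* Fallback syscall numbers (identical on all architectures since Linux 5.13). */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
/* Fallback network access rights from linux/landlock.h (ABI 4). */
#ifndef LANDLOCK_ACCESS_NET_CONNECT_TCP
#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
#endif
/* Fallback option value from linux/sctp.h. */
#ifndef SCTP_SOCKOPT_CONNECTX
#define SCTP_SOCKOPT_CONNECTX 110
#endif

/* Hand-written copy of the Landlock ABI 4 ruleset attribute layout. */
struct ruleset_attr_v4 {
    uint64_t handled_access_fs;
    uint64_t handled_access_net;
};

/* Classify the outcome of the two connect paths under a deny-all ruleset.
 * Returns 0 when both were denied with EACCES (consistent), 1 when the
 * setsockopt() path was not denied while connect(2) was (the inconsistency
 * reported in the issue), and -1 when connect(2) itself was not denied,
 * i.e. the ruleset is not in effect (Landlock unsupported or not enforced). */
int classify(int connect_rc, int connect_errno, int connectx_rc, int connectx_errno)
{
    if (!(connect_rc == -1 && connect_errno == EACCES))
        return -1;
    if (connectx_rc == -1 && connectx_errno == EACCES)
        return 0;
    return 1;
}

/* Enforce a ruleset that handles CONNECT_TCP with no allowed port, then try
 * both connect paths on fresh SCTP sockets. Returns the classify() verdict,
 * or -1 on setup failure (an error is printed in that case). */
int run_check(uint16_t port)
{
    struct ruleset_attr_v4 attr = {
        .handled_access_fs = 0,
        .handled_access_net = LANDLOCK_ACCESS_NET_CONNECT_TCP,
    };
    int rs = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (rs < 0) { perror("landlock_create_ruleset"); return -1; }
    /* No rule is added, so every handled connect request must be denied. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { perror("prctl"); return -1; }
    if (syscall(__NR_landlock_restrict_self, rs, 0)) { perror("landlock_restrict_self"); return -1; }
    close(rs);

    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, "127.0.0.1", &addr.sin_addr); /* constructed target */

    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if (fd < 0) { perror("socket(IPPROTO_SCTP)"); return -1; }
    int c_rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr));
    int c_err = errno;
    close(fd);

    fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP);
    if (fd < 0) { perror("socket(IPPROTO_SCTP)"); return -1; }
    int x_rc = setsockopt(fd, IPPROTO_SCTP, SCTP_SOCKOPT_CONNECTX, &addr, sizeof(addr));
    int x_err = errno;
    close(fd);

    printf("connect(2):           rc=%d errno=%s\n", c_rc, strerror(c_err));
    printf("SCTP_SOCKOPT_CONNECTX: rc=%d errno=%s\n", x_rc, strerror(x_err));
    return classify(c_rc, c_err, x_rc, x_err);
}

int main(void)
{
    int verdict = run_check(7777);
    if (verdict == 0)
        puts("consistent: both SCTP connect paths denied by Landlock");
    else if (verdict == 1)
        puts("INCONSISTENT: setsockopt(SCTP_SOCKOPT_CONNECTX) escaped the CONNECT_TCP rule");
    else
        puts("ruleset not effective (Landlock or SCTP unavailable?)");
    return verdict == 0 ? 0 : 1;
}
```

Run it as an unprivileged user on a kernel with Landlock and SCTP enabled; it exits 0 only when both paths return EACCES. The verdict logic is kept in classify() so a test suite can assert on it without needing Landlock in the build environment.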
Well spotted! That restriction on SCTP sockets should be considered a bug because the LANDLOCK_ACCESS_NET_BIND_TCP (and the related documentation) is explicitly about TCP, not SCTP. We need a fix and related tests for that, and they should be backported. Do you want to work on that? It might be easier to first merge this fix (because of the backport) and then merge your work on socket creation (I'll review it too).
Complementary to this fix, it would be nice to be able to control SCTP sockets with a new LANDLOCK_ACCESS_NET_BIND_SCTP that would also handle binding via setsockopt(), but should come with another patch series.
Hello Mickaël!
I'd like to implement a dedicated fix patch. Please assign this issue to me.