path: root/scripts/gdb/linux/kasan.py
author: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com> 2025-02-05 17:36:49 +0800
committer: Mickaël Salaün <mic@digikod.net> 2025-02-14 09:23:09 +0100
commit: 854277e2cc8c75dc3c216c82e72523258fcf65b9
tree: c864a6d4a48dbfc8f129977c2037756cda07f4d2 /scripts/gdb/linux/kasan.py
parent: 192b7ff29b1fb0335a9b9107991e6286f462f361
landlock: Fix non-TCP sockets restriction

Use sk_is_tcp() to check if socket is TCP in bind(2) and connect(2) hooks.

SMC, MPTCP, SCTP protocols are currently restricted by TCP access rights. The purpose of TCP access rights is to provide control over ports that can be used by userland to establish a TCP connection. Therefore, it is incorrect to deny bind(2) and connect(2) requests for a socket of another protocol.

However, SMC, MPTCP and RDS implementations use TCP internal sockets to establish communication or even to exchange packets over a TCP connection [1]. Landlock rules that configure bind(2) and connect(2) usage for TCP sockets should not cover requests for sockets of such protocols. These protocols have different set of security issues and security properties, therefore, it is necessary to provide the userland with the ability to distinguish between them (eg. [2]).

Control over TCP connection used by other protocols can be achieved with upcoming support of socket creation control [3].

[1] https://lore.kernel.org/all/62336067-18c2-3493-d0ec-6dd6a6d3a1b5@huawei-partners.com/
[2] https://lore.kernel.org/all/20241204.fahVio7eicim@digikod.net/
[3] https://lore.kernel.org/all/20240904104824.1844082-1-ivanov.mikhail1@huawei-partners.com/

Closes: https://github.com/landlock-lsm/linux/issues/40
Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
Link: https://lore.kernel.org/r/20250205093651.1424339-2-ivanov.mikhail1@huawei-partners.com
[mic: Format commit message to 72 columns]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'scripts/gdb/linux/kasan.py')
0 files changed, 0 insertions, 0 deletions
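
A userland probe for the behaviour the commit message describes, added here as an example and not part of the commit or the kernel tree: a child process handles the TCP bind right with no port allowed, then calls bind(2) on an MPTCP socket. It assumes a kernel with Landlock network support and MPTCP enabled; the names `classify`, `probe` and `ruleset_attr` are made up for this example, and the syscall numbers and the access bit are written as literals to avoid depending on recent kernel headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262
#endif

enum verdict { FIXED, AFFECTED, UNKNOWN };
/* Local mirror of struct landlock_ruleset_attr (ABI v4 layout). */
struct ruleset_attr { unsigned long long handled_access_fs, handled_access_net; };

/* Map the result of bind(2) on a sandboxed MPTCP socket to a verdict. */
enum verdict classify(int rc, int err)
{
    return rc == 0 ? FIXED : err == EACCES ? AFFECTED : UNKNOWN;
}

/* Runs in a child because landlock_restrict_self(2) cannot be undone. */
static enum verdict probe_child(void)
{
    struct ruleset_attr attr = { 0, 1ULL << 0 }; /* handle NET_BIND_TCP, allow no port */
    struct sockaddr_in a = { .sin_family = AF_INET,
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int rs = syscall(444 /* landlock_create_ruleset */, &attr, sizeof(attr), 0);
    int fd = socket(AF_INET, SOCK_STREAM, IPPROTO_MPTCP);
    if (rs < 0 || fd < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(446 /* landlock_restrict_self */, rs, 0))
        return UNKNOWN; /* no Landlock network support, or no MPTCP */
    int rc = bind(fd, (struct sockaddr *)&a, sizeof(a)); /* loopback, port 0 */
    return classify(rc, errno);
}

enum verdict probe(void)
{
    int st;
    pid_t pid = fork();
    if (pid == 0)
        _exit(probe_child());
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return UNKNOWN;
    return (enum verdict)WEXITSTATUS(st);
}
int main(void) { printf("verdict=%d (0 fixed, 1 affected, 2 unknown)\n", (int)probe()); return 0; }
```

`AFFECTED` means the TCP bind right denied a non-TCP socket with EACCES; `UNKNOWN` covers kernels without Landlock network rules or MPTCP, and any other bind failure.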