Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction

[RFC PATCH v2 0/8] Fix non-TCP restriction and inconsistency of TCP errors · Mikhail Ivanov <hidden> · 2024-10-17
[RFC PATCH v2 3/8] landlock: Fix inconsistency of errors for TCP actions · Mikhail Ivanov <hidden> · 2024-10-17
Re: [RFC PATCH v2 3/8] landlock: Fix inconsistency of errors for TCP actions · Mikhail Ivanov <hidden> · 2024-10-17
Re: [RFC PATCH v2 3/8] landlock: Fix inconsistency of errors for TCP actions · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2024-10-17
Re: [RFC PATCH v2 3/8] landlock: Fix inconsistency of errors for TCP actions · Mikhail Ivanov <hidden> · 2024-11-06
Re: [RFC PATCH v2 3/8] landlock: Fix inconsistency of errors for TCP actions · Mickaël Salaün <mic@digikod.net> · 2024-12-04
[RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2024-10-17
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Matthieu Baerts <matttbe@kernel.org> · 2024-10-17
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-10-18
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2024-10-31
RE: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · David Laight <hidden> · 2024-11-08
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-12-04
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-12-12
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2024-12-13
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2025-01-24
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2025-01-27
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2025-01-27
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2025-01-28
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Matthieu Baerts <matttbe@kernel.org> · 2025-01-28
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2025-01-29
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Matthieu Baerts <matttbe@kernel.org> · 2025-01-29
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2025-01-29
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Matthieu Baerts <matttbe@kernel.org> · 2025-01-29
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2025-01-29
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Matthieu Baerts <matttbe@kernel.org> · 2025-01-29
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2025-01-29
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Matthieu Baerts <matttbe@kernel.org> · 2025-01-29
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2025-01-30
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Matthieu Baerts <matttbe@kernel.org> · 2025-01-30
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2025-01-31
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-12-04
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-12-04
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2024-12-09
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-12-10
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-12-10
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2024-12-11
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-12-12
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2024-12-13
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mickaël Salaün <mic@digikod.net> · 2024-12-04
Re: [RFC PATCH v2 1/8] landlock: Fix non-TCP sockets restriction · Mikhail Ivanov <hidden> · 2024-12-09
[RFC PATCH v2 7/8] landlock: Add note about errors consistency in documentation · Mikhail Ivanov <hidden> · 2024-10-17
Re: [RFC PATCH v2 7/8] landlock: Add note about errors consistency in documentation · Mickaël Salaün <mic@digikod.net> · 2024-12-10
Re: [RFC PATCH v2 7/8] landlock: Add note about errors consistency in documentation · Mikhail Ivanov <hidden> · 2024-12-11
[RFC PATCH v2 4/8] selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP · Mikhail Ivanov <hidden> · 2024-10-17
[RFC PATCH v2 8/8] selftests/landlock: Test that SCTP actions are not restricted · Mikhail Ivanov <hidden> · 2024-10-17
[RFC PATCH v2 5/8] selftests/landlock: Test that MPTCP actions are not restricted · Mikhail Ivanov <hidden> · 2024-10-17
[RFC PATCH v2 6/8] selftests/landlock: Test consistency of errors for TCP actions · Mikhail Ivanov <hidden> · 2024-10-17
Re: [RFC PATCH v2 6/8] selftests/landlock: Test consistency of errors for TCP actions · Mickaël Salaün <mic@digikod.net> · 2024-12-10
Re: [RFC PATCH v2 6/8] selftests/landlock: Test consistency of errors for TCP actions · Mikhail Ivanov <hidden> · 2024-12-11
[RFC PATCH v2 2/8] landlock: Make network stack layer checks explicit for each TCP action · Mikhail Ivanov <hidden> · 2024-10-17

From: Mikhail Ivanov <hidden>
Date: 2025-01-31 11:04:57
Also in: linux-nfs, mptcp, netdev, netfilter-devel

On 1/29/2025 5:51 PM, Mickaël Salaün wrote:>>>>>>> On 28/01/2025 11:56, 
Mikhail Ivanov wrote:

[...]

quoted

* IPv6 -> IPv4 transformation for TCP and UDP sockets withon
      IPV6_ADDRFORM. Can be controlled with setsockopt() security hook.

According to the man page: "It is allowed only for IPv6 sockets that are
connected and bound to a v4-mapped-on-v6 address."

This compatibility feature makes sense from user space point of view and
should not result in an error because of Landlock.

IPV6_ADDRFORM is useful to pass IPv6 sockets binded and connected to
v4-mapped-on-v6 addresses to pure IPv4 applications [1].

I just realized we first need to consider restriction of IPv4 access
for IPv4/v6 dual stack. It's possible to communicate with IPv4 peer
using IPv6 socket (on client or server side) that is mapped on
v4-mapped-on-v6 address (RFC 3493 [2]). If socket access rights provide
separate control over IPv6 and IPv4, v4-mapped-on-v6 looks like possible
bypass of IPv4 restriction and violation of the least astonishment
principle.

This can be controlled with IPV6_V6ONLY socket option or with
net.ipv6.bindv6only sysctl knob. Restriction with sysctl knob is applied
globally and may break some dual-stack dependent applications.

I'm currently trying to collect real-world examples in which user may
want to allow IPv6-only communication in a sandboxed environment.
Theoretically, this can be seen as unprivileged reduction of attack
surface for IPv6-only programs in dual-stack network (disallow to open
IPv4 connections and communicate with loopback via IPv4 stack).

Earlier, it was also discussed about possible security issues on the
userland side related to different address representation and address
filtering [3]. But, I don't really think these are the good examples for
the motivation.

If the v4-mapped-on-v6 addressing control is deemed reasonable, it
should be better implemented with a new access right for
LANDLOCK_RULE_NET_PORT rather than a part of socket creation control.

[1] https://man7.org/linux/man-pages/man7/ipv6.7.html
[2] https://datatracker.ietf.org/doc/html/rfc3493#section-3.7
[3] https://lwn.net/Articles/688462/

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help