search

landlock-lsm / linux

Linux kernel - See Landlock issues
https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git/
Other
36 stars 9 forks source link

Restrict TCP Fast Open connection #41

Open sm1ling-knight opened 2 weeks ago

sm1ling-knight commented 2 weeks ago

TCP Fast Open (TFO) is TCP protocol optimization method that allows the server to start sending data immediately after receiving the initial SYN packet from the client (1st step of the 3-way handshake).

There are two ways to initiate TFO connection in Linux (both related to TCP sockets):

  1. Set TCP_FASTOPEN_CONNECT socket option and call connect(2).
  2. Call sendmsg(2) with MSG_FASTOPEN flag. This performs an implicit connection by calling __inet_stream_connect() in tcp_sendmsg_fastopen().

This implicit connection cannot be controlled with connect(2) LSM hook, and it is not controlled by any LSM in the sendmsg(2) hook. Moreover, I haven't found if this case has been discussed before (for any LSM). Please, share if you know any.

Since Landlock has TCP-specific access control, I suppose the TFO case is not fully covered as it should be. If so, I suggest the following ways to provide related restriction:

  1. Consider the connection with MSG_FASTOPEN as a bug, provide dedicated patch-fix.
  2. Consider restriction of TFO as an improvement, fix documentation by pointing that TFO is not completely restricted and implement restriction with an another patchset.

First way may look better in terms of API simplicity.

Since TFO connection should be fast, implementation may (and probably will) require a performance evaluation (possibly with #24).

l0kod commented 2 weeks ago
  1. Call sendmsg(2) with MSG_FASTOPEN flag. This performs an implicit connection by calling __inet_stream_connect() in tcp_sendmsg_fastopen().

Good catch!

This implicit connection cannot be controlled with connect(2) LSM hook, and it is not controlled by any LSM in the sendmsg(2) hook. Moreover, I haven't found if this case has been discussed before (for any LSM). Please, share if you know any.

Since Landlock has TCP-specific access control, I suppose the TFO case is not fully covered as it should be. If so, I suggest the following ways to provide related restriction:

  1. Consider the connection with MSG_FASTOPEN as a bug, provide dedicated patch-fix.

The LANDLOCK_ACCESS_NET_CONNECT_TCP should cover the case with sendmsg(2) and MSG_FASTOPEN, otherwise it is indeed a bug.

Calling security_socket_connect() in tcp_sendmsg_fastopen() should fix it.

  1. Consider restriction of TFO as an improvement, fix documentation by pointing that TFO is not completely restricted and implement restriction with an another patchset.

I'm not sure of what could be controlled. connect makes sense to developers, probably not fastopen.