Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict TCP Fast Open connection #41

Open
sm1ling-knight opened this issue Oct 7, 2024 · 1 comment
Open

Restrict TCP Fast Open connection #41

sm1ling-knight opened this issue Oct 7, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@sm1ling-knight
Copy link

TCP Fast Open (TFO) is TCP protocol optimization method that allows the server to start sending data immediately after receiving the initial SYN packet from the client (1st step of the 3-way handshake).

There are two ways to initiate TFO connection in Linux (both related to TCP sockets):

  1. Set TCP_FASTOPEN_CONNECT socket option and call connect(2).
  2. Call sendmsg(2) with MSG_FASTOPEN flag. This performs an implicit connection by calling __inet_stream_connect() in tcp_sendmsg_fastopen().

This implicit connection cannot be controlled with connect(2) LSM hook, and it is not controlled by any LSM in the sendmsg(2) hook. Moreover, I haven't found if this case has been discussed before (for any LSM). Please, share if you know any.

Since Landlock has TCP-specific access control, I suppose the TFO case is not fully covered as it should be. If so, I suggest the following ways to provide related restriction:

  1. Consider the connection with MSG_FASTOPEN as a bug, provide dedicated patch-fix.
  2. Consider restriction of TFO as an improvement, fix documentation by pointing that TFO is not completely restricted and implement restriction with an another patchset.

First way may look better in terms of API simplicity.

Since TFO connection should be fast, implementation may (and probably will) require a performance evaluation (possibly with #24).
@l0kod
Copy link
Member

l0kod commented Oct 8, 2024

  1. Call sendmsg(2) with MSG_FASTOPEN flag. This performs an implicit connection by calling __inet_stream_connect() in tcp_sendmsg_fastopen().

Good catch!

This implicit connection cannot be controlled with connect(2) LSM hook, and it is not controlled by any LSM in the sendmsg(2) hook. Moreover, I haven't found if this case has been discussed before (for any LSM). Please, share if you know any.

Since Landlock has TCP-specific access control, I suppose the TFO case is not fully covered as it should be. If so, I suggest the following ways to provide related restriction:

  1. Consider the connection with MSG_FASTOPEN as a bug, provide dedicated patch-fix.

The LANDLOCK_ACCESS_NET_CONNECT_TCP should cover the case with sendmsg(2) and MSG_FASTOPEN, otherwise it is indeed a bug.

Calling security_socket_connect() in tcp_sendmsg_fastopen() should fix it.

  1. Consider restriction of TFO as an improvement, fix documentation by pointing that TFO is not completely restricted and implement restriction with an another patchset.

I'm not sure of what could be controlled. connect makes sense to developers, probably not fastopen.

@l0kod l0kod added the bug Something isn't working label Oct 8, 2024
@l0kod l0kod added this to Landlock Oct 8, 2024
@l0kod l0kod moved this to Ready in Landlock Oct 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
Landlock
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
2 participants
@l0kod @sm1ling-knight