www.infradead.org Git - users/hch/configfs.git/commit
samples/landlock: Fix port parsing in sandboxer
author Matthieu Buffet <matthieu@buffet.re>
Sat, 19 Oct 2024 15:15:32 +0000 (17:15 +0200)
committer Mickaël Salaün <mic@digikod.net>
Tue, 22 Oct 2024 18:43:41 +0000 (20:43 +0200)
commit 387285530d1d4bdba8c5dff5aeabd8d71638173f
tree cf22f61bcda366a1af21b82e9e721bdad684b204
parent dad2f20715163e80aab284fb092efc8c18bf97c7
samples/landlock: Fix port parsing in sandboxer

If you want to specify that no port can be bind()ed, you would think
(looking quickly at both help message and code) that setting
LL_TCP_BIND="" would do it.

However, the code splits on ":" then applies atoi(), which does not allow
checking for errors. Passing an empty string returns 0, which is
interpreted as "allow bind(0)", which means bind to any ephemeral port.
This bug occurs whenever passing an empty string or when leaving a
trailing/leading colon, making it impossible to completely deny bind().

To reproduce:
export LL_FS_RO="/" LL_FS_RW="" LL_TCP_BIND=""
./sandboxer strace -e bind nc -n -vvv -l -p 0
Executing the sandboxed command...
bind(3, {sa_family=AF_INET, sin_port=htons(0),
     sin_addr=inet_addr("0.0.0.0")}, 16) = 0
Listening on 0.0.0.0 37629

Use strtoull(3) instead, which allows error checking. Check that the
entire string has been parsed correctly without overflows/underflows,
but not that the __u64 (the type of struct landlock_net_port_attr.port)
is a valid __u16 port: that is already done by the kernel.

Fixes: 5e990dcef12e ("samples/landlock: Support TCP restrictions")
Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://lore.kernel.org/r/20241019151534.1400605-2-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>
samples/landlock/sandboxer.c
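The parsing defect and fix described in the commit message, as an added example that is not the sandboxer's own code: a strtoull(3)-based port parser with full-string and overflow checks, driven over LL_TCP_BIND-style colon-separated lists so that the empty tokens produced by "", a leading colon or a trailing colon are rejected instead of turning into port 0. The function names, the strchr() split and the port_at() helper are my own assumptions, not code from the kernel tree.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Strict port parser built on strtoull(3), as the fix prescribes. An empty
 * token, a sign, leading whitespace, trailing garbage or an overflow (ERANGE)
 * is an error; atoi() would return 0 for all of these, and port 0 means "any
 * ephemeral port". Fitting a __u16 is left to the kernel. Returns 0 or -1. */
static int parse_port_strict(const char *tok, unsigned long long *port)
{
	char *end;
	if (tok == NULL || !isdigit((unsigned char)tok[0]))
		return -1;
	errno = 0;
	*port = strtoull(tok, &end, 10);
	return (errno == ERANGE || *end != '\0') ? -1 : 0;
}

/* Splits a colon-separated list such as LL_TCP_BIND="80:443" into ports[]
 * by walking it with strchr() (assumed here), so the empty tokens produced by
 * "", ":80" or "80:" are seen and rejected rather than skipped. Returns the
 * number of ports parsed, or -1 if any token is invalid or the list is too long. */
static int parse_port_list(const char *list, unsigned long long *ports, int max)
{
	const char *p = list;
	int n = 0;
	for (;;) {
		const char *colon = strchr(p, ':');
		size_t len = colon ? (size_t)(colon - p) : strlen(p);
		char tok[32]; /* a decimal __u64 has at most 20 digits */
		if (len >= sizeof(tok) || n >= max)
			return -1;
		memcpy(tok, p, len);
		tok[len] = '\0';
		if (parse_port_strict(tok, &ports[n++]) < 0)
			return -1;
		if (colon == NULL)
			return n;
		p = colon + 1;
	}
}

/* Helper (constructed for this example): idx-th port of list, -1 if invalid. */
static long long port_at(const char *list, int idx)
{
	unsigned long long ports[16];
	int n = parse_port_list(list, ports, 16);
	return (n < 0 || idx >= n) ? -1 : (long long)ports[idx];
}
```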