From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
<anton.sirazetdinov@huawei.com>
Subject: [PATCH v6 05/17] landlock: refactors helper functions
Date: Tue, 21 Jun 2022 16:23:01 +0800 [thread overview]
Message-ID: <20220621082313.3330667-6-konstantin.meskhidze@huawei.com> (raw)
In-Reply-To: <20220621082313.3330667-1-konstantin.meskhidze@huawei.com>
Adds new rule_type argument to
unmask_layers(), init_layer_masks() and
get_handled_accesses() helper functions.
This modification supports implementing new rule
types in the next landlock versions.
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
---
Changes since v5:
* Splits commit.
* Formats code with clang-format-14.
Changes since v4:
* Refactors init_layer_masks(), get_handled_accesses()
and unmask_layers() functions to support multiple rule types.
* Refactors landlock_get_fs_access_mask() function with
LANDLOCK_MASK_ACCESS_FS mask.
Changes since v3:
* Splits commit.
* Refactors landlock_unmask_layers functions.
---
security/landlock/fs.c | 45 ++++++++++++++++---------
security/landlock/ruleset.c | 67 +++++++++++++++++++++++--------------
security/landlock/ruleset.h | 16 +++++----
3 files changed, 80 insertions(+), 48 deletions(-)
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 42fb02141b9c..10f6c67f5c3b 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -400,7 +400,8 @@ static int check_access_path_dual(
* a superset of the meaningful requested accesses).
*/
access_masked_parent1 = access_masked_parent2 =
- get_handled_accesses(domain);
+ get_handled_accesses(domain, LANDLOCK_RULE_PATH_BENEATH,
+ LANDLOCK_NUM_ACCESS_FS);
is_dom_check = true;
} else {
if (WARN_ON_ONCE(dentry_child1 || dentry_child2))
@@ -414,16 +415,22 @@ static int check_access_path_dual(
if (unlikely(dentry_child1)) {
unmask_layers(find_rule(domain, dentry_child1),
init_layer_masks(domain, LANDLOCK_MASK_ACCESS_FS,
- &_layer_masks_child1),
- &_layer_masks_child1);
+ &_layer_masks_child1,
+ sizeof(_layer_masks_child1),
+ LANDLOCK_RULE_PATH_BENEATH),
+ &_layer_masks_child1,
+ ARRAY_SIZE(_layer_masks_child1));
layer_masks_child1 = &_layer_masks_child1;
child1_is_directory = d_is_dir(dentry_child1);
}
if (unlikely(dentry_child2)) {
unmask_layers(find_rule(domain, dentry_child2),
init_layer_masks(domain, LANDLOCK_MASK_ACCESS_FS,
- &_layer_masks_child2),
- &_layer_masks_child2);
+ &_layer_masks_child2,
+ sizeof(_layer_masks_child2),
+ LANDLOCK_RULE_PATH_BENEATH),
+ &_layer_masks_child2,
+ ARRAY_SIZE(_layer_masks_child2));
layer_masks_child2 = &_layer_masks_child2;
child2_is_directory = d_is_dir(dentry_child2);
}
@@ -475,15 +482,16 @@ static int check_access_path_dual(
}
rule = find_rule(domain, walker_path.dentry);
- allowed_parent1 = unmask_layers(rule, access_masked_parent1,
- layer_masks_parent1);
- allowed_parent2 = unmask_layers(rule, access_masked_parent2,
- layer_masks_parent2);
+ allowed_parent1 = unmask_layers(
+ rule, access_masked_parent1, layer_masks_parent1,
+ ARRAY_SIZE(*layer_masks_parent1));
+ allowed_parent2 = unmask_layers(
+ rule, access_masked_parent2, layer_masks_parent2,
+ ARRAY_SIZE(*layer_masks_parent2));
/* Stops when a rule from each layer grants access. */
if (allowed_parent1 && allowed_parent2)
break;
-
jump_up:
if (walker_path.dentry == walker_path.mnt->mnt_root) {
if (follow_up(&walker_path)) {
@@ -539,7 +547,9 @@ static inline int check_access_path(const struct landlock_ruleset *const domain,
{
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
- access_request = init_layer_masks(domain, access_request, &layer_masks);
+ access_request = init_layer_masks(domain, access_request, &layer_masks,
+ sizeof(layer_masks),
+ LANDLOCK_RULE_PATH_BENEATH);
return check_access_path_dual(domain, path, access_request,
&layer_masks, NULL, 0, NULL, NULL);
}
@@ -623,7 +633,8 @@ static bool collect_domain_accesses(
return true;
access_dom = init_layer_masks(domain, LANDLOCK_MASK_ACCESS_FS,
- layer_masks_dom);
+ layer_masks_dom, sizeof(*layer_masks_dom),
+ LANDLOCK_RULE_PATH_BENEATH);
dget(dir);
while (true) {
@@ -631,7 +642,8 @@ static bool collect_domain_accesses(
/* Gets all layers allowing all domain accesses. */
if (unmask_layers(find_rule(domain, dir), access_dom,
- layer_masks_dom)) {
+ layer_masks_dom,
+ ARRAY_SIZE(*layer_masks_dom))) {
/*
* Stops when all handled accesses are allowed by at
* least one rule in each layer.
@@ -747,7 +759,8 @@ static int current_check_refer_path(struct dentry *const old_dentry,
*/
access_request_parent1 = init_layer_masks(
dom, access_request_parent1 | access_request_parent2,
- &layer_masks_parent1);
+ &layer_masks_parent1, sizeof(layer_masks_parent1),
+ LANDLOCK_RULE_PATH_BENEATH);
return check_access_path_dual(dom, new_dir,
access_request_parent1,
&layer_masks_parent1, NULL, 0,
@@ -755,7 +768,9 @@ static int current_check_refer_path(struct dentry *const old_dentry,
}
/* Backward compatibility: no reparenting support. */
- if (!(get_handled_accesses(dom) & LANDLOCK_ACCESS_FS_REFER))
+ if (!(get_handled_accesses(dom, LANDLOCK_RULE_PATH_BENEATH,
+ LANDLOCK_NUM_ACCESS_FS) &
+ LANDLOCK_ACCESS_FS_REFER))
return -EXDEV;
access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER;
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 32ec79d6559a..cbca85f5cc6d 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -578,23 +578,31 @@ landlock_find_rule(const struct landlock_ruleset *const ruleset,
return NULL;
}
-access_mask_t get_handled_accesses(const struct landlock_ruleset *const domain)
+access_mask_t get_handled_accesses(const struct landlock_ruleset *const domain,
+ u16 rule_type, u16 num_access)
{
access_mask_t access_dom = 0;
unsigned long access_bit;
- for (access_bit = 0; access_bit < LANDLOCK_NUM_ACCESS_FS;
- access_bit++) {
- size_t layer_level;
-
- for (layer_level = 0; layer_level < domain->num_layers;
- layer_level++) {
- if (landlock_get_fs_access_mask(domain, layer_level) &
- BIT_ULL(access_bit)) {
- access_dom |= BIT_ULL(access_bit);
- break;
+ switch (rule_type) {
+ case LANDLOCK_RULE_PATH_BENEATH:
+ for (access_bit = 0; access_bit < LANDLOCK_NUM_ACCESS_FS;
+ access_bit++) {
+ size_t layer_level;
+
+ for (layer_level = 0; layer_level < domain->num_layers;
+ layer_level++) {
+ if (landlock_get_fs_access_mask(domain,
+ layer_level) &
+ BIT_ULL(access_bit)) {
+ access_dom |= BIT_ULL(access_bit);
+ break;
+ }
}
}
+ break;
+ default:
+ break;
}
return access_dom;
}
@@ -608,7 +616,7 @@ access_mask_t get_handled_accesses(const struct landlock_ruleset *const domain)
*/
bool unmask_layers(const struct landlock_rule *const rule,
const access_mask_t access_request,
- layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
+ layer_mask_t (*const layer_masks)[], size_t masks_array_size)
{
size_t layer_level;
@@ -640,8 +648,7 @@ bool unmask_layers(const struct landlock_rule *const rule,
* requested access.
*/
is_empty = true;
- for_each_set_bit(access_bit, &access_req,
- ARRAY_SIZE(*layer_masks)) {
+ for_each_set_bit(access_bit, &access_req, masks_array_size) {
if (layer->access & BIT_ULL(access_bit))
(*layer_masks)[access_bit] &= ~layer_bit;
is_empty = is_empty && !(*layer_masks)[access_bit];
@@ -652,15 +659,16 @@ bool unmask_layers(const struct landlock_rule *const rule,
return false;
}
-access_mask_t
-init_layer_masks(const struct landlock_ruleset *const domain,
- const access_mask_t access_request,
- layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
+access_mask_t init_layer_masks(const struct landlock_ruleset *const domain,
+ const access_mask_t access_request,
+ layer_mask_t (*const layer_masks)[],
+ size_t masks_size, u16 rule_type)
{
access_mask_t handled_accesses = 0;
size_t layer_level;
- memset(layer_masks, 0, sizeof(*layer_masks));
+ memset(layer_masks, 0, masks_size);
+
/* An empty access request can happen because of O_WRONLY | O_RDWR. */
if (!access_request)
return 0;
@@ -670,14 +678,21 @@ init_layer_masks(const struct landlock_ruleset *const domain,
const unsigned long access_req = access_request;
unsigned long access_bit;
- for_each_set_bit(access_bit, &access_req,
- ARRAY_SIZE(*layer_masks)) {
- if (landlock_get_fs_access_mask(domain, layer_level) &
- BIT_ULL(access_bit)) {
- (*layer_masks)[access_bit] |=
- BIT_ULL(layer_level);
- handled_accesses |= BIT_ULL(access_bit);
+ switch (rule_type) {
+ case LANDLOCK_RULE_PATH_BENEATH:
+ for_each_set_bit(access_bit, &access_req,
+ LANDLOCK_NUM_ACCESS_FS) {
+ if (landlock_get_fs_access_mask(domain,
+ layer_level) &
+ BIT_ULL(access_bit)) {
+ (*layer_masks)[access_bit] |=
+ BIT_ULL(layer_level);
+ handled_accesses |= BIT_ULL(access_bit);
+ }
}
+ break;
+ default:
+ return 0;
}
}
return handled_accesses;
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index ea09ab2f27c4..c1cf7cce2cb5 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -193,18 +193,20 @@ static inline u32
landlock_get_fs_access_mask(const struct landlock_ruleset *ruleset,
u16 mask_level)
{
- return ruleset->access_masks[mask_level];
+ return (ruleset->access_masks[mask_level] & LANDLOCK_MASK_ACCESS_FS);
}
-access_mask_t get_handled_accesses(const struct landlock_ruleset *const domain);
+access_mask_t get_handled_accesses(const struct landlock_ruleset *const domain,
+ u16 rule_type, u16 num_access);
bool unmask_layers(const struct landlock_rule *const rule,
const access_mask_t access_request,
- layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS]);
+ layer_mask_t (*const layer_masks)[],
+ size_t masks_array_size);
-access_mask_t
-init_layer_masks(const struct landlock_ruleset *const domain,
- const access_mask_t access_request,
- layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS]);
+access_mask_t init_layer_masks(const struct landlock_ruleset *const domain,
+ const access_mask_t access_request,
+ layer_mask_t (*const layer_masks)[],
+ size_t masks_size, u16 rule_type);
#endif /* _SECURITY_LANDLOCK_RULESET_H */
--
2.25.1
next prev parent reply other threads:[~2022-06-21 8:23 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-21 8:22 [PATCH v6 00/17] Network support for Landlock Konstantin Meskhidze
2022-06-21 8:22 ` [PATCH v6 01/17] landlock: renames access mask Konstantin Meskhidze
2022-07-01 17:08 ` Mickaël Salaün
2022-07-04 9:23 ` Konstantin Meskhidze (A)
2022-07-05 11:29 ` Konstantin Meskhidze (A)
2022-07-05 13:26 ` Mickaël Salaün
2022-07-08 12:56 ` Konstantin Meskhidze (A)
2022-06-21 8:22 ` [PATCH v6 02/17] landlock: refactors landlock_find/insert_rule Konstantin Meskhidze
2022-07-07 16:44 ` Mickaël Salaün
2022-07-08 12:53 ` Konstantin Meskhidze (A)
2022-07-08 13:56 ` Mickaël Salaün
2022-07-08 14:14 ` Konstantin Meskhidze (A)
2022-07-08 14:20 ` Konstantin Meskhidze (A)
2022-07-08 16:57 ` Mickaël Salaün
2022-07-11 8:16 ` Konstantin Meskhidze (A)
2022-07-08 13:10 ` Konstantin Meskhidze (A)
2022-07-08 13:59 ` Mickaël Salaün
2022-07-08 14:14 ` Konstantin Meskhidze (A)
2022-07-08 14:35 ` Mickaël Salaün
2022-07-11 14:05 ` Konstantin Meskhidze (A)
2022-07-28 14:48 ` Mickaël Salaün
2022-07-07 16:46 ` Mickaël Salaün
2022-07-08 12:54 ` Konstantin Meskhidze (A)
2022-06-21 8:22 ` [PATCH v6 03/17] landlock: refactors merge and inherit functions Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 04/17] landlock: moves helper functions Konstantin Meskhidze
2022-06-21 8:23 ` Konstantin Meskhidze [this message]
2022-06-21 8:23 ` [PATCH v6 06/17] landlock: refactors landlock_add_rule syscall Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 07/17] landlock: user space API network support Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 08/17] landlock: adds support network rules Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 09/17] landlock: implements TCP network hooks Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 10/17] seltests/landlock: moves helper function Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 11/17] seltests/landlock: adds tests for bind() hooks Konstantin Meskhidze
2022-07-28 13:24 ` Mickaël Salaün
2022-06-21 8:23 ` [PATCH v6 12/17] seltests/landlock: adds tests for connect() hooks Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 13/17] seltests/landlock: adds AF_UNSPEC family test Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 14/17] seltests/landlock: adds rules overlapping test Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 15/17] seltests/landlock: adds ruleset expanding test Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 16/17] seltests/landlock: adds invalid input data test Konstantin Meskhidze
2022-06-21 8:23 ` [PATCH v6 17/17] samples/landlock: adds network demo Konstantin Meskhidze
2022-07-27 20:26 ` Mickaël Salaün
2022-07-28 9:21 ` Konstantin Meskhidze (A)
2022-07-26 17:43 ` [PATCH v6 00/17] Network support for Landlock Mickaël Salaün
2022-07-27 19:54 ` Mickaël Salaün
2022-07-28 9:19 ` Konstantin Meskhidze (A)
2022-07-28 9:25 ` Konstantin Meskhidze (A)
2022-07-28 10:12 ` Mickaël Salaün
2022-07-28 11:27 ` Konstantin Meskhidze (A)
2022-07-28 13:17 ` Mickaël Salaün
2022-08-23 9:10 ` Konstantin Meskhidze (A)
2022-08-27 13:30 ` Konstantin Meskhidze (A)
2022-08-29 13:10 ` Mickaël Salaün
2022-07-27 20:21 ` Mickaël Salaün
2022-07-28 9:20 ` Konstantin Meskhidze (A)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220621082313.3330667-6-konstantin.meskhidze@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=anton.sirazetdinov@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
--cc=yusongping@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.