From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>,
	<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
	<netfilter-devel@vger.kernel.org>, <yusongping@huawei.com>,
	<anton.sirazetdinov@huawei.com>
Subject: Re: [PATCH v5 07/15] landlock: add support network rules
Date: Tue, 24 May 2022 11:36:33 +0300	[thread overview]
Message-ID: <3d192ad0-176c-2ec3-454f-972ef8437933@huawei.com> (raw)
In-Reply-To: <2cdd23ed-6184-3264-cf1d-98930f59539d@digikod.net>



5/19/2022 5:42 PM, Mickaël Salaün wrote:
> 
> On 19/05/2022 11:27, Konstantin Meskhidze wrote:
>>
>>
>> 5/17/2022 11:27 AM, Mickaël Salaün wrote:
> 
> [...]
> 
> 
>>>>
>>>> @@ -275,21 +281,17 @@ static int get_path_from_fd(const s32 fd, 
>>>> struct path *const path)
>>>>       return err;
>>>>   }
>>>>
>>>> -static int add_rule_path_beneath(const int ruleset_fd, const void 
>>>> *const rule_attr)
>>>> +static int add_rule_path_beneath(struct landlock_ruleset *const 
>>>> ruleset,
>>>> +                 const void *const rule_attr)
>>>>   {
>>>>       struct landlock_path_beneath_attr path_beneath_attr;
>>>>       struct path path;
>>>> -    struct landlock_ruleset *ruleset;
>>>>       int res, err;
>>>> -
>>>> -    /* Gets and checks the ruleset. */
>>>> -    ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE);
>>>> -    if (IS_ERR(ruleset))
>>>> -        return PTR_ERR(ruleset);
>>>> +    u32 mask;
>>>>
>>>>       /* Copies raw user space buffer, only one type for now. */
>>>>       res = copy_from_user(&path_beneath_attr, rule_attr,
>>>> -                sizeof(path_beneath_attr));
>>>> +            sizeof(path_beneath_attr));
>>>>       if (res)
>>>>           return -EFAULT;
>>>>
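Review bot: with get_ruleset_from_fd() removed from add_rule_path_beneath(), the function now relies on the caller handing it a ruleset it already holds a reference to and that was checked with FMODE_CAN_WRITE; nothing in the body verifies that anymore, so the precondition should be stated in a kernel-doc or a short comment above the new signature. The reindentation of the `sizeof(path_beneath_attr));` continuation line is whitespace-only churn unrelated to the change; keep the original alignment or move it to a separate cleanup patch.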
>>>> @@ -298,32 +300,26 @@ static int add_rule_path_beneath(const int 
>>>> ruleset_fd, const void *const rule_at
>>>>        * are ignored in path walks.
>>>>        */
>>>>       if (!path_beneath_attr.allowed_access) {
>>>> -        err = -ENOMSG;
>>>> -        goto out_put_ruleset;
>>>> +        return -ENOMSG;
>>>>       }
>>>>       /*
>>>>        * Checks that allowed_access matches the @ruleset constraints
>>>>        * (ruleset->access_masks[0] is automatically upgraded to 
>>>> 64-bits).
>>>>        */
>>>> -    if ((path_beneath_attr.allowed_access |
>>>> -        landlock_get_fs_access_mask(ruleset, 0)) !=
>>>> -                landlock_get_fs_access_mask(ruleset, 0)) {
>>>> -        err = -EINVAL;
>>>> -        goto out_put_ruleset;
>>>> -    }
>>>> +    mask = landlock_get_fs_access_mask(ruleset, 0);
>>>> +    if ((path_beneath_attr.allowed_access | mask) != mask)
>>>> +        return -EINVAL;
>>>>
>>>>       /* Gets and checks the new rule. */
>>>>       err = get_path_from_fd(path_beneath_attr.parent_fd, &path);
>>>>       if (err)
>>>> -        goto out_put_ruleset;
>>>> +        return err;
>>>>
>>>>       /* Imports the new rule. */
>>>>       err = landlock_append_fs_rule(ruleset, &path,
>>>>                         path_beneath_attr.allowed_access);
>>>>       path_put(&path);
>>>>
>>>> -out_put_ruleset:
>>>> -    landlock_put_ruleset(ruleset);
>>>>       return err;
>>>>   }
>>>>
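Review bot: the `if (!path_beneath_attr.allowed_access) { return -ENOMSG; }` block keeps its braces around what is now a single statement; kernel coding style drops them, as the new brace-less `if ((path_beneath_attr.allowed_access | mask) != mask) return -EINVAL;` two lines below already does. Caching landlock_get_fs_access_mask() in `mask` is a good simplification, but removing the out_put_ruleset label and landlock_put_ruleset() means every early return here now leaves the reference drop to the caller, so the commit message should say explicitly that the ruleset lifetime moved to landlock_add_rule().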
>>>> @@ -360,6 +356,7 @@ SYSCALL_DEFINE4(landlock_add_rule,
>>>>           const int, ruleset_fd, const enum landlock_rule_type, 
>>>> rule_type,
>>>>           const void __user *const, rule_attr, const __u32, flags)
>>>>   {
>>>> +    struct landlock_ruleset *ruleset;
>>>>       int err;
>>>>
>>>>       if (!landlock_initialized)
>>>> @@ -369,14 +366,20 @@ SYSCALL_DEFINE4(landlock_add_rule,
>>>>       if (flags)
>>>>           return -EINVAL;
>>>>
>>>> +    /* Gets and checks the ruleset. */
>>>> +    ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE);
>>>> +    if (IS_ERR(ruleset))
>>>> +        return PTR_ERR(ruleset);
>>>
>>> This shouldn't be part of this patch.
>>>
>>    I agree. I will move it into another patch.
> 
> To be clear, it is kind of a partial revert of patch 5/15.

   Yep. Thank you for noticing that.
> .
