From: "Mickaël Salaün" <mic@digikod.net>
To: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: willemdebruijn.kernel@gmail.com, gnoack3000@gmail.com,
	linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org, artem.kuzin@huawei.com
Subject: Re: [PATCH v8 01/12] landlock: Make ruleset's access masks more generic
Date: Thu, 17 Nov 2022 19:41:00 +0100	[thread overview]
Message-ID: <94ed4212-c093-9c5c-089f-e9e4097e5bd6@digikod.net> (raw)
In-Reply-To: <20221021152644.155136-2-konstantin.meskhidze@huawei.com>


On 21/10/2022 17:26, Konstantin Meskhidze wrote:
> To support network type rules, this modification renames ruleset's
> access masks and modifies its type to access_masks_t. This patch
> adds filesystem helper functions to add and get filesystem mask.
> 
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> ---
> 
> Changes since v7:
> * Refactors commit message.
> 
> Changes since v6:
> * Adds a new access_masks_t for struct ruleset.
> * Renames landlock_set_fs_access_mask() to landlock_add_fs_access_mask()
>    because it OR values.
> * Makes landlock_add_fs_access_mask() more resilient incorrect values.
> * Refactors landlock_get_fs_access_mask().
> 
> Changes since v6:
> * Adds a new access_masks_t for struct ruleset.
> * Renames landlock_set_fs_access_mask() to landlock_add_fs_access_mask()
>    because it OR values.
> * Makes landlock_add_fs_access_mask() more resilient incorrect values.
> * Refactors landlock_get_fs_access_mask().
> 
> Changes since v5:
> * Changes access_mask_t to u32.
> * Formats code with clang-format-14.
> 
> Changes since v4:
> * Deletes struct landlock_access_mask.
> 
> Changes since v3:
> * Splits commit.
> * Adds get_mask, set_mask helpers for filesystem.
> * Adds new struct landlock_access_mask.
> 
> ---
>   security/landlock/fs.c       | 10 +++++-----
>   security/landlock/limits.h   |  1 +
>   security/landlock/ruleset.c  | 17 +++++++++--------
>   security/landlock/ruleset.h  | 35 +++++++++++++++++++++++++++++++----
>   security/landlock/syscalls.c |  7 ++++---
>   5 files changed, 50 insertions(+), 20 deletions(-)
> 
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index adcea0fe7e68..0d57c6479d29 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -178,9 +178,9 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
>   		return -EINVAL;
> 
>   	/* Transforms relative access rights to absolute ones. */
> -	access_rights |=
> -		LANDLOCK_MASK_ACCESS_FS &
> -		~(ruleset->fs_access_masks[0] | ACCESS_INITIALLY_DENIED);
> +	access_rights |= LANDLOCK_MASK_ACCESS_FS &
> +			 ~(landlock_get_fs_access_mask(ruleset, 0) |
> +			   ACCESS_INITIALLY_DENIED);
>   	object = get_inode_object(d_backing_inode(path->dentry));
>   	if (IS_ERR(object))
>   		return PTR_ERR(object);
> @@ -294,7 +294,7 @@ get_handled_accesses(const struct landlock_ruleset *const domain)
>   	size_t layer_level;
> 
>   	for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
> -		access_dom |= domain->fs_access_masks[layer_level];
> +		access_dom |= landlock_get_fs_access_mask(domain, layer_level);
>   	return access_dom & LANDLOCK_MASK_ACCESS_FS;

You can remove `& LANDLOCK_MASK_ACCESS_FS` here because it is now part 
of landlock_get_fs_access_mask().


>   }
> 
> @@ -336,7 +336,7 @@ init_layer_masks(const struct landlock_ruleset *const domain,
>   			 * access rights.
>   			 */
>   			if (BIT_ULL(access_bit) &
> -			    (domain->fs_access_masks[layer_level] |
> +			    (landlock_get_fs_access_mask(domain, layer_level) |
>   			     ACCESS_INITIALLY_DENIED)) {
>   				(*layer_masks)[access_bit] |=
>   					BIT_ULL(layer_level);
> diff --git a/security/landlock/limits.h b/security/landlock/limits.h
> index 82288f0e9e5e..bafb3b8dc677 100644
> --- a/security/landlock/limits.h
> +++ b/security/landlock/limits.h
> @@ -21,6 +21,7 @@
>   #define LANDLOCK_LAST_ACCESS_FS		LANDLOCK_ACCESS_FS_TRUNCATE
>   #define LANDLOCK_MASK_ACCESS_FS		((LANDLOCK_LAST_ACCESS_FS << 1) - 1)
>   #define LANDLOCK_NUM_ACCESS_FS		__const_hweight64(LANDLOCK_MASK_ACCESS_FS)
> +#define LANDLOCK_SHIFT_ACCESS_FS	0
> 
>   /* clang-format on */
> 
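Review bot: `LANDLOCK_SHIFT_ACCESS_FS` is introduced without a comment saying what it is a shift into, and because its value is 0 a reader cannot tell from the define alone that it positions the filesystem mask inside the packed `access_masks_t` word declared in ruleset.h. A one-line comment above the define, `/* Bit offset of the filesystem access mask inside access_masks_t. */`, would make the later `<< LANDLOCK_SHIFT_ACCESS_FS` and `>> LANDLOCK_SHIFT_ACCESS_FS` uses self-explanatory. The limits.h block this lands in is otherwise unchanged by the hunk.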
> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
> index 996484f98bfd..1f3188b4e313 100644
> --- a/security/landlock/ruleset.c
> +++ b/security/landlock/ruleset.c
> @@ -29,7 +29,7 @@ static struct landlock_ruleset *create_ruleset(const u32 num_layers)
>   	struct landlock_ruleset *new_ruleset;
> 
>   	new_ruleset =
> -		kzalloc(struct_size(new_ruleset, fs_access_masks, num_layers),
> +		kzalloc(struct_size(new_ruleset, access_masks, num_layers),
>   			GFP_KERNEL_ACCOUNT);
>   	if (!new_ruleset)
>   		return ERR_PTR(-ENOMEM);
> @@ -40,7 +40,7 @@ static struct landlock_ruleset *create_ruleset(const u32 num_layers)
>   	/*
>   	 * hierarchy = NULL
>   	 * num_rules = 0
> -	 * fs_access_masks[] = 0
> +	 * access_masks[] = 0
>   	 */
>   	return new_ruleset;
>   }
> @@ -55,7 +55,7 @@ landlock_create_ruleset(const access_mask_t fs_access_mask)
>   		return ERR_PTR(-ENOMSG);
>   	new_ruleset = create_ruleset(1);
>   	if (!IS_ERR(new_ruleset))
> -		new_ruleset->fs_access_masks[0] = fs_access_mask;
> +		landlock_add_fs_access_mask(new_ruleset, fs_access_mask, 0);
>   	return new_ruleset;
>   }
> 
> @@ -117,11 +117,12 @@ static void build_check_ruleset(void)
>   		.num_rules = ~0,
>   		.num_layers = ~0,
>   	};
> -	typeof(ruleset.fs_access_masks[0]) fs_access_mask = ~0;
> +	typeof(ruleset.access_masks[0]) access_masks = ~0;
> 
>   	BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES);
>   	BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS);
> -	BUILD_BUG_ON(fs_access_mask < LANDLOCK_MASK_ACCESS_FS);
> +	BUILD_BUG_ON(access_masks <
> +		     (LANDLOCK_MASK_ACCESS_FS << LANDLOCK_SHIFT_ACCESS_FS));
>   }
> 
>   /**
> @@ -281,7 +282,7 @@ static int merge_ruleset(struct landlock_ruleset *const dst,
>   		err = -EINVAL;
>   		goto out_unlock;
>   	}
> -	dst->fs_access_masks[dst->num_layers - 1] = src->fs_access_masks[0];
> +	dst->access_masks[dst->num_layers - 1] = src->access_masks[0];
> 
>   	/* Merges the @src tree. */
>   	rbtree_postorder_for_each_entry_safe(walker_rule, next_rule, &src->root,
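Review bot: `dst->access_masks[dst->num_layers - 1] = src->access_masks[0];` reads and writes the array directly while every other site in this patch goes through the new landlock_get/add_fs_access_mask() helpers. That looks correct here, since the whole packed word is copied rather than one mask type, but a reader who has just learned the accessor convention will wonder whether the helper was forgotten. A comment on the line, `/* Copies the whole packed access_masks_t word, so no per-type accessor is used. */`, would settle it. merge_ruleset() starts and ends outside this hunk.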
> @@ -340,8 +341,8 @@ static int inherit_ruleset(struct landlock_ruleset *const parent,
>   		goto out_unlock;
>   	}
>   	/* Copies the parent layer stack and leaves a space for the new layer. */
> -	memcpy(child->fs_access_masks, parent->fs_access_masks,
> -	       flex_array_size(parent, fs_access_masks, parent->num_layers));
> +	memcpy(child->access_masks, parent->access_masks,
> +	       flex_array_size(parent, access_masks, parent->num_layers));
> 
>   	if (WARN_ON_ONCE(!parent->hierarchy)) {
>   		err = -EINVAL;
> diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
> index d43231b783e4..f2ad932d396c 100644
> --- a/security/landlock/ruleset.h
> +++ b/security/landlock/ruleset.h
> @@ -25,6 +25,11 @@ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
>   /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */
>   static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
> 
> +/* Ruleset access masks. */
> +typedef u16 access_masks_t;
> +/* Makes sure all ruleset access rights can be stored. */
> +static_assert(BITS_PER_TYPE(access_masks_t) >= LANDLOCK_NUM_ACCESS_FS);
> +
>   typedef u16 layer_mask_t;
>   /* Makes sure all layers can be checked. */
>   static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
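Review bot: The new `static_assert(BITS_PER_TYPE(access_masks_t) >= LANDLOCK_NUM_ACCESS_FS)` checks only the width of the filesystem mask, whereas build_check_ruleset() in ruleset.c (same series, hunk at @@ -117) now compares against `LANDLOCK_MASK_ACCESS_FS << LANDLOCK_SHIFT_ACCESS_FS`, so the two checks disagree about whether the shift counts. With the shift at 0 both hold, but the commit message presents this as preparation for packing further rule types into the same u16, and the assert as written would not catch a later mask type that pushes the filesystem bits past bit 15. Writing it as `static_assert(BITS_PER_TYPE(access_masks_t) >= LANDLOCK_NUM_ACCESS_FS + LANDLOCK_SHIFT_ACCESS_FS);` keeps it aligned with the runtime build check and makes the overflow impossible to miss at compile time.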
> @@ -110,7 +115,7 @@ struct landlock_ruleset {
>   		 * section.  This is only used by
>   		 * landlock_put_ruleset_deferred() when @usage reaches zero.
>   		 * The fields @lock, @usage, @num_rules, @num_layers and
> -		 * @fs_access_masks are then unused.
> +		 * @access_masks are then unused.
>   		 */
>   		struct work_struct work_free;
>   		struct {
> @@ -137,7 +142,7 @@ struct landlock_ruleset {
>   			 */
>   			u32 num_layers;
>   			/**
> -			 * @fs_access_masks: Contains the subset of filesystem
> +			 * @access_masks: Contains the subset of filesystem
>   			 * actions that are restricted by a ruleset.  A domain
>   			 * saves all layers of merged rulesets in a stack
>   			 * (FAM), starting from the first layer to the last
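Review bot: The kernel-doc for the renamed field still says "@access_masks: Contains the subset of filesystem actions that are restricted by a ruleset", which no longer matches a field that is now a generic packed word accessed through a shift. The paragraph should describe the packing, along the lines of: one `access_masks_t` per layer, with the filesystem subset stored at bit offset LANDLOCK_SHIFT_ACCESS_FS and read and written only through landlock_get_fs_access_mask() and landlock_add_fs_access_mask(). The struct landlock_ruleset definition begins and ends outside this hunk, so the remaining sentences of the comment (layer stack, set-once semantics) were not visible here and may need the same adjustment.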
> @@ -148,13 +153,13 @@ struct landlock_ruleset {
>   			 * layers are set once and never changed for the
>   			 * lifetime of the ruleset.
>   			 */
> -			access_mask_t fs_access_masks[];
> +			access_masks_t access_masks[];
>   		};
>   	};
>   };
> 
>   struct landlock_ruleset *
> -landlock_create_ruleset(const access_mask_t fs_access_mask);
> +landlock_create_ruleset(const access_mask_t access_mask);
> 
>   void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
>   void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
> @@ -177,4 +182,26 @@ static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
>   		refcount_inc(&ruleset->usage);
>   }
> 
> +static inline void
> +landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
> +			    const access_mask_t fs_access_mask,
> +			    const u16 layer_level)
> +{
> +	access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS;
> +
> +	/* Should already be checked in sys_landlock_create_ruleset(). */
> +	WARN_ON_ONCE(fs_access_mask != fs_mask);
> +	// TODO: Add tests to check "|=" and not "="

This todo should be done and removed. No more todos must remain.


> +	ruleset->access_masks[layer_level] |=
> +		(fs_mask << LANDLOCK_SHIFT_ACCESS_FS);
> +}
> +
> +static inline access_mask_t
> +landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
> +			    const u16 layer_level)
> +{
> +	return (ruleset->access_masks[layer_level] >>
> +		LANDLOCK_SHIFT_ACCESS_FS) &
> +	       LANDLOCK_MASK_ACCESS_FS;
> +}
>   #endif /* _SECURITY_LANDLOCK_RULESET_H */
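Review bot: Both new static inline helpers take `layer_level` and index `ruleset->access_masks[]` with it, but neither documents the precondition that `layer_level < ruleset->num_layers`; the visible callers satisfy it (constant 0, or a loop bounded by num_layers), so the helpers rely on the caller silently. Since these are the only sanctioned way to touch the packed masks, each deserves a kernel-doc comment stating that precondition, the shift/mask packing they implement, and for landlock_add_fs_access_mask() the fact that bits outside LANDLOCK_MASK_ACCESS_FS are dropped (with the WARN_ON_ONCE) rather than stored, so callers know unknown bits never reach the ruleset. A short note that the function ORs into the existing layer value rather than replacing it would also document the v7 rename from set to add.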
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 245cc650a4dc..71aca7f990bc 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -346,10 +346,11 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
>   	}
>   	/*
>   	 * Checks that allowed_access matches the @ruleset constraints
> -	 * (ruleset->fs_access_masks[0] is automatically upgraded to 64-bits).
> +	 * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
>   	 */
> -	if ((path_beneath_attr.allowed_access | ruleset->fs_access_masks[0]) !=
> -	    ruleset->fs_access_masks[0]) {
> +	if ((path_beneath_attr.allowed_access |
> +	     landlock_get_fs_access_mask(ruleset, 0)) !=
> +	    landlock_get_fs_access_mask(ruleset, 0)) {
>   		err = -EINVAL;
>   		goto out_put_ruleset;
>   	}
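Review bot: `landlock_get_fs_access_mask(ruleset, 0)` is evaluated twice inside the same condition, and the comment above it still says "ruleset->access_masks[0] is automatically upgraded to 64-bits", but what is now promoted is the helper's `access_mask_t` return value, not the u16 array element, so the comment names the wrong object. Hoisting the result into a local both removes the duplication and gives the comment something accurate to refer to: `const access_mask_t fs_mask = landlock_get_fs_access_mask(ruleset, 0);` followed by `if ((path_beneath_attr.allowed_access | fs_mask) != fs_mask) {`, with the comment reworded to say that fs_mask is automatically upgraded to 64 bits for the comparison. The surrounding syscall body continues outside this hunk.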
> --
> 2.25.1
> 

I'll send a patch to be applied after this one.
