From: "Mickaël Salaün" <mic@digikod.net>
To: Jann Horn <jannh@google.com>
Cc: "James Morris" <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Andy Lutomirski" <luto@amacapital.net>,
"Anton Ivanov" <anton.ivanov@cambridgegreys.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Jeff Dike" <jdike@addtoit.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Kees Cook" <keescook@chromium.org>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Richard Weinberger" <richard@nod.at>,
"Shuah Khan" <shuah@kernel.org>,
"Vincent Dagonneau" <vincent.dagonneau@ssi.gouv.fr>,
"Kernel Hardening" <kernel-hardening@lists.openwall.com>,
"Linux API" <linux-api@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
"kernel list" <linux-kernel@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
"the arch/x86 maintainers" <x86@kernel.org>,
"Mickaël Salaün" <mic@linux.microsoft.com>
Subject: Re: [PATCH v22 02/12] landlock: Add ruleset and domain management
Date: Thu, 29 Oct 2020 10:35:24 +0100 [thread overview]
Message-ID: <c52342ee-cf5c-e4d6-145e-0080fc07bc91@digikod.net> (raw)
In-Reply-To: <CAG48ez1j9KELLconr2RTmzt6j7QkY-wKC+8fn-rsG+wfxFJ=jg@mail.gmail.com>
On 29/10/2020 02:05, Jann Horn wrote:
> On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün <mic@digikod.net> wrote:
>> A Landlock ruleset is mainly a red-black tree with Landlock rules as
>> nodes. This enables quick update and lookup to match a requested access
>> e.g., to a file. A ruleset is usable through a dedicated file
>> descriptor (cf. following commit implementing syscalls) which enables a
>> process to create and populate a ruleset with new rules.
>>
>> A domain is a ruleset tied to a set of processes. This group of rules
>> defines the security policy enforced on these processes and their future
>> children. A domain can transition to a new domain which is the
>> intersection of all its constraints and those of a ruleset provided by
>> the current process. This modification only impact the current process.
>> This means that a process can only gain more constraints (i.e. lose
>> accesses) over time.
>>
>> Cc: James Morris <jmorris@namei.org>
>> Cc: Jann Horn <jannh@google.com>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Serge E. Hallyn <serge@hallyn.com>
>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>
> Reviewed-by: Jann Horn <jannh@google.com>
Thanks.
>
> with some nits:
>
> [...]
>> +static struct landlock_ruleset *create_ruleset(void)
>> +{
>> + struct landlock_ruleset *new_ruleset;
>> +
>> + new_ruleset = kzalloc(sizeof(*new_ruleset), GFP_KERNEL_ACCOUNT);
>> + if (!new_ruleset)
>> + return ERR_PTR(-ENOMEM);
>> + refcount_set(&new_ruleset->usage, 1);
>> + mutex_init(&new_ruleset->lock);
>> + /*
>> + * root = RB_ROOT
>
> This should probably be done explicitly, even though it's currently a
> no-op, in case the implementation of RB_ROOT changes in the future.
OK, I'll do it for RB_ROOT.
>
>> + * hierarchy = NULL
>> + * nb_rules = 0
>> + * nb_layers = 0
>> + * fs_access_mask = 0
>> + */
>> + return new_ruleset;
>> +}
> [...]
>> +/**
>> + * landlock_insert_rule - Insert a rule in a ruleset
>> + *
>> + * @ruleset: The ruleset to be updated.
>> + * @rule: Read-only payload to be inserted (not own by this function).
>
> s/own/owned/
OK
>
>> + * @is_merge: If true, intersects access rights and updates the rule's layers
>> + * (e.g. merge two rulesets), else do a union of access rights and
>> + * keep the rule's layers (e.g. extend a ruleset)
>> + *
>> + * Assumptions:
>> + *
>> + * - An inserted rule cannot be removed.
>> + * - The underlying kernel object must be held by the caller.
>> + */
>> +int landlock_insert_rule(struct landlock_ruleset *const ruleset,
>> + struct landlock_rule *const rule, const bool is_merge)
> [...]
>> +static int merge_ruleset(struct landlock_ruleset *const dst,
>> + struct landlock_ruleset *const src)
>> +{
>> + struct landlock_rule *walker_rule, *next_rule;
>> + int err = 0;
>> +
>> + might_sleep();
>> + if (!src)
>> + return 0;
>> + /* Only merge into a domain. */
>> + if (WARN_ON_ONCE(!dst || !dst->hierarchy))
>> + return -EFAULT;
>> +
>> + mutex_lock(&dst->lock);
>> + mutex_lock_nested(&src->lock, 1);
>
> Maybe add a comment like this above these two lines? "Ruleset locks
> are ordered by time of ruleset creation; dst is newer than src."
OK
>
> Also, maybe s/1/SINGLE_DEPTH_NESTING/.
OK
>
>
>> + /*
>> + * Makes a new layer, but only increments the number of layers after
>> + * the rules are inserted.
>> + */
>> + if (dst->nb_layers == sizeof(walker_rule->layers) * BITS_PER_BYTE) {
>> + err = -E2BIG;
>> + goto out_unlock;
>> + }
>> + dst->fs_access_mask |= src->fs_access_mask;
>> +
>> + /* Merges the @src tree. */
>> + rbtree_postorder_for_each_entry_safe(walker_rule, next_rule,
>> + &src->root, node) {
>> + err = landlock_insert_rule(dst, walker_rule, true);
>> + if (err)
>> + goto out_unlock;
>> + }
>> + dst->nb_layers++;
>> +
>> +out_unlock:
>> + mutex_unlock(&src->lock);
>> + mutex_unlock(&dst->lock);
>> + return err;
>> +}
> [...]
>> diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
> [...]
>> +struct landlock_rule {
>> + /**
>> + * @node: Node in the red-black tree.
>
> s/the red-black tree/the ruleset's red-black tree/
OK
>
>> + */
>> + struct rb_node node;
>> + /**
>> + * @object: Pointer to identify a kernel object (e.g. an inode). This
>> + * is used as a key for this ruleset element. This pointer is set once
>> + * and never modified. It always point to an allocated object because
>
> s/point/points/
OK
>
>> + * each rule increment the refcount of there object.
>
> s/increment/increments/
> s/there/its/
OK
>
>> + */
>> + struct landlock_object *object;
>> + /**
>> + * @layers: Bitfield to identify the layers which resulted to @access
>> + * from different consecutive intersections.
>> + */
>> + u64 layers;
>> + /**
>> + * @access: Bitfield of allowed actions on the kernel object. They are
>> + * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ). This
>> + * may be the result of the merged access rights (boolean AND) from
>> + * multiple layers referring to the same object.
>> + */
>> + u32 access;
>> +};
>> +
>> +/**
>> + * struct landlock_hierarchy - Node in a ruleset hierarchy
>> + */
>> +struct landlock_hierarchy {
>> + /**
>> + * @parent: Pointer to the parent node, or NULL if it is a root Lanlock
>
> nit: Landlock
Thanks :)
>
>> + * domain.
>> + */
>> + struct landlock_hierarchy *parent;
>> + /**
>> + * @usage: Number of potential children domains plus their parent
>> + * domain.
>> + */
>> + refcount_t usage;
>> +};
>> +
>> +/**
>> + * struct landlock_ruleset - Landlock ruleset
>> + *
>> + * This data structure must contains unique entries, be updatable, and quick to
>
> s/contains/contain/
OK
>
>> + * match an object.
>> + */
>> +struct landlock_ruleset {
>> + /**
>> + * @root: Root of a red-black tree containing &struct landlock_rule
>> + * nodes.
>
> Maybe add: "Once the ruleset is installed on a process, this tree is
> immutable until @usage reaches zero."
Right.
>
>> + */
>> + struct rb_root root;
>> + /**
>> + * @hierarchy: Enables hierarchy identification even when a parent
>> + * domain vanishes. This is needed for the ptrace protection.
>> + */
>> + struct landlock_hierarchy *hierarchy;
>> + union {
>> + /**
>> + * @work_free: Enables to free a ruleset within a lockless
>> + * section. This is only used by
>> + * landlock_put_ruleset_deferred() when @usage reaches zero.
>> + * The fields @lock, @usage, @nb_layers, @nb_rules and
>> + * @fs_access_mask are then unused.
>> + */
>> + struct work_struct work_free;
>> + struct {
>> + /**
>> + * @lock: Guards against concurrent modifications of
>> + * @root, if @usage is greater than zero.
>> + */
>> + struct mutex lock;
>> + /**
>> + * @usage: Number of processes (i.e. domains) or file
>> + * descriptors referencing this ruleset.
>> + */
>> + refcount_t usage;
>> + /**
>> + * @nb_rules: Number of non-overlapping (i.e. not for
>> + * the same object) rules in this ruleset.
>> + */
>> + u32 nb_rules;
>> + /**
>> + * @nb_layers: Number of layers which are used in this
>> + * ruleset. This enables to check that all the layers
>> + * allow an access request. A value of 0 identify a
>
> s/identify/identifies/
OK
>
>
>
>> + * non-merged ruleset (i.e. not a domain).
>> + */
>> + u32 nb_layers;
>> + /**
>> + * @fs_access_mask: Contains the subset of filesystem
>> + * actions which are restricted by a ruleset. This is
>> + * used when merging rulesets and for user space
>> + * backward compatibility (i.e. future-proof). Set
>> + * once and never changed for the lifetime of the
>> + * ruleset.
>> + */
>> + u32 fs_access_mask;
>> + };
>> + };
>> +};
next prev parent reply other threads:[~2020-10-29 9:35 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-27 20:03 [PATCH v22 00/12] Landlock LSM Mickaël Salaün
2020-10-27 20:03 ` [PATCH v22 01/12] landlock: Add object management Mickaël Salaün
2020-10-29 1:05 ` Jann Horn
2020-10-29 9:30 ` Mickaël Salaün
2020-10-30 3:02 ` Jann Horn
2020-11-16 21:26 ` Pavel Machek
2020-11-16 21:36 ` Mickaël Salaün
2020-10-27 20:03 ` [PATCH v22 02/12] landlock: Add ruleset and domain management Mickaël Salaün
2020-10-29 1:05 ` Jann Horn
2020-10-29 9:35 ` Mickaël Salaün [this message]
2020-10-27 20:03 ` [PATCH v22 03/12] landlock: Set up the security framework and manage credentials Mickaël Salaün
2020-10-29 1:06 ` Jann Horn
2020-10-27 20:03 ` [PATCH v22 04/12] landlock: Add ptrace restrictions Mickaël Salaün
2020-10-29 1:06 ` Jann Horn
2020-10-27 20:03 ` [PATCH v22 05/12] LSM: Infrastructure management of the superblock Mickaël Salaün
2020-10-28 5:29 ` James Morris
2020-10-27 20:03 ` [PATCH v22 06/12] fs,security: Add sb_delete hook Mickaël Salaün
2020-10-28 5:30 ` James Morris
2020-10-29 1:06 ` Jann Horn
2020-10-27 20:03 ` [PATCH v22 07/12] landlock: Support filesystem access-control Mickaël Salaün
2020-10-29 1:06 ` Jann Horn
2020-10-29 10:47 ` Mickaël Salaün
2020-11-03 16:03 ` Mickaël Salaün
2020-10-27 20:03 ` [PATCH v22 08/12] landlock: Add syscall implementations Mickaël Salaün
2020-10-29 1:06 ` Jann Horn
2020-10-29 11:30 ` Mickaël Salaün
2020-10-30 3:07 ` Jann Horn
2020-10-30 12:41 ` Mickaël Salaün
2020-10-27 20:03 ` [PATCH v22 09/12] arch: Wire up Landlock syscalls Mickaël Salaün
2020-10-28 5:31 ` James Morris
2020-10-27 20:03 ` [PATCH v22 10/12] selftests/landlock: Add user space tests Mickaël Salaün
2020-10-27 20:03 ` [PATCH v22 11/12] samples/landlock: Add a sandbox manager example Mickaël Salaün
2020-10-27 20:03 ` [PATCH v22 12/12] landlock: Add user and kernel documentation Mickaël Salaün
2020-10-29 1:07 ` Jann Horn
2020-10-29 11:38 ` Mickaël Salaün
2020-10-29 1:05 ` [PATCH v22 00/12] Landlock LSM Jann Horn
2020-10-29 11:40 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c52342ee-cf5c-e4d6-145e-0080fc07bc91@digikod.net \
--to=mic@digikod.net \
--cc=anton.ivanov@cambridgegreys.com \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=jannh@google.com \
--cc=jdike@addtoit.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mic@linux.microsoft.com \
--cc=mtk.manpages@gmail.com \
--cc=richard@nod.at \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=vincent.dagonneau@ssi.gouv.fr \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).