From: "Günther Noack" <gnoack3000@gmail.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org,
James Morris <jmorris@namei.org>,
Paul Moore <paul@paul-moore.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-fsdevel@vger.kernel.org,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Subject: Re: [PATCH v8 3/9] landlock: Refactor check_access_path_dual() into is_access_to_paths_allowed()
Date: Sat, 8 Oct 2022 09:54:39 +0200 [thread overview]
Message-ID: <Y0Esvz32Kw5iKFFr@nuc> (raw)
In-Reply-To: <16f036ca-fd68-2e89-2ceb-0b9e211a4b23@digikod.net>
On Wed, Oct 05, 2022 at 08:54:08PM +0200, Mickaël Salaün wrote:
> On 01/10/2022 17:49, Günther Noack wrote:
> > * Rename it to is_access_to_paths_allowed()
> > * Make it return true iff the access is allowed
> > * Calculate the EXDEV/EACCES error code in the one place where it's needed
>
> Can you please replace these bullet points with (one-sentence) paragraphs?
Done.
> > Suggested-by: Mickaël Salaün <mic@digikod.net>
> > Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> > ---
> > security/landlock/fs.c | 89 +++++++++++++++++++++---------------------
> > 1 file changed, 44 insertions(+), 45 deletions(-)
> >
> > diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> > index a9dbd99d9ee7..083dd3d359de 100644
> > --- a/security/landlock/fs.c
> > +++ b/security/landlock/fs.c
> > @@ -430,7 +430,7 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS],
> > }
> > /**
> > - * check_access_path_dual - Check accesses for requests with a common path
> > + * is_access_to_paths_allowed - Check accesses for requests with a common path
> > *
> > * @domain: Domain to check against.
> > * @path: File hierarchy to walk through.
> > @@ -465,14 +465,10 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS],
> > * allow the request.
> > *
> > * Returns:
> > - * - 0 if the access request is granted;
> > - * - -EACCES if it is denied because of access right other than
> > - * LANDLOCK_ACCESS_FS_REFER;
> > - * - -EXDEV if the renaming or linking would be a privileged escalation
> > - * (according to each layered policies), or if LANDLOCK_ACCESS_FS_REFER is
> > - * not allowed by the source or the destination.
> > + * - true if the access request is granted;
> > + * - false otherwise
>
> Missing final dot.
Done.
> > */
> > -static int check_access_path_dual(
> > +static bool is_access_to_paths_allowed(
> > const struct landlock_ruleset *const domain,
> > const struct path *const path,
> > const access_mask_t access_request_parent1,
> > @@ -492,17 +488,17 @@ static int check_access_path_dual(
> > (*layer_masks_child2)[LANDLOCK_NUM_ACCESS_FS] = NULL;
> > if (!access_request_parent1 && !access_request_parent2)
> > - return 0;
> > + return true;
> > if (WARN_ON_ONCE(!domain || !path))
> > - return 0;
> > + return true;
> > if (is_nouser_or_private(path->dentry))
> > - return 0;
> > + return true;
> > if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1))
> > - return -EACCES;
> > + return false;
> > if (unlikely(layer_masks_parent2)) {
> > if (WARN_ON_ONCE(!dentry_child1))
> > - return -EACCES;
> > + return false;
> > /*
> > * For a double request, first check for potential privilege
> > * escalation by looking at domain handled accesses (which are
> > @@ -513,7 +509,7 @@ static int check_access_path_dual(
> > is_dom_check = true;
> > } else {
> > if (WARN_ON_ONCE(dentry_child1 || dentry_child2))
> > - return -EACCES;
> > + return false;
> > /* For a simple request, only check for requested accesses. */
> > access_masked_parent1 = access_request_parent1;
> > access_masked_parent2 = access_request_parent2;
> > @@ -622,24 +618,7 @@ static int check_access_path_dual(
> > }
> > path_put(&walker_path);
> > - if (allowed_parent1 && allowed_parent2)
> > - return 0;
> > -
> > - /*
> > - * This prioritizes EACCES over EXDEV for all actions, including
> > - * renames with RENAME_EXCHANGE.
> > - */
> > - if (likely(is_eacces(layer_masks_parent1, access_request_parent1) ||
> > - is_eacces(layer_masks_parent2, access_request_parent2)))
> > - return -EACCES;
> > -
> > - /*
> > - * Gracefully forbids reparenting if the destination directory
> > - * hierarchy is not a superset of restrictions of the source directory
> > - * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the
> > - * source or the destination.
> > - */
> > - return -EXDEV;
> > + return allowed_parent1 && allowed_parent2;
> > }
> > static inline int check_access_path(const struct landlock_ruleset *const domain,
> > @@ -649,8 +628,10 @@ static inline int check_access_path(const struct landlock_ruleset *const domain,
> > layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
> > access_request = init_layer_masks(domain, access_request, &layer_masks);
> > - return check_access_path_dual(domain, path, access_request,
> > - &layer_masks, NULL, 0, NULL, NULL);
> > + if (is_access_to_paths_allowed(domain, path, access_request,
> > + &layer_masks, NULL, 0, NULL, NULL))
> > + return 0;
> > + return -EACCES;
> > }
> > static inline int current_check_access_path(const struct path *const path,
> > @@ -711,8 +692,9 @@ static inline access_mask_t maybe_remove(const struct dentry *const dentry)
> > * file. While walking from @dir to @mnt_root, we record all the domain's
> > * allowed accesses in @layer_masks_dom.
> > *
> > - * This is similar to check_access_path_dual() but much simpler because it only
> > - * handles walking on the same mount point and only check one set of accesses.
> > + * This is similar to is_access_to_paths_allowed() but much simpler because it
> > + * only handles walking on the same mount point and only checks one set of
> > + * accesses.
> > *
> > * Returns:
> > * - true if all the domain access rights are allowed for @dir;
> > @@ -857,10 +839,11 @@ static int current_check_refer_path(struct dentry *const old_dentry,
> > access_request_parent1 = init_layer_masks(
> > dom, access_request_parent1 | access_request_parent2,
> > &layer_masks_parent1);
> > - return check_access_path_dual(dom, new_dir,
> > - access_request_parent1,
> > - &layer_masks_parent1, NULL, 0,
> > - NULL, NULL);
> > + if (is_access_to_paths_allowed(
> > + dom, new_dir, access_request_parent1,
> > + &layer_masks_parent1, NULL, 0, NULL, NULL))
> > + return 0;
> > + return -EACCES;
> > }
> > access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER;
> > @@ -886,11 +869,27 @@ static int current_check_refer_path(struct dentry *const old_dentry,
> > * parent access rights. This will be useful to compare with the
> > * destination parent access rights.
> > */
> > - return check_access_path_dual(dom, &mnt_dir, access_request_parent1,
> > - &layer_masks_parent1, old_dentry,
> > - access_request_parent2,
> > - &layer_masks_parent2,
> > - exchange ? new_dentry : NULL);
> > + if (is_access_to_paths_allowed(
> > + dom, &mnt_dir, access_request_parent1, &layer_masks_parent1,
> > + old_dentry, access_request_parent2, &layer_masks_parent2,
> > + exchange ? new_dentry : NULL))
> > + return 0;
> > +
> > + /*
> > + * This prioritizes EACCES over EXDEV for all actions, including
> > + * renames with RENAME_EXCHANGE.
> > + */
> > + if (likely(is_eacces(&layer_masks_parent1, access_request_parent1) ||
> > + is_eacces(&layer_masks_parent2, access_request_parent2)))
> > + return -EACCES;
> > +
> > + /*
> > + * Gracefully forbids reparenting if the destination directory
> > + * hierarchy is not a superset of restrictions of the source directory
> > + * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the
> > + * source or the destination.
> > + */
> > + return -EXDEV;
> > }
> > /* Inode hooks */
--
next prev parent reply other threads:[~2022-10-08 7:54 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-01 15:48 [PATCH v8 0/9] landlock: truncate support Günther Noack
2022-10-01 15:49 ` [PATCH v8 1/9] security: Create file_truncate hook from path_truncate hook Günther Noack
2022-10-05 18:53 ` Mickaël Salaün
2022-10-08 7:45 ` Günther Noack
2022-10-06 1:10 ` Paul Moore
2022-10-01 15:49 ` [PATCH v8 2/9] selftests/landlock: Locally define __maybe_unused Günther Noack
2022-10-05 18:53 ` Mickaël Salaün
2022-10-08 7:47 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 3/9] landlock: Refactor check_access_path_dual() into is_access_to_paths_allowed() Günther Noack
2022-10-05 18:54 ` Mickaël Salaün
2022-10-08 7:54 ` Günther Noack [this message]
2022-10-01 15:49 ` [PATCH v8 4/9] landlock: Support file truncation Günther Noack
2022-10-04 19:56 ` Nathan Chancellor
2022-10-05 18:52 ` Mickaël Salaün
2022-10-06 20:19 ` Günther Noack
2022-10-05 18:55 ` Mickaël Salaün
2022-10-08 8:08 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 5/9] selftests/landlock: Selftests for file truncation support Günther Noack
2022-10-01 15:49 ` [PATCH v8 6/9] selftests/landlock: Test open() and ftruncate() in multiple scenarios Günther Noack
2022-10-05 18:56 ` Mickaël Salaün
2022-10-01 15:49 ` [PATCH v8 7/9] selftests/landlock: Test FD passing from a Landlock-restricted to an unrestricted process Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:25 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 8/9] samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:47 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 9/9] landlock: Document Landlock's file truncation support Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:49 ` Günther Noack
2022-10-05 19:18 ` [PATCH v8 0/9] landlock: truncate support Mickaël Salaün
2022-10-08 10:20 ` Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y0Esvz32Kw5iKFFr@nuc \
--to=gnoack3000@gmail.com \
--cc=jmorris@namei.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).