linux-kselftest.vger.kernel.org archive mirror
From: "Mickaël Salaün" <mic@digikod.net>
To: Al Viro <viro@zeniv.linux.org.uk>,
	James Morris <jmorris@namei.org>, Serge Hallyn <serge@hallyn.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"Andy Lutomirski" <luto@amacapital.net>,
	"Jann Horn" <jannh@google.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Shuah Khan" <shuah@kernel.org>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v1 0/4] Landlock filesystem caching
Date: Thu,  1 Jul 2021 00:48:52 +0200
Message-ID: <20210630224856.1313928-1-mic@digikod.net>

Hi,

The goal of this patch series is to reduce the performance impact of
walking through a lot of files while being landlocked.  Indeed, because
of the unprivileged nature of Landlock, each file access implies
checking the access granted to each directory of the path, which slows
down open time.

Currently, openat(2) calls spend more than 22% of their time in
hook_file_open().  The performance impact for a common worst case
scenario is significantly reduced thanks to this patch series,
theoretically going from O(n) with n as the depth of a path, to O(1)
(cf. benchmarks in the caching patch).

This series adds a new security hook (resolve_path_at) and uses it to
implement access caching in Landlock.  I'm planning to build on top of
that for other improvements (using task's working directory and task's
root directory) but that will require other hook changes.

This new hook is also a first step to be able to securely restrict file
descriptors used for path resolution (e.g. dirfd in openat2).

Caching may be difficult to get right especially for security checks.  I
extended the current tests and I'm still working on new ones.  If you
have test/attack scenarios, please share them.  I would really
appreciate constructive reviews for these critical changes.  This series
can be applied on top of v5.13.

Regards,

Mickaël Salaün (4):
  fs,security: Add resolve_path_at() hook
  landlock: Add filesystem rule caching
  selftests/landlock: Work in a temporary directory
  selftests/landlock: Check all possible intermediate directories

 fs/namei.c                                 |   9 +
 include/linux/lsm_hook_defs.h              |   2 +
 include/linux/lsm_hooks.h                  |   8 +
 include/linux/security.h                   |   9 +
 security/landlock/cache.h                  |  77 +++++++
 security/landlock/cred.c                   |  15 +-
 security/landlock/cred.h                   |  20 +-
 security/landlock/fs.c                     | 224 +++++++++++++++++++--
 security/landlock/fs.h                     |  29 +++
 security/landlock/setup.c                  |   2 +
 security/security.c                        |   6 +
 tools/testing/selftests/landlock/fs_test.c | 205 ++++++++++++++-----
 12 files changed, 544 insertions(+), 62 deletions(-)
 create mode 100644 security/landlock/cache.h


base-commit: 62fb9874f5da54fdb243003b386128037319b219
-- 
2.32.0
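
The cost model and the caching concern raised in this cover letter, as an added example that is not part of the original message and is not the patch series' code or design: a userspace C model in which a check walks every parent directory, a per-directory cache removes the walk on repeated checks, and a move invalidates cached results so a stale one cannot grant access. All names (struct dir, check_cached, move_dir, topology_gen) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Userspace model only: every name here is hypothetical, not kernel code. */
#define ACCESS_READ  1u
#define ACCESS_WRITE 2u
struct dir {
	struct dir *parent;  /* NULL for the root */
	uint32_t rule;       /* accesses granted by a rule on this directory */
	uint32_t cached;     /* union of the rules from here up to the root */
	uint64_t cached_gen; /* hierarchy generation the cache was built for */
};

static uint64_t topology_gen = 1; /* bumped on every move */
static unsigned long steps;       /* directories visited so far */

/* Uncached check: visit each directory of the path, O(depth). */
static uint32_t collect_walk(const struct dir *d)
{
	uint32_t allowed = 0;
	for (; d; d = d->parent, steps++)
		allowed |= d->rule;
	return allowed;
}

/* Cached check: O(1) while the hierarchy is unchanged. */
static int check_cached(struct dir *d, uint32_t request)
{
	if (d->cached_gen != topology_gen) {
		d->cached = collect_walk(d);
		d->cached_gen = topology_gen;
	}
	return (d->cached & request) == request;
}

/* A move changes which rules cover a directory: drop all cached results. */
static void move_dir(struct dir *d, struct dir *new_parent)
{
	d->parent = new_parent;
	topology_gen++;
}

int main(void)
{
	struct dir root = { 0 }, ok = { &root, ACCESS_READ }, other = { &root }, leaf = { &ok };
	int before = check_cached(&leaf, ACCESS_READ), after;
	move_dir(&leaf, &other);
	after = check_cached(&leaf, ACCESS_READ);
	printf("%d -> %d, steps=%lu\n", before, after, steps);
}
```

A single global generation counter is the coarsest possible invalidation; it is used here only to keep the model short.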

