From: Al Viro <viro@zeniv.linux.org.uk>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Jann Horn" <jannh@google.com>,
"Kees Cook" <keescook@chromium.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Andy Lutomirski" <luto@amacapital.net>,
"Anton Ivanov" <anton.ivanov@cambridgegreys.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"David Howells" <dhowells@redhat.com>,
"Jeff Dike" <jdike@addtoit.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Richard Weinberger" <richard@nod.at>,
"Shuah Khan" <shuah@kernel.org>,
"Vincent Dagonneau" <vincent.dagonneau@ssi.gouv.fr>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org,
linux-security-module@vger.kernel.org, x86@kernel.org,
"Mickaël Salaün" <mic@linux.microsoft.com>,
"James Morris" <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v31 07/12] landlock: Support filesystem access-control
Date: Thu, 1 Apr 2021 02:14:45 +0000 [thread overview]
Message-ID: <YGUslUPwp85Zrp4t@zeniv-ca.linux.org.uk> (raw)
In-Reply-To: <d2764451-8970-6cbd-e2bf-254a42244ffc@digikod.net>
On Wed, Mar 31, 2021 at 07:33:50PM +0200, Mickaël Salaün wrote:
> > +static inline u64 unmask_layers(
> > + const struct landlock_ruleset *const domain,
> > + const struct path *const path, const u32 access_request,
> > + u64 layer_mask)
> > +{
> > + const struct landlock_rule *rule;
> > + const struct inode *inode;
> > + size_t i;
> > +
> > + if (d_is_negative(path->dentry))
> > + /* Continues to walk while there is no mapped inode. */
^^^^^
Odd comment, that...
> > +static int check_access_path(const struct landlock_ruleset *const domain,
> > + const struct path *const path, u32 access_request)
> > +{
> > + walker_path = *path;
> > + path_get(&walker_path);
> > + while (true) {
> > + struct dentry *parent_dentry;
> > +
> > + layer_mask = unmask_layers(domain, &walker_path,
> > + access_request, layer_mask);
> > + if (layer_mask == 0) {
> > + /* Stops when a rule from each layer grants access. */
> > + allowed = true;
> > + break;
> > + }
> > +
> > +jump_up:
> > + if (walker_path.dentry == walker_path.mnt->mnt_root) {
> > + if (follow_up(&walker_path)) {
> > + /* Ignores hidden mount points. */
> > + goto jump_up;
> > + } else {
> > + /*
> > + * Stops at the real root. Denies access
> > + * because not all layers have granted access.
> > + */
> > + allowed = false;
> > + break;
> > + }
> > + }
> > + if (unlikely(IS_ROOT(walker_path.dentry))) {
> > + /*
> > + * Stops at disconnected root directories. Only allows
> > + * access to internal filesystems (e.g. nsfs, which is
> > + * reachable through /proc/<pid>/ns/<namespace>).
> > + */
> > + allowed = !!(walker_path.mnt->mnt_flags & MNT_INTERNAL);
> > + break;
> > + }
> > + parent_dentry = dget_parent(walker_path.dentry);
> > + dput(walker_path.dentry);
> > + walker_path.dentry = parent_dentry;
> > + }
> > + path_put(&walker_path);
> > + return allowed ? 0 : -EACCES;
That's a whole lot of grabbing/dropping references... I realize that it's
an utterly tactless question, but... how costly it is? IOW, do you have
profiling data?
> > +/*
> > + * pivot_root(2), like mount(2), changes the current mount namespace. It must
> > + * then be forbidden for a landlocked process.
... and cross-directory rename(2) can change the tree topology. Do you ban that
as well?
[snip]
> > +static int hook_path_rename(const struct path *const old_dir,
> > + struct dentry *const old_dentry,
> > + const struct path *const new_dir,
> > + struct dentry *const new_dentry)
> > +{
> > + const struct landlock_ruleset *const dom =
> > + landlock_get_current_domain();
> > +
> > + if (!dom)
> > + return 0;
> > + /* The mount points are the same for old and new paths, cf. EXDEV. */
> > + if (old_dir->dentry != new_dir->dentry)
> > + /* For now, forbids reparenting. */
> > + return -EACCES;
You do, apparently, and not in a way that would have the userland fall
back to copy+unlink. Lovely... Does e.g. git survive such restriction?
Same question for your average package build...
next prev parent reply other threads:[~2021-04-01 2:16 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-24 19:15 [PATCH v31 00/12] Landlock LSM Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 01/12] landlock: Add object management Mickaël Salaün
2021-03-24 19:34 ` Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 02/12] landlock: Add ruleset and domain management Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 03/12] landlock: Set up the security framework and manage credentials Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 04/12] landlock: Add ptrace restrictions Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 05/12] LSM: Infrastructure management of the superblock Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 06/12] fs,security: Add sb_delete hook Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 07/12] landlock: Support filesystem access-control Mickaël Salaün
2021-03-31 17:33 ` Mickaël Salaün
2021-03-31 17:50 ` Kees Cook
2021-04-01 2:14 ` Al Viro [this message]
2021-04-01 17:12 ` Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 08/12] landlock: Add syscall implementations Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 09/12] arch: Wire up Landlock syscalls Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 11/12] samples/landlock: Add a sandbox manager example Mickaël Salaün
2021-03-24 19:15 ` [PATCH v31 12/12] landlock: Add user and kernel documentation Mickaël Salaün
2021-03-26 4:30 ` Kees Cook
[not found] ` <20210324191520.125779-11-mic@digikod.net>
2021-03-26 4:30 ` [PATCH v31 10/12] selftests/landlock: Add user space tests Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YGUslUPwp85Zrp4t@zeniv-ca.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=akpm@linux-foundation.org \
--cc=anton.ivanov@cambridgegreys.com \
--cc=arnd@arndb.de \
--cc=casey@schaufler-ca.com \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=jannh@google.com \
--cc=jdike@addtoit.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mic@digikod.net \
--cc=mic@linux.microsoft.com \
--cc=mtk.manpages@gmail.com \
--cc=richard@nod.at \
--cc=serge@hallyn.com \
--cc=shuah@kernel.org \
--cc=vincent.dagonneau@ssi.gouv.fr \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).