From: "Mickaël Salaün" <mic@digikod.net>
To: "Konstantin Meskhidze (A)" <konstantin.meskhidze@huawei.com>
Cc: willemdebruijn.kernel@gmail.com, gnoack3000@gmail.com,
linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, anton.sirazetdinov@huawei.com
Subject: Re: [PATCH v7 08/18] landlock: add network rules support
Date: Mon, 12 Sep 2022 19:18:15 +0200 [thread overview]
Message-ID: <369537f3-78e1-2a4e-c010-d56e29c2f315@digikod.net> (raw)
In-Reply-To: <1563a50e-e345-4abb-1c4d-45284102ca6b@huawei.com>
On 10/09/2022 20:27, Konstantin Meskhidze (A) wrote:
>
>
> 9/6/2022 11:08 AM, Mickaël Salaün пишет:
>>
>> On 29/08/2022 19:03, Konstantin Meskhidze wrote:
>>> This commit adds network rules support in internal landlock functions
>>> (presented in ruleset.c) and landlock_create_ruleset syscall.
>>>
>>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>>> ---
>>>
>>> Changes since v6:
>>> * Renames landlock_set_net_access_mask() to landlock_add_net_access_mask()
>>> because it OR values.
>>> * Makes landlock_add_net_access_mask() more resilient incorrect values.
>>> * Refactors landlock_get_net_access_mask().
>>> * Renames LANDLOCK_MASK_SHIFT_NET to LANDLOCK_SHIFT_ACCESS_NET and use
>>> LANDLOCK_NUM_ACCESS_FS as value.
>>> * Updates access_masks_t to u32 to support network access actions.
>>> * Refactors landlock internal functions to support network actions with
>>> landlock_key/key_type/id types.
>>>
>>> Changes since v5:
>>> * Gets rid of partial revert from landlock_add_rule
>>> syscall.
>>> * Formats code with clang-format-14.
>>>
>>> Changes since v4:
>>> * Refactors landlock_create_ruleset() - splits ruleset and
>>> masks checks.
>>> * Refactors landlock_create_ruleset() and landlock mask
>>> setters/getters to support two rule types.
>>> * Refactors landlock_add_rule syscall add_rule_path_beneath
>>> function by factoring out get_ruleset_from_fd() and
>>> landlock_put_ruleset().
>>>
>>> Changes since v3:
>>> * Splits commit.
>>> * Adds network rule support for internal landlock functions.
>>> * Adds set_mask and get_mask for network.
>>> * Adds rb_root root_net_port.
>>>
>>> ---
>>> security/landlock/limits.h | 6 +++++-
>>> security/landlock/ruleset.c | 38 +++++++++++++++++++++++++++++----
>>> security/landlock/ruleset.h | 41 ++++++++++++++++++++++++++++++++++--
>>> security/landlock/syscalls.c | 8 ++++++-
>>> 4 files changed, 85 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/security/landlock/limits.h b/security/landlock/limits.h
>>> index bafb3b8dc677..8a1a6463c64e 100644
>>> --- a/security/landlock/limits.h
>>> +++ b/security/landlock/limits.h
>>> @@ -23,6 +23,10 @@
>>> #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS)
>>> #define LANDLOCK_SHIFT_ACCESS_FS 0
>>>
>>> -/* clang-format on */
>>> +#define LANDLOCK_LAST_ACCESS_NET LANDLOCK_ACCESS_NET_CONNECT_TCP
>>> +#define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1)
>>> +#define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET)
>>> +#define LANDLOCK_SHIFT_ACCESS_NET LANDLOCK_NUM_ACCESS_FS
>>>
>>> +/* clang-format on */
>>> #endif /* _SECURITY_LANDLOCK_LIMITS_H */
>>> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
>>> index 84fcd8eb30d4..442f212039df 100644
>>> --- a/security/landlock/ruleset.c
>>> +++ b/security/landlock/ruleset.c
>>> @@ -36,6 +36,7 @@ static struct landlock_ruleset *create_ruleset(const u32 num_layers)
>>> refcount_set(&new_ruleset->usage, 1);
>>> mutex_init(&new_ruleset->lock);
>>> new_ruleset->root_inode = RB_ROOT;
>>> + new_ruleset->root_net_port = RB_ROOT;
>>> new_ruleset->num_layers = num_layers;
>>> /*
>>> * hierarchy = NULL
>>> @@ -46,16 +47,21 @@ static struct landlock_ruleset *create_ruleset(const u32 num_layers)
>>> }
>>>
>>> struct landlock_ruleset *
>>> -landlock_create_ruleset(const access_mask_t fs_access_mask)
>>> +landlock_create_ruleset(const access_mask_t fs_access_mask,
>>> + const access_mask_t net_access_mask)
>>> {
>>> struct landlock_ruleset *new_ruleset;
>>>
>>> /* Informs about useless ruleset. */
>>> - if (!fs_access_mask)
>>> + if (!fs_access_mask && !net_access_mask)
>>> return ERR_PTR(-ENOMSG);
>>> new_ruleset = create_ruleset(1);
>>> - if (!IS_ERR(new_ruleset))
>>> + if (IS_ERR(new_ruleset))
>>> + return new_ruleset;
>>> + if (fs_access_mask)
>>> landlock_add_fs_access_mask(new_ruleset, fs_access_mask, 0);
>>> + if (net_access_mask)
>>> + landlock_add_net_access_mask(new_ruleset, net_access_mask, 0);
>>> return new_ruleset;
>>> }
>>>
>>> @@ -73,6 +79,8 @@ static inline bool is_object_pointer(const enum landlock_key_type key_type)
>>> switch (key_type) {
>>> case LANDLOCK_KEY_INODE:
>>> return true;
>>> + case LANDLOCK_KEY_NET_PORT:
>>> + return false;
>>> }
>>> WARN_ON_ONCE(1);
>>> return false;
>>> @@ -126,6 +134,9 @@ static inline struct rb_root *get_root(struct landlock_ruleset *const ruleset,
>>> case LANDLOCK_KEY_INODE:
>>> root = &ruleset->root_inode;
>>> break;
>>> + case LANDLOCK_KEY_NET_PORT:
>>> + root = &ruleset->root_net_port;
>>> + break;
>>> }
>>> if (WARN_ON_ONCE(!root))
>>> return ERR_PTR(-EINVAL);
>>> @@ -154,7 +165,9 @@ static void build_check_ruleset(void)
>>> BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES);
>>> BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS);
>>> BUILD_BUG_ON(access_masks <
>>> - (LANDLOCK_MASK_ACCESS_FS << LANDLOCK_SHIFT_ACCESS_FS));
>>> + (LANDLOCK_MASK_ACCESS_FS << LANDLOCK_SHIFT_ACCESS_FS) +
>>> + (LANDLOCK_MASK_ACCESS_NET
>>> + << LANDLOCK_SHIFT_ACCESS_NET));
>>> }
>>>
>>> /**
>>> @@ -367,6 +380,11 @@ static int merge_ruleset(struct landlock_ruleset *const dst,
>>> if (err)
>>> goto out_unlock;
>>>
>>> + /* Merges the @src network port tree. */
>>> + err = merge_tree(dst, src, LANDLOCK_KEY_NET_PORT);
>>> + if (err)
>>> + goto out_unlock;
>>> +
>>> out_unlock:
>>> mutex_unlock(&src->lock);
>>> mutex_unlock(&dst->lock);
>>> @@ -419,6 +437,11 @@ static int inherit_ruleset(struct landlock_ruleset *const parent,
>>> if (err)
>>> goto out_unlock;
>>>
>>> + /* Copies the @parent network port tree. */
>>> + err = inherit_tree(parent, child, LANDLOCK_KEY_NET_PORT);
>>> + if (err)
>>> + goto out_unlock;
>>> +
>>> if (WARN_ON_ONCE(child->num_layers <= parent->num_layers)) {
>>> err = -EINVAL;
>>> goto out_unlock;
>>> @@ -451,6 +474,9 @@ static void free_ruleset(struct landlock_ruleset *const ruleset)
>>> rbtree_postorder_for_each_entry_safe(freeme, next, &ruleset->root_inode,
>>> node)
>>> free_rule(freeme, LANDLOCK_KEY_INODE);
>>> + rbtree_postorder_for_each_entry_safe(freeme, next,
>>> + &ruleset->root_net_port, node)
>>> + free_rule(freeme, LANDLOCK_KEY_NET_PORT);
>>> put_hierarchy(ruleset->hierarchy);
>>> kfree(ruleset);
>>> }
>>> @@ -640,6 +666,10 @@ access_mask_t init_layer_masks(const struct landlock_ruleset *const domain,
>>> get_access_mask = landlock_get_fs_access_mask;
>>> num_access = LANDLOCK_NUM_ACCESS_FS;
>>> break;
>>> + case LANDLOCK_KEY_NET_PORT:
>>> + get_access_mask = landlock_get_net_access_mask;
>>> + num_access = LANDLOCK_NUM_ACCESS_NET;
>>> + break;
>>> default:
>>> WARN_ON_ONCE(1);
>>> return 0;
>>> diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
>>> index 2083855bf42d..d456ee90b648 100644
>>> --- a/security/landlock/ruleset.h
>>> +++ b/security/landlock/ruleset.h
>>> @@ -26,7 +26,7 @@ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
>>> static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
>>>
>>> /* Ruleset access masks. */
>>> -typedef u16 access_masks_t;
>>> +typedef u32 access_masks_t;
>>> /* Makes sure all ruleset access rights can be stored. */
>>> static_assert(BITS_PER_TYPE(access_masks_t) >= LANDLOCK_NUM_ACCESS_FS);
>>
>> There is some fixes missing from my patch.
>>
>>
>>>
>>> @@ -66,6 +66,11 @@ enum landlock_key_type {
>>> * keys.
>>> */
>>> LANDLOCK_KEY_INODE = 1,
>>
>>
>> #if IS_ENABLED(CONFIG_INET)
>>
>>> + /**
>>> + * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's
>>> + * node keys.
>>> + */
>>> + LANDLOCK_KEY_NET_PORT = 2,
>>
>> #endif /* IS_ENABLED(CONFIG_INET) */
>>
>> And then all use of LANDLOCK_KEY_NET_PORT should be surrounded by the
>> same check (but not directly in the net.c file).
>
> I checked the branch with your patches: tmp-net
> (7d6cf40a6f81adf607ad3cc17aaa11e256beeea4), but I did not find #if
> IS_ENABLED(CONFIG_INET) surrounding LANDLOCK_KEY_NET_PORT.
You need to write that yourself.
>>
>>
>>> };
>>>
>>> /**
>>> @@ -133,6 +138,12 @@ struct landlock_ruleset {
>>> * reaches zero.
>>> */
>>> struct rb_root root_inode;
>>
>> #if IS_ENABLED(CONFIG_INET)
>>
>>> + /**
>>> + * @root_net_port: Root of a red-black tree containing object nodes
>>> + * for network port. Once a ruleset is tied to a process (i.e. as a domain),
>>> + * this tree is immutable until @usage reaches zero.
>>> + */
>>
>> There is some fixes missing from my patch. Please explain everything
>> that you didn't take.
>
> Sorry. I did merge your patch manually and did not tell the
> difference here. Will be fixed
You can use git diff to be sure to not miss some parts. BTW, tools such
as git cherry-pick, read-tree, diff and "add -p" can save you some time.
>>
>>
>>> + struct rb_root root_net_port;
>>
>>
>> #endif /* IS_ENABLED(CONFIG_INET) */
>>
>> And then all use of root_net_port should be surrounded by the same check.
>
> The same - I did not find #if IS_ENABLED(CONFIG_INET) surrounding
> root_net_port in tmp-net (7d6cf40a6f81adf607ad3cc17aaa11e256beeea4)
>>
>> I think it should be OK to keep all other remaining network references
>> though (e.g. access_masks and the ).
>
> Ok. Thanks.
>>
>>
>>> /**
>>> * @hierarchy: Enables hierarchy identification even when a parent
>>> * domain vanishes. This is needed for the ptrace protection.
>>> @@ -188,7 +199,8 @@ struct landlock_ruleset {
>>> };
>>>
>>> struct landlock_ruleset *
>>> -landlock_create_ruleset(const access_mask_t access_mask);
>>> +landlock_create_ruleset(const access_mask_t access_mask_fs,
>>> + const access_mask_t access_mask_net);
>>>
>>> void landlock_put_ruleset(struct landlock_ruleset *const ruleset);
>>> void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);
>>> @@ -226,6 +238,21 @@ landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
>>> (fs_mask << LANDLOCK_SHIFT_ACCESS_FS);
>>> }
>>>
>>> +/* A helper function to set a network mask. */
>>
>> I already said that this comment is useless, and I removed it in my
>> patch. Please take a closer look at reviews.
>
> Sorry. I missed that in your patch. Will be fixed.
>>
>>
>>> +static inline void
>>> +landlock_add_net_access_mask(struct landlock_ruleset *const ruleset,
>>> + const access_mask_t net_access_mask,
>>> + const u16 layer_level)
>>> +{
>>> + access_mask_t net_mask = net_access_mask & LANDLOCK_MASK_ACCESS_NET;
>>> +
>>> + /* Should already be checked in sys_landlock_create_ruleset(). */
>>> + WARN_ON_ONCE(net_access_mask != net_mask);
>>> + // TODO: Add tests to check "|=" and not "="
>>> + ruleset->access_masks[layer_level] |=
>>> + (net_mask << LANDLOCK_SHIFT_ACCESS_NET);
>>> +}
>>> +
>>> /* A helper function to get a filesystem mask. */
>>> static inline access_mask_t
>>> landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
>>> @@ -236,6 +263,16 @@ landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
>>> LANDLOCK_MASK_ACCESS_FS;
>>> }
>>>
>>> +/* A helper function to get a network mask. */
>>> +static inline access_mask_t
>>> +landlock_get_net_access_mask(const struct landlock_ruleset *const ruleset,
>>> + const u16 layer_level)
>>> +{
>>> + return (ruleset->access_masks[layer_level] >>
>>> + LANDLOCK_SHIFT_ACCESS_NET) &
>>> + LANDLOCK_MASK_ACCESS_NET;
>>> +}
>>> +
>>
>> This hunk doesn't match my patch.
>
> Do you mean landlock_get_net_access_mask? If yes, there is no diff
> with your patch here.
I removed useless comments, please do a diff (and look at the changes in
the commit messages). Some code also moved.
>>
>>
>>> bool unmask_layers(const struct landlock_rule *const rule,
>>> const access_mask_t access_request,
>>> layer_mask_t (*const layer_masks)[],
>>> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
>>> index ffd5805eddd9..641155f6f6f8 100644
>>> --- a/security/landlock/syscalls.c
>>> +++ b/security/landlock/syscalls.c
>>> @@ -189,8 +189,14 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
>>> LANDLOCK_MASK_ACCESS_FS)
>>> return -EINVAL;
>>>
>>> + /* Checks network content (and 32-bits cast). */
>>> + if ((ruleset_attr.handled_access_net | LANDLOCK_MASK_ACCESS_NET) !=
>>> + LANDLOCK_MASK_ACCESS_NET)
>>> + return -EINVAL;
>>> +
>>> /* Checks arguments and transforms to kernel struct. */
>>> - ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs);
>>> + ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs,
>>> + ruleset_attr.handled_access_net);
>>> if (IS_ERR(ruleset))
>>> return PTR_ERR(ruleset);
>>>
>>> --
>>> 2.25.1
>>>
>> .
next prev parent reply other threads:[~2022-09-12 17:18 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-29 17:03 [PATCH v7 00/18] Network support for Landlock Konstantin Meskhidze
2022-08-29 17:03 ` [PATCH v7 01/18] landlock: rename access mask Konstantin Meskhidze
2022-09-06 8:06 ` Mickaël Salaün
2022-09-09 10:42 ` Konstantin Meskhidze (A)
2022-09-12 17:16 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule Konstantin Meskhidze
2022-09-06 8:07 ` Mickaël Salaün
2022-09-09 10:48 ` Konstantin Meskhidze (A)
2022-09-12 17:17 ` Mickaël Salaün
2022-10-12 8:37 ` Konstantin Meskhidze (A)
2022-10-12 10:06 ` Mickaël Salaün
2022-10-12 11:13 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 03/18] landlock: refactor merge/inherit_ruleset functions Konstantin Meskhidze
2022-09-06 8:07 ` Mickaël Salaün
2022-09-09 14:53 ` Konstantin Meskhidze (A)
2022-09-12 17:17 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 04/18] landlock: move helper functions Konstantin Meskhidze
2022-09-06 8:07 ` Mickaël Salaün
2022-09-10 16:50 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 05/18] landlock: refactor " Konstantin Meskhidze
2022-09-06 8:07 ` Mickaël Salaün
2022-09-10 17:20 ` Konstantin Meskhidze (A)
2022-09-12 17:18 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 06/18] landlock: refactor landlock_add_rule syscall Konstantin Meskhidze
2022-08-29 17:03 ` [PATCH v7 07/18] landlock: user space API network support Konstantin Meskhidze
2022-09-06 8:08 ` Mickaël Salaün
2022-09-10 17:25 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 08/18] landlock: add network rules support Konstantin Meskhidze
2022-09-06 8:08 ` Mickaël Salaün
2022-09-10 18:27 ` Konstantin Meskhidze (A)
2022-09-12 17:18 ` Mickaël Salaün [this message]
2022-08-29 17:03 ` [PATCH v7 09/18] landlock: implement TCP network hooks Konstantin Meskhidze
2022-09-06 8:08 ` Mickaël Salaün
2022-09-10 20:28 ` Konstantin Meskhidze (A)
2022-09-12 17:18 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 10/18] seltests/landlock: move helper function Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:29 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 11/18] seltests/landlock: add tests for bind() hooks Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:47 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 12/18] seltests/landlock: add tests for connect() hooks Konstantin Meskhidze
2022-08-29 17:03 ` [PATCH v7 13/18] seltests/landlock: add AF_UNSPEC family test Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:48 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 14/18] seltests/landlock: add rules overlapping test Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:49 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 15/18] seltests/landlock: add ruleset expanding test Konstantin Meskhidze
2022-08-29 17:03 ` [PATCH v7 16/18] seltests/landlock: add invalid input data test Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:51 ` Konstantin Meskhidze (A)
2022-09-12 17:22 ` Mickaël Salaün
2022-10-10 10:37 ` Mickaël Salaün
2022-10-11 7:55 ` Konstantin Meskhidze (A)
2022-10-11 8:32 ` Mickaël Salaün
2022-08-29 17:04 ` [PATCH v7 17/18] samples/landlock: add network demo Konstantin Meskhidze
2022-09-06 8:10 ` Mickaël Salaün
2022-09-10 20:59 ` Konstantin Meskhidze (A)
2022-09-12 17:23 ` Mickaël Salaün
2022-08-29 17:04 ` [PATCH v7 18/18] landlock: Document Landlock's network support Konstantin Meskhidze
2022-09-06 8:12 ` Mickaël Salaün
2022-09-10 21:14 ` Konstantin Meskhidze (A)
2022-09-12 17:23 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=369537f3-78e1-2a4e-c010-d56e29c2f315@digikod.net \
--to=mic@digikod.net \
--cc=anton.sirazetdinov@huawei.com \
--cc=gnoack3000@gmail.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).