From: "Konstantin Meskhidze (A)" <konstantin.meskhidze@huawei.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: <willemdebruijn.kernel@gmail.com>, <gnoack3000@gmail.com>,
<linux-security-module@vger.kernel.org>, <netdev@vger.kernel.org>,
<netfilter-devel@vger.kernel.org>,
<anton.sirazetdinov@huawei.com>
Subject: Re: [PATCH v7 04/18] landlock: move helper functions
Date: Sat, 10 Sep 2022 19:50:21 +0300 [thread overview]
Message-ID: <71a51eaa-7c6b-edfa-b397-2597c06b32db@huawei.com> (raw)
In-Reply-To: <2299f034-e6f2-051c-97e3-bf93a0916a50@digikod.net>
9/6/2022 11:07 AM, Mickaël Salaün пишет:
> You can make the subject more informative with "landlock: Move
> unmask_layers() and init_layer_masks()".
>
Ok. Thanks.
>
> On 29/08/2022 19:03, Konstantin Meskhidze wrote:
>> This patch moves unmask_layers() and init_layer_masks() helpers
>> to ruleset.c to share with landlock network implementation in
>> following commits.
>>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>> ---
>>
>> Changes since v6:
>> * Moves get_handled_accesses() helper from ruleset.c back to fs.c,
>> cause it's not used in coming network commits.
>>
>> Changes since v5:
>> * Splits commit.
>> * Moves init_layer_masks() and get_handled_accesses() helpers
>> to ruleset.c and makes then non-static.
>> * Formats code with clang-format-14.
>>
>> ---
>> security/landlock/fs.c | 85 -------------------------------------
>> security/landlock/ruleset.c | 84 ++++++++++++++++++++++++++++++++++++
>> security/landlock/ruleset.h | 10 +++++
>> 3 files changed, 94 insertions(+), 85 deletions(-)
>>
>> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
>> index cca87fcd222d..b03d6153f628 100644
>> --- a/security/landlock/fs.c
>> +++ b/security/landlock/fs.c
>> @@ -215,60 +215,6 @@ find_rule(const struct landlock_ruleset *const domain,
>> return rule;
>> }
>>
>> -/*
>> - * @layer_masks is read and may be updated according to the access request and
>> - * the matching rule.
>> - *
>> - * Returns true if the request is allowed (i.e. relevant layer masks for the
>> - * request are empty).
>> - */
>> -static inline bool
>> -unmask_layers(const struct landlock_rule *const rule,
>> - const access_mask_t access_request,
>> - layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
>> -{
>> - size_t layer_level;
>> -
>> - if (!access_request || !layer_masks)
>> - return true;
>> - if (!rule)
>> - return false;
>> -
>> - /*
>> - * An access is granted if, for each policy layer, at least one rule
>> - * encountered on the pathwalk grants the requested access,
>> - * regardless of its position in the layer stack. We must then check
>> - * the remaining layers for each inode, from the first added layer to
>> - * the last one. When there is multiple requested accesses, for each
>> - * policy layer, the full set of requested accesses may not be granted
>> - * by only one rule, but by the union (binary OR) of multiple rules.
>> - * E.g. /a/b <execute> + /a <read> => /a/b <execute + read>
>> - */
>> - for (layer_level = 0; layer_level < rule->num_layers; layer_level++) {
>> - const struct landlock_layer *const layer =
>> - &rule->layers[layer_level];
>> - const layer_mask_t layer_bit = BIT_ULL(layer->level - 1);
>> - const unsigned long access_req = access_request;
>> - unsigned long access_bit;
>> - bool is_empty;
>> -
>> - /*
>> - * Records in @layer_masks which layer grants access to each
>> - * requested access.
>> - */
>> - is_empty = true;
>> - for_each_set_bit(access_bit, &access_req,
>> - ARRAY_SIZE(*layer_masks)) {
>> - if (layer->access & BIT_ULL(access_bit))
>> - (*layer_masks)[access_bit] &= ~layer_bit;
>> - is_empty = is_empty && !(*layer_masks)[access_bit];
>> - }
>> - if (is_empty)
>> - return true;
>> - }
>> - return false;
>> -}
>> -
>> /*
>> * Allows access to pseudo filesystems that will never be mountable (e.g.
>> * sockfs, pipefs), but can still be reachable through
>> @@ -303,37 +249,6 @@ get_handled_accesses(const struct landlock_ruleset *const domain)
>> return access_dom;
>> }
>>
>> -static inline access_mask_t
>> -init_layer_masks(const struct landlock_ruleset *const domain,
>> - const access_mask_t access_request,
>> - layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
>> -{
>> - access_mask_t handled_accesses = 0;
>> - size_t layer_level;
>> -
>> - memset(layer_masks, 0, sizeof(*layer_masks));
>> - /* An empty access request can happen because of O_WRONLY | O_RDWR. */
>> - if (!access_request)
>> - return 0;
>> -
>> - /* Saves all handled accesses per layer. */
>> - for (layer_level = 0; layer_level < domain->num_layers; layer_level++) {
>> - const unsigned long access_req = access_request;
>> - unsigned long access_bit;
>> -
>> - for_each_set_bit(access_bit, &access_req,
>> - ARRAY_SIZE(*layer_masks)) {
>> - if (landlock_get_fs_access_mask(domain, layer_level) &
>> - BIT_ULL(access_bit)) {
>> - (*layer_masks)[access_bit] |=
>> - BIT_ULL(layer_level);
>> - handled_accesses |= BIT_ULL(access_bit);
>> - }
>> - }
>> - }
>> - return handled_accesses;
>> -}
>> -
>> /*
>> * Check that a destination file hierarchy has more restrictions than a source
>> * file hierarchy. This is only used for link and rename actions.
>> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
>> index 3a5ef356aaa3..671a95e2a345 100644
>> --- a/security/landlock/ruleset.c
>> +++ b/security/landlock/ruleset.c
>> @@ -564,3 +564,87 @@ landlock_find_rule(const struct landlock_ruleset *const ruleset,
>> }
>> return NULL;
>> }
>> +
>> +/*
>> + * @layer_masks is read and may be updated according to the access request and
>> + * the matching rule.
>> + *
>> + * Returns true if the request is allowed (i.e. relevant layer masks for the
>> + * request are empty).
>> + */
>> +bool unmask_layers(const struct landlock_rule *const rule,
>> + const access_mask_t access_request,
>> + layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
>> +{
>> + size_t layer_level;
>> +
>> + if (!access_request || !layer_masks)
>> + return true;
>> + if (!rule)
>> + return false;
>> +
>> + /*
>> + * An access is granted if, for each policy layer, at least one rule
>> + * encountered on the pathwalk grants the requested access,
>> + * regardless of its position in the layer stack. We must then check
>> + * the remaining layers for each inode, from the first added layer to
>> + * the last one. When there is multiple requested accesses, for each
>> + * policy layer, the full set of requested accesses may not be granted
>> + * by only one rule, but by the union (binary OR) of multiple rules.
>> + * E.g. /a/b <execute> + /a <read> => /a/b <execute + read>
>> + */
>> + for (layer_level = 0; layer_level < rule->num_layers; layer_level++) {
>> + const struct landlock_layer *const layer =
>> + &rule->layers[layer_level];
>> + const layer_mask_t layer_bit = BIT_ULL(layer->level - 1);
>> + const unsigned long access_req = access_request;
>> + unsigned long access_bit;
>> + bool is_empty;
>> +
>> + /*
>> + * Records in @layer_masks which layer grants access to each
>> + * requested access.
>> + */
>> + is_empty = true;
>> + for_each_set_bit(access_bit, &access_req,
>> + ARRAY_SIZE(*layer_masks)) {
>> + if (layer->access & BIT_ULL(access_bit))
>> + (*layer_masks)[access_bit] &= ~layer_bit;
>> + is_empty = is_empty && !(*layer_masks)[access_bit];
>> + }
>> + if (is_empty)
>> + return true;
>> + }
>> + return false;
>> +}
>> +
>> +access_mask_t
>> +init_layer_masks(const struct landlock_ruleset *const domain,
>> + const access_mask_t access_request,
>> + layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
>> +{
>> + access_mask_t handled_accesses = 0;
>> + size_t layer_level;
>> +
>> + memset(layer_masks, 0, sizeof(*layer_masks));
>> + /* An empty access request can happen because of O_WRONLY | O_RDWR. */
>> + if (!access_request)
>> + return 0;
>> +
>> + /* Saves all handled accesses per layer. */
>> + for (layer_level = 0; layer_level < domain->num_layers; layer_level++) {
>> + const unsigned long access_req = access_request;
>> + unsigned long access_bit;
>> +
>> + for_each_set_bit(access_bit, &access_req,
>> + ARRAY_SIZE(*layer_masks)) {
>> + if (landlock_get_fs_access_mask(domain, layer_level) &
>> + BIT_ULL(access_bit)) {
>> + (*layer_masks)[access_bit] |=
>> + BIT_ULL(layer_level);
>> + handled_accesses |= BIT_ULL(access_bit);
>> + }
>> + }
>> + }
>> + return handled_accesses;
>> +}
>> diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
>> index bb1408cc8dd2..d7d9b987829c 100644
>> --- a/security/landlock/ruleset.h
>> +++ b/security/landlock/ruleset.h
>> @@ -235,4 +235,14 @@ landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
>> LANDLOCK_SHIFT_ACCESS_FS) &
>> LANDLOCK_MASK_ACCESS_FS;
>> }
>> +
>> +bool unmask_layers(const struct landlock_rule *const rule,
>> + const access_mask_t access_request,
>> + layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS]);
>> +
>> +access_mask_t
>> +init_layer_masks(const struct landlock_ruleset *const domain,
>> + const access_mask_t access_request,
>> + layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS]);
>> +
>> #endif /* _SECURITY_LANDLOCK_RULESET_H */
>> --
>> 2.25.1
>>
> .
next prev parent reply other threads:[~2022-09-10 16:50 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-29 17:03 [PATCH v7 00/18] Network support for Landlock Konstantin Meskhidze
2022-08-29 17:03 ` [PATCH v7 01/18] landlock: rename access mask Konstantin Meskhidze
2022-09-06 8:06 ` Mickaël Salaün
2022-09-09 10:42 ` Konstantin Meskhidze (A)
2022-09-12 17:16 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 02/18] landlock: refactor landlock_find_rule/insert_rule Konstantin Meskhidze
2022-09-06 8:07 ` Mickaël Salaün
2022-09-09 10:48 ` Konstantin Meskhidze (A)
2022-09-12 17:17 ` Mickaël Salaün
2022-10-12 8:37 ` Konstantin Meskhidze (A)
2022-10-12 10:06 ` Mickaël Salaün
2022-10-12 11:13 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 03/18] landlock: refactor merge/inherit_ruleset functions Konstantin Meskhidze
2022-09-06 8:07 ` Mickaël Salaün
2022-09-09 14:53 ` Konstantin Meskhidze (A)
2022-09-12 17:17 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 04/18] landlock: move helper functions Konstantin Meskhidze
2022-09-06 8:07 ` Mickaël Salaün
2022-09-10 16:50 ` Konstantin Meskhidze (A) [this message]
2022-08-29 17:03 ` [PATCH v7 05/18] landlock: refactor " Konstantin Meskhidze
2022-09-06 8:07 ` Mickaël Salaün
2022-09-10 17:20 ` Konstantin Meskhidze (A)
2022-09-12 17:18 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 06/18] landlock: refactor landlock_add_rule syscall Konstantin Meskhidze
2022-08-29 17:03 ` [PATCH v7 07/18] landlock: user space API network support Konstantin Meskhidze
2022-09-06 8:08 ` Mickaël Salaün
2022-09-10 17:25 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 08/18] landlock: add network rules support Konstantin Meskhidze
2022-09-06 8:08 ` Mickaël Salaün
2022-09-10 18:27 ` Konstantin Meskhidze (A)
2022-09-12 17:18 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 09/18] landlock: implement TCP network hooks Konstantin Meskhidze
2022-09-06 8:08 ` Mickaël Salaün
2022-09-10 20:28 ` Konstantin Meskhidze (A)
2022-09-12 17:18 ` Mickaël Salaün
2022-08-29 17:03 ` [PATCH v7 10/18] seltests/landlock: move helper function Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:29 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 11/18] seltests/landlock: add tests for bind() hooks Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:47 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 12/18] seltests/landlock: add tests for connect() hooks Konstantin Meskhidze
2022-08-29 17:03 ` [PATCH v7 13/18] seltests/landlock: add AF_UNSPEC family test Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:48 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 14/18] seltests/landlock: add rules overlapping test Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:49 ` Konstantin Meskhidze (A)
2022-08-29 17:03 ` [PATCH v7 15/18] seltests/landlock: add ruleset expanding test Konstantin Meskhidze
2022-08-29 17:03 ` [PATCH v7 16/18] seltests/landlock: add invalid input data test Konstantin Meskhidze
2022-09-06 8:09 ` Mickaël Salaün
2022-09-10 20:51 ` Konstantin Meskhidze (A)
2022-09-12 17:22 ` Mickaël Salaün
2022-10-10 10:37 ` Mickaël Salaün
2022-10-11 7:55 ` Konstantin Meskhidze (A)
2022-10-11 8:32 ` Mickaël Salaün
2022-08-29 17:04 ` [PATCH v7 17/18] samples/landlock: add network demo Konstantin Meskhidze
2022-09-06 8:10 ` Mickaël Salaün
2022-09-10 20:59 ` Konstantin Meskhidze (A)
2022-09-12 17:23 ` Mickaël Salaün
2022-08-29 17:04 ` [PATCH v7 18/18] landlock: Document Landlock's network support Konstantin Meskhidze
2022-09-06 8:12 ` Mickaël Salaün
2022-09-10 21:14 ` Konstantin Meskhidze (A)
2022-09-12 17:23 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=71a51eaa-7c6b-edfa-b397-2597c06b32db@huawei.com \
--to=konstantin.meskhidze@huawei.com \
--cc=anton.sirazetdinov@huawei.com \
--cc=gnoack3000@gmail.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).