Revision tags: v6.6.25, v6.6.24, v6.6.23, v6.6.16, v6.6.15, v6.6.14 |
|
#
854357db |
| 23-Jan-2024 |
Hu Yadi <hu.yadi@h3c.com> |
selftests/landlock: Fix fs_test build with old libc
[ Upstream commit 40b7835e74e0383be308d528c5e0e41b3bf72ade ]
One issue comes up while building selftest/landlock/fs_test on my side (gcc 7.3/glib
selftests/landlock: Fix fs_test build with old libc
[ Upstream commit 40b7835e74e0383be308d528c5e0e41b3bf72ade ]
One issue comes up while building selftest/landlock/fs_test on my side (gcc 7.3/glibc-2.28/kernel-4.19).
gcc -Wall -O2 -isystem fs_test.c -lcap -o selftests/landlock/fs_test fs_test.c:4575:9: error: initializer element is not constant .mnt = mnt_tmp, ^~~~~~~
Signed-off-by: Hu Yadi <hu.yadi@h3c.com> Suggested-by: Jiao <jiaoxupo@h3c.com> Reviewed-by: Berlin <berlin@h3c.com> Link: https://lore.kernel.org/r/20240124022908.42100-1-hu.yadi@h3c.com Fixes: 04f9070e99a4 ("selftests/landlock: Add tests for pseudo filesystems") [mic: Factor out mount's data string and make mnt_tmp static] Signed-off-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
show more ...
|
Revision tags: v6.6.13, v6.6.12, v6.6.11, v6.6.10, v6.6.9, v6.6.8, v6.6.7, v6.6.6, v6.6.5, v6.6.4, v6.6.3, v6.6.2, v6.5.11, v6.6.1, v6.5.10, v6.6, v6.5.9, v6.5.8, v6.5.7, v6.5.6, v6.5.5, v6.5.4, v6.5.3, v6.5.2, v6.1.51, v6.5.1, v6.1.50 |
|
#
2a201549 |
| 30-Aug-2023 |
Ding Xiang <dingxiang@cmss.chinamobile.com> |
selftests/landlock: Fix a resource leak
The opened file should be closed before return, otherwise resource leak will occur.
Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com> Link: https://
selftests/landlock: Fix a resource leak
The opened file should be closed before return, otherwise resource leak will occur.
Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com> Link: https://lore.kernel.org/r/20230830101148.3738-1-dingxiang@cmss.chinamobile.com Fixes: 3de64b656b3c ("selftests/landlock: Add supports_filesystem() helper") Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
Revision tags: v6.5, v6.1.49, v6.1.48, v6.1.46, v6.1.45, v6.1.44, v6.1.43, v6.1.42, v6.1.41, v6.1.40, v6.1.39, v6.1.38, v6.1.37, v6.1.36, v6.4, v6.1.35, v6.1.34 |
|
#
35ca4239 |
| 12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add hostfs tests
Add tests for the hostfs filesystems to make sure it has a consistent inode management, which is required for Landlock's file hierarchy identification. This add
selftests/landlock: Add hostfs tests
Add tests for the hostfs filesystems to make sure it has a consistent inode management, which is required for Landlock's file hierarchy identification. This adds 5 new tests for layout3_fs with the hostfs variant.
Add hostfs to the new (architecture-specific) config.um file.
The hostfs filesystem, only available for an User-Mode Linux kernel, is special because we cannot explicitly mount it. The layout3_fs.hostfs variant tests are skipped if the current test directory is not backed by this filesystem.
The layout3_fs.hostfs.tag_inode_dir_child and layout3_fs.hostfs.tag_inode_file tests pass thanks to a previous commit fixing hostfs inode management. Without this fix, the deny-by-default policy would apply and all access requests would be denied.
Link: https://lore.kernel.org/r/20230612191430.339153-7-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
04f9070e |
| 12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests for pseudo filesystems
Add generic and read-only tests for 6 pseudo filesystems to make sure they have a consistent inode management, which is required for Landlock's f
selftests/landlock: Add tests for pseudo filesystems
Add generic and read-only tests for 6 pseudo filesystems to make sure they have a consistent inode management, which is required for Landlock's file hierarchy identification: - tmpfs - ramfs - cgroup2 - proc - sysfs
Update related kernel configuration to support these new filesystems, remove useless CONFIG_SECURITY_PATH, and sort all entries. If these filesystems are not supported by the kernel running tests, the related tests are skipped.
Expanding variants, this adds 25 new tests for layout3_fs: - tag_inode_dir_parent - tag_inode_dir_mnt - tag_inode_dir_child - tag_inode_dir_file - release_inodes
Test coverage for security/landlock with kernel debug code: - 94.7% of 835 lines according to gcc/gcov-12 - 93.0% of 852 lines according to gcc/gcov-13
Test coverage for security/landlock without kernel debug code: - 95.5% of 624 lines according to gcc/gcov-12 - 93.1% of 641 lines according to gcc/gcov-13
Link: https://lore.kernel.org/r/20230612191430.339153-6-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
55ab3fbe |
| 12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Make mounts configurable
Add a new struct mnt_opt to define a mount point with the mount_opt() helper. This doesn't change tests but prepare for the next commit.
Link: https://
selftests/landlock: Make mounts configurable
Add a new struct mnt_opt to define a mount point with the mount_opt() helper. This doesn't change tests but prepare for the next commit.
Link: https://lore.kernel.org/r/20230612191430.339153-5-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
3de64b65 |
| 12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add supports_filesystem() helper
Replace supports_overlayfs() with supports_filesystem() to be able to check several filesystems. This will be useful in a following commit.
Onl
selftests/landlock: Add supports_filesystem() helper
Replace supports_overlayfs() with supports_filesystem() to be able to check several filesystems. This will be useful in a following commit.
Only check for overlay filesystem once in the setup step, and then rely on self->skip_test.
Cc: Guenter Roeck <groeck@chromium.org> Cc: Jeff Xu <jeffxu@google.com> Link: https://lore.kernel.org/r/20230612191430.339153-4-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
592efeb4 |
| 12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Don't create useless file layouts
Add and use a layout0 test fixture to not populate the tmpfs filesystem if it is not required for tests: unknown_access_rights, proc_nsfs, unpri
selftests/landlock: Don't create useless file layouts
Add and use a layout0 test fixture to not populate the tmpfs filesystem if it is not required for tests: unknown_access_rights, proc_nsfs, unpriv and max_layers.
This doesn't change these tests but it speeds up their setup and makes them less prone to error. This prepare the ground for a next commit.
Link: https://lore.kernel.org/r/20230612191430.339153-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
Revision tags: v6.1.33, v6.1.32, v6.1.31, v6.1.30, v6.1.29, v6.1.28, v6.1.27, v6.1.26, v6.3, v6.1.25, v6.1.24, v6.1.23, v6.1.22, v6.1.21, v6.1.20, v6.1.19, v6.1.18, v6.1.17, v6.1.16, v6.1.15, v6.1.14, v6.1.13, v6.2, v6.1.12, v6.1.11, v6.1.10, v6.1.9, v6.1.8, v6.1.7, v6.1.6 |
|
#
366617a6 |
| 12-Jan-2023 |
Jeff Xu <jeffxu@google.com> |
selftests/landlock: Skip overlayfs tests when not supported
overlayfs may be disabled in the kernel configuration, causing related tests to fail. Check that overlayfs is supported at runtime, so we
selftests/landlock: Skip overlayfs tests when not supported
overlayfs may be disabled in the kernel configuration, causing related tests to fail. Check that overlayfs is supported at runtime, so we can skip layout2_overlay.* accordingly.
Signed-off-by: Jeff Xu <jeffxu@google.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230113053229.1281774-2-jeffxu@google.com [mic: Reword comments and constify variables] Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
Revision tags: v6.1.5, v6.0.19, v6.0.18, v6.1.4, v6.1.3, v6.0.17, v6.1.2, v6.0.16, v6.1.1, v6.0.15, v6.0.14, v6.0.13, v6.1, v6.0.12, v6.0.11, v6.0.10, v5.15.80, v6.0.9, v5.15.79, v6.0.8, v5.15.78, v6.0.7, v5.15.77, v5.15.76, v6.0.6, v6.0.5, v5.15.75, v6.0.4, v6.0.3 |
|
#
0d8c658b |
| 18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
selftests/landlock: Test ftruncate on FDs created by memfd_create(2)
All file descriptors that are truncatable need to have the Landlock access rights set correctly on the file's Landlock security b
selftests/landlock: Test ftruncate on FDs created by memfd_create(2)
All file descriptors that are truncatable need to have the Landlock access rights set correctly on the file's Landlock security blob. This is also the case for files that are opened by other means than open(2).
Test coverage for security/landlock is 94.7% of 838 lines according to gcc/gcov-11.
Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-10-gnoack3000@gmail.com [mic: Add test coverage in commit message] Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
a1a202a5 |
| 18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
selftests/landlock: Test FD passing from restricted to unrestricted processes
A file descriptor created in a restricted process carries Landlock restrictions with it which will apply even if the sam
selftests/landlock: Test FD passing from restricted to unrestricted processes
A file descriptor created in a restricted process carries Landlock restrictions with it which will apply even if the same opened file is used from an unrestricted process.
This change extracts suitable FD-passing helpers from base_test.c and moves them to common.h. We use the fixture variants from the ftruncate fixture to exercise the same scenarios as in the open_and_ftruncate test, but doing the Landlock restriction and open() in a different process than the ftruncate() call.
Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-9-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
41729af2 |
| 18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
selftests/landlock: Test open() and ftruncate() in multiple scenarios
This test uses multiple fixture variants to exercise a broader set of scnenarios.
Signed-off-by: Günther Noack <gnoack3000@gmai
selftests/landlock: Test open() and ftruncate() in multiple scenarios
This test uses multiple fixture variants to exercise a broader set of scnenarios.
Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-7-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
225351ab |
| 18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
selftests/landlock: Test file truncation support
These tests exercise the following truncation operations:
* truncate() (truncate by path) * ftruncate() (truncate by file descriptor) * open with th
selftests/landlock: Test file truncation support
These tests exercise the following truncation operations:
* truncate() (truncate by path) * ftruncate() (truncate by file descriptor) * open with the O_TRUNC flag * special case: creat(), which is open with O_CREAT|O_WRONLY|O_TRUNC.
in the following scenarios:
* Files with read, write and truncate rights. * Files with read and truncate rights. * Files with the truncate right. * Files without the truncate right.
In particular, the following scenarios are enforced with the test:
* open() with O_TRUNC requires the truncate right, if it truncates a file. open() already checks security_path_truncate() in this case, and it required no additional check in the Landlock LSM's file_open hook. * creat() requires the truncate right when called with an existing filename. * creat() does *not* require the truncate right when it's creating a new file. * ftruncate() requires that the file was opened by a thread that had the truncate right for the file at the time of open(). (The rights are carried along with the opened file.)
Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-6-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
b9f5ce27 |
| 18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
landlock: Support file truncation
Introduce the LANDLOCK_ACCESS_FS_TRUNCATE flag for file truncation.
This flag hooks into the path_truncate, file_truncate and file_alloc_security LSM hooks and cov
landlock: Support file truncation
Introduce the LANDLOCK_ACCESS_FS_TRUNCATE flag for file truncation.
This flag hooks into the path_truncate, file_truncate and file_alloc_security LSM hooks and covers file truncation using truncate(2), ftruncate(2), open(2) with O_TRUNC, as well as creat().
This change also increments the Landlock ABI version, updates corresponding selftests, and updates code documentation to document the flag.
In security/security.c, allocate security blobs at pointer-aligned offsets. This fixes the problem where one LSM's security blob can shift another LSM's security blob to an unaligned address (reported by Nathan Chancellor).
The following operations are restricted:
open(2): requires the LANDLOCK_ACCESS_FS_TRUNCATE right if a file gets implicitly truncated as part of the open() (e.g. using O_TRUNC).
Notable special cases: * open(..., O_RDONLY|O_TRUNC) can truncate files as well in Linux * open() with O_TRUNC does *not* need the TRUNCATE right when it creates a new file.
truncate(2) (on a path): requires the LANDLOCK_ACCESS_FS_TRUNCATE right.
ftruncate(2) (on a file): requires that the file had the TRUNCATE right when it was previously opened. File descriptors acquired by other means than open(2) (e.g. memfd_create(2)) continue to support truncation with ftruncate(2).
Cc: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Günther Noack <gnoack3000@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> (LSM) Link: https://lore.kernel.org/r/20221018182216.301684-5-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
Revision tags: v6.0.2, v5.15.74, v5.15.73, v6.0.1, v5.15.72, v6.0, v5.15.71, v5.15.70, v5.15.69, v5.15.68, v5.15.67, v5.15.66, v5.15.65 |
|
#
55e55920 |
| 31-Aug-2022 |
Mickaël Salaün <mic@digikod.net> |
landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER
This change fixes a mis-handling of the LANDLOCK_ACCESS_FS_REFER right when multiple rulesets/domains are stacked. The expect
landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER
This change fixes a mis-handling of the LANDLOCK_ACCESS_FS_REFER right when multiple rulesets/domains are stacked. The expected behaviour was that an additional ruleset can only restrict the set of permitted operations, but in this particular case, it was potentially possible to re-gain the LANDLOCK_ACCESS_FS_REFER right.
With the introduction of LANDLOCK_ACCESS_FS_REFER, we added the first globally denied-by-default access right. Indeed, this lifted an initial Landlock limitation to rename and link files, which was initially always denied when the source or the destination were different directories.
This led to an inconsistent backward compatibility behavior which was only taken into account if no domain layer were using the new LANDLOCK_ACCESS_FS_REFER right. However, when restricting a thread with a new ruleset handling LANDLOCK_ACCESS_FS_REFER, all inherited parent rulesets/layers not explicitly handling LANDLOCK_ACCESS_FS_REFER would behave as if they were handling this access right and with all their rules allowing it. This means that renaming and linking files could became allowed by these parent layers, but all the other required accesses must also be granted: all layers must allow file removal or creation, and renaming and linking operations cannot lead to privilege escalation according to the Landlock policy. See detailed explanation in commit b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER").
To say it another way, this bug may lift the renaming and linking limitations of the initial Landlock version, and a same ruleset can enforce different restrictions depending on previous or next enforced ruleset (i.e. inconsistent behavior). The LANDLOCK_ACCESS_FS_REFER right cannot give access to data not already allowed, but this doesn't follow the contract of the first Landlock ABI. This fix puts back the limitation for sandboxes that didn't opt-in for this additional right.
For instance, if a first ruleset allows LANDLOCK_ACCESS_FS_MAKE_REG on /dst and LANDLOCK_ACCESS_FS_REMOVE_FILE on /src, renaming /src/file to /dst/file is denied. However, without this fix, stacking a new ruleset which allows LANDLOCK_ACCESS_FS_REFER on / would now permit the sandboxed thread to rename /src/file to /dst/file .
This change fixes the (absolute) rule access rights, which now always forbid LANDLOCK_ACCESS_FS_REFER except when it is explicitly allowed when creating a rule.
Making all domain handle LANDLOCK_ACCESS_FS_REFER was an initial approach but there is two downsides: * it makes the code more complex because we still want to check that a rule allowing LANDLOCK_ACCESS_FS_REFER is legitimate according to the ruleset's handled access rights (i.e. ABI v1 != ABI v2); * it would not allow to identify if the user created a ruleset explicitly handling LANDLOCK_ACCESS_FS_REFER or not, which will be an issue to audit Landlock.
Instead, this change adds an ACCESS_INITIALLY_DENIED list of denied-by-default rights, which (only) contains LANDLOCK_ACCESS_FS_REFER. All domains are treated as if they are also handling this list, but without modifying their fs_access_masks field.
A side effect is that the errno code returned by rename(2) or link(2) *may* be changed from EXDEV to EACCES according to the enforced restrictions. Indeed, we now have the mechanic to identify if an access is denied because of a required right (e.g. LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_REMOVE_FILE) or if it is denied because of missing LANDLOCK_ACCESS_FS_REFER rights. This may result in different errno codes than for the initial Landlock version, but this approach is more consistent and better for rename/link compatibility reasons, and it wasn't possible before (hence no backport to ABI v1). The layout1.rename_file test reflects this change.
Add 4 layout1.refer_denied_by_default* test suites to check that the behavior of a ruleset not handling LANDLOCK_ACCESS_FS_REFER (ABI v1) is unchanged even if another layer handles LANDLOCK_ACCESS_FS_REFER (i.e. ABI v1 precedence). Make sure rule's absolute access rights are correct by testing with and without a matching path. Add test_rename() and test_exchange() helpers.
Extend layout1.inval tests to check that a denied-by-default access right is not necessarily part of a domain's handled access rights.
Test coverage for security/landlock is 95.3% of 599 lines according to gcc/gcov-11.
Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER") Reviewed-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20220831203840.1370732-1-mic@digikod.net Cc: stable@vger.kernel.org [mic: Constify and slightly simplify test helpers] Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
Revision tags: v5.15.64, v5.15.63, v5.15.62, v5.15.61, v5.15.60, v5.15.59, v5.19, v5.15.58, v5.15.57, v5.15.56, v5.15.55, v5.15.54, v5.15.53, v5.15.52, v5.15.51, v5.15.50, v5.15.49, v5.15.48, v5.15.47, v5.15.46, v5.15.45, v5.15.44, v5.15.43, v5.15.42, v5.18, v5.15.41, v5.15.40, v5.15.39, v5.15.38 |
|
#
f4056b92 |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add 11 new test suites dedicated to file reparenting
These test suites try to check all edge cases for directory and file renaming or linking involving a new parent directory, wi
selftests/landlock: Add 11 new test suites dedicated to file reparenting
These test suites try to check all edge cases for directory and file renaming or linking involving a new parent directory, with and without LANDLOCK_ACCESS_FS_REFER and other access rights.
layout1: * reparent_refer: Tests simple FS_REFER usage. * reparent_link: Tests a mix of FS_MAKE_REG and FS_REFER with links. * reparent_rename: Tests a mix of FS_MAKE_REG and FS_REFER with renames and RENAME_EXCHANGE. * reparent_exdev_layers_rename1/2: Tests renames with two layers. * reparent_exdev_layers_exchange1/2/3: Tests exchanges with two layers. * reparent_remove: Tests file and directory removal with rename. * reparent_dom_superset: Tests access partial ordering.
layout1_bind: * reparent_cross_mount: Tests FS_REFER propagation across mount points.
Test coverage for security/landlock is 95.4% of 604 lines according to gcc/gcov-11.
Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20220506161102.525323-9-mic@digikod.net
show more ...
|
#
b91c3e4e |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy writers to allow sandboxed processes to link and rename file
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy writers to allow sandboxed processes to link and rename files from and to a specific set of file hierarchies. This access right should be composed with LANDLOCK_ACCESS_FS_MAKE_* for the destination of a link or rename, and with LANDLOCK_ACCESS_FS_REMOVE_* for a source of a rename. This lift a Landlock limitation that always denied changing the parent of an inode.
Renaming or linking to the same directory is still always allowed, whatever LANDLOCK_ACCESS_FS_REFER is used or not, because it is not considered a threat to user data.
However, creating multiple links or renaming to a different parent directory may lead to privilege escalations if not handled properly. Indeed, we must be sure that the source doesn't gain more privileges by being accessible from the destination. This is handled by making sure that the source hierarchy (including the referenced file or directory itself) restricts at least as much the destination hierarchy. If it is not the case, an EXDEV error is returned, making it potentially possible for user space to copy the file hierarchy instead of moving or linking it.
Instead of creating different access rights for the source and the destination, we choose to make it simple and consistent for users. Indeed, considering the previous constraint, it would be weird to require such destination access right to be also granted to the source (to make it a superset). Moreover, RENAME_EXCHANGE would also add to the confusion because of paths being both a source and a destination.
See the provided documentation for additional details.
New tests are provided with a following commit.
Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20220506161102.525323-8-mic@digikod.net
show more ...
|
#
8ba0005f |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
landlock: Fix same-layer rule unions
The original behavior was to check if the full set of requested accesses was allowed by at least a rule of every relevant layer. This didn't take into account r
landlock: Fix same-layer rule unions
The original behavior was to check if the full set of requested accesses was allowed by at least a rule of every relevant layer. This didn't take into account requests for multiple accesses and same-layer rules allowing the union of these accesses in a complementary way. As a result, multiple accesses requested on a file hierarchy matching rules that, together, allowed these accesses, but without a unique rule allowing all of them, was illegitimately denied. This case should be rare in practice and it can only be triggered by the path_rename or file_open hook implementations.
For instance, if, for the same layer, a rule allows execution beneath /a/b and another rule allows read beneath /a, requesting access to read and execute at the same time for /a/b should be allowed for this layer.
This was an inconsistency because the union of same-layer rule accesses was already allowed if requested once at a time anyway.
This fix changes the way allowed accesses are gathered over a path walk. To take into account all these rule accesses, we store in a matrix all layer granting the set of requested accesses, according to the handled accesses. To avoid heap allocation, we use an array on the stack which is 2*13 bytes. A following commit bringing the LANDLOCK_ACCESS_FS_REFER access right will increase this size to reach 112 bytes (2*14*4) in case of link or rename actions.
Add a new layout1.layer_rule_unions test to check that accesses from different rules pertaining to the same layer are ORed in a file hierarchy. Also test that it is not the case for rules from different layers.
Reviewed-by: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20220506161102.525323-5-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
75c542d6 |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
landlock: Reduce the maximum number of layers to 16
The maximum number of nested Landlock domains is currently 64. Because of the following fix and to help reduce the stack size, let's reduce it to
landlock: Reduce the maximum number of layers to 16
The maximum number of nested Landlock domains is currently 64. Because of the following fix and to help reduce the stack size, let's reduce it to 16. This seems large enough for a lot of use cases (e.g. sandboxed init service, spawning a sandboxed SSH service, in nested sandboxed containers). Reducing the number of nested domains may also help to discover misuse of Landlock (e.g. creating a domain per rule).
Add and use a dedicated layer_mask_t typedef to fit with the number of layers. This might be useful when changing it and to keep it consistent with the maximum number of layers.
Reviewed-by: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20220506161102.525323-3-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
d1788ad9 |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests for O_PATH
The O_PATH flag is currently not handled by Landlock. Let's make sure this behavior will remain consistent with the same ruleset over time.
Cc: Shuah Khan
selftests/landlock: Add tests for O_PATH
The O_PATH flag is currently not handled by Landlock. Let's make sure this behavior will remain consistent with the same ruleset over time.
Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-8-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
6a1bdd4a |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Fully test file rename with "remove" access
These tests were missing to check the check_access_path() call with all combinations of maybe_remove(old_dentry) and maybe_remove(new_
selftests/landlock: Fully test file rename with "remove" access
These tests were missing to check the check_access_path() call with all combinations of maybe_remove(old_dentry) and maybe_remove(new_dentry).
Extend layout1.link with a new complementary test and check that REMOVE_FILE is not required to link a file.
Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-7-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
d18955d0 |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Extend access right tests to directories
Make sure that all filesystem access rights can be tied to directories.
Rename layout1.file_access_rights to layout1.file_and_dir_access
selftests/landlock: Extend access right tests to directories
Make sure that all filesystem access rights can be tied to directories.
Rename layout1.file_access_rights to layout1.file_and_dir_access_rights to reflect this change.
Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-6-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
c56b3bf5 |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests for unknown access rights
Make sure that trying to use unknown access rights returns an error.
Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/202205
selftests/landlock: Add tests for unknown access rights
Make sure that trying to use unknown access rights returns an error.
Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-5-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
87129ef1 |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Make tests build with old libc
Replace SYS_<syscall> with __NR_<syscall>. Using the __NR_<syscall> notation, provided by UAPI, is useful to build tests on systems without the SY
selftests/landlock: Make tests build with old libc
Replace SYS_<syscall> with __NR_<syscall>. Using the __NR_<syscall> notation, provided by UAPI, is useful to build tests on systems without the SYS_<syscall> definitions.
Replace SYS_pivot_root with __NR_pivot_root, and SYS_move_mount with __NR_move_mount.
Define renameat2() and RENAME_EXCHANGE if they are unknown to old build systems.
Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-3-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
371183fa |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Format with clang-format
Let's follow a consistent and documented coding style. Everything may not be to our liking but it is better than tacit knowledge. Moreover, this will h
selftests/landlock: Format with clang-format
Let's follow a consistent and documented coding style. Everything may not be to our liking but it is better than tacit knowledge. Moreover, this will help maintain style consistency between different developers.
This contains only whitespace changes.
Automatically formatted with: clang-format-14 -i tools/testing/selftests/landlock/*.[ch]
Link: https://lore.kernel.org/r/20220506160513.523257-6-mic@digikod.net Cc: stable@vger.kernel.org [mic: Update style according to https://lore.kernel.org/r/02494cb8-2aa5-1769-f28d-d7206f284e5a@digikod.net] Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|
#
135464f9 |
| 06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Normalize array assignment
Add a comma after each array value to make clang-format keep the current array formatting. See the following commit.
Automatically modified with: sed
selftests/landlock: Normalize array assignment
Add a comma after each array value to make clang-format keep the current array formatting. See the following commit.
Automatically modified with: sed -i 's/\t\({}\|NULL\)$/\0,/' tools/testing/selftests/landlock/fs_test.c
Link: https://lore.kernel.org/r/20220506160513.523257-5-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
show more ...
|