diff mbox series

[v4,6/7] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL

Message ID 20231103155717.78042-7-gnoack@google.com (mailing list archive)
State Handled Elsewhere
Headers show
Series Landlock: IOCTL support | expand

Commit Message

Günther Noack Nov. 3, 2023, 3:57 p.m. UTC 
Add ioctl support to the Landlock sample tool.

The ioctl right is grouped with the read-write rights in the sample
tool, as some ioctl requests provide features that mutate state.

Signed-off-by: Günther Noack <gnoack@google.com>
---
 samples/landlock/sandboxer.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Comments

kernel test robot Nov. 4, 2023, 1:50 a.m. UTC | #1 
Hi Günther,

kernel test robot noticed the following build errors:

[auto build test ERROR on f12f8f84509a084399444c4422661345a15cc713]

url:    https://github.com/intel-lab-lkp/linux/commits/G-nther-Noack/landlock-Optimize-the-number-of-calls-to-get_access_mask-slightly/20231104-000659
base:   f12f8f84509a084399444c4422661345a15cc713
patch link:    https://lore.kernel.org/r/20231103155717.78042-7-gnoack%40google.com
patch subject: [PATCH v4 6/7] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL
config: x86_64-randconfig-011-20231104 (https://download.01.org/0day-ci/archive/20231104/202311040923.tlGduM5r-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20231104/202311040923.tlGduM5r-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202311040923.tlGduM5r-lkp@intel.com/

All error/warnings (new ones prefixed by >>):

   samples/landlock/sandboxer.c: In function 'main':
>> samples/landlock/sandboxer.c:332:2: error: duplicate case value
     332 |  case LANDLOCK_ABI_LAST:
         |  ^~~~
   samples/landlock/sandboxer.c:322:2: note: previously used here
     322 |  case 4:
         |  ^~~~
>> samples/landlock/sandboxer.c:331:3: warning: attribute 'fallthrough' not preceding a case label or default label
     331 |   __attribute__((fallthrough));
         |   ^~~~~~~~~~~~~


vim +332 samples/landlock/sandboxer.c

903cfe8a7aa889 Mickaël Salaün       2022-09-23  209  
ba84b0bf5a164f Mickaël Salaün       2021-04-22  210  int main(const int argc, char *const argv[], char *const *const envp)
ba84b0bf5a164f Mickaël Salaün       2021-04-22  211  {
ba84b0bf5a164f Mickaël Salaün       2021-04-22  212  	const char *cmd_path;
ba84b0bf5a164f Mickaël Salaün       2021-04-22  213  	char *const *cmd_argv;
76b902f874ff4d Mickaël Salaün       2022-05-06  214  	int ruleset_fd, abi;
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  215  	char *env_port_name;
76b902f874ff4d Mickaël Salaün       2022-05-06  216  	__u64 access_fs_ro = ACCESS_FS_ROUGHLY_READ,
76b902f874ff4d Mickaël Salaün       2022-05-06  217  	      access_fs_rw = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE;
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  218  
ba84b0bf5a164f Mickaël Salaün       2021-04-22  219  	struct landlock_ruleset_attr ruleset_attr = {
76b902f874ff4d Mickaël Salaün       2022-05-06  220  		.handled_access_fs = access_fs_rw,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  221  		.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  222  				      LANDLOCK_ACCESS_NET_CONNECT_TCP,
ba84b0bf5a164f Mickaël Salaün       2021-04-22  223  	};
ba84b0bf5a164f Mickaël Salaün       2021-04-22  224  
ba84b0bf5a164f Mickaël Salaün       2021-04-22  225  	if (argc < 2) {
81709f3dccacf4 Mickaël Salaün       2022-05-06  226  		fprintf(stderr,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  227  			"usage: %s=\"...\" %s=\"...\" %s=\"...\" %s=\"...\"%s "
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  228  			"<cmd> [args]...\n\n",
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  229  			ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  230  			ENV_TCP_CONNECT_NAME, argv[0]);
81709f3dccacf4 Mickaël Salaün       2022-05-06  231  		fprintf(stderr,
81709f3dccacf4 Mickaël Salaün       2022-05-06  232  			"Launch a command in a restricted environment.\n\n");
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  233  		fprintf(stderr,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  234  			"Environment variables containing paths and ports "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  235  			"each separated by a colon:\n");
81709f3dccacf4 Mickaël Salaün       2022-05-06  236  		fprintf(stderr,
81709f3dccacf4 Mickaël Salaün       2022-05-06  237  			"* %s: list of paths allowed to be used in a read-only way.\n",
ba84b0bf5a164f Mickaël Salaün       2021-04-22  238  			ENV_FS_RO_NAME);
81709f3dccacf4 Mickaël Salaün       2022-05-06  239  		fprintf(stderr,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  240  			"* %s: list of paths allowed to be used in a read-write way.\n\n",
ba84b0bf5a164f Mickaël Salaün       2021-04-22  241  			ENV_FS_RW_NAME);
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  242  		fprintf(stderr,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  243  			"Environment variables containing ports are optional "
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  244  			"and could be skipped.\n");
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  245  		fprintf(stderr,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  246  			"* %s: list of ports allowed to bind (server).\n",
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  247  			ENV_TCP_BIND_NAME);
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  248  		fprintf(stderr,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  249  			"* %s: list of ports allowed to connect (client).\n",
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  250  			ENV_TCP_CONNECT_NAME);
81709f3dccacf4 Mickaël Salaün       2022-05-06  251  		fprintf(stderr,
81709f3dccacf4 Mickaël Salaün       2022-05-06  252  			"\nexample:\n"
ba84b0bf5a164f Mickaël Salaün       2021-04-22  253  			"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  254  			"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  255  			"%s=\"9418\" "
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  256  			"%s=\"80:443\" "
903cfe8a7aa889 Mickaël Salaün       2022-09-23  257  			"%s bash -i\n\n",
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  258  			ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  259  			ENV_TCP_CONNECT_NAME, argv[0]);
903cfe8a7aa889 Mickaël Salaün       2022-09-23  260  		fprintf(stderr,
903cfe8a7aa889 Mickaël Salaün       2022-09-23  261  			"This sandboxer can use Landlock features "
903cfe8a7aa889 Mickaël Salaün       2022-09-23  262  			"up to ABI version %d.\n",
903cfe8a7aa889 Mickaël Salaün       2022-09-23  263  			LANDLOCK_ABI_LAST);
ba84b0bf5a164f Mickaël Salaün       2021-04-22  264  		return 1;
ba84b0bf5a164f Mickaël Salaün       2021-04-22  265  	}
ba84b0bf5a164f Mickaël Salaün       2021-04-22  266  
76b902f874ff4d Mickaël Salaün       2022-05-06  267  	abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
76b902f874ff4d Mickaël Salaün       2022-05-06  268  	if (abi < 0) {
ba84b0bf5a164f Mickaël Salaün       2021-04-22  269  		const int err = errno;
ba84b0bf5a164f Mickaël Salaün       2021-04-22  270  
76b902f874ff4d Mickaël Salaün       2022-05-06  271  		perror("Failed to check Landlock compatibility");
ba84b0bf5a164f Mickaël Salaün       2021-04-22  272  		switch (err) {
ba84b0bf5a164f Mickaël Salaün       2021-04-22  273  		case ENOSYS:
81709f3dccacf4 Mickaël Salaün       2022-05-06  274  			fprintf(stderr,
81709f3dccacf4 Mickaël Salaün       2022-05-06  275  				"Hint: Landlock is not supported by the current kernel. "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  276  				"To support it, build the kernel with "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  277  				"CONFIG_SECURITY_LANDLOCK=y and prepend "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  278  				"\"landlock,\" to the content of CONFIG_LSM.\n");
ba84b0bf5a164f Mickaël Salaün       2021-04-22  279  			break;
ba84b0bf5a164f Mickaël Salaün       2021-04-22  280  		case EOPNOTSUPP:
81709f3dccacf4 Mickaël Salaün       2022-05-06  281  			fprintf(stderr,
81709f3dccacf4 Mickaël Salaün       2022-05-06  282  				"Hint: Landlock is currently disabled. "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  283  				"It can be enabled in the kernel configuration by "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  284  				"prepending \"landlock,\" to the content of CONFIG_LSM, "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  285  				"or at boot time by setting the same content to the "
ba84b0bf5a164f Mickaël Salaün       2021-04-22  286  				"\"lsm\" kernel parameter.\n");
ba84b0bf5a164f Mickaël Salaün       2021-04-22  287  			break;
ba84b0bf5a164f Mickaël Salaün       2021-04-22  288  		}
ba84b0bf5a164f Mickaël Salaün       2021-04-22  289  		return 1;
ba84b0bf5a164f Mickaël Salaün       2021-04-22  290  	}
903cfe8a7aa889 Mickaël Salaün       2022-09-23  291  
76b902f874ff4d Mickaël Salaün       2022-05-06  292  	/* Best-effort security. */
903cfe8a7aa889 Mickaël Salaün       2022-09-23  293  	switch (abi) {
903cfe8a7aa889 Mickaël Salaün       2022-09-23  294  	case 1:
f6e53fb2d7bd70 Günther Noack        2022-11-07  295  		/*
f6e53fb2d7bd70 Günther Noack        2022-11-07  296  		 * Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2
f6e53fb2d7bd70 Günther Noack        2022-11-07  297  		 *
f6e53fb2d7bd70 Günther Noack        2022-11-07  298  		 * Note: The "refer" operations (file renaming and linking
f6e53fb2d7bd70 Günther Noack        2022-11-07  299  		 * across different directories) are always forbidden when using
f6e53fb2d7bd70 Günther Noack        2022-11-07  300  		 * Landlock with ABI 1.
f6e53fb2d7bd70 Günther Noack        2022-11-07  301  		 *
f6e53fb2d7bd70 Günther Noack        2022-11-07  302  		 * If only ABI 1 is available, this sandboxer knowingly forbids
f6e53fb2d7bd70 Günther Noack        2022-11-07  303  		 * refer operations.
f6e53fb2d7bd70 Günther Noack        2022-11-07  304  		 *
f6e53fb2d7bd70 Günther Noack        2022-11-07  305  		 * If a program *needs* to do refer operations after enabling
f6e53fb2d7bd70 Günther Noack        2022-11-07  306  		 * Landlock, it can not use Landlock at ABI level 1.  To be
f6e53fb2d7bd70 Günther Noack        2022-11-07  307  		 * compatible with different kernel versions, such programs
f6e53fb2d7bd70 Günther Noack        2022-11-07  308  		 * should then fall back to not restrict themselves at all if
f6e53fb2d7bd70 Günther Noack        2022-11-07  309  		 * the running kernel only supports ABI 1.
f6e53fb2d7bd70 Günther Noack        2022-11-07  310  		 */
903cfe8a7aa889 Mickaël Salaün       2022-09-23  311  		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
faeb9197669c23 Günther Noack        2022-10-18  312  		__attribute__((fallthrough));
faeb9197669c23 Günther Noack        2022-10-18  313  	case 2:
faeb9197669c23 Günther Noack        2022-10-18  314  		/* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
faeb9197669c23 Günther Noack        2022-10-18  315  		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  316  		__attribute__((fallthrough));
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  317  	case 3:
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  318  		/* Removes network support for ABI < 4 */
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  319  		ruleset_attr.handled_access_net &=
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  320  			~(LANDLOCK_ACCESS_NET_BIND_TCP |
5e990dcef12eeb Konstantin Meskhidze 2023-10-26  321  			  LANDLOCK_ACCESS_NET_CONNECT_TCP);
c5aa323f1f3126 Günther Noack        2023-11-03  322  	case 4:
c5aa323f1f3126 Günther Noack        2023-11-03  323  		/* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 5 */
c5aa323f1f3126 Günther Noack        2023-11-03  324  		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL;
c5aa323f1f3126 Günther Noack        2023-11-03  325  
903cfe8a7aa889 Mickaël Salaün       2022-09-23  326  		fprintf(stderr,
903cfe8a7aa889 Mickaël Salaün       2022-09-23  327  			"Hint: You should update the running kernel "
903cfe8a7aa889 Mickaël Salaün       2022-09-23  328  			"to leverage Landlock features "
903cfe8a7aa889 Mickaël Salaün       2022-09-23  329  			"provided by ABI version %d (instead of %d).\n",
903cfe8a7aa889 Mickaël Salaün       2022-09-23  330  			LANDLOCK_ABI_LAST, abi);
903cfe8a7aa889 Mickaël Salaün       2022-09-23 @331  		__attribute__((fallthrough));
903cfe8a7aa889 Mickaël Salaün       2022-09-23 @332  	case LANDLOCK_ABI_LAST:
Mickaël Salaün Nov. 16, 2023, 9:50 p.m. UTC | #2 
On Fri, Nov 03, 2023 at 04:57:16PM +0100, Günther Noack wrote:
> Add ioctl support to the Landlock sample tool.
> 
> The ioctl right is grouped with the read-write rights in the sample
> tool, as some ioctl requests provide features that mutate state.
> 
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
>  samples/landlock/sandboxer.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> index 08596c0ef070..a4b2bebaf203 100644
> --- a/samples/landlock/sandboxer.c
> +++ b/samples/landlock/sandboxer.c
> @@ -81,7 +81,8 @@ static int parse_path(char *env_path, const char ***const path_list)
>  	LANDLOCK_ACCESS_FS_EXECUTE | \
>  	LANDLOCK_ACCESS_FS_WRITE_FILE | \
>  	LANDLOCK_ACCESS_FS_READ_FILE | \
> -	LANDLOCK_ACCESS_FS_TRUNCATE)
> +	LANDLOCK_ACCESS_FS_TRUNCATE | \
> +	LANDLOCK_ACCESS_FS_IOCTL)
>  
>  /* clang-format on */
>  
> @@ -199,7 +200,8 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd,
>  	LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
>  	LANDLOCK_ACCESS_FS_MAKE_SYM | \
>  	LANDLOCK_ACCESS_FS_REFER | \
> -	LANDLOCK_ACCESS_FS_TRUNCATE)
> +	LANDLOCK_ACCESS_FS_TRUNCATE | \
> +	LANDLOCK_ACCESS_FS_IOCTL)
>  
>  /* clang-format on */
>  

#define LANDLOCK_ABI_LAST 5

> @@ -317,6 +319,10 @@ int main(const int argc, char *const argv[], char *const *const envp)
>  		ruleset_attr.handled_access_net &=
>  			~(LANDLOCK_ACCESS_NET_BIND_TCP |
>  			  LANDLOCK_ACCESS_NET_CONNECT_TCP);

__attribute__((fallthrough));

> +	case 4:
> +		/* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 5 */
> +		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL;
> +
>  		fprintf(stderr,
>  			"Hint: You should update the running kernel "
>  			"to leverage Landlock features "
> -- 
> 2.42.0.869.gea05f2083d-goog
>
Günther Noack Nov. 17, 2023, 10:52 a.m. UTC | #3 
Thanks!  (I see you fixed these two on mic-next already.)

On Thu, Nov 16, 2023 at 04:50:03PM -0500, Micka�l Sala�n wrote:
> On Fri, Nov 03, 2023 at 04:57:16PM +0100, G�nther Noack wrote:
> > Add ioctl support to the Landlock sample tool.
> > 
> > The ioctl right is grouped with the read-write rights in the sample
> > tool, as some ioctl requests provide features that mutate state.
> > 
> > Signed-off-by: G�nther Noack <gnoack@google.com>
> > ---
> >  samples/landlock/sandboxer.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> > 
> > diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> > index 08596c0ef070..a4b2bebaf203 100644
> > --- a/samples/landlock/sandboxer.c
> > +++ b/samples/landlock/sandboxer.c
> > @@ -81,7 +81,8 @@ static int parse_path(char *env_path, const char ***const path_list)
> >  	LANDLOCK_ACCESS_FS_EXECUTE | \
> >  	LANDLOCK_ACCESS_FS_WRITE_FILE | \
> >  	LANDLOCK_ACCESS_FS_READ_FILE | \
> > -	LANDLOCK_ACCESS_FS_TRUNCATE)
> > +	LANDLOCK_ACCESS_FS_TRUNCATE | \
> > +	LANDLOCK_ACCESS_FS_IOCTL)
> >  
> >  /* clang-format on */
> >  
> > @@ -199,7 +200,8 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd,
> >  	LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
> >  	LANDLOCK_ACCESS_FS_MAKE_SYM | \
> >  	LANDLOCK_ACCESS_FS_REFER | \
> > -	LANDLOCK_ACCESS_FS_TRUNCATE)
> > +	LANDLOCK_ACCESS_FS_TRUNCATE | \
> > +	LANDLOCK_ACCESS_FS_IOCTL)
> >  
> >  /* clang-format on */
> >  
> 
> #define LANDLOCK_ABI_LAST 5
> 
> > @@ -317,6 +319,10 @@ int main(const int argc, char *const argv[], char *const *const envp)
> >  		ruleset_attr.handled_access_net &=
> >  			~(LANDLOCK_ACCESS_NET_BIND_TCP |
> >  			  LANDLOCK_ACCESS_NET_CONNECT_TCP);
> 
> __attribute__((fallthrough));
> 
> > +	case 4:
> > +		/* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 5 */
> > +		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL;
> > +
> >  		fprintf(stderr,
> >  			"Hint: You should update the running kernel "
> >  			"to leverage Landlock features "
> > -- 
> > 2.42.0.869.gea05f2083d-goog
> >
diff mbox series

Patch

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 08596c0ef070..a4b2bebaf203 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -81,7 +81,8 @@  static int parse_path(char *env_path, const char ***const path_list)
 	LANDLOCK_ACCESS_FS_EXECUTE | \
 	LANDLOCK_ACCESS_FS_WRITE_FILE | \
 	LANDLOCK_ACCESS_FS_READ_FILE | \
-	LANDLOCK_ACCESS_FS_TRUNCATE)
+	LANDLOCK_ACCESS_FS_TRUNCATE | \
+	LANDLOCK_ACCESS_FS_IOCTL)
 
 /* clang-format on */
 
@@ -199,7 +200,8 @@  static int populate_ruleset_net(const char *const env_var, const int ruleset_fd,
 	LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
 	LANDLOCK_ACCESS_FS_MAKE_SYM | \
 	LANDLOCK_ACCESS_FS_REFER | \
-	LANDLOCK_ACCESS_FS_TRUNCATE)
+	LANDLOCK_ACCESS_FS_TRUNCATE | \
+	LANDLOCK_ACCESS_FS_IOCTL)
 
 /* clang-format on */
 
@@ -317,6 +319,10 @@  int main(const int argc, char *const argv[], char *const *const envp)
 		ruleset_attr.handled_access_net &=
 			~(LANDLOCK_ACCESS_NET_BIND_TCP |
 			  LANDLOCK_ACCESS_NET_CONNECT_TCP);
+	case 4:
+		/* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 5 */
+		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL;
+
 		fprintf(stderr,
 			"Hint: You should update the running kernel "
 			"to leverage Landlock features "