diff mbox series

[v7,9/9] landlock: Document IOCTL support

Message ID 20231201143042.3276833-10-gnoack@google.com (mailing list archive)
State Handled Elsewhere
Delegated to: Paul Moore
Headers show
Series Landlock: IOCTL support | expand

Commit Message

Günther Noack Dec. 1, 2023, 2:30 p.m. UTC
In the paragraph above the fallback logic, use the shorter phrasing
from the landlock(7) man page.

Signed-off-by: Günther Noack <gnoack@google.com>
---
 Documentation/userspace-api/landlock.rst | 74 +++++++++++++++++++-----
 1 file changed, 59 insertions(+), 15 deletions(-)

Comments

Jeff Xu Dec. 1, 2023, 7:55 p.m. UTC | #1
On Fri, Dec 1, 2023 at 6:41 AM Günther Noack <gnoack@google.com> wrote:
>
> In the paragraph above the fallback logic, use the shorter phrasing
> from the landlock(7) man page.
>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
>  Documentation/userspace-api/landlock.rst | 74 +++++++++++++++++++-----
>  1 file changed, 59 insertions(+), 15 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 2e3822677061..68498ca64dc9 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -75,7 +75,8 @@ to be explicit about the denied-by-default access rights.
>              LANDLOCK_ACCESS_FS_MAKE_BLOCK |
>              LANDLOCK_ACCESS_FS_MAKE_SYM |
>              LANDLOCK_ACCESS_FS_REFER |
> -            LANDLOCK_ACCESS_FS_TRUNCATE,
> +            LANDLOCK_ACCESS_FS_TRUNCATE |
> +            LANDLOCK_ACCESS_FS_IOCTL,
>          .handled_access_net =
>              LANDLOCK_ACCESS_NET_BIND_TCP |
>              LANDLOCK_ACCESS_NET_CONNECT_TCP,
> @@ -84,10 +85,10 @@ to be explicit about the denied-by-default access rights.
>  Because we may not know on which kernel version an application will be
>  executed, it is safer to follow a best-effort security approach.  Indeed, we
>  should try to protect users as much as possible whatever the kernel they are
> -using.  To avoid binary enforcement (i.e. either all security features or
> -none), we can leverage a dedicated Landlock command to get the current version
> -of the Landlock ABI and adapt the handled accesses.  Let's check if we should
> -remove access rights which are only supported in higher versions of the ABI.
> +using.
> +
> +To be compatible with older Linux versions, we detect the available Landlock ABI
> +version, and only use the available subset of access rights:
>
>  .. code-block:: c
>
> @@ -113,6 +114,10 @@ remove access rights which are only supported in higher versions of the ABI.
>          ruleset_attr.handled_access_net &=
>              ~(LANDLOCK_ACCESS_NET_BIND_TCP |
>                LANDLOCK_ACCESS_NET_CONNECT_TCP);
> +        __attribute__((fallthrough));
> +    case 4:
> +        /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 5 */
> +        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL;
>      }
>
>  This enables to create an inclusive ruleset that will contain our rules.
> @@ -224,6 +229,7 @@ access rights per directory enables to change the location of such directory
>  without relying on the destination directory access rights (except those that
>  are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER``
>  documentation).
> +
>  Having self-sufficient hierarchies also helps to tighten the required access
>  rights to the minimal set of data.  This also helps avoid sinkhole directories,
>  i.e.  directories where data can be linked to but not linked from.  However,
> @@ -317,18 +323,24 @@ It should also be noted that truncating files does not require the
>  system call, this can also be done through :manpage:`open(2)` with the flags
>  ``O_RDONLY | O_TRUNC``.
>
> -When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE``
> -right is associated with the newly created file descriptor and will be used for
> -subsequent truncation attempts using :manpage:`ftruncate(2)`.  The behavior is
> -similar to opening a file for reading or writing, where permissions are checked
> -during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
> +The truncate right is associated with the opened file (see below).
> +
> +Rights associated with file descriptors
> +---------------------------------------
> +
> +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and
> +``LANDLOCK_ACCESS_FS_IOCTL`` rights is associated with the newly created file
> +descriptor and will be used for subsequent truncation and ioctl attempts using
> +:manpage:`ftruncate(2)` and :manpage:`ioctl(2)`.  The behavior is similar to
> +opening a file for reading or writing, where permissions are checked during
> +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
>  :manpage:`write(2)` calls.
>
> -As a consequence, it is possible to have multiple open file descriptors for the
> -same file, where one grants the right to truncate the file and the other does
> -not.  It is also possible to pass such file descriptors between processes,
> -keeping their Landlock properties, even when these processes do not have an
> -enforced Landlock ruleset.
> +As a consequence, it is possible to have multiple open file descriptors
> +referring to the same file, where one grants the truncate or ioctl right and the
> +other does not.  It is also possible to pass such file descriptors between
> +processes, keeping their Landlock properties, even when these processes do not
> +have an enforced Landlock ruleset.
>
I understand the "passing fd between process ", but not the " multiple
open fds referring to the same file, with different permission", are
those fds all opened within the same domain ?

Can we have a pseudocode to help understanding ?

-Jeff
Günther Noack Dec. 8, 2023, 12:47 p.m. UTC | #2
Hello Jeff!

On Fri, Dec 01, 2023 at 11:55:03AM -0800, Jeff Xu wrote:
> On Fri, Dec 1, 2023 at 6:41 AM Günther Noack <gnoack@google.com> wrote:
> > +Rights associated with file descriptors
> > +---------------------------------------
> > +
> > +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and
> > +``LANDLOCK_ACCESS_FS_IOCTL`` rights is associated with the newly created file
> > +descriptor and will be used for subsequent truncation and ioctl attempts using
> > +:manpage:`ftruncate(2)` and :manpage:`ioctl(2)`.  The behavior is similar to
> > +opening a file for reading or writing, where permissions are checked during
> > +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
> >  :manpage:`write(2)` calls.
> >
> > -As a consequence, it is possible to have multiple open file descriptors for the
> > -same file, where one grants the right to truncate the file and the other does
> > -not.  It is also possible to pass such file descriptors between processes,
> > -keeping their Landlock properties, even when these processes do not have an
> > -enforced Landlock ruleset.
> > +As a consequence, it is possible to have multiple open file descriptors
> > +referring to the same file, where one grants the truncate or ioctl right and the
> > +other does not.  It is also possible to pass such file descriptors between
> > +processes, keeping their Landlock properties, even when these processes do not
> > +have an enforced Landlock ruleset.
> >
> I understand the "passing fd between process ", but not the " multiple
> open fds referring to the same file, with different permission", are
> those fds all opened within the same domain ?
> 
> Can we have a pseudocode to help understanding ?

It's a little bit expanding the scope here, as the documentation existed alredy
prior to the patch set, but it's a fair comment that this paragraph is not clear
enough.  I tried to rephrase it.  Maybe this is better:

  As a consequence, it is possible that a process has multiple open file
  descriptors referring to the same file, but Landlock enforces different things
  when operating with these file descriptors.  This can happen when a Landlock
  ruleset gets enforced and the process keeps file descriptors which were opened
  both before and after the enforcement.  It is also possible to pass such file
  descriptors between processes, keeping their Landlock properties, even when
  some of the involved processes do not have an enforced Landlock ruleset.

Some example code to clarify:

One way that this can happen is:

  (1) fd1 = open("foobar.txt", O_RDWR)
  (2) enforce_landlock(forbid all ioctls)
  (3) fd2 = open("foobar.txt", O_RDWR)

  ==> You now have fd1 and fd2 referring to the same file on disk,
      but you can only do ioctls on it through fd1, but not through fd2.

Or, using SCM_RIGHTS (unix(7)):

  (1) Process 1: Listen on Unix socket
  (2) Process 2: Enforce Landlock so that ioctls are forbidden
  (3) Process 2: fd = open("foobar.txt", O_RDWR)
  (4) Process 2: send fd to Process 1
  (5) Process 1: receive fd

  ==> Process 1 can not do ioctls on the received fd,
      as configured by the Landlock policy enforced in Process 2

Or, simply by inheriting file descriptors through execve:

  (1) Parent process/main thread: Spawn thread t
    (t.1) Enforce Landlock so that ioctls are forbidden
          (This policy is local to the thread)
    (t.2) fd = open("foobar.txt", O_RDWR)
  (2) Parent process/main thread: join (exit) thread t
  (3) Parent process/main thread: execve and inherit fd!

  ==> The child process can not use ioctls with the inherited fd,
      as configured by the Landlock policy before

The same is also possible with the truncation right.

—Günther
Jeff Xu Dec. 8, 2023, 9:58 p.m. UTC | #3
On Fri, Dec 8, 2023 at 4:48 AM Günther Noack <gnoack@google.com> wrote:
>
> Hello Jeff!
>
> On Fri, Dec 01, 2023 at 11:55:03AM -0800, Jeff Xu wrote:
> > On Fri, Dec 1, 2023 at 6:41 AM Günther Noack <gnoack@google.com> wrote:
> > > +Rights associated with file descriptors
> > > +---------------------------------------
> > > +
> > > +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and
> > > +``LANDLOCK_ACCESS_FS_IOCTL`` rights is associated with the newly created file
> > > +descriptor and will be used for subsequent truncation and ioctl attempts using
> > > +:manpage:`ftruncate(2)` and :manpage:`ioctl(2)`.  The behavior is similar to
> > > +opening a file for reading or writing, where permissions are checked during
> > > +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
> > >  :manpage:`write(2)` calls.
> > >
> > > -As a consequence, it is possible to have multiple open file descriptors for the
> > > -same file, where one grants the right to truncate the file and the other does
> > > -not.  It is also possible to pass such file descriptors between processes,
> > > -keeping their Landlock properties, even when these processes do not have an
> > > -enforced Landlock ruleset.
> > > +As a consequence, it is possible to have multiple open file descriptors
> > > +referring to the same file, where one grants the truncate or ioctl right and the
> > > +other does not.  It is also possible to pass such file descriptors between
> > > +processes, keeping their Landlock properties, even when these processes do not
> > > +have an enforced Landlock ruleset.
> > >
> > I understand the "passing fd between process ", but not the " multiple
> > open fds referring to the same file, with different permission", are
> > those fds all opened within the same domain ?
> >
> > Can we have a pseudocode to help understanding ?
>
> It's a little bit expanding the scope here, as the documentation existed alredy
> prior to the patch set, but it's a fair comment that this paragraph is not clear
> enough.  I tried to rephrase it.  Maybe this is better:
>
>   As a consequence, it is possible that a process has multiple open file
>   descriptors referring to the same file, but Landlock enforces different things
>   when operating with these file descriptors.  This can happen when a Landlock
>   ruleset gets enforced and the process keeps file descriptors which were opened
>   both before and after the enforcement.  It is also possible to pass such file
>   descriptors between processes, keeping their Landlock properties, even when
>   some of the involved processes do not have an enforced Landlock ruleset.
>
> Some example code to clarify:
>
> One way that this can happen is:
>
>   (1) fd1 = open("foobar.txt", O_RDWR)
>   (2) enforce_landlock(forbid all ioctls)
>   (3) fd2 = open("foobar.txt", O_RDWR)
>
>   ==> You now have fd1 and fd2 referring to the same file on disk,
>       but you can only do ioctls on it through fd1, but not through fd2.
>
> Or, using SCM_RIGHTS (unix(7)):
>
>   (1) Process 1: Listen on Unix socket
>   (2) Process 2: Enforce Landlock so that ioctls are forbidden
>   (3) Process 2: fd = open("foobar.txt", O_RDWR)
>   (4) Process 2: send fd to Process 1
>   (5) Process 1: receive fd
>
>   ==> Process 1 can not do ioctls on the received fd,
>       as configured by the Landlock policy enforced in Process 2
>
> Or, simply by inheriting file descriptors through execve:
>
>   (1) Parent process/main thread: Spawn thread t
>     (t.1) Enforce Landlock so that ioctls are forbidden
>           (This policy is local to the thread)
>     (t.2) fd = open("foobar.txt", O_RDWR)
>   (2) Parent process/main thread: join (exit) thread t
>   (3) Parent process/main thread: execve and inherit fd!
>
>   ==> The child process can not use ioctls with the inherited fd,
>       as configured by the Landlock policy before
>
> The same is also possible with the truncation right.
>
Very helpful. Thanks!
-Jeff

> —Günther
diff mbox series

Patch

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 2e3822677061..68498ca64dc9 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -75,7 +75,8 @@  to be explicit about the denied-by-default access rights.
             LANDLOCK_ACCESS_FS_MAKE_BLOCK |
             LANDLOCK_ACCESS_FS_MAKE_SYM |
             LANDLOCK_ACCESS_FS_REFER |
-            LANDLOCK_ACCESS_FS_TRUNCATE,
+            LANDLOCK_ACCESS_FS_TRUNCATE |
+            LANDLOCK_ACCESS_FS_IOCTL,
         .handled_access_net =
             LANDLOCK_ACCESS_NET_BIND_TCP |
             LANDLOCK_ACCESS_NET_CONNECT_TCP,
@@ -84,10 +85,10 @@  to be explicit about the denied-by-default access rights.
 Because we may not know on which kernel version an application will be
 executed, it is safer to follow a best-effort security approach.  Indeed, we
 should try to protect users as much as possible whatever the kernel they are
-using.  To avoid binary enforcement (i.e. either all security features or
-none), we can leverage a dedicated Landlock command to get the current version
-of the Landlock ABI and adapt the handled accesses.  Let's check if we should
-remove access rights which are only supported in higher versions of the ABI.
+using.
+
+To be compatible with older Linux versions, we detect the available Landlock ABI
+version, and only use the available subset of access rights:
 
 .. code-block:: c
 
@@ -113,6 +114,10 @@  remove access rights which are only supported in higher versions of the ABI.
         ruleset_attr.handled_access_net &=
             ~(LANDLOCK_ACCESS_NET_BIND_TCP |
               LANDLOCK_ACCESS_NET_CONNECT_TCP);
+        __attribute__((fallthrough));
+    case 4:
+        /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 5 */
+        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL;
     }
 
 This enables to create an inclusive ruleset that will contain our rules.
@@ -224,6 +229,7 @@  access rights per directory enables to change the location of such directory
 without relying on the destination directory access rights (except those that
 are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER``
 documentation).
+
 Having self-sufficient hierarchies also helps to tighten the required access
 rights to the minimal set of data.  This also helps avoid sinkhole directories,
 i.e.  directories where data can be linked to but not linked from.  However,
@@ -317,18 +323,24 @@  It should also be noted that truncating files does not require the
 system call, this can also be done through :manpage:`open(2)` with the flags
 ``O_RDONLY | O_TRUNC``.
 
-When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE``
-right is associated with the newly created file descriptor and will be used for
-subsequent truncation attempts using :manpage:`ftruncate(2)`.  The behavior is
-similar to opening a file for reading or writing, where permissions are checked
-during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
+The truncate right is associated with the opened file (see below).
+
+Rights associated with file descriptors
+---------------------------------------
+
+When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and
+``LANDLOCK_ACCESS_FS_IOCTL`` rights is associated with the newly created file
+descriptor and will be used for subsequent truncation and ioctl attempts using
+:manpage:`ftruncate(2)` and :manpage:`ioctl(2)`.  The behavior is similar to
+opening a file for reading or writing, where permissions are checked during
+:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
 :manpage:`write(2)` calls.
 
-As a consequence, it is possible to have multiple open file descriptors for the
-same file, where one grants the right to truncate the file and the other does
-not.  It is also possible to pass such file descriptors between processes,
-keeping their Landlock properties, even when these processes do not have an
-enforced Landlock ruleset.
+As a consequence, it is possible to have multiple open file descriptors
+referring to the same file, where one grants the truncate or ioctl right and the
+other does not.  It is also possible to pass such file descriptors between
+processes, keeping their Landlock properties, even when these processes do not
+have an enforced Landlock ruleset.
 
 Compatibility
 =============
@@ -457,6 +469,28 @@  Memory usage
 Kernel memory allocated to create rulesets is accounted and can be restricted
 by the Documentation/admin-guide/cgroup-v1/memory.rst.
 
+IOCTL support
+-------------
+
+The ``LANDLOCK_ACCESS_FS_IOCTL`` access right restricts the use of
+:manpage:`ioctl(2)`, but it only applies to newly opened files.  This means
+specifically that pre-existing file descriptors like stdin, stdout and stderr
+are unaffected.
+
+Users should be aware that TTY devices have traditionally permitted to control
+other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL
+commands.  It is therefore recommended to close inherited TTY file descriptors,
+or to reopen them from ``/proc/self/fd/*`` without the
+``LANDLOCK_ACCESS_FS_IOCTL`` right, if possible.  The :manpage:`isatty(3)`
+function checks whether a given file descriptor is a TTY.
+
+Landlock's IOCTL support is coarse-grained at the moment, but may become more
+fine-grained in the future.  Until then, users are advised to establish the
+guarantees that they need through the file hierarchy, by only permitting the
+``LANDLOCK_ACCESS_FS_IOCTL`` right on files where it is really harmless.  In
+cases where you can control the mounts, the ``nodev`` mount option can help to
+rule out that device files can be accessed.
+
 Previous limitations
 ====================
 
@@ -494,6 +528,16 @@  bind and connect actions to only a set of allowed ports thanks to the new
 ``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP``
 access rights.
 
+IOCTL (ABI < 5)
+---------------
+
+IOCTL operations could not be denied before the fifth Landlock ABI, so
+:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an
+earlier ABI.
+
+Starting with the Landlock ABI version 5, it is possible to restrict the use of
+:manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL`` access right.
+
 .. _kernel_support:
 
 Kernel support