| Message ID | 20221001154908.49665-4-gnoack3000@gmail.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | landlock: truncate support | expand |
Great! On 01/10/2022 17:49, Günther Noack wrote: > * Rename it to is_access_to_paths_allowed() > * Make it return true iff the access is allowed > * Calculate the EXDEV/EACCES error code in the one place where it's needed Can you please replace these bullet points with (one-sentence) paragraphs? > > Suggested-by: Mickaël Salaün <mic@digikod.net> > Signed-off-by: Günther Noack <gnoack3000@gmail.com> > --- > security/landlock/fs.c | 89 +++++++++++++++++++++--------------------- > 1 file changed, 44 insertions(+), 45 deletions(-) > > diff --git a/security/landlock/fs.c b/security/landlock/fs.c > index a9dbd99d9ee7..083dd3d359de 100644 > --- a/security/landlock/fs.c > +++ b/security/landlock/fs.c > @@ -430,7 +430,7 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS], > } > > /** > - * check_access_path_dual - Check accesses for requests with a common path > + * is_access_to_paths_allowed - Check accesses for requests with a common path > * > * @domain: Domain to check against. > * @path: File hierarchy to walk through. > @@ -465,14 +465,10 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS], > * allow the request. > * > * Returns: > - * - 0 if the access request is granted; > - * - -EACCES if it is denied because of access right other than > - * LANDLOCK_ACCESS_FS_REFER; > - * - -EXDEV if the renaming or linking would be a privileged escalation > - * (according to each layered policies), or if LANDLOCK_ACCESS_FS_REFER is > - * not allowed by the source or the destination. > + * - true if the access request is granted; > + * - false otherwise Missing final dot. > */ > -static int check_access_path_dual( > +static bool is_access_to_paths_allowed( > const struct landlock_ruleset *const domain, > const struct path *const path, > const access_mask_t access_request_parent1, > @@ -492,17 +488,17 @@ static int check_access_path_dual( > (*layer_masks_child2)[LANDLOCK_NUM_ACCESS_FS] = NULL; > > if (!access_request_parent1 && !access_request_parent2) > - return 0; > + return true; > if (WARN_ON_ONCE(!domain || !path)) > - return 0; > + return true; > if (is_nouser_or_private(path->dentry)) > - return 0; > + return true; > if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1)) > - return -EACCES; > + return false; > > if (unlikely(layer_masks_parent2)) { > if (WARN_ON_ONCE(!dentry_child1)) > - return -EACCES; > + return false; > /* > * For a double request, first check for potential privilege > * escalation by looking at domain handled accesses (which are > @@ -513,7 +509,7 @@ static int check_access_path_dual( > is_dom_check = true; > } else { > if (WARN_ON_ONCE(dentry_child1 || dentry_child2)) > - return -EACCES; > + return false; > /* For a simple request, only check for requested accesses. */ > access_masked_parent1 = access_request_parent1; > access_masked_parent2 = access_request_parent2; > @@ -622,24 +618,7 @@ static int check_access_path_dual( > } > path_put(&walker_path); > > - if (allowed_parent1 && allowed_parent2) > - return 0; > - > - /* > - * This prioritizes EACCES over EXDEV for all actions, including > - * renames with RENAME_EXCHANGE. > - */ > - if (likely(is_eacces(layer_masks_parent1, access_request_parent1) || > - is_eacces(layer_masks_parent2, access_request_parent2))) > - return -EACCES; > - > - /* > - * Gracefully forbids reparenting if the destination directory > - * hierarchy is not a superset of restrictions of the source directory > - * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the > - * source or the destination. > - */ > - return -EXDEV; > + return allowed_parent1 && allowed_parent2; > } > > static inline int check_access_path(const struct landlock_ruleset *const domain, > @@ -649,8 +628,10 @@ static inline int check_access_path(const struct landlock_ruleset *const domain, > layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; > > access_request = init_layer_masks(domain, access_request, &layer_masks); > - return check_access_path_dual(domain, path, access_request, > - &layer_masks, NULL, 0, NULL, NULL); > + if (is_access_to_paths_allowed(domain, path, access_request, > + &layer_masks, NULL, 0, NULL, NULL)) > + return 0; > + return -EACCES; > } > > static inline int current_check_access_path(const struct path *const path, > @@ -711,8 +692,9 @@ static inline access_mask_t maybe_remove(const struct dentry *const dentry) > * file. While walking from @dir to @mnt_root, we record all the domain's > * allowed accesses in @layer_masks_dom. > * > - * This is similar to check_access_path_dual() but much simpler because it only > - * handles walking on the same mount point and only check one set of accesses. > + * This is similar to is_access_to_paths_allowed() but much simpler because it > + * only handles walking on the same mount point and only checks one set of > + * accesses. > * > * Returns: > * - true if all the domain access rights are allowed for @dir; > @@ -857,10 +839,11 @@ static int current_check_refer_path(struct dentry *const old_dentry, > access_request_parent1 = init_layer_masks( > dom, access_request_parent1 | access_request_parent2, > &layer_masks_parent1); > - return check_access_path_dual(dom, new_dir, > - access_request_parent1, > - &layer_masks_parent1, NULL, 0, > - NULL, NULL); > + if (is_access_to_paths_allowed( > + dom, new_dir, access_request_parent1, > + &layer_masks_parent1, NULL, 0, NULL, NULL)) > + return 0; > + return -EACCES; > } > > access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER; > @@ -886,11 +869,27 @@ static int current_check_refer_path(struct dentry *const old_dentry, > * parent access rights. This will be useful to compare with the > * destination parent access rights. > */ > - return check_access_path_dual(dom, &mnt_dir, access_request_parent1, > - &layer_masks_parent1, old_dentry, > - access_request_parent2, > - &layer_masks_parent2, > - exchange ? new_dentry : NULL); > + if (is_access_to_paths_allowed( > + dom, &mnt_dir, access_request_parent1, &layer_masks_parent1, > + old_dentry, access_request_parent2, &layer_masks_parent2, > + exchange ? new_dentry : NULL)) > + return 0; > + > + /* > + * This prioritizes EACCES over EXDEV for all actions, including > + * renames with RENAME_EXCHANGE. > + */ > + if (likely(is_eacces(&layer_masks_parent1, access_request_parent1) || > + is_eacces(&layer_masks_parent2, access_request_parent2))) > + return -EACCES; > + > + /* > + * Gracefully forbids reparenting if the destination directory > + * hierarchy is not a superset of restrictions of the source directory > + * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the > + * source or the destination. > + */ > + return -EXDEV; > } > > /* Inode hooks */
On Wed, Oct 05, 2022 at 08:54:08PM +0200, Mickaël Salaün wrote: > On 01/10/2022 17:49, Günther Noack wrote: > > * Rename it to is_access_to_paths_allowed() > > * Make it return true iff the access is allowed > > * Calculate the EXDEV/EACCES error code in the one place where it's needed > > Can you please replace these bullet points with (one-sentence) paragraphs? Done. > > Suggested-by: Mickaël Salaün <mic@digikod.net> > > Signed-off-by: Günther Noack <gnoack3000@gmail.com> > > --- > > security/landlock/fs.c | 89 +++++++++++++++++++++--------------------- > > 1 file changed, 44 insertions(+), 45 deletions(-) > > > > diff --git a/security/landlock/fs.c b/security/landlock/fs.c > > index a9dbd99d9ee7..083dd3d359de 100644 > > --- a/security/landlock/fs.c > > +++ b/security/landlock/fs.c > > @@ -430,7 +430,7 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS], > > } > > /** > > - * check_access_path_dual - Check accesses for requests with a common path > > + * is_access_to_paths_allowed - Check accesses for requests with a common path > > * > > * @domain: Domain to check against. > > * @path: File hierarchy to walk through. > > @@ -465,14 +465,10 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS], > > * allow the request. > > * > > * Returns: > > - * - 0 if the access request is granted; > > - * - -EACCES if it is denied because of access right other than > > - * LANDLOCK_ACCESS_FS_REFER; > > - * - -EXDEV if the renaming or linking would be a privileged escalation > > - * (according to each layered policies), or if LANDLOCK_ACCESS_FS_REFER is > > - * not allowed by the source or the destination. > > + * - true if the access request is granted; > > + * - false otherwise > > Missing final dot. Done. > > */ > > -static int check_access_path_dual( > > +static bool is_access_to_paths_allowed( > > const struct landlock_ruleset *const domain, > > const struct path *const path, > > const access_mask_t access_request_parent1, > > @@ -492,17 +488,17 @@ static int check_access_path_dual( > > (*layer_masks_child2)[LANDLOCK_NUM_ACCESS_FS] = NULL; > > if (!access_request_parent1 && !access_request_parent2) > > - return 0; > > + return true; > > if (WARN_ON_ONCE(!domain || !path)) > > - return 0; > > + return true; > > if (is_nouser_or_private(path->dentry)) > > - return 0; > > + return true; > > if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1)) > > - return -EACCES; > > + return false; > > if (unlikely(layer_masks_parent2)) { > > if (WARN_ON_ONCE(!dentry_child1)) > > - return -EACCES; > > + return false; > > /* > > * For a double request, first check for potential privilege > > * escalation by looking at domain handled accesses (which are > > @@ -513,7 +509,7 @@ static int check_access_path_dual( > > is_dom_check = true; > > } else { > > if (WARN_ON_ONCE(dentry_child1 || dentry_child2)) > > - return -EACCES; > > + return false; > > /* For a simple request, only check for requested accesses. */ > > access_masked_parent1 = access_request_parent1; > > access_masked_parent2 = access_request_parent2; > > @@ -622,24 +618,7 @@ static int check_access_path_dual( > > } > > path_put(&walker_path); > > - if (allowed_parent1 && allowed_parent2) > > - return 0; > > - > > - /* > > - * This prioritizes EACCES over EXDEV for all actions, including > > - * renames with RENAME_EXCHANGE. > > - */ > > - if (likely(is_eacces(layer_masks_parent1, access_request_parent1) || > > - is_eacces(layer_masks_parent2, access_request_parent2))) > > - return -EACCES; > > - > > - /* > > - * Gracefully forbids reparenting if the destination directory > > - * hierarchy is not a superset of restrictions of the source directory > > - * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the > > - * source or the destination. > > - */ > > - return -EXDEV; > > + return allowed_parent1 && allowed_parent2; > > } > > static inline int check_access_path(const struct landlock_ruleset *const domain, > > @@ -649,8 +628,10 @@ static inline int check_access_path(const struct landlock_ruleset *const domain, > > layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; > > access_request = init_layer_masks(domain, access_request, &layer_masks); > > - return check_access_path_dual(domain, path, access_request, > > - &layer_masks, NULL, 0, NULL, NULL); > > + if (is_access_to_paths_allowed(domain, path, access_request, > > + &layer_masks, NULL, 0, NULL, NULL)) > > + return 0; > > + return -EACCES; > > } > > static inline int current_check_access_path(const struct path *const path, > > @@ -711,8 +692,9 @@ static inline access_mask_t maybe_remove(const struct dentry *const dentry) > > * file. While walking from @dir to @mnt_root, we record all the domain's > > * allowed accesses in @layer_masks_dom. > > * > > - * This is similar to check_access_path_dual() but much simpler because it only > > - * handles walking on the same mount point and only check one set of accesses. > > + * This is similar to is_access_to_paths_allowed() but much simpler because it > > + * only handles walking on the same mount point and only checks one set of > > + * accesses. > > * > > * Returns: > > * - true if all the domain access rights are allowed for @dir; > > @@ -857,10 +839,11 @@ static int current_check_refer_path(struct dentry *const old_dentry, > > access_request_parent1 = init_layer_masks( > > dom, access_request_parent1 | access_request_parent2, > > &layer_masks_parent1); > > - return check_access_path_dual(dom, new_dir, > > - access_request_parent1, > > - &layer_masks_parent1, NULL, 0, > > - NULL, NULL); > > + if (is_access_to_paths_allowed( > > + dom, new_dir, access_request_parent1, > > + &layer_masks_parent1, NULL, 0, NULL, NULL)) > > + return 0; > > + return -EACCES; > > } > > access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER; > > @@ -886,11 +869,27 @@ static int current_check_refer_path(struct dentry *const old_dentry, > > * parent access rights. This will be useful to compare with the > > * destination parent access rights. > > */ > > - return check_access_path_dual(dom, &mnt_dir, access_request_parent1, > > - &layer_masks_parent1, old_dentry, > > - access_request_parent2, > > - &layer_masks_parent2, > > - exchange ? new_dentry : NULL); > > + if (is_access_to_paths_allowed( > > + dom, &mnt_dir, access_request_parent1, &layer_masks_parent1, > > + old_dentry, access_request_parent2, &layer_masks_parent2, > > + exchange ? new_dentry : NULL)) > > + return 0; > > + > > + /* > > + * This prioritizes EACCES over EXDEV for all actions, including > > + * renames with RENAME_EXCHANGE. > > + */ > > + if (likely(is_eacces(&layer_masks_parent1, access_request_parent1) || > > + is_eacces(&layer_masks_parent2, access_request_parent2))) > > + return -EACCES; > > + > > + /* > > + * Gracefully forbids reparenting if the destination directory > > + * hierarchy is not a superset of restrictions of the source directory > > + * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the > > + * source or the destination. > > + */ > > + return -EXDEV; > > } > > /* Inode hooks */ --
diff --git a/security/landlock/fs.c b/security/landlock/fs.c index a9dbd99d9ee7..083dd3d359de 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -430,7 +430,7 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS], } /** - * check_access_path_dual - Check accesses for requests with a common path + * is_access_to_paths_allowed - Check accesses for requests with a common path * * @domain: Domain to check against. * @path: File hierarchy to walk through. @@ -465,14 +465,10 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS], * allow the request. * * Returns: - * - 0 if the access request is granted; - * - -EACCES if it is denied because of access right other than - * LANDLOCK_ACCESS_FS_REFER; - * - -EXDEV if the renaming or linking would be a privileged escalation - * (according to each layered policies), or if LANDLOCK_ACCESS_FS_REFER is - * not allowed by the source or the destination. + * - true if the access request is granted; + * - false otherwise */ -static int check_access_path_dual( +static bool is_access_to_paths_allowed( const struct landlock_ruleset *const domain, const struct path *const path, const access_mask_t access_request_parent1, @@ -492,17 +488,17 @@ static int check_access_path_dual( (*layer_masks_child2)[LANDLOCK_NUM_ACCESS_FS] = NULL; if (!access_request_parent1 && !access_request_parent2) - return 0; + return true; if (WARN_ON_ONCE(!domain || !path)) - return 0; + return true; if (is_nouser_or_private(path->dentry)) - return 0; + return true; if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1)) - return -EACCES; + return false; if (unlikely(layer_masks_parent2)) { if (WARN_ON_ONCE(!dentry_child1)) - return -EACCES; + return false; /* * For a double request, first check for potential privilege * escalation by looking at domain handled accesses (which are @@ -513,7 +509,7 @@ static int check_access_path_dual( is_dom_check = true; } else { if (WARN_ON_ONCE(dentry_child1 || dentry_child2)) - return -EACCES; + return false; /* For a simple request, only check for requested accesses. */ access_masked_parent1 = access_request_parent1; access_masked_parent2 = access_request_parent2; @@ -622,24 +618,7 @@ static int check_access_path_dual( } path_put(&walker_path); - if (allowed_parent1 && allowed_parent2) - return 0; - - /* - * This prioritizes EACCES over EXDEV for all actions, including - * renames with RENAME_EXCHANGE. - */ - if (likely(is_eacces(layer_masks_parent1, access_request_parent1) || - is_eacces(layer_masks_parent2, access_request_parent2))) - return -EACCES; - - /* - * Gracefully forbids reparenting if the destination directory - * hierarchy is not a superset of restrictions of the source directory - * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the - * source or the destination. - */ - return -EXDEV; + return allowed_parent1 && allowed_parent2; } static inline int check_access_path(const struct landlock_ruleset *const domain, @@ -649,8 +628,10 @@ static inline int check_access_path(const struct landlock_ruleset *const domain, layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; access_request = init_layer_masks(domain, access_request, &layer_masks); - return check_access_path_dual(domain, path, access_request, - &layer_masks, NULL, 0, NULL, NULL); + if (is_access_to_paths_allowed(domain, path, access_request, + &layer_masks, NULL, 0, NULL, NULL)) + return 0; + return -EACCES; } static inline int current_check_access_path(const struct path *const path, @@ -711,8 +692,9 @@ static inline access_mask_t maybe_remove(const struct dentry *const dentry) * file. While walking from @dir to @mnt_root, we record all the domain's * allowed accesses in @layer_masks_dom. * - * This is similar to check_access_path_dual() but much simpler because it only - * handles walking on the same mount point and only check one set of accesses. + * This is similar to is_access_to_paths_allowed() but much simpler because it + * only handles walking on the same mount point and only checks one set of + * accesses. * * Returns: * - true if all the domain access rights are allowed for @dir; @@ -857,10 +839,11 @@ static int current_check_refer_path(struct dentry *const old_dentry, access_request_parent1 = init_layer_masks( dom, access_request_parent1 | access_request_parent2, &layer_masks_parent1); - return check_access_path_dual(dom, new_dir, - access_request_parent1, - &layer_masks_parent1, NULL, 0, - NULL, NULL); + if (is_access_to_paths_allowed( + dom, new_dir, access_request_parent1, + &layer_masks_parent1, NULL, 0, NULL, NULL)) + return 0; + return -EACCES; } access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER; @@ -886,11 +869,27 @@ static int current_check_refer_path(struct dentry *const old_dentry, * parent access rights. This will be useful to compare with the * destination parent access rights. */ - return check_access_path_dual(dom, &mnt_dir, access_request_parent1, - &layer_masks_parent1, old_dentry, - access_request_parent2, - &layer_masks_parent2, - exchange ? new_dentry : NULL); + if (is_access_to_paths_allowed( + dom, &mnt_dir, access_request_parent1, &layer_masks_parent1, + old_dentry, access_request_parent2, &layer_masks_parent2, + exchange ? new_dentry : NULL)) + return 0; + + /* + * This prioritizes EACCES over EXDEV for all actions, including + * renames with RENAME_EXCHANGE. + */ + if (likely(is_eacces(&layer_masks_parent1, access_request_parent1) || + is_eacces(&layer_masks_parent2, access_request_parent2))) + return -EACCES; + + /* + * Gracefully forbids reparenting if the destination directory + * hierarchy is not a superset of restrictions of the source directory + * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the + * source or the destination. + */ + return -EXDEV; } /* Inode hooks */
* Rename it to is_access_to_paths_allowed() * Make it return true iff the access is allowed * Calculate the EXDEV/EACCES error code in the one place where it's needed Suggested-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Günther Noack <gnoack3000@gmail.com> --- security/landlock/fs.c | 89 +++++++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 45 deletions(-)