From patchwork Fri Jun 23 14:43:29 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13290765
Date: Fri, 23 Jun 2023 16:43:29 +0200
In-Reply-To: <20230623144329.136541-1-gnoack@google.com>
Message-Id: <20230623144329.136541-7-gnoack@google.com>
References: <20230623144329.136541-1-gnoack@google.com>
Subject: [PATCH v2 6/6] landlock: Document ioctl support
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, linux-fsdevel@vger.kernel.org, Günther Noack

In the paragraph above the fallback logic, use the shorter phrasing from the landlock(7) man page.
Signed-off-by: Günther Noack --- Documentation/userspace-api/landlock.rst | 52 ++++++++++++++++-------- 1 file changed, 35 insertions(+), 17 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index d8cd8cd9ce25..bff3b4a9df3d 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -61,18 +61,17 @@ the need to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER | - LANDLOCK_ACCESS_FS_TRUNCATE, + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL, }; Because we may not know on which kernel version an application will be executed, it is safer to follow a best-effort security approach. Indeed, we should try to protect users as much as possible whatever the kernel they are -using. To avoid binary enforcement (i.e. either all security features or -none), we can leverage a dedicated Landlock command to get the current version -of the Landlock ABI and adapt the handled accesses. Let's check if we should -remove the ``LANDLOCK_ACCESS_FS_REFER`` or ``LANDLOCK_ACCESS_FS_TRUNCATE`` -access rights, which are only supported starting with the second and third -version of the ABI. +using. + +To be compatible with older Linux versions, we detect the available Landlock ABI +version, and only use the available subset of access rights: .. code-block:: c @@ -92,6 +91,9 @@ version of the ABI. case 2: /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + case 3: + /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 4 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL; } This enables to create an inclusive ruleset that will contain our rules. 
@@ -190,6 +192,7 @@ access rights per directory enables to change the location of such directory without relying on the destination directory access rights (except those that are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER`` documentation). + Having self-sufficient hierarchies also helps to tighten the required access rights to the minimal set of data. This also helps avoid sinkhole directories, i.e. directories where data can be linked to but not linked from. However, 
@@ -283,18 +286,24 @@ It should also be noted that truncating files does not require the system call, this can also be done through :manpage:`open(2)` with the flags ``O_RDONLY | O_TRUNC``. -When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` -right is associated with the newly created file descriptor and will be used for -subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is -similar to opening a file for reading or writing, where permissions are checked -during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and +The truncate right is associated with the opened file (see below). + +Rights associated with file descriptors +--------------------------------------- + +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and +``LANDLOCK_ACCESS_FS_IOCTL`` rights is associated with the newly created file +descriptor and will be used for subsequent truncation and ioctl attempts using +:manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar to +opening a file for reading or writing, where permissions are checked during +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and :manpage:`write(2)` calls. -As a consequence, it is possible to have multiple open file descriptors for the -same file, where one grants the right to truncate the file and the other does -not. It is also possible to pass such file descriptors between processes, -keeping their Landlock properties, even when these processes do not have an -enforced Landlock ruleset. +As a consequence, it is possible to have multiple open file descriptors +referring to the same file, where one grants the truncate or ioctl right and the +other does not. It is also possible to pass such file descriptors between +processes, keeping their Landlock properties, even when these processes do not +have an enforced Landlock ruleset. Compatibility ============= 
@@ -451,6 +460,15 @@ always allowed when using a kernel that only supports the first or second ABI. Starting with the Landlock ABI version 3, it is now possible to securely control truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right. +Ioctl (ABI < 4) +--------------- + +Ioctl operations could not be denied before the fourth Landlock ABI, so ioctl is +always allowed when using a kernel that only supports an earlier ABI. + +Starting with the Landlock ABI version 4, it is possible to restrict the use of +ioctl using the new ``LANDLOCK_ACCESS_FS_IOCTL`` access right. + .. _kernel_support: Kernel support
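Review bot: In the @@ -61 hunk, the replacement paragraph drops the only sentence that said how the ABI version is obtained (the removed text spoke of "a dedicated Landlock command to get the current version of the Landlock ABI"); "we detect the available Landlock ABI version" now leaves the reader to infer the mechanism from the snippet that follows. Suggest keeping a half sentence that names the mechanism, or ending the sentence with an explicit pointer to the code block, so the best-effort rationale still reads on its own.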
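Review bot: In the @@ -92 hunk, the new `case 3:` is only reached for ABI 2 kernels by silent fall-through from `case 2:`, and nothing in the snippet says so; someone copying the example into code built with -Wimplicit-fallthrough will get a warning and may "fix" it with a `break`, which would quietly stop stripping `LANDLOCK_ACCESS_FS_IOCTL` on ABI 2 kernels. Suggest a `/* fallthrough */` comment or a sentence before the block stating that the cases cascade deliberately.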
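Review bot: The @@ -190 hunk is a whitespace-only change (a blank line between two paragraphs) that is unrelated to ioctl support and not mentioned in the changelog; either drop it from this patch or call it out in the commit message so the extra line in the diffstat is not mistaken for documentation content.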
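Review bot: In the @@ -283 hunk, "The truncate right is associated with the opened file (see below)." points at the new "Rights associated with file descriptors" section only by position, so the pointer goes stale if that section is moved; the document already uses RST labels (`.. _kernel_support:` in the last hunk), so a label on the new heading plus a :ref: from this sentence would be more robust. The wording "associated with the opened file" is also looser than the section it points to: the paragraph added there says two descriptors on the same file can differ in whether they grant the right, so "associated with the file descriptor" is the precise statement.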
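Review bot: In the @@ -451 hunk, the new "Ioctl (ABI < 4)" section mirrors the truncate section above it but does not connect to the open-time semantics added earlier in this patch: a reader arriving here from the Compatibility section will not learn that the `LANDLOCK_ACCESS_FS_IOCTL` right is bound to the file descriptor at :manpage:`open(2)` and not re-checked on each :manpage:`ioctl(2)`. Suggest a cross-reference to the "Rights associated with file descriptors" section, and wording parallel to the truncate paragraph ("securely control the use of ioctl") instead of "it is possible to restrict the use of ioctl".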