From patchwork Mon Mar 25 13:40:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13602242 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ACE5D12C80E for ; Mon, 25 Mar 2024 13:40:31 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711374033; cv=none; b=OvcwjKQBr19rKF/5a4kaz3RyzTF7vjGIZ/g2Nihg/927VY0qVF44oqPazEP5Of4vNTHYlc8kUKhD0Pj4GXjcjDPYdQoeBpW/ATaCz3Z0vyuBG/DFN1hcIFJXH+HShn+EnqmrsB0eTZdIDZTEBAOldpMkxtHA5glPaxwTBiU8B7w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711374033; c=relaxed/simple; bh=4g64X2z2I9w1oZROI2GSCgDSQPRm3AXX/Vq984hPUy8=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=A77hcjYwXTBUM4GfugTMADQZYMw6wIMnFWTjVrXpmzpWoIKP/Beql+HtP0Ikz6csyNB1nigthY/nyqk9L5rdVZvd/dAPVXKJ+vbknJAHWwS+KfDycGfvOJ5IMecUnTaPGbKN5lFAcVaGXI06zSwpyRN+HkeW3uzLoK8PyQJ2rwE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=TYj8j+Uz; arc=none smtp.client-ip=209.85.219.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="TYj8j+Uz" Received: by mail-yb1-f201.google.com with SMTP id 3f1490d57ef6-dd8e82dd47eso5798702276.2 for ; Mon, 25 Mar 2024 06:40:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1711374031; x=1711978831; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=AL+pLtjmOCqOyTizrp229Q3mbwzX+z6isjzKlV0osFY=; b=TYj8j+UzU5vceiXI0PAbPYrM8ns9Rd+ZZbz+qiHRY6zZL1eQE1T81QX1D7ogBjuOvn hTCLEhlfFrzoM/xWPCqoBN1Myx4vuLU7GoYRAomSR1RqSjXTnQvEm4iVBPtpLVeLuHAb 2Ke4mAQFfG/1IUew5ebVMpiZ3NdIEBceInWcJ+hdKA4qLXCn9KEpA97L+qFmcJ5hfO5D /3xSCmdzf/D8kzoqWRG3SHGYc3+NCucWvKudUHnZMxqNnHBNsgvxvvzHO0oD47I2V1Vw q1pnyeAFcYTdM9/2lLaJqi8hxqWkOJ/MASN79i77KIq6eI7L+8BDPf8343SG36czimdv 1agg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711374031; x=1711978831; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=AL+pLtjmOCqOyTizrp229Q3mbwzX+z6isjzKlV0osFY=; b=Xsv/8v5Sqo/R8yebM/VdXKWA9iq78n+jTNfMKyrEUVIWLE04qvjEvnNUekDkTHjhHP iLA2QWpwxAJ7e2ao23qy0YgVUYGYNJmK7nUc5qYWH0NXylzd58RLE/SiDmALSPk8FK49 QLUDztcti+GtcS3JW0CZOwbMLHhbtwWhkl09mQF7zrjZ94fC1KwF3W38Mz0B3LuR+1b4 3j4n8NKvPKz5kWPRcfdoJK/Kuz/DbAgm3Vmr3zNk//pQxqXiA7k7Xgets5ivjSQHSxRL nEmnEsY0eTAH5U6yIimLD6T4h1mLVvBZG8L/GCABrw5BVBz/4iUEJOH5oYczdp5OAlq9 TfkQ== X-Gm-Message-State: AOJu0YyKxVV4X6mja1DzZP1LqbFd/6fQnTD41Z8oCX2aEk3dCcKdcQy/ 18sG0VkZ+lINUyahpKXcWiOkcgWjV4H0rH7RAXR9J9/UGS84vbRaYY+/TAbkkkjObPx/Rio8TWW vfSduDCJR6baEkEMlTLcUPNO2GNSOKWG5W03fXCWCEkZW8SyCyeRKL6aiTcYfHtANmUu2n7csTj lStLmBIhN6y/JWHI0ggDL50BqJt5CFPrVXF7bis9czpkaDst1rN6Rw X-Google-Smtp-Source: AGHT+IEmLONyvtYGybUOCEnnXeQyyFFbJ0hIAh4jktgritw14JAHy3RCayEtj6Qf3eX1vANUcfWRhzrGbXQ= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6902:124a:b0:dcc:6bf0:2eb6 with SMTP id t10-20020a056902124a00b00dcc6bf02eb6mr317474ybu.6.1711374029954; Mon, 25 Mar 2024 06:40:29 -0700 (PDT) Date: Mon, 25 Mar 2024 13:40:04 +0000 In-Reply-To: <20240325134004.4074874-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240325134004.4074874-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.396.g6e790dbe36-goog Message-ID: <20240325134004.4074874-10-gnoack@google.com> Subject: [PATCH v12 9/9] landlock: Document IOCTL support From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " In the paragraph above the fallback logic, use the shorter phrasing from the landlock(7) man page. Signed-off-by: Günther Noack --- Documentation/userspace-api/landlock.rst | 76 +++++++++++++++++++----- 1 file changed, 61 insertions(+), 15 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 9dd636aaa829..145bd869c684 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -76,7 +76,8 @@ to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER | - LANDLOCK_ACCESS_FS_TRUNCATE, + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL_DEV, .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, @@ -85,10 +86,10 @@ to be explicit about the denied-by-default access rights. Because we may not know on which kernel version an application will be executed, it is safer to follow a best-effort security approach. Indeed, we should try to protect users as much as possible whatever the kernel they are -using. To avoid binary enforcement (i.e. either all security features or -none), we can leverage a dedicated Landlock command to get the current version -of the Landlock ABI and adapt the handled accesses. Let's check if we should -remove access rights which are only supported in higher versions of the ABI. +using. + +To be compatible with older Linux versions, we detect the available Landlock ABI +version, and only use the available subset of access rights: .. code-block:: c @@ -114,6 +115,10 @@ remove access rights which are only supported in higher versions of the ABI. ruleset_attr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); + __attribute__((fallthrough)); + case 4: + /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; } This enables to create an inclusive ruleset that will contain our rules. @@ -225,6 +230,7 @@ access rights per directory enables to change the location of such directory without relying on the destination directory access rights (except those that are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER`` documentation). + Having self-sufficient hierarchies also helps to tighten the required access rights to the minimal set of data. This also helps avoid sinkhole directories, i.e. directories where data can be linked to but not linked from. However, @@ -318,18 +324,26 @@ It should also be noted that truncating files does not require the system call, this can also be done through :manpage:`open(2)` with the flags ``O_RDONLY | O_TRUNC``. -When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` -right is associated with the newly created file descriptor and will be used for -subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is -similar to opening a file for reading or writing, where permissions are checked -during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and +The truncate right is associated with the opened file (see below). + +Rights associated with file descriptors +--------------------------------------- + +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` rights is associated with the newly created +file descriptor and will be used for subsequent truncation and ioctl attempts +using :manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar +to opening a file for reading or writing, where permissions are checked during +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and :manpage:`write(2)` calls. -As a consequence, it is possible to have multiple open file descriptors for the -same file, where one grants the right to truncate the file and the other does -not. It is also possible to pass such file descriptors between processes, -keeping their Landlock properties, even when these processes do not have an -enforced Landlock ruleset. +As a consequence, it is possible that a process has multiple open file +descriptors referring to the same file, but Landlock enforces different things +when operating with these file descriptors. This can happen when a Landlock +ruleset gets enforced and the process keeps file descriptors which were opened +both before and after the enforcement. It is also possible to pass such file +descriptors between processes, keeping their Landlock properties, even when some +of the involved processes do not have an enforced Landlock ruleset. Compatibility ============= @@ -458,6 +472,28 @@ Memory usage Kernel memory allocated to create rulesets is accounted and can be restricted by the Documentation/admin-guide/cgroup-v1/memory.rst. +IOCTL support +------------- + +The ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right restricts the use of +:manpage:`ioctl(2)`, but it only applies to *newly opened* device files. This +means specifically that pre-existing file descriptors like stdin, stdout and +stderr are unaffected. + +Users should be aware that TTY devices have traditionally permitted to control +other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL +commands. Both of these require ``CAP_SYS_ADMIN`` on modern Linux systems, but +the behavior is configurable for ``TIOCSTI``. + +On older systems, it is therefore recommended to close inherited TTY file +descriptors, or to reopen them from ``/proc/self/fd/*`` without the +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right, if possible. + +Landlock's IOCTL support is coarse-grained at the moment, but may become more +fine-grained in the future. Until then, users are advised to establish the +guarantees that they need through the file hierarchy, by only allowing the +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right on files where it is really required. + Previous limitations ==================== @@ -495,6 +531,16 @@ bind and connect actions to only a set of allowed ports thanks to the new ``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` access rights. +IOCTL (ABI < 5) +--------------- + +IOCTL operations could not be denied before the fifth Landlock ABI, so +:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an +earlier ABI. + +Starting with the Landlock ABI version 5, it is possible to restrict the use of +:manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` access right. + .. _kernel_support: Kernel support