From patchwork Fri Jun 23 14:43:24 2023
X-Patchwork-Id: 13290760
Date: Fri, 23 Jun 2023 16:43:24 +0200
In-Reply-To: <20230623144329.136541-1-gnoack@google.com>
Message-Id: <20230623144329.136541-2-gnoack@google.com>
Subject: [PATCH v2 1/6] landlock: Increment Landlock ABI version to 4
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, linux-fsdevel@vger.kernel.org, Günther Noack

Increment the Landlock ABI version in preparation for the ioctl feature.
Signed-off-by: Günther Noack --- security/landlock/syscalls.c | 2 +- tools/testing/selftests/landlock/base_test.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 245cc650a4dc..c70fc9e6fe9e 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -129,7 +129,7 @@ static const struct file_operations ruleset_fops = { .write = fop_dummy_write, }; -#define LANDLOCK_ABI_VERSION 3 +#define LANDLOCK_ABI_VERSION 4 /** * sys_landlock_create_ruleset - Create a new ruleset diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index 792c3f0a59b4..646f778dfb1e 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c 
@@ -75,7 +75,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(3, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(4, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,

From patchwork Fri Jun 23 14:43:25 2023
X-Patchwork-Id: 13290761
Date: Fri, 23 Jun 2023 16:43:25 +0200
Message-Id: <20230623144329.136541-3-gnoack@google.com>
Subject: [PATCH v2 2/6] landlock: Add LANDLOCK_ACCESS_FS_IOCTL access right
From: Günther Noack

Like the truncate right, this right is associated with a file descriptor at the time of open(2), and gets respected even when the file descriptor is used outside of the thread which it was originally created in. In particular, this happens for the commonly inherited file descriptors stdin, stdout and stderr, if these are bound to a tty. This means that programs using tty ioctls can drop the ioctl access right, but continue using these ioctls on the already opened input and output file descriptors.
Signed-off-by: Günther Noack --- include/uapi/linux/landlock.h | 19 ++++++++++++------- security/landlock/fs.c | 21 +++++++++++++++++++-- security/landlock/limits.h | 2 +- tools/testing/selftests/landlock/fs_test.c | 5 +++-- 4 files changed, 35 insertions(+), 12 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 81d09ef9aa50..57de1dc5869e 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h
@@ -102,12 +102,16 @@ struct landlock_path_beneath_attr { * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with - * ``O_TRUNC``. Whether an opened file can be truncated with - * :manpage:`ftruncate(2)` is determined during :manpage:`open(2)`, in the - * same way as read and write permissions are checked during - * :manpage:`open(2)` using %LANDLOCK_ACCESS_FS_READ_FILE and - * %LANDLOCK_ACCESS_FS_WRITE_FILE. This access right is available since the - * third version of the Landlock ABI. + * ``O_TRUNC``. This access right is available since the third version of the + * Landlock ABI. + * - %LANDLOCK_ACCESS_FS_IOCTL: Invoke :manpage:`ioctl(2)` on the opened file. + * This access right is available since the fourth version of the Landlock + * ABI. + * + * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used + * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as + * read and write permissions are checked during :manpage:`open(2)` using + * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE. * * A directory can receive access rights related to files or directories. The * following access right is applied to the directory itself, and the @@ -168,7 +172,7 @@ struct landlock_path_beneath_attr { * accessible through these syscall families: :manpage:`chdir(2)`, * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, - * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`. + * :manpage:`fcntl(2)`, :manpage:`access(2)`. * Future Landlock evolutions will enable to restrict them. */ /* clang-format off */ 
@@ -187,6 +191,7 @@ struct landlock_path_beneath_attr { #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#define LANDLOCK_ACCESS_FS_IOCTL (1ULL << 15) /* clang-format on */ #endif /* _UAPI_LINUX_LANDLOCK_H */ diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 1c0c198f6fdb..017863696610 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -147,7 +147,8 @@ static struct landlock_object *get_inode_object(struct inode *const inode) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ /* @@ -1207,7 +1208,8 @@ static int hook_file_open(struct file *const file) { layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; access_mask_t open_access_request, full_access_request, allowed_access; - const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE; + const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL; const struct landlock_ruleset *const dom = landlock_get_current_domain(); @@ -1280,6 +1282,20 @@ static int hook_file_truncate(struct file *const file) return -EACCES; } +static int hook_file_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) +{ + /* + * It is the access rights at the time of opening the file which + * determine whether ioctl can be used on the opened file later. + * + * The access right is attached to the opened file in hook_file_open(). + */ + if (landlock_file(file)->allowed_access & LANDLOCK_ACCESS_FS_IOCTL) + return 0; + return -EACCES; +} + static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), 
@@ -1302,6 +1318,7 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security), LSM_HOOK_INIT(file_open, hook_file_open), LSM_HOOK_INIT(file_truncate, hook_file_truncate), + LSM_HOOK_INIT(file_ioctl, hook_file_ioctl), }; __init void landlock_add_fs_hooks(void) diff --git a/security/landlock/limits.h b/security/landlock/limits.h index 82288f0e9e5e..40d8f17698b6 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -18,7 +18,7 @@ #define LANDLOCK_MAX_NUM_LAYERS 16 #define LANDLOCK_MAX_NUM_RULES U32_MAX -#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_TRUNCATE +#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL #define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1) #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 83d565569512..09dd1eaac8a9 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c 
@@ -523,9 +523,10 @@ TEST_F_FORK(layout1, inval) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) -#define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE +#define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL #define ACCESS_ALL ( \ ACCESS_FILE | \

From patchwork Fri Jun 23 14:43:26 2023
X-Patchwork-Id: 13290762
Date: Fri, 23 Jun 2023 16:43:26 +0200
Message-Id: <20230623144329.136541-4-gnoack@google.com>
Subject: [PATCH v2 3/6] selftests/landlock: Test ioctl support
From: Günther Noack

Exercise the use of Landlock's ioctl restriction: If ioctl is restricted, the use of ioctl fails with a freshly opened /dev/tty file.
Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 62 ++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 09dd1eaac8a9..0f0899768fe7 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c
@@ -3732,6 +3732,68 @@ TEST(memfd_ftruncate) ASSERT_EQ(0, close(fd)); } +/* + * Invokes ioctl(2) and returns its errno or 0. + * The provided fd needs to be a tty for this to work. + */ +static int test_tty_ioctl(int fd) +{ + struct winsize ws; + + if (ioctl(fd, TIOCGWINSZ, &ws) < 0) + return errno; + return 0; +} + +/* + * Attempt ioctl on /dev/tty0 and /dev/tty1, + * with file descriptors opened before and after landlocking. + */ +TEST_F_FORK(layout0, ioctl) +{ + const struct rule rules[] = { + { + .path = "/dev/tty1", + .access = LANDLOCK_ACCESS_FS_IOCTL, + }, + /* Implicitly: No ioctl access on /dev/tty0. */ + {}, + }; + const __u64 handled = LANDLOCK_ACCESS_FS_IOCTL; + int ruleset_fd; + int old_tty0_fd, tty0_fd, tty1_fd; + + old_tty0_fd = open("/dev/tty0", O_RDWR); + ASSERT_LE(0, old_tty0_fd); + + /* Checks that ioctl works before landlocking. */ + EXPECT_EQ(0, test_tty_ioctl(old_tty0_fd)); + + /* Enable Landlock. */ + ruleset_fd = create_ruleset(_metadata, handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* Checks that ioctl with existing FD works after landlocking. */ + EXPECT_EQ(0, test_tty_ioctl(old_tty0_fd)); + + /* Checks that same ioctl fails when file is opened after landlocking. */ + tty0_fd = open("/dev/tty0", O_RDWR); + ASSERT_LE(0, tty0_fd); + EXPECT_EQ(EACCES, test_tty_ioctl(tty0_fd)); + + /* Checks that same ioctl fails when file is opened after landlocking. */ + tty1_fd = open("/dev/tty1", O_RDWR); + ASSERT_LE(0, tty1_fd); + EXPECT_EQ(0, test_tty_ioctl(tty1_fd)); + + /* Close all TTY file descriptors. 
*/ + ASSERT_EQ(0, close(old_tty0_fd)); + ASSERT_EQ(0, close(tty0_fd)); + ASSERT_EQ(0, close(tty1_fd)); +} + /* clang-format off */ FIXTURE(layout1_bind) {}; /* clang-format on */

From patchwork Fri Jun 23 14:43:27 2023
X-Patchwork-Id: 13290763
Date: Fri, 23 Jun 2023 16:43:27 +0200
Message-Id: <20230623144329.136541-5-gnoack@google.com>
Subject: [PATCH v2 4/6] selftests/landlock: Test ioctl with memfds
From: Günther Noack

Because the ioctl right is associated with the opened file, we expect that it will work with files which are opened by means other than open(2).
Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 0f0899768fe7..ebd93e895775 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c
@@ -3716,18 +3716,20 @@ TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes) ASSERT_EQ(0, close(socket_fds[1])); } -TEST(memfd_ftruncate) +TEST(memfd_ftruncate_and_ioctl) { - int fd; + int fd, n; fd = memfd_create("name", MFD_CLOEXEC); ASSERT_LE(0, fd); /* - * Checks that ftruncate is permitted on file descriptors that are - * created in ways other than open(2). + * Checks that operations associated with the opened file + * (ftruncate, ioctl) are permitted on file descriptors that + * are created in ways other than open(2). */ EXPECT_EQ(0, test_ftruncate(fd)); + EXPECT_EQ(0, ioctl(fd, FIONREAD, &n)); ASSERT_EQ(0, close(fd)); }

From patchwork Fri Jun 23 14:43:28 2023
X-Patchwork-Id: 13290764
Date: Fri, 23 Jun 2023 16:43:28 +0200
Message-Id: <20230623144329.136541-6-gnoack@google.com>
Subject: [PATCH v2 5/6] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL
From: Günther Noack

Add ioctl support to the Landlock sample tool. The ioctl right is grouped with the read-write rights in the sample tool, as some ioctl requests provide features that mutate state.
Signed-off-by: Günther Noack --- samples/landlock/sandboxer.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index e2056c8b902c..c70d96d15c70 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -77,7 +77,8 @@ static int parse_path(char *env_path, const char ***const path_list) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ @@ -162,11 +163,12 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd, LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ LANDLOCK_ACCESS_FS_MAKE_SYM | \ LANDLOCK_ACCESS_FS_REFER | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ -#define LANDLOCK_ABI_LAST 3 +#define LANDLOCK_ABI_LAST 4 int main(const int argc, char *const argv[], char *const *const envp) {
@@ -255,6 +257,10 @@ int main(const int argc, char *const argv[], char *const *const envp) case 2: /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + __attribute__((fallthrough)); + case 3: + /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 4 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL; fprintf(stderr, "Hint: You should update the running kernel " From patchwork Fri Jun 23 14:43:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13290765 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 08989EB64D7 for ; Fri, 23 Jun 2023 14:45:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232261AbjFWOpE (ORCPT ); Fri, 23 Jun 2023 10:45:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40692 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232290AbjFWOod (ORCPT ); Fri, 23 Jun 2023 10:44:33 -0400 Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com [IPv6:2607:f8b0:4864:20::114a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E34022D68 for ; Fri, 23 Jun 2023 07:43:55 -0700 (PDT) Received: by mail-yw1-x114a.google.com with SMTP id 00721157ae682-56ff7b4feefso9581157b3.0 for ; Fri, 23 Jun 2023 07:43:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1687531435; x=1690123435; h=content-transfer-encoding:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:from:to:cc:subject:date :message-id:reply-to; bh=Kdm54Rz+m33IoLUpgO0/e3RXUFPHZ/9x2zIzUzsArVc=; b=Kr3FDs0egiiiEEbnbbgw5lSNj+XGC+p9j3WLq8sOjyGZFkHbO55x3dyQF+46jtJChl 
Date: Fri, 23 Jun 2023 16:43:29 +0200 In-Reply-To: <20230623144329.136541-1-gnoack@google.com> Message-Id: <20230623144329.136541-7-gnoack@google.com> Mime-Version: 1.0 References: <20230623144329.136541-1-gnoack@google.com> X-Mailer: git-send-email 2.41.0.162.gfafddb0af9-goog Subject: [PATCH v2 6/6] landlock: Document ioctl support
From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Precedence: bulk List-ID: In the paragraph above the fallback logic, use the shorter phrasing from the landlock(7) man page. Signed-off-by: Günther Noack --- Documentation/userspace-api/landlock.rst | 52 ++++++++++++++++-------- 1 file changed, 35 insertions(+), 17 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index d8cd8cd9ce25..bff3b4a9df3d 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -61,18 +61,17 @@ the need to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER | - LANDLOCK_ACCESS_FS_TRUNCATE, + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL, }; Because we may not know on which kernel version an application will be executed, it is safer to follow a best-effort security approach. Indeed, we should try to protect users as much as possible whatever the kernel they are -using. To avoid binary enforcement (i.e. either all security features or -none), we can leverage a dedicated Landlock command to get the current version -of the Landlock ABI and adapt the handled accesses. Let's check if we should -remove the ``LANDLOCK_ACCESS_FS_REFER`` or ``LANDLOCK_ACCESS_FS_TRUNCATE`` -access rights, which are only supported starting with the second and third -version of the ABI. +using. + +To be compatible with older Linux versions, we detect the available Landlock ABI +version, and only use the available subset of access rights: .. code-block:: c 
@@ -92,6 +91,9 @@ version of the ABI. case 2: /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + case 3: + /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 4 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL; } This enables to create an inclusive ruleset that will contain our rules. @@ -190,6 +192,7 @@ access rights per directory enables to change the location of such directory without relying on the destination directory access rights (except those that are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER`` documentation). + Having self-sufficient hierarchies also helps to tighten the required access rights to the minimal set of data. This also helps avoid sinkhole directories, i.e. directories where data can be linked to but not linked from. However, 
@@ -283,18 +286,24 @@ It should also be noted that truncating files does not require the system call, this can also be done through :manpage:`open(2)` with the flags ``O_RDONLY | O_TRUNC``. -When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` -right is associated with the newly created file descriptor and will be used for -subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is -similar to opening a file for reading or writing, where permissions are checked -during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and +The truncate right is associated with the opened file (see below). + +Rights associated with file descriptors +--------------------------------------- + +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and +``LANDLOCK_ACCESS_FS_IOCTL`` rights is associated with the newly created file +descriptor and will be used for subsequent truncation and ioctl attempts using +:manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar to +opening a file for reading or writing, where permissions are checked during +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and :manpage:`write(2)` calls. -As a consequence, it is possible to have multiple open file descriptors for the -same file, where one grants the right to truncate the file and the other does -not. It is also possible to pass such file descriptors between processes, -keeping their Landlock properties, even when these processes do not have an -enforced Landlock ruleset. +As a consequence, it is possible to have multiple open file descriptors +referring to the same file, where one grants the truncate or ioctl right and the +other does not. It is also possible to pass such file descriptors between +processes, keeping their Landlock properties, even when these processes do not +have an enforced Landlock ruleset. Compatibility ============= 
@@ -451,6 +460,15 @@ always allowed when using a kernel that only supports the first or second ABI. Starting with the Landlock ABI version 3, it is now possible to securely control truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right. +Ioctl (ABI < 4) +--------------- + +Ioctl operations could not be denied before the fourth Landlock ABI, so ioctl is +always allowed when using a kernel that only supports an earlier ABI. + +Starting with the Landlock ABI version 4, it is possible to restrict the use of +ioctl using the new ``LANDLOCK_ACCESS_FS_IOCTL`` access right. + .. _kernel_support: Kernel support
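Review bot: LANDLOCK_ACCESS_FS_IOCTL is added only to the write-side mask in [PATCH v2 5/6], hunk @@ -162,11 +163,12 @@ of samples/landlock/sandboxer.c (the mask that also carries MAKE_BLOCK, MAKE_SYM, REFER and TRUNCATE), so on an ABI 4 kernel every hierarchy that is granted only the read-side rights loses ioctl altogether, including requests that merely query state. The commit message gives the reason for the grouping, but nothing in this diff updates the tool's user-facing text; please add a sentence there so that a user whose program fails on an ioctl under such a path knows the path has to be listed with the read-write rights.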
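Review bot: the new case 3 arm in [PATCH v2 5/6], hunk @@ -255,6 +257,10 @@, clears LANDLOCK_ACCESS_FS_IOCTL from ruleset_attr.handled_access_fs only, and the hunk does not show the per-path access masks being narrowed to match. Those masks now contain the IOCTL bit through the two macros extended earlier in this patch. Please confirm that they are intersected with handled_access_fs after the switch, because landlock_add_rule(2) returns EINVAL for a rule whose allowed_access is not a subset of the ruleset's handled accesses, and on an ABI 3 kernel that would turn the best-effort fallback into a hard failure.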
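Review bot: the replacement paragraph in [PATCH v2 6/6], hunk @@ -61,18 +61,17 @@ of Documentation/userspace-api/landlock.rst, drops the statement of which right arrived with which ABI version (REFER with the second, TRUNCATE with the third) and adds nothing for IOCTL and the fourth, so that mapping now lives only in the comments of the switch that follows. Please keep a one-line list of right and ABI version next to the new sentence. The new text also says "older Linux versions" while the code keys on the Landlock ABI version; using the same term in both places would avoid confusion.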
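Review bot: case 3 is added directly after the case 2 body in [PATCH v2 6/6], hunk @@ -92,6 +91,9 @@, with no fallthrough annotation, whereas the same change in samples/landlock/sandboxer.c (patch 5/6) inserts "__attribute__((fallthrough));" before case 3. Please add the annotation here too, so that the documented snippet matches the sample and does not trigger an implicit-fallthrough warning when it is copied into a project.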
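Review bot: the only change in [PATCH v2 6/6], hunk @@ -190,6 +192,7 @@, is an added blank line that splits an existing paragraph before "Having self-sufficient hierarchies"; it is unrelated to ioctl and is not mentioned in the commit message. Please drop it from this patch or send it as a separate cleanup.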
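Review bot: the new section "Rights associated with file descriptors" in [PATCH v2 6/6], hunk @@ -283,18 +286,24 @@, says the truncate and ioctl rights are fixed when the file is opened, but it does not spell out what that means for descriptors that already exist when the ruleset is enforced, such as inherited stdin, stdout and stderr. The text already states that descriptors keep their Landlock properties when passed between processes, so please add a sentence saying whether ioctl(2) on such pre-existing or received descriptors stays unrestricted; that is the case a sandbox author most needs to know about.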
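Review bot: the new "Ioctl (ABI < 4)" section in [PATCH v2 6/6], hunk @@ -451,6 +460,15 @@, does not say whether LANDLOCK_ACCESS_FS_IOCTL covers every ioctl(2) command on a file or only some of them. Since the right is a single bit, please state its granularity here, so that readers do not assume individual requests can be filtered. The commit message for this patch also describes only the rephrased paragraph; a line mentioning the two new documentation sections would help.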