From patchwork Mon Aug 14 17:28:12 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13353151
Date: Mon, 14 Aug 2023 19:28:12 +0200
In-Reply-To: <20230814172816.3907299-1-gnoack@google.com>
Message-Id: <20230814172816.3907299-2-gnoack@google.com>
Subject: [PATCH v3 1/5] landlock: Add ioctl access right
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel@vger.kernel.org, Günther Noack

Introduces the LANDLOCK_ACCESS_FS_IOCTL access right and increments the Landlock ABI version to 4.

Like the truncate right, these rights are associated with a file descriptor at the time of open(2), and get respected even when the file descriptor is used outside of the thread which it was originally opened in. A newly enabled Landlock policy therefore does not apply to file descriptors which are already open.

If a file was opened without the LANDLOCK_ACCESS_FS_IOCTL right, IOCTL attempts on the opened file will fail, except for a small number of common and harmless IOCTL commands (see documentation).

Noteworthy scenarios which require special attention:

TTY devices support IOCTLs like TIOCSTI and TIOCLINUX, which can be used to control shell processes on the same terminal which run at different privilege levels, which may make it possible to escape a sandbox. Because stdin, stdout and stderr are normally inherited rather than newly opened, IOCTLs are usually permitted on them even after the Landlock policy is enforced.

Some legitimate file system features, like setting up fscrypt, are exposed as IOCTL commands on regular files and directories -- users of Landlock are advised to double check that the sandboxed process does not require these IOCTLs.

Known limitations:

The LANDLOCK_ACCESS_FS_IOCTL access right is a coarse-grained control over IOCTL commands. Future work will enable a more fine-grained access control for IOCTLs. In the meantime, Landlock users may use path-based restrictions in combination with their knowledge about the file system layout to control what IOCTLs can be done.
Mounting file systems with the nodev option can help to distinguish regular files and devices, and give guarantees about the affected files, which Landlock alone can not give yet.

Signed-off-by: Günther Noack
---
 include/uapi/linux/landlock.h | 31 +++++++++++-----
 security/landlock/fs.c | 38 ++++++++++++++++++--
 security/landlock/limits.h | 2 +-
 security/landlock/syscalls.c | 2 +-
 tools/testing/selftests/landlock/base_test.c | 2 +-
 tools/testing/selftests/landlock/fs_test.c | 5 +--
 6 files changed, 65 insertions(+), 15 deletions(-)

diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 81d09ef9aa50..3c1d4f1e084d 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -92,7 +92,7 @@ struct landlock_path_beneath_attr { * files and directories. Files or directories opened before the sandboxing * are not subject to these restrictions. * - * A file can only receive these access rights: + * The following access rights apply only to files: * * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that 
@@ -102,12 +102,13 @@ struct landlock_path_beneath_attr { * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with - * ``O_TRUNC``. Whether an opened file can be truncated with - * :manpage:`ftruncate(2)` is determined during :manpage:`open(2)`, in the - * same way as read and write permissions are checked during - * :manpage:`open(2)` using %LANDLOCK_ACCESS_FS_READ_FILE and - * %LANDLOCK_ACCESS_FS_WRITE_FILE. This access right is available since the - * third version of the Landlock ABI. + * ``O_TRUNC``. This access right is available since the third version of the + * Landlock ABI. + * + * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used + * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as + * read and write permissions are checked during :manpage:`open(2)` using + * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE. * * A directory can receive access rights related to files or directories. The * following access right is applied to the directory itself, and the 
@@ -162,13 +163,26 @@ struct landlock_path_beneath_attr { * If multiple requirements are not met, the ``EACCES`` error code takes * precedence over ``EXDEV``. * + * The following access right applies both to files and directories: + * + * - %LANDLOCK_ACCESS_FS_IOCTL: Invoke :manpage:`ioctl(2)` commands on an opened + * file or directory. + * + * This access right applies to all :manpage:`ioctl(2)` commands, except of + * ``FIOCLEX``, ``FIONCLEX``, ``FIONBIO``, ``FIOASYNC`` and ``FIONREAD``. + * These commands continue to be invokable independent of the + * %LANDLOCK_ACCESS_FS_IOCTL access right. + * + * This access right is available since the fourth version of the Landlock + * ABI. + * * .. warning:: * * It is currently not possible to restrict some file-related actions * accessible through these syscall families: :manpage:`chdir(2)`, * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, - * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`. + * :manpage:`fcntl(2)`, :manpage:`access(2)`. * Future Landlock evolutions will enable to restrict them. */ /* clang-format off */ @@ -187,6 +201,7 @@ struct landlock_path_beneath_attr { #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#define LANDLOCK_ACCESS_FS_IOCTL (1ULL << 15) /* clang-format on */ #endif /* _UAPI_LINUX_LANDLOCK_H */ diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 1c0c198f6fdb..3b4a6263f5a9 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -7,6 +7,7 @@ * Copyright © 2021-2022 Microsoft Corporation */ +#include #include #include #include 
@@ -147,7 +148,8 @@ static struct landlock_object *get_inode_object(struct inode *const inode) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ /* @@ -1207,7 +1209,8 @@ static int hook_file_open(struct file *const file) { layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; access_mask_t open_access_request, full_access_request, allowed_access; - const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE; + const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL; const struct landlock_ruleset *const dom = landlock_get_current_domain(); @@ -1280,6 +1283,36 @@ static int hook_file_truncate(struct file *const file) return -EACCES; } +static int hook_file_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) +{ + /* + * These IOCTL commands are generally permitted with Landlock: FIOCLEX, + * FIONCLEX, FIONBIO and FIOASYNC manipulate the FD's close-on-exec and + * the file's buffered-IO and async flags. These operations are also + * available through fcntl(2). FIONREAD returns the number of + * immediately writable bytes. + */ + switch (cmd) { + case FIOCLEX: + case FIONCLEX: + case FIONBIO: + case FIOASYNC: + case FIONREAD: + return 0; + } + + /* + * It is the access rights at the time of opening the file which + * determine whether ioctl can be used on the opened file later. + * + * The access right is attached to the opened file in hook_file_open(). + */ + if (landlock_file(file)->allowed_access & LANDLOCK_ACCESS_FS_IOCTL) + return 0; + return -EACCES; +} + static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), 
@@ -1302,6 +1335,7 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security), LSM_HOOK_INIT(file_open, hook_file_open), LSM_HOOK_INIT(file_truncate, hook_file_truncate), + LSM_HOOK_INIT(file_ioctl, hook_file_ioctl), }; __init void landlock_add_fs_hooks(void) diff --git a/security/landlock/limits.h b/security/landlock/limits.h index 82288f0e9e5e..40d8f17698b6 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -18,7 +18,7 @@ #define LANDLOCK_MAX_NUM_LAYERS 16 #define LANDLOCK_MAX_NUM_RULES U32_MAX -#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_TRUNCATE +#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL #define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1) #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS) diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 245cc650a4dc..c70fc9e6fe9e 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -129,7 +129,7 @@ static const struct file_operations ruleset_fops = { .write = fop_dummy_write, }; -#define LANDLOCK_ABI_VERSION 3 +#define LANDLOCK_ABI_VERSION 4 /** * sys_landlock_create_ruleset - Create a new ruleset diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index 792c3f0a59b4..646f778dfb1e 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -75,7 +75,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(3, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(4, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 83d565569512..09dd1eaac8a9 100644 
--- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c 
@@ -523,9 +523,10 @@ TEST_F_FORK(layout1, inval) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) -#define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE +#define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL #define ACCESS_ALL ( \ ACCESS_FILE | \

From patchwork Mon Aug 14 17:28:13 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13353150
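Review bot: In patch 1/5, in the include/uapi/linux/landlock.h hunk at @@ -102, the new sentence writes `ioctl(2)` in plain backticks while every other syscall reference in the same comment block uses the :manpage:`ftruncate(2)` form; change it to :manpage:`ioctl(2)` so the rendered documentation links it like the rest.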
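Review bot: In patch 1/5, in the landlock.h hunk at @@ -162, "except of ``FIOCLEX``, ..." should read "except for". Since this list is exactly the set of commands a file without the right may still use, the paragraph should also state the outcome for every other command (the hook in security/landlock/fs.c returns -EACCES), rather than leaving readers to infer it from the implementation.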
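Review bot: In patch 1/5, the comment in the new hook_file_ioctl() in the security/landlock/fs.c hunk at @@ -1280 misdescribes two of the exempted commands: FIONBIO toggles non-blocking I/O (O_NONBLOCK), not a "buffered-IO" flag, and FIONREAD reports the number of bytes immediately readable, not writable. Suggested wording: "FIONCLEX, FIONBIO and FIOASYNC manipulate the FD's close-on-exec and the file's non-blocking and async flags" and "FIONREAD returns the number of immediately readable bytes". Because this switch is the allow-list that decides what an unprivileged opened file may still do, the comment justifying each entry should be exact.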
Date: Mon, 14 Aug 2023 19:28:13 +0200
In-Reply-To: <20230814172816.3907299-1-gnoack@google.com>
Message-Id: <20230814172816.3907299-3-gnoack@google.com>
Subject: [PATCH v3 2/5] selftests/landlock: Test ioctl support
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel@vger.kernel.org, Günther Noack

Exercises Landlock's IOCTL feature: If the LANDLOCK_ACCESS_FS_IOCTL right is restricted, the use of IOCTL fails with a freshly opened file. Irrespective of the LANDLOCK_ACCESS_FS_IOCTL right, IOCTL continues to work with a selected set of known harmless IOCTL commands.

Signed-off-by: Günther Noack
---
 tools/testing/selftests/landlock/fs_test.c | 96 +++++++++++++++++++++-
 1 file changed, 93 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 09dd1eaac8a9..456bd681091d 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -3329,7 +3329,7 @@ TEST_F_FORK(layout1, truncate_unhandled) LANDLOCK_ACCESS_FS_WRITE_FILE; int ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, handled, rules); ASSERT_LE(0, ruleset_fd); @@ -3412,7 +3412,7 @@ TEST_F_FORK(layout1, truncate) LANDLOCK_ACCESS_FS_TRUNCATE; int ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, handled, rules); ASSERT_LE(0, ruleset_fd); @@ -3639,7 +3639,7 @@ TEST_F_FORK(ftruncate, open_and_ftruncate) }; int fd, ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, variant->handled, rules); ASSERT_LE(0, ruleset_fd); enforce_ruleset(_metadata, ruleset_fd); 
@@ -3732,6 +3732,96 @@ TEST(memfd_ftruncate) ASSERT_EQ(0, close(fd)); } +/* Invokes the FIOQSIZE ioctl(2) and returns its errno or 0. */ +static int test_fioqsize_ioctl(int fd) +{ + loff_t size; + + if (ioctl(fd, FIOQSIZE, &size) < 0) + return errno; + return 0; +} + +/* + * Attempt ioctls on regular files, with file descriptors opened before and + * after landlocking. + */ +TEST_F_FORK(layout1, ioctl) +{ + const struct rule rules[] = { + { + .path = file1_s1d1, + .access = LANDLOCK_ACCESS_FS_IOCTL, + }, + { + .path = dir_s2d1, + .access = LANDLOCK_ACCESS_FS_IOCTL, + }, + {}, + }; + const __u64 handled = LANDLOCK_ACCESS_FS_IOCTL; + int ruleset_fd; + int dir_s1d1_fd, file1_s1d1_fd, dir_s2d1_fd; + + /* Enables Landlock. */ + ruleset_fd = create_ruleset(_metadata, handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + dir_s1d1_fd = open(dir_s1d1, O_RDONLY); + ASSERT_LE(0, dir_s1d1_fd); + file1_s1d1_fd = open(file1_s1d1, O_RDONLY); + ASSERT_LE(0, file1_s1d1_fd); + dir_s2d1_fd = open(dir_s2d1, O_RDONLY); + ASSERT_LE(0, dir_s2d1_fd); + + /* + * Checks that FIOQSIZE works on files where LANDLOCK_ACCESS_FS_IOCTL is + * permitted. + */ + EXPECT_EQ(EACCES, test_fioqsize_ioctl(dir_s1d1_fd)); + EXPECT_EQ(0, test_fioqsize_ioctl(file1_s1d1_fd)); + EXPECT_EQ(0, test_fioqsize_ioctl(dir_s2d1_fd)); + + /* Closes all file descriptors. */ + ASSERT_EQ(0, close(dir_s1d1_fd)); + ASSERT_EQ(0, close(file1_s1d1_fd)); + ASSERT_EQ(0, close(dir_s2d1_fd)); +} + +TEST_F_FORK(layout1, ioctl_always_allowed) +{ + struct landlock_ruleset_attr attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL, + }; + int ruleset_fd, fd; + int flag = 0; + int n; + + /* Enables Landlock. 
*/ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + fd = open(file1_s1d1, O_RDONLY); + ASSERT_LE(0, fd); + + /* Checks that the restrictable FIOQSIZE is restricted. */ + EXPECT_EQ(EACCES, test_fioqsize_ioctl(fd)); + + /* Checks that unrestrictable commands are unrestricted. */ + EXPECT_EQ(0, ioctl(fd, FIOCLEX)); + EXPECT_EQ(0, ioctl(fd, FIONCLEX)); + EXPECT_EQ(0, ioctl(fd, FIONBIO, &flag)); + EXPECT_EQ(0, ioctl(fd, FIOASYNC, &flag)); + EXPECT_EQ(0, ioctl(fd, FIONREAD, &n)); + EXPECT_EQ(0, n); + + ASSERT_EQ(0, close(fd)); +} + /* clang-format off */ FIXTURE(layout1_bind) {}; /* clang-format on */

From patchwork Mon Aug 14 17:28:14 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13353152
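Review bot: In patch 2/5, the three hunks at @@ -3329, @@ -3412 and @@ -3639 only change "Enable Landlock." to "Enables Landlock." in tests unrelated to ioctl; either drop them from this patch or move them to a separate comment-style cleanup so the ioctl test patch stays reviewable on its own.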
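Review bot: In patch 2/5, in the @@ -3732 hunk, the comment "Checks that FIOQSIZE works on files where LANDLOCK_ACCESS_FS_IOCTL is permitted" sits directly above EXPECT_EQ(EACCES, test_fioqsize_ioctl(dir_s1d1_fd)), which checks the opposite case; say "fails with EACCES where the right is not granted and succeeds where it is". In ioctl_always_allowed, EXPECT_EQ(0, n) after FIONREAD holds only while file1_s1d1 is empty, because FIONREAD on a regular file reports the bytes left to read; a comment stating that assumption (or dropping the check on n and keeping only the return-value check) keeps the test from breaking on a fixture change. Both tests use regular files and directories only, whereas patch 1/5's commit message motivates the right with TTY ioctls; a case on a device node, using a command outside the exempt list, would confirm the hook denies there as well.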
Date: Mon, 14 Aug 2023 19:28:14 +0200
In-Reply-To: <20230814172816.3907299-1-gnoack@google.com>
Message-Id:
<20230814172816.3907299-4-gnoack@google.com>
Subject: [PATCH v3 3/5] selftests/landlock: Test ioctl with memfds
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel@vger.kernel.org, Günther Noack

Because the ioctl right is associated with the opened file, we expect that it will work with files which are opened by means other than open(2).

Signed-off-by: Günther Noack
---
 tools/testing/selftests/landlock/fs_test.c | 50 +++++++++++++++-------
 1 file changed, 34 insertions(+), 16 deletions(-)

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 456bd681091d..4eb989d5ff39 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -3716,22 +3716,6 @@ TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes) ASSERT_EQ(0, close(socket_fds[1])); } -TEST(memfd_ftruncate) -{ - int fd; - - fd = memfd_create("name", MFD_CLOEXEC); - ASSERT_LE(0, fd); - - /* - * Checks that ftruncate is permitted on file descriptors that are - * created in ways other than open(2). - */ - EXPECT_EQ(0, test_ftruncate(fd)); - - ASSERT_EQ(0, close(fd)); -} - /* Invokes the FIOQSIZE ioctl(2) and returns its errno or 0. */ static int test_fioqsize_ioctl(int fd) { 
@@ -3742,6 +3726,40 @@ static int test_fioqsize_ioctl(int fd) return 0; } +TEST(memfd_ftruncate_and_ioctl) +{ + struct landlock_ruleset_attr attr = { + .handled_access_fs = ACCESS_ALL, + }; + int ruleset_fd, fd, i; + + /* + * We exercise the same test both with and without Landlock enabled, to + * ensure that it behaves the same in both cases. + */ + for (i = 0; i < 2; i++) { + /* Creates a new memfd. */ + fd = memfd_create("name", MFD_CLOEXEC); + ASSERT_LE(0, fd); + + /* + * Checks that operations associated with the opened file + * (ftruncate, ioctl) are permitted on file descriptors that are + * created in ways other than open(2). + */ + EXPECT_EQ(0, test_ftruncate(fd)); + EXPECT_EQ(0, test_fioqsize_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd) + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + } +} + /* * Attempt ioctls on regular files, with file descriptors opened before and * after landlocking. 
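Review bot: In patch 3/5, in the @@ -3742 hunk, the line "ASSERT_LE(0, ruleset_fd)" inside the for loop is missing its semicolon before "enforce_ruleset(_metadata, ruleset_fd);"; the kselftest ASSERT_* macros expand to a do { ... } while (0) block, so this will not compile. Separately, the loop enforces the ruleset again at the end of the second iteration, adding a layer no check observes; guard the enforcement with "if (i == 0)" or break after the checks on the last iteration so the test does exactly the "without, then with Landlock" sequence its comment describes.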
From patchwork Mon Aug 14 17:28:15 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13353153
Date: Mon, 14 Aug 2023 19:28:15 +0200
In-Reply-To: <20230814172816.3907299-1-gnoack@google.com>
Message-Id: <20230814172816.3907299-5-gnoack@google.com>
Subject: [PATCH v3 4/5] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel@vger.kernel.org, Günther Noack

Add ioctl support to the Landlock sample tool.

The ioctl right is grouped with the read-write rights in the sample tool, as some ioctl requests provide features that mutate state.

Signed-off-by: Günther Noack
---
 samples/landlock/sandboxer.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index e2056c8b902c..c70d96d15c70 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -77,7 +77,8 @@ static int parse_path(char *env_path, const char ***const path_list) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ @@ -162,11 +163,12 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd, LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ LANDLOCK_ACCESS_FS_MAKE_SYM | \ LANDLOCK_ACCESS_FS_REFER | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ -#define LANDLOCK_ABI_LAST 3 +#define LANDLOCK_ABI_LAST 4 int main(const int argc, char *const argv[], char *const *const envp) { 
@@ -255,6 +257,10 @@ int main(const int argc, char *const argv[], char *const *const envp) case 2: /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + __attribute__((fallthrough)); + case 3: + /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 4 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL; fprintf(stderr, "Hint: You should update the running kernel "
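Review bot: the reason for adding LANDLOCK_ACCESS_FS_IOCTL to the ACCESS_FILE group at @@ -77 (and to ACCESS_FS_ROUGHLY_WRITE at @@ -162) is stated only in the commit message; a short comment beside the macro, such as `/* ioctl is grouped with the write rights: some requests mutate state */`, would keep that reasoning where the next person editing these groups will see it, since the grouping decides which ioctl-capable files an LL_FS_RO sandbox can open.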
Date: Mon, 14 Aug 2023 19:28:16 +0200
In-Reply-To: <20230814172816.3907299-1-gnoack@google.com>
Message-Id: <20230814172816.3907299-6-gnoack@google.com>
Subject: [PATCH v3 5/5] landlock: Document ioctl support
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel@vger.kernel.org, Günther Noack

In the paragraph above the fallback logic, use the shorter phrasing from the landlock(7) man page.

Signed-off-by: Günther Noack
---
Documentation/userspace-api/landlock.rst | 74 ++++++++++++++++++------
1 file changed, 57 insertions(+), 17 deletions(-)

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index d8cd8cd9ce25..e0e35e474307 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -61,18 +61,17 @@ the need to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER | - LANDLOCK_ACCESS_FS_TRUNCATE, + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL, }; Because we may not know on which kernel version an application will be executed, it is safer to follow a best-effort security approach. Indeed, we should try to protect users as much as possible whatever the kernel they are -using. To avoid binary enforcement (i.e. either all security features or -none), we can leverage a dedicated Landlock command to get the current version -of the Landlock ABI and adapt the handled accesses. Let's check if we should -remove the ``LANDLOCK_ACCESS_FS_REFER`` or ``LANDLOCK_ACCESS_FS_TRUNCATE`` -access rights, which are only supported starting with the second and third -version of the ABI. +using. + +To be compatible with older Linux versions, we detect the available Landlock ABI +version, and only use the available subset of access rights: .. code-block:: c 
@@ -92,6 +91,9 @@ version of the ABI. case 2: /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + case 3: + /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 4 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL; } This enables to create an inclusive ruleset that will contain our rules. @@ -190,6 +192,7 @@ access rights per directory enables to change the location of such directory without relying on the destination directory access rights (except those that are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER`` documentation). + Having self-sufficient hierarchies also helps to tighten the required access rights to the minimal set of data. This also helps avoid sinkhole directories, i.e. directories where data can be linked to but not linked from. However, 
@@ -283,18 +286,24 @@ It should also be noted that truncating files does not require the system call, this can also be done through :manpage:`open(2)` with the flags ``O_RDONLY | O_TRUNC``. -When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` -right is associated with the newly created file descriptor and will be used for -subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is -similar to opening a file for reading or writing, where permissions are checked -during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and +The truncate right is associated with the opened file (see below). + +Rights associated with file descriptors +--------------------------------------- + +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and +``LANDLOCK_ACCESS_FS_IOCTL`` rights is associated with the newly created file +descriptor and will be used for subsequent truncation and ioctl attempts using +:manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar to +opening a file for reading or writing, where permissions are checked during +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and :manpage:`write(2)` calls. -As a consequence, it is possible to have multiple open file descriptors for the -same file, where one grants the right to truncate the file and the other does -not. It is also possible to pass such file descriptors between processes, -keeping their Landlock properties, even when these processes do not have an -enforced Landlock ruleset. +As a consequence, it is possible to have multiple open file descriptors +referring to the same file, where one grants the truncate or ioctl right and the +other does not. It is also possible to pass such file descriptors between +processes, keeping their Landlock properties, even when these processes do not +have an enforced Landlock ruleset. Compatibility ============= 
@@ -422,6 +431,27 @@ Memory usage Kernel memory allocated to create rulesets is accounted and can be restricted by the Documentation/admin-guide/cgroup-v1/memory.rst. +IOCTL support +------------- + +The ``LANDLOCK_ACCESS_FS_IOCTL`` access right restricts the use of +:manpage:`ioctl(2)`, but it only applies to newly opened files. This means +specifically that pre-existing file descriptors like STDIN, STDOUT and STDERR +are unaffected. + +Users should be aware that TTY devices have traditionally permitted to control +other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL +commands. It is therefore recommended to close inherited TTY file descriptors. +The :manpage:`isatty(3)` function checks whether a given file descriptor is a +TTY. + +Landlock's IOCTL support is coarse-grained at the moment, but may become more +fine-grained in the future. Until then, users are advised to establish the +guarantees that they need through the file hierarchy, by only permitting the +``LANDLOCK_ACCESS_FS_IOCTL`` right on files where it is really harmless. In +cases where you can control the mounts, the ``nodev`` mount option can help to +rule out that device files can be accessed. + Previous limitations ==================== @@ -451,6 +481,16 @@ always allowed when using a kernel that only supports the first or second ABI. Starting with the Landlock ABI version 3, it is now possible to securely control truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right. +Ioctl (ABI < 4) +--------------- + +IOCTL operations could not be denied before the fourth Landlock ABI, so +:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an +earlier ABI. + +Starting with the Landlock ABI version 4, it is possible to restrict the use of +:manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL`` access right. + .. _kernel_support: Kernel support
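Review bot: the new `case 3:` at @@ -92 falls through from `case 2:` without a `__attribute__((fallthrough));` marker, unlike the matching change to samples/landlock/sandboxer.c in patch 4/5 of this series, which adds the attribute before its `case 3:`; add the same line after the `~LANDLOCK_ACCESS_FS_TRUNCATE;` statement so that readers who copy the documented snippet do not get -Wimplicit-fallthrough warnings and the two copies stay in sync.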
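Review bot: the hunk at @@ -190 only inserts a blank line before "Having self-sufficient hierarchies", which is unrelated to ioctl documentation; either drop it from this patch or mention the whitespace fix in the commit message so the change is not a surprise to someone reading the log.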
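Review bot: in the "IOCTL support" section at @@ -422, "have traditionally permitted to control other processes" should read "have traditionally allowed controlling other processes", and the statement that pre-existing descriptors such as STDIN, STDOUT and STDERR are unaffected would be clearer with a cross-reference to the "Rights associated with file descriptors" section added at @@ -283, since that is where the open-time association that explains the behaviour is described.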