From patchwork Tue May 2 17:17:52 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13229196
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Günther Noack, Paul Moore, Konstantin Meskhidze
Subject: [RFC 1/4] landlock: Increment Landlock ABI version to 4
Date: Tue, 2 May 2023 19:17:52 +0200
Message-Id: <20230502171755.9788-2-gnoack3000@gmail.com>
In-Reply-To: <20230502171755.9788-1-gnoack3000@gmail.com>
References: <20230502171755.9788-1-gnoack3000@gmail.com>

Increment the Landlock ABI version in preparation for the ioctl feature.

Signed-off-by: Günther Noack --- security/landlock/syscalls.c | 2 +- tools/testing/selftests/landlock/base_test.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 245cc650a4d..c70fc9e6fe9 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -129,7 +129,7 @@ static const struct file_operations ruleset_fops = { .write = fop_dummy_write, }; -#define LANDLOCK_ABI_VERSION 3 +#define LANDLOCK_ABI_VERSION 4 /** * sys_landlock_create_ruleset - Create a new ruleset diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index 792c3f0a59b..646f778dfb1 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c 
@@ -75,7 +75,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(3, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(4, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, 

From patchwork Tue May 2 17:17:53 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13229198
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Günther Noack, Paul Moore, Konstantin Meskhidze
Subject: [RFC 2/4] landlock: Add LANDLOCK_ACCESS_FS_IOCTL access right
Date: Tue, 2 May 2023 19:17:53 +0200
Message-Id: <20230502171755.9788-3-gnoack3000@gmail.com>
In-Reply-To: <20230502171755.9788-1-gnoack3000@gmail.com>
References: <20230502171755.9788-1-gnoack3000@gmail.com>

Like the truncate right, this right is associated with a file descriptor at the time of open(2), and gets respected even when the file descriptor is used outside of the thread which it was originally created in. In particular, this happens for the commonly inherited file descriptors stdin, stdout and stderr, if these are bound to a tty. This means that programs using tty ioctls can drop the ioctl access right, but continue using these ioctls on the already opened input and output file descriptors.

Signed-off-by: Günther Noack --- include/uapi/linux/landlock.h | 19 ++++++++++++------- security/landlock/fs.c | 20 ++++++++++++++++++-- security/landlock/limits.h | 2 +- tools/testing/selftests/landlock/fs_test.c | 5 +++-- 4 files changed, 34 insertions(+), 12 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index f3223f96469..d87457a1c22 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h 
@@ -102,12 +102,16 @@ struct landlock_path_beneath_attr { * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with - * ``O_TRUNC``. Whether an opened file can be truncated with - * :manpage:`ftruncate(2)` is determined during :manpage:`open(2)`, in the - * same way as read and write permissions are checked during - * :manpage:`open(2)` using %LANDLOCK_ACCESS_FS_READ_FILE and - * %LANDLOCK_ACCESS_FS_WRITE_FILE. This access right is available since the - * third version of the Landlock ABI. + * ``O_TRUNC``. This access right is available since the third version of the + * Landlock ABI. + * - %LANDLOCK_ACCESS_FS_IOCTL: Invoke :manpage:`ioctl(2)` on the opened file. + * This access right is available since the fourth version of the Landlock + * ABI. + * + * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used + * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as + * read and write permissions are checked during :manpage:`open(2)` using + * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE. * * A directory can receive access rights related to files or directories. The * following access right is applied to the directory itself, and the @@ -152,7 +156,7 @@ struct landlock_path_beneath_attr { * accessible through these syscall families: :manpage:`chdir(2)`, * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, - * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`. + * :manpage:`fcntl(2)`, :manpage:`access(2)`. * Future Landlock evolutions will enable to restrict them. */ /* clang-format off */ 
@@ -171,6 +175,7 @@ struct landlock_path_beneath_attr { #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#define LANDLOCK_ACCESS_FS_IOCTL (1ULL << 15) /* clang-format on */ #endif /* _UAPI_LINUX_LANDLOCK_H */ diff --git a/security/landlock/fs.c b/security/landlock/fs.c index adcea0fe7e6..b13c765733c 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -147,7 +147,8 @@ static struct landlock_object *get_inode_object(struct inode *const inode) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ /* @@ -1207,7 +1208,8 @@ static int hook_file_open(struct file *const file) { layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; access_mask_t open_access_request, full_access_request, allowed_access; - const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE; + const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL; const struct landlock_ruleset *const dom = landlock_get_current_domain(); @@ -1280,6 +1282,19 @@ static int hook_file_truncate(struct file *const file) return -EACCES; } +static int hook_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) +{ + /* + * It is the access rights at the time of opening the file which + * determine whether ioctl can be used on the opened file later. + * + * The access right is attached to the opened file in hook_file_open(). + */ + if (landlock_file(file)->allowed_access & LANDLOCK_ACCESS_FS_IOCTL) + return 0; + return -EACCES; +} + static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), 
@@ -1302,6 +1317,7 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security), LSM_HOOK_INIT(file_open, hook_file_open), LSM_HOOK_INIT(file_truncate, hook_file_truncate), + LSM_HOOK_INIT(file_ioctl, hook_file_ioctl), }; __init void landlock_add_fs_hooks(void) diff --git a/security/landlock/limits.h b/security/landlock/limits.h index 82288f0e9e5..40d8f17698b 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -18,7 +18,7 @@ #define LANDLOCK_MAX_NUM_LAYERS 16 #define LANDLOCK_MAX_NUM_RULES U32_MAX -#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_TRUNCATE +#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL #define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1) #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index b6c4be3faf7..fdd7d439ce4 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c 
@@ -446,9 +446,10 @@ TEST_F_FORK(layout1, inval) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) -#define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE +#define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL #define ACCESS_ALL ( \ ACCESS_FILE | \ 

From patchwork Tue May 2 17:17:54 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13229199
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Günther Noack, Paul Moore, Konstantin Meskhidze
Subject: [RFC 3/4] selftests/landlock: Test ioctl support
Date: Tue, 2 May 2023 19:17:54 +0200
Message-Id: <20230502171755.9788-4-gnoack3000@gmail.com>
In-Reply-To: <20230502171755.9788-1-gnoack3000@gmail.com>
References: <20230502171755.9788-1-gnoack3000@gmail.com>

Exercise the use of Landlock's ioctl restriction: If ioctl is restricted, the use of ioctl fails with a freshly opened /dev/tty file.

Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 62 ++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index fdd7d439ce4..1f827604374 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c 
@@ -3655,6 +3655,68 @@ TEST(memfd_ftruncate) ASSERT_EQ(0, close(fd)); } +/* + * Invokes ioctl(2) and returns its errno or 0. + * The provided fd needs to be a tty for this to work. + */ +static int test_tty_ioctl(int fd) +{ + struct winsize ws; + + if (ioctl(fd, TIOCGWINSZ, &ws) < 0) + return errno; + return 0; +} + +/* + * Attempt ioctl on /dev/tty0 and /dev/tty1, + * with file descriptors opened before and after landlocking. + */ +TEST_F_FORK(layout1, ioctl) +{ + const struct rule rules[] = { + { + .path = "/dev/tty1", + .access = LANDLOCK_ACCESS_FS_IOCTL, + }, + /* Implicitly: No ioctl access on /dev/tty0. */ + {}, + }; + const __u64 handled = LANDLOCK_ACCESS_FS_IOCTL; + int ruleset_fd; + int old_tty0_fd, tty0_fd, tty1_fd; + + old_tty0_fd = open("/dev/tty0", O_RDWR); + ASSERT_LE(0, old_tty0_fd); + + /* Checks that ioctl works before landlocking. */ + EXPECT_EQ(0, test_tty_ioctl(old_tty0_fd)); + + /* Enable Landlock. */ + ruleset_fd = create_ruleset(_metadata, handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* Checks that ioctl with existing FD works after landlocking. */ + EXPECT_EQ(0, test_tty_ioctl(old_tty0_fd)); + + /* Checks that same ioctl fails when file is opened after landlocking. */ + tty0_fd = open("/dev/tty0", O_RDWR); + ASSERT_LE(0, tty0_fd); + EXPECT_EQ(EACCES, test_tty_ioctl(tty0_fd)); + + /* Checks that same ioctl fails when file is opened after landlocking. */ + tty1_fd = open("/dev/tty1", O_RDWR); + ASSERT_LE(0, tty1_fd); + EXPECT_EQ(0, test_tty_ioctl(tty1_fd)); + + /* Close all TTY file descriptors. 
*/ + ASSERT_EQ(0, close(old_tty0_fd)); + ASSERT_EQ(0, close(tty0_fd)); + ASSERT_EQ(0, close(tty1_fd)); +} + /* clang-format off */ FIXTURE(layout1_bind) {}; /* clang-format on */ 

From patchwork Tue May 2 17:17:55 2023
X-Patchwork-Submitter: Günther Noack
X-Patchwork-Id: 13229200
From: Günther Noack
To: linux-security-module@vger.kernel.org, Mickaël Salaün
Cc: Günther Noack, Paul Moore, Konstantin Meskhidze
Subject: [RFC 4/4] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL
Date: Tue, 2 May 2023 19:17:55 +0200
Message-Id: <20230502171755.9788-5-gnoack3000@gmail.com>
In-Reply-To: <20230502171755.9788-1-gnoack3000@gmail.com>
References: <20230502171755.9788-1-gnoack3000@gmail.com>

Add ioctl support to the Landlock sample tool. The ioctl right is grouped with the read-write rights in the sample tool, as some ioctl requests provide features that mutate state.

Signed-off-by: Günther Noack --- samples/landlock/sandboxer.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index e2056c8b902..c70d96d15c7 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -77,7 +77,8 @@ static int parse_path(char *env_path, const char ***const path_list) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ @@ -162,11 +163,12 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd, LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ LANDLOCK_ACCESS_FS_MAKE_SYM | \ LANDLOCK_ACCESS_FS_REFER | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL) /* clang-format on */ -#define LANDLOCK_ABI_LAST 3 +#define LANDLOCK_ABI_LAST 4 int main(const int argc, char *const argv[], char *const *const envp) { 
@@ -255,6 +257,10 @@ int main(const int argc, char *const argv[], char *const *const envp) case 2: /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; + __attribute__((fallthrough)); + case 3: + /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 4 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL; fprintf(stderr, "Hint: You should update the running kernel "
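
Review bot: with only [RFC 1/4] applied, LANDLOCK_ABI_VERSION in security/landlock/syscalls.c reports 4 although LANDLOCK_ACCESS_FS_IOCTL is only introduced by [RFC 2/4], so a kernel built at that commit advertises an ABI it does not implement. Fold the two one-line changes (the define and the ASSERT_EQ(4, ...) in base_test.c) into the patch that adds the access right, or move this patch after it, so the series stays bisectable.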
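
Review bot: in the new paragraph of the @@ -102,12 +102,16 @@ hunk of include/uapi/linux/landlock.h ([RFC 2/4]), `ioctl(2)` is written with plain backticks while every other syscall reference in this comment uses the :manpage: role; write :manpage:`ioctl(2)` so the generated documentation treats it the same way. The paragraph could also state what the commit message already says: descriptors opened before the ruleset was enforced, such as inherited stdin, stdout and stderr, keep their ioctl access.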
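
Review bot: hook_file_ioctl() in security/landlock/fs.c ([RFC 2/4]) ignores cmd and arg, so a file opened without LANDLOCK_ACCESS_FS_IOCTL gets -EACCES for every ioctl command. Please say in the LANDLOCK_ACCESS_FS_IOCTL entry of the UAPI comment that the right is all-or-nothing per opened file, or explain in the commit message why no command is exempt. Minor style point: the new hook takes struct file *file, where hook_file_truncate() just above takes struct file *const file.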
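
Review bot: in TEST_F_FORK(layout1, ioctl) ([RFC 3/4]), the comment above the /dev/tty1 open is a copy of the /dev/tty0 one ("Checks that same ioctl fails when file is opened after landlocking.") but the assertion that follows expects 0; reword it to say the ioctl succeeds because the rule grants LANDLOCK_ACCESS_FS_IOCTL on /dev/tty1. The test also asserts that /dev/tty0 and /dev/tty1 can be opened O_RDWR, while the commit message speaks of /dev/tty; where those devices are absent or not openable the ASSERT_LE(0, ...) lines abort the test, so consider skipping in that case or using a file the fixture itself provides.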