From patchwork Fri Apr 5 21:40:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619430 Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 88D01174EEA for ; Fri, 5 Apr 2024 21:41:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353272; cv=none; b=UN0UyoNuihHkaMA0axKgaZ/5giB+6N+nbeiGI8bRvXwf1XldT++UfUw5L4+s560xbjpHS3c9mSU+mEEDzS5PYLRpUdwECaemnY292fvQi1ygQLDmBdiWba22yFuFQ6tWdKrM2Is4Eq2lZO/JqDqFAfmTbXU+Sw9kOuZguz+yEKo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353272; c=relaxed/simple; bh=rfuLSAoxAdlMwMqf+SnAQnLHYITftcO5C8a85oncnfw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=RWeHKIMEMUnkVbiUYDooBLo5I6EJK5I5EnuJ+mmNzbowpS1DK2fvfFNMkt7zQP2Xd7/c9vD22o659BbifFX1X+Bf7hA3Lr8g40B96DdlIEKTkFeJm4qsOAXILR1mcs76b37/8AuE0TOcRdycWqGj4Bca2OHI1YKVMvuG/va5iHk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ij3wKDpQ; arc=none smtp.client-ip=209.85.208.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ij3wKDpQ" Received: by mail-ed1-f74.google.com with SMTP id 4fb4d7f45d1cf-56e41cde4b7so47768a12.1 for ; Fri, 05 Apr 2024 14:41:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353269; x=1712958069; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=bgpVwwJA3MRA3y75oko3ScmdG271fOGajLCK9HYUHOE=; b=ij3wKDpQSjbdh7EQNpsbZxecBWwKQeShMyXH+jd7e2XNxBZ5N+IA2CSyc1E4myooyo WbWhCkZMmkDDbqLyC0DxPTQsMlm13UItS7DH3A+3bjb0mJZvC+nz0j2AfoEGozI5nyy0 CZDolQeGu5xreTMKKPeYNdJ2QYWjSYRL8rHjFh+cFreEds+G6pGWmrZBtv0fnJo2EdDa aYH0xJpPmuFVdvKgIbD8Yv2z0pVUovJ0GSTvjGPsMCzPE2b8+OJ7GDZ+MIqVL3mEcfsE 5dbomu0u2PceScdz6G2LWDhxk3CIOodewOKdbEjf1y+/mHYDFwEEBhU1/1LR2QYD6hmK 18wg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353269; x=1712958069; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=bgpVwwJA3MRA3y75oko3ScmdG271fOGajLCK9HYUHOE=; b=k007oDSzuPPFPyw1BQgyU3PeFVZe6GInx2+/QPuURyJCUuBn/AjdY8Hf3kMT5ymjpF L/2drYNgUm8Odnvi+NGqdT1HX99fUs1Q6mV+ce9yCMTTbERhGmff7tZIC/FYmBMFO+bJ IiqZ6bCyhi2iZ+oTcs3V8s6balbFMuR2dTLQI0YwkhcAdUCuBxzccipbz4wYVBH+VY+U t/kPVO1fgHA6vhVgB86EhZI7NyWucbdmj0UDUY7CkUHObGKBvGmh80oL/zzTaM+MrGFf BvZoCG6eMZr8cb4RTjFoEIDju8wZ+LlRWWisVHiIAX/Qy6XEeB7AK8hBtPu41Ir6ngqX O9/w== X-Gm-Message-State: AOJu0Yy7RoWWtOyug0p64RWreG+RZo7MvlISOMzVPaLBWa3rIqvmPZ9A tmxQVc4Jsw/9aaLmMdoI5u2yxbAZjwIxXD8oZEJxMJrtWwbVlHdZFZ0vsgdcv05P4H0CjvRDPhw LwBm34ikOK/4Gsy5TpZiF5ptFxzG+CiaQ7eMHhFl/x2UOwHeGb0QLFMuxJvwNob5iAz+jvlEipl wvturFwmKToaZXzSSlc4H9SAFG3BCUhVQmGOnMgAjBlcG+VFc5mxJC X-Google-Smtp-Source: AGHT+IHkbB1/lpQMCZ+T3EoTISTLjUbfzEEhtyXSAqwnbQlBAsQnDVelSn77Kb6Gj2ka8UBRWJNxL5i6tes= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6402:370e:b0:56b:e571:8d40 with SMTP id ek14-20020a056402370e00b0056be5718d40mr3568edb.7.1712353268414; Fri, 05 Apr 2024 14:41:08 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:29 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-2-gnoack@google.com> Subject: [PATCH v14 01/12] fs: Return ENOTTY directly if FS_IOC_GETUUID or FS_IOC_GETFSSYSFSPATH fail From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " , Kent Overstreet , Christian Brauner , Jan Kara , Dave Chinner , "Darrick J . Wong" , "Theodore Ts'o" , Josef Bacik These IOCTL commands should be implemented by setting attributes on the superblock, rather than in the IOCTL hooks in struct file_operations. By returning -ENOTTY instead of -ENOIOCTLCMD, we instruct the fs/ioctl.c logic to return -ENOTTY immediately, rather than attempting to call f_op->unlocked_ioctl() or f_op->compat_ioctl() as a fallback. Why this is safe: Before this change, fs/ioctl.c would unsuccessfully attempt calling the IOCTL hooks, and then return -ENOTTY. By returning -ENOTTY directly, we return the same error code immediately, but save ourselves the fallback attempt. Motivation: This simplifies the logic for these IOCTL commands and lets us reason about the side effects of these IOCTLs more easily. It will be possible to permit these IOCTLs under LSM IOCTL policies, without having to worry about them getting dispatched to problematic device drivers (which sometimes do work before looking at the IOCTL command number). Link: https://lore.kernel.org/all/cnwpkeovzbumhprco7q2c2y6zxzmxfpwpwe3tyy6c3gg2szgqd@vfzjaw5v5imr/ Cc: Kent Overstreet Cc: Christian Brauner Cc: Jan Kara Cc: Dave Chinner Cc: Darrick J. Wong Cc: Theodore Ts'o Cc: Josef Bacik Signed-off-by: Günther Noack Acked-by: Kent Overstreet Acked-by: Mickaël Salaün --- fs/ioctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ioctl.c b/fs/ioctl.c index 1d5abfdf0f22..fb0628e680c4 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -769,7 +769,7 @@ static int ioctl_getfsuuid(struct file *file, void __user *argp) struct fsuuid2 u = { .len = sb->s_uuid_len, }; if (!sb->s_uuid_len) - return -ENOIOCTLCMD; + return -ENOTTY; memcpy(&u.uuid[0], &sb->s_uuid, sb->s_uuid_len); @@ -781,7 +781,7 @@ static int ioctl_get_fs_sysfs_path(struct file *file, void __user *argp) struct super_block *sb = file_inode(file)->i_sb; if (!strlen(sb->s_sysfs_name)) - return -ENOIOCTLCMD; + return -ENOTTY; struct fs_sysfs_path u = {}; From patchwork Fri Apr 5 21:40:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619431 Received: from mail-ej1-f74.google.com (mail-ej1-f74.google.com [209.85.218.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 51F39175557 for ; Fri, 5 Apr 2024 21:41:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353276; cv=none; b=nMIWrCOOge26D5OR3I0BF17yl3/F2veHfm6A7O3HpvymLsyMkiY9K7VKCJiACnzVef9dFozeYmq/nBgYRV7Xbn7ai9mC0IvPyv+TeBBWAFz8MsM/Lnw4vBQ+lhBjJ+bedmwBESys/Muydhu4JfEK7ZLEBYnKyVnIPxZF1/vajto= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353276; c=relaxed/simple; bh=XuBIkyWwbTtTyw6M5o6+QiYGw8z0vJIXI+0LylK4dZI=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=CUA4f3huIoarz8T2VMpHBRvuk896ihwQTMEFES3IE0cuiiWdj1QQD9k62hOVAlqS/MHA9dZFgXnOsx2kt2f0KfiHcgXDzd/sP8/InW2CFe2kXqJe9DXJ2DKK5ZyczeF1zIovEXIOUJ1M3pxWmaZsvBWUo1cjD0Vwv+qAm10vzxU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=kl3pP5aR; arc=none smtp.client-ip=209.85.218.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="kl3pP5aR" Received: by mail-ej1-f74.google.com with SMTP id a640c23a62f3a-a5193257fb7so120572066b.2 for ; Fri, 05 Apr 2024 14:41:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353272; x=1712958072; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=QFyUKhBygtgE4pYgKKMK5lI239GRM14OwFhWnA6nKf8=; b=kl3pP5aRHf198sp59VVoD/s8gmtgGgANHHiGPnqG2G+/F24A/mH4DVhYvyZejQI/Lj WtrBSb4NLwOUPGSwzrh0Q9RiB2ciUYRJOOf5XL7tltVMgShz40W8bBd1m3cedNWH7aR2 v3Ojm+FQhLRRKqDOod5niQdy/l+WQWux6ATXX0a2lKDdWZ0IW6c4ngOJ7nKvW+IRPmRi 3DK51tgK65sMdHeILZ4mmnG+vKFu1nIBb3o+SNcQ5ULfu1DKCHMg/XTuMLXFJOAwQAHK gDhmHiV1vQXviaoZTmaXpVdTkewUlm5EJ+FgVuDDZ13N+3F/Eiz5jUKGd/FkkfAbkxVs 4cBQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353272; x=1712958072; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=QFyUKhBygtgE4pYgKKMK5lI239GRM14OwFhWnA6nKf8=; b=O+ApSQjjaI4TZ5RTV/zuR5o/tRUHQWIZTQXfes6IjHTzkSp6AYYQIUE45GYgosY108 7Dy6IZJG8QeLj3k2tAhiFjLADmM0DGM4MH6U9EHUmkLYuzlpET40ptIR8W3LscROmRVc xWqnqi8CpOH4qb2nCUUdrs4dbd0tE0bD2QuUX+ECAyQwPeJWXbcjr764u9RrrHWefH9N 60IDfkxceBPbHJIzwQKAiXBA8PrFlzBNwmseN1Tkne9/U41KD5EuDTlyeT1H2TnG16wT L4f1jG2xzAWskrwodFKccIUeE1Y/Z1AOp5yGNbXROTQwmsAXdy6dUBTPdqFx/Wdisoq6 ppRQ== X-Gm-Message-State: AOJu0YzO8+qaqVUsWC/7ibZqHrNWt0AW3CU09DF+/AOhQYICbg2z4Su8 K8JnYdEMnJ8SCrf3JNVsQgXbsJzn/nGjEq/SaU28gpvlBF/KSgRXJEe6KxA36yL51Dqwwy2MKy8 lMf689liI5lTzA/8mGfsDaLYu2zgoR2w7eYVG8rypQ+j52ZP1HLiCvESB3nTFPpr593Gq4WS2yZ /ySiHgXE9Q7Lqu/wGEredb7tfnL/LvYXg7S1mHptwIb6MUo7DkdRhl X-Google-Smtp-Source: AGHT+IGf3/8eK6g5sM5NdvoAMYrM++pY+SALiClD49dEz17X4GvmHc1K63YbLKs0xekY0i5mDzBTq8V7mOA= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a17:906:6a13:b0:a4e:6489:388d with SMTP id qw19-20020a1709066a1300b00a4e6489388dmr3556ejc.4.1712353272260; Fri, 05 Apr 2024 14:41:12 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:30 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-3-gnoack@google.com> Subject: [PATCH v14 02/12] landlock: Add IOCTL access right for character and block devices From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " , Christian Brauner Introduces the LANDLOCK_ACCESS_FS_IOCTL_DEV right and increments the Landlock ABI version to 5. This access right applies to device-custom IOCTL commands when they are invoked on block or character device files. Like the truncate right, this right is associated with a file descriptor at the time of open(2), and gets respected even when the file descriptor is used outside of the thread which it was originally opened in. Therefore, a newly enabled Landlock policy does not apply to file descriptors which are already open. If the LANDLOCK_ACCESS_FS_IOCTL_DEV right is handled, only a small number of safe IOCTL commands will be permitted on newly opened device files. These include FIOCLEX, FIONCLEX, FIONBIO and FIOASYNC, as well as other IOCTL commands for regular files which are implemented in fs/ioctl.c. Noteworthy scenarios which require special attention: TTY devices are often passed into a process from the parent process, and so a newly enabled Landlock policy does not retroactively apply to them automatically. In the past, TTY devices have often supported IOCTL commands like TIOCSTI and some TIOCLINUX subcommands, which were letting callers control the TTY input buffer (and simulate keypresses). This should be restricted to CAP_SYS_ADMIN programs on modern kernels though. Known limitations: The LANDLOCK_ACCESS_FS_IOCTL_DEV access right is a coarse-grained control over IOCTL commands. Landlock users may use path-based restrictions in combination with their knowledge about the file system layout to control what IOCTLs can be done. Cc: Paul Moore Cc: Christian Brauner Cc: Arnd Bergmann Signed-off-by: Günther Noack --- include/uapi/linux/landlock.h | 38 +++- security/landlock/fs.c | 221 ++++++++++++++++++- security/landlock/limits.h | 2 +- security/landlock/syscalls.c | 8 +- tools/testing/selftests/landlock/base_test.c | 2 +- tools/testing/selftests/landlock/fs_test.c | 5 +- 6 files changed, 259 insertions(+), 17 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 25c8d7677539..68625e728f43 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -128,7 +128,7 @@ struct landlock_net_port_attr { * files and directories. Files or directories opened before the sandboxing * are not subject to these restrictions. * - * A file can only receive these access rights: + * The following access rights apply only to files: * * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that @@ -138,12 +138,13 @@ struct landlock_net_port_attr { * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with - * ``O_TRUNC``. Whether an opened file can be truncated with - * :manpage:`ftruncate(2)` is determined during :manpage:`open(2)`, in the - * same way as read and write permissions are checked during - * :manpage:`open(2)` using %LANDLOCK_ACCESS_FS_READ_FILE and - * %LANDLOCK_ACCESS_FS_WRITE_FILE. This access right is available since the - * third version of the Landlock ABI. + * ``O_TRUNC``. This access right is available since the third version of the + * Landlock ABI. + * + * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used + * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as + * read and write permissions are checked during :manpage:`open(2)` using + * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE. * * A directory can receive access rights related to files or directories. The * following access right is applied to the directory itself, and the @@ -198,13 +199,33 @@ struct landlock_net_port_attr { * If multiple requirements are not met, the ``EACCES`` error code takes * precedence over ``EXDEV``. * + * The following access right applies both to files and directories: + * + * - %LANDLOCK_ACCESS_FS_IOCTL_DEV: Invoke :manpage:`ioctl(2)` commands on an opened + * character or block device. + * + * This access right applies to all `ioctl(2)` commands implemented by device + * drivers. However, the following common IOCTL commands continue to be + * invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL_DEV right: + * + * * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``), + * * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``), + * * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``, + * ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``) + * * Some IOCTL commands which do not make sense when used with devices, but + * whose implementations are safe and return the right error codes + * (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``) + * + * This access right is available since the fifth version of the Landlock + * ABI. + * * .. warning:: * * It is currently not possible to restrict some file-related actions * accessible through these syscall families: :manpage:`chdir(2)`, * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, - * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`. + * :manpage:`fcntl(2)`, :manpage:`access(2)`. * Future Landlock evolutions will enable to restrict them. */ /* clang-format off */ @@ -223,6 +244,7 @@ struct landlock_net_port_attr { #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) /* clang-format on */ /** diff --git a/security/landlock/fs.c b/security/landlock/fs.c index c15559432d3d..b0857541d5e0 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -7,6 +7,7 @@ * Copyright © 2021-2022 Microsoft Corporation */ +#include #include #include #include @@ -14,6 +15,7 @@ #include #include #include +#include #include #include #include @@ -29,6 +31,7 @@ #include #include #include +#include #include #include "common.h" @@ -84,6 +87,158 @@ static const struct landlock_object_underops landlock_fs_underops = { .release = release_inode }; +/* IOCTL helpers */ + +/** + * is_masked_device_ioctl(): Determine whether an IOCTL command is always + * permitted with Landlock for device files. These commands can not be + * restricted on device files by enforcing a Landlock policy. + * + * @cmd: The IOCTL command that is supposed to be run. + * + * By default, any IOCTL on a device file requires the + * LANDLOCK_ACCESS_FS_IOCTL_DEV right. However, we blanket-permit some + * commands, if: + * + * 1. The command is implemented in fs/ioctl.c's do_vfs_ioctl(), + * not in f_ops->unlocked_ioctl() or f_ops->compat_ioctl(). + * + * 2. The command is harmless when invoked on devices. + * + * We also permit commands that do not make sense for devices, but where the + * do_vfs_ioctl() implementation returns a more conventional error code. + * + * Any new IOCTL commands that are implemented in fs/ioctl.c's do_vfs_ioctl() + * should be considered for inclusion here. + * + * Returns: true if the IOCTL @cmd can not be restricted with Landlock for + * device files. + */ +static __attribute_const__ bool is_masked_device_ioctl(const unsigned int cmd) +{ + switch (cmd) { + /* + * FIOCLEX, FIONCLEX, FIONBIO and FIOASYNC manipulate the FD's + * close-on-exec and the file's buffered-IO and async flags. These + * operations are also available through fcntl(2), and are + * unconditionally permitted in Landlock. + */ + case FIOCLEX: + case FIONCLEX: + case FIONBIO: + case FIOASYNC: + /* + * FIOQSIZE queries the size of a regular file, directory, or link. + * + * We still permit it, because it always returns -ENOTTY for + * other file types. + */ + case FIOQSIZE: + /* + * FIFREEZE and FITHAW freeze and thaw the file system which the + * given file belongs to. Requires CAP_SYS_ADMIN. + * + * These commands operate on the file system's superblock rather + * than on the file itself. The same operations can also be + * done through any other file or directory on the same file + * system, so it is safe to permit these. + */ + case FIFREEZE: + case FITHAW: + /* + * FS_IOC_FIEMAP queries information about the allocation of + * blocks within a file. + * + * This IOCTL command only makes sense for regular files and is + * not implemented by devices. It is harmless to permit. + */ + case FS_IOC_FIEMAP: + /* + * FIGETBSZ queries the file system's block size for a file or + * directory. + * + * This command operates on the file system's superblock rather + * than on the file itself. The same operation can also be done + * through any other file or directory on the same file system, + * so it is safe to permit it. + */ + case FIGETBSZ: + /* + * FICLONE, FICLONERANGE and FIDEDUPERANGE make files share + * their underlying storage ("reflink") between source and + * destination FDs, on file systems which support that. + * + * These IOCTL commands only apply to regular files + * and are harmless to permit for device files. + */ + case FICLONE: + case FICLONERANGE: + case FIDEDUPERANGE: + /* + * FIONREAD, FS_IOC_GETFLAGS, FS_IOC_SETFLAGS, FS_IOC_FSGETXATTR and + * FS_IOC_FSSETXATTR are forwarded to device implementations. + */ + + /* + * FS_IOC_GETFSUUID and FS_IOC_GETFSSYSFSPATH both operate on + * the file system superblock, not on the specific file, so + * these operations are available through any other file on the + * same file system as well. + */ + case FS_IOC_GETFSUUID: + case FS_IOC_GETFSSYSFSPATH: + return true; + + /* + * file_ioctl() commands (FIBMAP, FS_IOC_RESVSP, FS_IOC_RESVSP64, + * FS_IOC_UNRESVSP, FS_IOC_UNRESVSP64 and FS_IOC_ZERO_RANGE) are + * forwarded to device implementations, so not permitted. + */ + + /* Other commands are guarded by the access right. */ + default: + return false; + } +} + +/* + * is_masked_device_ioctl_compat - same as the helper above, but checking the + * "compat" IOCTL commands. + * + * The IOCTL commands with special handling in compat-mode should behave the + * same as their non-compat counterparts. + */ +static __attribute_const__ bool +is_masked_device_ioctl_compat(const unsigned int cmd) +{ + switch (cmd) { + /* FICLONE is permitted, same as in the non-compat variant. */ + case FICLONE: + return true; +#if defined(CONFIG_X86_64) + /* + * FS_IOC_RESVSP_32, FS_IOC_RESVSP64_32, FS_IOC_UNRESVSP_32, + * FS_IOC_UNRESVSP64_32, FS_IOC_ZERO_RANGE_32: not blanket-permitted, + * for consistency with their non-compat variants. + */ + case FS_IOC_RESVSP_32: + case FS_IOC_RESVSP64_32: + case FS_IOC_UNRESVSP_32: + case FS_IOC_UNRESVSP64_32: + case FS_IOC_ZERO_RANGE_32: +#endif + /* + * FS_IOC32_GETFLAGS, FS_IOC32_SETFLAGS are forwarded to their device + * implementations. + */ + case FS_IOC32_GETFLAGS: + case FS_IOC32_SETFLAGS: + return false; + default: + return is_masked_device_ioctl(cmd); + } +} + /* Ruleset management */ static struct landlock_object *get_inode_object(struct inode *const inode) @@ -148,7 +303,8 @@ static struct landlock_object *get_inode_object(struct inode *const inode) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) /* clang-format on */ /* @@ -1332,11 +1488,18 @@ static int hook_file_alloc_security(struct file *const file) return 0; } +static bool is_device(const struct file *const file) +{ + const struct inode *inode = file_inode(file); + + return S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode); +} + static int hook_file_open(struct file *const file) { layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; - access_mask_t open_access_request, full_access_request, allowed_access; - const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE; + access_mask_t open_access_request, full_access_request, allowed_access, + optional_access; const struct landlock_ruleset *const dom = get_fs_domain(landlock_cred(file->f_cred)->domain); @@ -1354,6 +1517,10 @@ static int hook_file_open(struct file *const file) * We look up more access than what we immediately need for open(), so * that we can later authorize operations on opened files. */ + optional_access = LANDLOCK_ACCESS_FS_TRUNCATE; + if (is_device(file)) + optional_access |= LANDLOCK_ACCESS_FS_IOCTL_DEV; + full_access_request = open_access_request | optional_access; if (is_access_to_paths_allowed( @@ -1410,6 +1577,52 @@ static int hook_file_truncate(struct file *const file) return -EACCES; } +static int hook_file_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) +{ + access_mask_t allowed_access = landlock_file(file)->allowed_access; + + /* + * It is the access rights at the time of opening the file which + * determine whether IOCTL can be used on the opened file later. + * + * The access right is attached to the opened file in hook_file_open(). + */ + if (allowed_access & LANDLOCK_ACCESS_FS_IOCTL_DEV) + return 0; + + if (!is_device(file)) + return 0; + + if (is_masked_device_ioctl(cmd)) + return 0; + + return -EACCES; +} + +static int hook_file_ioctl_compat(struct file *file, unsigned int cmd, + unsigned long arg) +{ + access_mask_t allowed_access = landlock_file(file)->allowed_access; + + /* + * It is the access rights at the time of opening the file which + * determine whether IOCTL can be used on the opened file later. + * + * The access right is attached to the opened file in hook_file_open(). + */ + if (allowed_access & LANDLOCK_ACCESS_FS_IOCTL_DEV) + return 0; + + if (!is_device(file)) + return 0; + + if (is_masked_device_ioctl_compat(cmd)) + return 0; + + return -EACCES; +} + static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), @@ -1432,6 +1645,8 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security), LSM_HOOK_INIT(file_open, hook_file_open), LSM_HOOK_INIT(file_truncate, hook_file_truncate), + LSM_HOOK_INIT(file_ioctl, hook_file_ioctl), + LSM_HOOK_INIT(file_ioctl_compat, hook_file_ioctl_compat), }; __init void landlock_add_fs_hooks(void) diff --git a/security/landlock/limits.h b/security/landlock/limits.h index 93c9c6f91556..20fdb5ff3514 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -18,7 +18,7 @@ #define LANDLOCK_MAX_NUM_LAYERS 16 #define LANDLOCK_MAX_NUM_RULES U32_MAX -#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_TRUNCATE +#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL_DEV #define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1) #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS) #define LANDLOCK_SHIFT_ACCESS_FS 0 diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 6788e73b6681..9ae3dfa47443 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -149,7 +149,7 @@ static const struct file_operations ruleset_fops = { .write = fop_dummy_write, }; -#define LANDLOCK_ABI_VERSION 4 +#define LANDLOCK_ABI_VERSION 5 /** * sys_landlock_create_ruleset - Create a new ruleset @@ -321,7 +321,11 @@ static int add_rule_path_beneath(struct landlock_ruleset *const ruleset, if (!path_beneath_attr.allowed_access) return -ENOMSG; - /* Checks that allowed_access matches the @ruleset constraints. */ + /* + * Checks that allowed_access matches the @ruleset constraints and only + * consists of publicly visible access rights (as opposed to synthetic + * ones). + */ mask = landlock_get_raw_fs_access_mask(ruleset, 0); if ((path_beneath_attr.allowed_access | mask) != mask) return -EINVAL; diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index a6f89aaea77d..3c1e9f35b531 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -75,7 +75,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(4, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(5, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 9a6036fbf289..418ad745a5dd 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -529,9 +529,10 @@ TEST_F_FORK(layout1, inval) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) -#define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE +#define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL_DEV #define ACCESS_ALL ( \ ACCESS_FILE | \ From patchwork Fri Apr 5 21:40:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619432 Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 624ED17555A for ; Fri, 5 Apr 2024 21:41:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353278; cv=none; b=pq7WleB3F7pJr2NkMFdZ5vV+XTBn8dG2WFmS1BedVFQipc8kjW+nerNhp3jksZmJP/shwgsEp5i0pEvDO9vftQcgfFyZdxcYHA7kOr7os22FPrrS6VzNBAwdhJ6KHQk4Fa/ZG/aRlQlvyMq6DSdJmsV1F4PcvjqKPIP4805MW9I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353278; c=relaxed/simple; bh=Sum4EMToXj/OKtXUcDUkLaOTfYyFqAnqoxL7KhbOZtQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=sA/6ULyqyHHzCpG85RTNKubjxzTO5sLz6V3g1KBQ2pTRArdZKtbIaCYGCRvO1DaVf23OS7UKEPyIukElFKkM++KRLybYrt2XKSlG8PHLfDRj9RSTKIFog1l4rdSdLCbSD0rqI35S5lDRWn9qQ6c9hzBDufOIO2Yd7OjkgYbckbs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=le0P1/59; arc=none smtp.client-ip=209.85.208.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="le0P1/59" Received: by mail-ed1-f74.google.com with SMTP id 4fb4d7f45d1cf-558aafe9bf2so2091217a12.1 for ; Fri, 05 Apr 2024 14:41:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353275; x=1712958075; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=Aofx+t608hkJDSbgJreaC1UFvhMHU/jfKZpHBV0ifF8=; b=le0P1/59pzyNC//ihogwu8nSuYd/OTVtYjRD1DZFyuqyC+GqTJg05kd1vNbOqRfYhp t1E5FJfjJvKF9N2EpNq+vv9YRCwnYzrkNMfgUgboPwESBjGZrURdJqsmDQxWdMt6DSRC u5SY+EaL85G80WLxf8d0/bGx0jLC4qCuGqZkHOhM0iRrupE5e/404IdloiakyiTwGTBq DyjamtlsAobG5La6seS8eifJCAwbu502SKBVwSH3kgXNfOGKhKYJ2P0Wlb6XVNqEwDRX r3uN9Om3BxOUceDSLmG45A6Xvtc+9ixettn7nfsPxc/Lu/Ziew0iHrz+FfthdkNjnkZ+ XoJA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353275; x=1712958075; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=Aofx+t608hkJDSbgJreaC1UFvhMHU/jfKZpHBV0ifF8=; b=kmWLe8MYON6O7nTA4h22s4II6tNc7dsMdybHggfTtLgQzu62bX4Rbs7IH1URMj4SFB paJP6/jLfwW7QCIvAsjveP0ig1vO3t7GrbV8pW1BE9J95/Kkw8EnB60xlnCdCiJhO6h/ XnnqHaDUB2va8gB2nfY6pzLU+wubVmlGBMlPfnjAVJCa9SRycTiS2srN+ENnDx+2BYBO gKA3nsOIqhaiy1iB2xaqcf8e/Z/d9h0Ht6vq35PGnhtVamuoMyAe1gJAlagp6+u2NbzA viOelfQReHm5DkATDTVeGpdztYv375dQ8E6A7PuQDqoRwWT7WWpCEDGHWsYPQqRFdwO5 Ss7Q== X-Gm-Message-State: AOJu0YzGXQCplGRJWTU8IUc6rPPz9qbunwdz+gyISkk1OijYpA2IVdPe cvKrJJIrw5kzZrp1Gzm61vh8nNHs7yHF7DrqXfoGD1lpH+yRjpj6jmb/y49WN3qrk+3ewp3VvhF A/glL44TEZs2aXGEw5AS+Yq2RsuWaflq4frAUPqWRIAH1ygGZbSu+zvQ5N++FKUhSVl+gxWiWKB JlaB6Io36hbZl3gBCUKQald7ybhFyY1W9K5FcBMld3YFu4c2b3HA3n X-Google-Smtp-Source: AGHT+IGxjy6XrGMyavG+XiOc2sbD3JYzVW80Y9PbADM1gGdwDlRngpPHRsrHLQ8vV5V0dy+NKImSpzD8YV0= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6402:5296:b0:56e:c25:6cb2 with SMTP id en22-20020a056402529600b0056e0c256cb2mr4132edb.4.1712353274740; Fri, 05 Apr 2024 14:41:14 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:31 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-4-gnoack@google.com> Subject: [PATCH v14 03/12] selftests/landlock: Test IOCTL support From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Exercises Landlock's IOCTL feature in different combinations of handling and permitting the LANDLOCK_ACCESS_FS_IOCTL_DEV right, and in different combinations of using files and directories. Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 227 ++++++++++++++++++++- 1 file changed, 224 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 418ad745a5dd..8a72e26d4977 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -8,6 +8,7 @@ */ #define _GNU_SOURCE +#include #include #include #include @@ -15,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -23,6 +25,12 @@ #include #include +/* + * Intentionally included last to work around header conflict. + * See https://sourceware.org/glibc/wiki/Synchronizing_Headers. + */ +#include + #include "common.h" #ifndef renameat2 @@ -737,6 +745,9 @@ static int create_ruleset(struct __test_metadata *const _metadata, } for (i = 0; rules[i].path; i++) { + if (!rules[i].access) + continue; + add_path_beneath(_metadata, ruleset_fd, rules[i].access, rules[i].path); } @@ -3445,7 +3456,7 @@ TEST_F_FORK(layout1, truncate_unhandled) LANDLOCK_ACCESS_FS_WRITE_FILE; int ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, handled, rules); ASSERT_LE(0, ruleset_fd); @@ -3528,7 +3539,7 @@ TEST_F_FORK(layout1, truncate) LANDLOCK_ACCESS_FS_TRUNCATE; int ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, handled, rules); ASSERT_LE(0, ruleset_fd); @@ -3754,7 +3765,7 @@ TEST_F_FORK(ftruncate, open_and_ftruncate) }; int fd, ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, variant->handled, rules); ASSERT_LE(0, ruleset_fd); enforce_ruleset(_metadata, ruleset_fd); @@ -3831,6 +3842,16 @@ TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes) ASSERT_EQ(0, close(socket_fds[1])); } +/* Invokes the FS_IOC_GETFLAGS IOCTL and returns its errno or 0. */ +static int test_fs_ioc_getflags_ioctl(int fd) +{ + uint32_t flags; + + if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0) + return errno; + return 0; +} + TEST(memfd_ftruncate) { int fd; @@ -3847,6 +3868,206 @@ TEST(memfd_ftruncate) ASSERT_EQ(0, close(fd)); } +static int test_fionread_ioctl(int fd) +{ + size_t sz = 0; + + if (ioctl(fd, FIONREAD, &sz) < 0 && errno == EACCES) + return errno; + return 0; +} + +/* clang-format off */ +FIXTURE(ioctl) {}; + +FIXTURE_SETUP(ioctl) {}; + +FIXTURE_TEARDOWN(ioctl) {}; +/* clang-format on */ + +FIXTURE_VARIANT(ioctl) +{ + const __u64 handled; + const __u64 allowed; + const mode_t open_mode; + /* + * TCGETS is used as a characteristic device-specific IOCTL command. + * The logic is the same for other IOCTL commands as well. + */ + const int expected_tcgets_result; /* terminal device IOCTL */ + /* + * FIONREAD is implemented in fs/ioctl.c for regular files, + * but we do not blanket-permit it for devices. + */ + const int expected_fionread_result; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_none) { + /* clang-format on */ + .handled = LANDLOCK_ACCESS_FS_IOCTL_DEV, + .allowed = 0, + .open_mode = O_RDWR, + .expected_tcgets_result = EACCES, + .expected_fionread_result = EACCES, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_i) { + /* clang-format on */ + .handled = LANDLOCK_ACCESS_FS_IOCTL_DEV, + .allowed = LANDLOCK_ACCESS_FS_IOCTL_DEV, + .open_mode = O_RDWR, + .expected_tcgets_result = 0, + .expected_fionread_result = 0, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(ioctl, unhandled) { + /* clang-format on */ + .handled = LANDLOCK_ACCESS_FS_EXECUTE, + .allowed = LANDLOCK_ACCESS_FS_EXECUTE, + .open_mode = O_RDWR, + .expected_tcgets_result = 0, + .expected_fionread_result = 0, +}; + +static int test_tcgets_ioctl(int fd) +{ + struct termios info; + + if (ioctl(fd, TCGETS, &info) < 0) + return errno; + return 0; +} + +TEST_F_FORK(ioctl, handle_dir_access_file) +{ + const int flag = 0; + const struct rule rules[] = { + { + .path = "/dev", + .access = variant->allowed, + }, + {}, + }; + int file_fd, ruleset_fd; + + /* Enables Landlock. */ + ruleset_fd = create_ruleset(_metadata, variant->handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + file_fd = open("/dev/tty", variant->open_mode); + ASSERT_LE(0, file_fd); + + /* Checks that IOCTL commands return the expected errors. */ + EXPECT_EQ(variant->expected_tcgets_result, test_tcgets_ioctl(file_fd)); + EXPECT_EQ(variant->expected_fionread_result, + test_fionread_ioctl(file_fd)); + + /* Checks that unrestrictable commands are unrestricted. */ + EXPECT_EQ(0, ioctl(file_fd, FIOCLEX)); + EXPECT_EQ(0, ioctl(file_fd, FIONCLEX)); + EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag)); + EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag)); + EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag)); + + ASSERT_EQ(0, close(file_fd)); +} + +TEST_F_FORK(ioctl, handle_dir_access_dir) +{ + const int flag = 0; + const struct rule rules[] = { + { + .path = "/dev", + .access = variant->allowed, + }, + {}, + }; + int dir_fd, ruleset_fd; + + /* Enables Landlock. */ + ruleset_fd = create_ruleset(_metadata, variant->handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* + * Ignore variant->open_mode for this test, as we intend to open a + * directory. If the directory can not be opened, the variant is + * infeasible to test with an opened directory. + */ + dir_fd = open("/dev", O_RDONLY); + if (dir_fd < 0) + return; + + /* + * Checks that IOCTL commands return the expected errors. + * We do not use the expected values from the fixture here. + * + * When using IOCTL on a directory, no Landlock restrictions apply. + * TCGETS will fail anyway because it is not invoked on a TTY device. + */ + EXPECT_EQ(ENOTTY, test_tcgets_ioctl(dir_fd)); + EXPECT_EQ(0, test_fionread_ioctl(dir_fd)); + + /* Checks that unrestrictable commands are unrestricted. */ + EXPECT_EQ(0, ioctl(dir_fd, FIOCLEX)); + EXPECT_EQ(0, ioctl(dir_fd, FIONCLEX)); + EXPECT_EQ(0, ioctl(dir_fd, FIONBIO, &flag)); + EXPECT_EQ(0, ioctl(dir_fd, FIOASYNC, &flag)); + EXPECT_EQ(0, ioctl(dir_fd, FIGETBSZ, &flag)); + + ASSERT_EQ(0, close(dir_fd)); +} + +TEST_F_FORK(ioctl, handle_file_access_file) +{ + const int flag = 0; + const struct rule rules[] = { + { + .path = "/dev/tty0", + .access = variant->allowed, + }, + {}, + }; + int file_fd, ruleset_fd; + + if (variant->allowed & LANDLOCK_ACCESS_FS_READ_DIR) { + SKIP(return, "LANDLOCK_ACCESS_FS_READ_DIR " + "can not be granted on files"); + } + + /* Enables Landlock. */ + ruleset_fd = create_ruleset(_metadata, variant->handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + file_fd = open("/dev/tty0", variant->open_mode); + ASSERT_LE(0, file_fd) + { + TH_LOG("Failed to open /dev/tty0: %s", strerror(errno)); + } + + /* Checks that IOCTL commands return the expected errors. */ + EXPECT_EQ(variant->expected_tcgets_result, test_tcgets_ioctl(file_fd)); + EXPECT_EQ(variant->expected_fionread_result, + test_fionread_ioctl(file_fd)); + + /* Checks that unrestrictable commands are unrestricted. */ + EXPECT_EQ(0, ioctl(file_fd, FIOCLEX)); + EXPECT_EQ(0, ioctl(file_fd, FIONCLEX)); + EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag)); + EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag)); + EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag)); + + ASSERT_EQ(0, close(file_fd)); +} + /* clang-format off */ FIXTURE(layout1_bind) {}; /* clang-format on */ From patchwork Fri Apr 5 21:40:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619433 Received: from mail-ej1-f73.google.com (mail-ej1-f73.google.com [209.85.218.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D4338175569 for ; Fri, 5 Apr 2024 21:41:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353280; cv=none; b=AVhjFL9v8wcqvCzwfm+/F0Q/uuBk1bKp3lBjEsleaokxjVfT5C+6s+Ou52jXpaM2xnNXfHxqoFVd2N4hp+Qv8EVVgrWRQ2nqNByGMS1igsX49SY8PaToVUt3y4eqrkR7YP6JZ4MSATivbPFQRxra4EwjC/pwUjMlLDqG+6dCdYU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353280; c=relaxed/simple; bh=mTGd0atLVM8A70V3jLnT5qjUJDUe0jZM2W1J5PkVDac=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=QAzVhsBX7yUAuEQC+4Q7x2HL9Z0AW5zwHKCYfVP6Uk8gRx4qyNIyUyB4mD1XP6ozJsl5IagYyd7OpvbLZxaHjBvTKQQ/+Zf6fnaIECb/P1Aq3h65mEtECyWHJ/IZegrBXxuV1x1bNG/2NFlqMIrrJun/EugSxZlT/GERDGT+3Eg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Pr3V5wGG; arc=none smtp.client-ip=209.85.218.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Pr3V5wGG" Received: by mail-ej1-f73.google.com with SMTP id a640c23a62f3a-a51a1c8d979so16884466b.2 for ; Fri, 05 Apr 2024 14:41:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353277; x=1712958077; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=sQsxKlrfUUBg5XpcWZn3PX2WqaAgMSpXIdj6//RRCTY=; b=Pr3V5wGGzvCYBT0cGjvHsAnx8SBaEpKu/NVbrIleH1Sy31y/BglNewgzmvuZCwCXEy k/30XjYKyd7e+hUS033wpxw7O9JKyZ0XL6HNOyMXA14KX5oOUsUJrGRhNNtJa2ffXAAT 0U3q9npxpGH1M6wYBCpoBUodoPK6oqKVIj6EufYetOA8P/zA4NZU2tRDxj5cqXYo/1ch fjxFSFz7rRhFVK+/p89wweDPQsroqs7yWhfAXse+BYS5FrYCo9Mb9kcJ7bRJyM+qkPEt 2p4vv0krtlW4gUObQVKpJ4tbWB/IP3qCs+xeDSrm/z2IelMqR9O/ZZASbOSozFJ9HrHI V0rQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353277; x=1712958077; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=sQsxKlrfUUBg5XpcWZn3PX2WqaAgMSpXIdj6//RRCTY=; b=ZITUlCWteiC4OMoBl5uNnl93JNgYdXkTEMZXnyzNQOawi3TMzO+PDKfVYonVKe6wgF OC0sIOO7KmFdGilmeGUuCrU1khZuuTIlWQd4yki9CRxq0zb9E99eiwbGU/BLoomtgGVs IpCzcUMZwEvHzG0TV9V9oBLoqTyVkirHf+XiJORGVyssNvR+/5vwpJyooKp4V56YVEYG rYDMbfM3Lo67iNWMu1wn/tiBIH3Q+0dTHYp9ja+wLStWEUd1l2imiy4OLZQklbZYHtH3 Wn+YYKrDGW6ip98bzZfm7jMdTsOHRagJJBhgYvnEMRsU2eoQsXEsRPwrbVqdHKTbdaoq J49A== X-Gm-Message-State: AOJu0YxkPvZxJho4xEY/JRuK9zKBqCcbFiZScKvSAk0JmcTashMzD9Su 235WsT19daB+YsY/hKckQnBGxHbEKCVPnhjXl3RXkOCGSEq37XYQ6o2vDzxBfgPjAcRX13NQQt4 4FOCS/qoBwPAmc7ReU3kKs5OkkPsEirH3BahUSx5ZMEwglz59JN1tcBkiosThnx1HFzdDr+ugR4 aA+Ug9TClAfRSgAO5Yieo6CZ6Hb98BJE67GIUPC9mTSNWhfQtR3Wu+ X-Google-Smtp-Source: AGHT+IHc7ZnRf9A4OQGK/czqVVD9KSBBMChv4wWI41HPw7YFWsTFeHHYpppwlobrqfsWzdUXKh92rqCxbMc= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a17:907:77d2:b0:a51:9148:1938 with SMTP id kz18-20020a17090777d200b00a5191481938mr3232ejc.15.1712353276946; Fri, 05 Apr 2024 14:41:16 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:32 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-5-gnoack@google.com> Subject: [PATCH v14 04/12] selftests/landlock: Test IOCTL with memfds From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Because the LANDLOCK_ACCESS_FS_IOCTL_DEV right is associated with the opened file during open(2), IOCTLs are supposed to work with files which are opened by means other than open(2). Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 36 ++++++++++++++++------ 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 8a72e26d4977..70a05651619d 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -3852,20 +3852,38 @@ static int test_fs_ioc_getflags_ioctl(int fd) return 0; } -TEST(memfd_ftruncate) +TEST(memfd_ftruncate_and_ioctl) { - int fd; - - fd = memfd_create("name", MFD_CLOEXEC); - ASSERT_LE(0, fd); + const struct landlock_ruleset_attr attr = { + .handled_access_fs = ACCESS_ALL, + }; + int ruleset_fd, fd, i; /* - * Checks that ftruncate is permitted on file descriptors that are - * created in ways other than open(2). + * We exercise the same test both with and without Landlock enabled, to + * ensure that it behaves the same in both cases. */ - EXPECT_EQ(0, test_ftruncate(fd)); + for (i = 0; i < 2; i++) { + /* Creates a new memfd. */ + fd = memfd_create("name", MFD_CLOEXEC); + ASSERT_LE(0, fd); - ASSERT_EQ(0, close(fd)); + /* + * Checks that operations associated with the opened file + * (ftruncate, ioctl) are permitted on file descriptors that are + * created in ways other than open(2). + */ + EXPECT_EQ(0, test_ftruncate(fd)); + EXPECT_EQ(0, test_fs_ioc_getflags_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + } } static int test_fionread_ioctl(int fd) From patchwork Fri Apr 5 21:40:33 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619434 Received: from mail-yw1-f202.google.com (mail-yw1-f202.google.com [209.85.128.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A33B117556D for ; Fri, 5 Apr 2024 21:41:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353282; cv=none; b=VxV7k7CVxSnefiYisqj9HSUgRmEHDts3IFTgOT3060nTLlXBqVspfWjIUpJblz00jkQej72CEUa8/Dcnp3UiXagNEIBBFsWuX30/Zu1SDztETOgmkRPz0I8gX90vvIA81Oyfv0RJbftpOKjV8x99byBHcY53eXz8WvGrnJ9COBs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353282; c=relaxed/simple; bh=cn1OktrYxfexIxvnLjxZnl8EEiqk8pa4E/agZ8LAcHo=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=WBfD2YKxk6aUNyz635WwJKBg9e1fH9rVTMN9OSGURWCh9NwvNw1Gw8ZOcl0xQQKJgbjl7ouq1SdnCV26AzMCG9gsWaEV1fX+5RfH1JIK4VbM47sIHhnIKuQbQjui9iesYW4qFuIeiySn1bz5uMbW+4O+0WNiY5+GjUXIZEERG2Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ePkCYsHq; arc=none smtp.client-ip=209.85.128.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ePkCYsHq" Received: by mail-yw1-f202.google.com with SMTP id 00721157ae682-60a2386e932so48563157b3.1 for ; Fri, 05 Apr 2024 14:41:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353280; x=1712958080; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=g0G0jOKR0aVvhcJWNUSzc1F+nw52n1gf12u/GuQVyXU=; b=ePkCYsHqHTqZ70B3Dd/HqI4oLySQ/M3tpzOWZxM5/JuF/Z73/JcNVzmOyVa9TCTE/U 4WC4Zim4x407LSB+Uop9sJZD44lg0C4zxM0UmiCiozN+7ydK+2F+L5bKKD+iWT5pVzR+ tMct/kRrCfiv6YlK328OvoV2URQ9OGWogsmx1MRl0quYLme6o4O0myiLkYiolGUVeaM4 itKjw5h+7CFjA+eBKt9jbIl6ltguXlOxuhXM23WPNFTZ/V+bMQUrWAYT9IVu9vezZyLE pLE0duF43uCSMPBmpoeXpkg8FbNdlJ+G3cqdGReCqo9p4FdnspZ6V4JFgY5e1aWuKTBk OzGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353280; x=1712958080; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=g0G0jOKR0aVvhcJWNUSzc1F+nw52n1gf12u/GuQVyXU=; b=Ly6UmpofVp/pUp8wQ94+3YshV81/LZ7qsJC7U2/Hc7eFqremMaTLuJPe9Up4t9hj4o qhuwhBx3SvvHWZqi5Ahl5cku4MZKwMfGrNde28mr0Vuk/cr+e1GieM6w4eaGP27gNISR BAfyzTdHxOQQ2n59GjI7gitnDMfie6fiKH/t7agEMRIRvkAq5+wUxvOq5u+sG9aa966F nERY+8YmO67yEm7sVtoqoE+9wv3OnlKja25QXKCuC/+79ZdQ5d0ZCVeHXMhCvREW0i5O RxE+2ZRBEquYJxq3JlRgcI5rfNIndx+zkt+DhIlA7XiG3Vp6Cwh/ZkzJ71S0rzKlnEQG m5bQ== X-Gm-Message-State: AOJu0YwMCzbkcFeG87j8f0QnIMdftgj5uxZz84is0MamZq8cFha/3UHK jnYpoqV13+RivAG7qU7I8VuHHWDhqjcrZzP3irW9604XK3sKkOHZRRBlXWgc/ByqDg9R+2aVn6v 1At5d3IJpQzOLOkbl3hA7BhcaR1qkMz/4+689g6riaB3V0QVSmVjaePSMn/acukeRNgnUp1vd2x TmgjdKBqs073H51G5UXVlTX+3HDdljgbcFaJqK9GJzgy1z2n1Pa0TE X-Google-Smtp-Source: AGHT+IFk7eYL+6vrQYJifJQ2QGJFdPZ/x9sRIPx8+ra6M5qJeWO0gO4hfdcb+sSyaa8EDcRQy1jdz59QZMQ= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:690c:6e09:b0:615:33de:61d5 with SMTP id jb9-20020a05690c6e0900b0061533de61d5mr643105ywb.1.1712353279626; Fri, 05 Apr 2024 14:41:19 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:33 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-6-gnoack@google.com> Subject: [PATCH v14 05/12] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " ioctl(2) and ftruncate(2) operations on files opened with O_PATH should always return EBADF, independent of the LANDLOCK_ACCESS_FS_TRUNCATE and LANDLOCK_ACCESS_FS_IOCTL_DEV access rights in that file hierarchy. Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 40 ++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 70a05651619d..84e5477d2e36 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -3895,6 +3895,46 @@ static int test_fionread_ioctl(int fd) return 0; } +TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl) +{ + const struct landlock_ruleset_attr attr = { + .handled_access_fs = ACCESS_ALL, + }; + int ruleset_fd, fd; + + /* + * Checks that for files opened with O_PATH, both ioctl(2) and + * ftruncate(2) yield EBADF, as it is documented in open(2) for the + * O_PATH flag. + */ + fd = open(dir_s1d1, O_PATH | O_CLOEXEC); + ASSERT_LE(0, fd); + + EXPECT_EQ(EBADF, test_ftruncate(fd)); + EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* + * Checks that after enabling Landlock, + * - the file can still be opened with O_PATH + * - both ioctl and truncate still yield EBADF (not EACCES). + */ + fd = open(dir_s1d1, O_PATH | O_CLOEXEC); + ASSERT_LE(0, fd); + + EXPECT_EQ(EBADF, test_ftruncate(fd)); + EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); +} + /* clang-format off */ FIXTURE(ioctl) {}; From patchwork Fri Apr 5 21:40:34 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619435 Received: from mail-ed1-f73.google.com (mail-ed1-f73.google.com [209.85.208.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A6CAA17555C for ; Fri, 5 Apr 2024 21:41:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353285; cv=none; b=Gj6K8kEZYPZV7doF6F58Li+X5if/PUpGEzzgVar5PCdYtBEr8fMxyKXl+sTgrj0rn3147f36aDvqahjT+A0xd060DTjR9l1br1/Krexl+61QsM89jwhZVDpBKVnUVz6UNv9HpH97FAhm8DSvmrH6jUpozG+8hz6wVxPj28W05wA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353285; c=relaxed/simple; bh=MtpbTlvL7SyD43IAyhPOPaImHwA66wNwR74olQIifFA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=pBDnhmEiZipihzpxW61Vw2o/XZtkcQY3nzejBdHbpf4O0/Ox0WLl2IuWnKHJ9Sh9sLCIjpI5TLShFApHpd25LvM6J1RaI5XY4kILvOcZzbMaB5OhNp5/2CiMBO8uWsaBb0nVI6T7QEfzorbY/D2ZXk0zGlkcn4lmsHT746tRwvY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=P0wxu0rb; arc=none smtp.client-ip=209.85.208.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="P0wxu0rb" Received: by mail-ed1-f73.google.com with SMTP id 4fb4d7f45d1cf-56c5ce6dd4dso1884471a12.2 for ; Fri, 05 Apr 2024 14:41:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353282; x=1712958082; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=sFM7a28BI4HHHJ3WCQsqOtPwSLDVB+jP/gaHsbLT3vs=; b=P0wxu0rbbFiwXEKVeE41o7ut4Elu1UciQlXMapU8sDqVsvMucIVIMLBgW4UDJlltM5 0lGgvrgohxVmvF5wdZKgroGLEiltHBZxcNUTHSal974owvKTEtACLG0L1LgJqMJZ/4D7 AoKlLS9kgmg0K3xIYnQ8r89Aly3wd65HJ6zrsqhlSXPXGS5XH9XUt0aPyw+wPSAxc7aM 79uJ1uPqyBTYotCrJxF1t0DY6GpW9GBZFLrLy0+c4sSw8IjxJC0KM/iqdwB1kV+yWmn8 S/t4d9EbjJSlGm+xo82TVloIpthmrMC5TbxfYWHejeftg9Fzai3rw++xLDzS7Bpk82Zu iUQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353282; x=1712958082; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=sFM7a28BI4HHHJ3WCQsqOtPwSLDVB+jP/gaHsbLT3vs=; b=w4qruotnOIY9b7CHDsJMSHYQFvoLVK9KbNIn2edSvwxfYuzAWo7LvCpxfFvIUlR7UG uE+emuJUw1Qb2/apGKSklr1DtVE+9fYBbXQqwTGAwR1+crgruepEeU/dVMX0dAqlIvTt iYTj3WObyY7/UghRDCuxLiwRyv2XW/3DfoZyA8u04A5CGxI+TETbiOGPCFNpa1US51Bs FWCTc4L52tNzb2Km48Dg89A3U3j2bawJySslSGiwI9FZ4nt9dKqfYlwOu/HQv+qtU76R ohQdaOWXdb4ijObOw+KsBG7mofXhmmiS1yWlup9vht7JRNKqF7+EPAbHLAZp6+RUBQJK v96Q== X-Gm-Message-State: AOJu0Yy04EHQ4MHTLkSZvTfLmshP5v2yPx89lQgfxMdoeR3X0HmLK0xo oRwkyCddD26sez2NKihtaaTkbod3c6O4pXkEnsoRHCWdEwwtv57+i2YDzrFUgg1GgHBbLaMOxFS sz+6X7AIXKvTAW+3CbgT15zjeQNw8glhzXBbdxxf9PD42F8+XSOU1Wg8DK8Og/AX86/EIt3GuWe H+huLI7PPVZbvjHiGIXPGP/orIOAxQgn7gqad9AmRrEtQBAVE/R4QT X-Google-Smtp-Source: AGHT+IEUZPxdGsJVz4Sgv0mtGdF/BAGJk8yDSWeRh3CR6MVV8l8ysgBWYXvTPD9tQmebd+OME7EreOfHGN8= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6402:551b:b0:56b:b73a:5f8b with SMTP id fi27-20020a056402551b00b0056bb73a5f8bmr4335edb.5.1712353282022; Fri, 05 Apr 2024 14:41:22 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:34 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-7-gnoack@google.com> Subject: [PATCH v14 06/12] selftests/landlock: Test IOCTLs on named pipes From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Named pipes should behave like pipes created with pipe(2), so we don't want to restrict IOCTLs on them. Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 43 ++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 84e5477d2e36..215f0e8bcd69 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -3935,6 +3935,49 @@ TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl) ASSERT_EQ(0, close(fd)); } +/* + * Named pipes are not governed by the LANDLOCK_ACCESS_FS_IOCTL_DEV right, + * because they are not character or block devices. + */ +TEST_F_FORK(layout1, named_pipe_ioctl) +{ + pid_t child_pid; + int fd, ruleset_fd; + const char *const path = file1_s1d1; + const struct landlock_ruleset_attr attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV, + }; + + ASSERT_EQ(0, unlink(path)); + ASSERT_EQ(0, mkfifo(path, 0600)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* The child process opens the pipe for writing. */ + child_pid = fork(); + ASSERT_NE(-1, child_pid); + if (child_pid == 0) { + fd = open(path, O_WRONLY); + close(fd); + exit(0); + } + + fd = open(path, O_RDONLY); + ASSERT_LE(0, fd); + + /* FIONREAD is implemented by pipefifo_fops. */ + EXPECT_EQ(0, test_fionread_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); + ASSERT_EQ(0, unlink(path)); + + ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0)); +} + /* clang-format off */ FIXTURE(ioctl) {}; From patchwork Fri Apr 5 21:40:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619436 Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8A23C17557E for ; Fri, 5 Apr 2024 21:41:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353287; cv=none; b=qPtCf2CLIRlaRIBLm15yi1eLsxSS7DgoS0xt2X/UZzEiyJRlFapdst1+2O6c8uBhOrKOmiR4+XTJ2YEhwHQkiSyKwF8zxuPooEWlOzYxNa9w7FSdB4IqoWbQQ0haRRpnicwNbWKl8bxwc0dOA2ZI/JK9hJqH96FOvSsBAAVtuJk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353287; c=relaxed/simple; bh=XrnYYxI+KCCO+Qa5vPr3MeDGJNYdQzakwnKE59Nzsts=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=kLQkYJNQb9GYLWeutqRW7h0gM8IaGCwAOlGR6f6HaH8z/dQlc/TFEumpdLfN/z5we/mwBPh9U3ZOZELE/i8ngQ7bAll7aKaJ1rCHYMX4sERsVptcHAC3qsK1utFTiFgFO43rU1oAu8Q4n5quPSCy3ljE35gPJn/uer9H+hoCJls= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=JpfQD9XZ; arc=none smtp.client-ip=209.85.219.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="JpfQD9XZ" Received: by mail-yb1-f201.google.com with SMTP id 3f1490d57ef6-dbf618042daso4149251276.0 for ; Fri, 05 Apr 2024 14:41:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353284; x=1712958084; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=nBbNmNFl+n5lpfyI1mNxnpRrGBsCnYQndb3n58WFmTI=; b=JpfQD9XZoe4ha97rfIvq5FRM1dXGLRDwp0FKxuxpjURBHQ5hkrRaf+pYzQfdM930x4 8tBaBJriY46QpY9vhgToDOdAfKNAJ8kq1iUQGCKmMxFgUQkPgFJEAnC4Aaq7iTL9+Vqj Hn+e01OegOtYAFIqRX6n9zxQ6H3lVcZZFQpALV5QtkxMX8DXJQpCQ1sXO0lJhZGccmIv i8K4cwBk/hEs0DgxQpTWrSP+Z2GMk3Z9GwRSI6zovzG2wcCPX9RutA4L2B2KaGDpWlDi /DU8Zyp/SI8+a5l0bs6NA9GefdGGjExziZ00YJCJWGkcGvCgcA0bFOCMen2GPQwWj7dI 80uQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353284; x=1712958084; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=nBbNmNFl+n5lpfyI1mNxnpRrGBsCnYQndb3n58WFmTI=; b=XC4xirJvzcrYyqh8XwyUBl/bSn4N7qBqYAS/rCB6SXj4TCfCFvbVHjf3wcXIijWtdX tl3bKP4bkSFwv7j+yIy6FLVptUVQH1pN35aCYTyq6cA78qK9RxoK5XDCZaVO30zyhnC4 V47JyxNdk9lYVV0bpEkQqvXT04BsG5NUMRXXt0In5OnJXQMgz+2unpa6teUiiNGzm3cD lK96hIY7FBlQlEu6c4BcgD4ijlNW3qaUrC8QZVvb3POj0PlLL9+OjsAUssaTjpED1Msd WdI+pkyfLi4JZWch+i0StlndVBPa4TTqm3TGj9SL2ZcSgS5DBd7uIlCAv1kPSAZmPsRl sBjg== X-Gm-Message-State: AOJu0YwOV0kDwwqqps1D/+eOPcVCVJZrS8wQxZ+dXBFTPX2oJk56B97W 21KoEpWHwI1QYkDv89uU6WoxbE6lZD4omBzcTjqTnF9IUs3b05O4/Zl/oErIUowmtBHyzrRMWY1 hSpI6SXI5aS9tmMHasTUK2fVZTxi/y/Tv2Ypho2qDaHbOHZrZRjEw3/ds7Zrl/XDh0qFK+ORt7l AS8GZSdi7djuV8IxPu+T5BDJfWXodHc+CVVTH4zQObiNjIAZDVPOOA X-Google-Smtp-Source: AGHT+IGlCqhV+FVUp2mV1SdfkGDRhN8E7j+1Aly5UutobdCKC56eYKvbcj9nPfvjhlxl9RyHI6kcUe7DqJA= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6902:1502:b0:dd9:1b94:edb5 with SMTP id q2-20020a056902150200b00dd91b94edb5mr220907ybu.10.1712353284398; Fri, 05 Apr 2024 14:41:24 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:35 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-8-gnoack@google.com> Subject: [PATCH v14 07/12] selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 51 ++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 215f0e8bcd69..10b29a288e9c 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -20,8 +20,10 @@ #include #include #include +#include #include #include +#include #include #include @@ -3978,6 +3980,55 @@ TEST_F_FORK(layout1, named_pipe_ioctl) ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0)); } +/* For named UNIX domain sockets, no IOCTL restrictions apply. */ +TEST_F_FORK(layout1, named_unix_domain_socket_ioctl) +{ + const char *const path = file1_s1d1; + int srv_fd, cli_fd, ruleset_fd; + socklen_t size; + struct sockaddr_un srv_un, cli_un; + const struct landlock_ruleset_attr attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV, + }; + + /* Sets up a server */ + srv_un.sun_family = AF_UNIX; + strncpy(srv_un.sun_path, path, sizeof(srv_un.sun_path)); + + ASSERT_EQ(0, unlink(path)); + ASSERT_LE(0, (srv_fd = socket(AF_UNIX, SOCK_STREAM, 0))); + + size = offsetof(struct sockaddr_un, sun_path) + strlen(srv_un.sun_path); + ASSERT_EQ(0, bind(srv_fd, (struct sockaddr *)&srv_un, size)); + ASSERT_EQ(0, listen(srv_fd, 10 /* qlen */)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* Sets up a client connection to it */ + cli_un.sun_family = AF_UNIX; + + ASSERT_LE(0, (cli_fd = socket(AF_UNIX, SOCK_STREAM, 0))); + + size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); + ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size)); + + bzero(&cli_un, sizeof(cli_un)); + cli_un.sun_family = AF_UNIX; + strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path)); + size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); + + ASSERT_EQ(0, connect(cli_fd, (struct sockaddr *)&cli_un, size)); + + /* FIONREAD and other IOCTLs should not be forbidden. */ + EXPECT_EQ(0, test_fionread_ioctl(cli_fd)); + + ASSERT_EQ(0, close(cli_fd)); +} + /* clang-format off */ FIXTURE(ioctl) {}; From patchwork Fri Apr 5 21:40:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619437 Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 78AA0175548 for ; Fri, 5 Apr 2024 21:41:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353290; cv=none; b=ucXrU6bKiIMB1eLCaqKSpjnEO7cvTarLgaetRJhjq3m9eoUmODyPcXaCGONMSVOU5T4N3Q1UNXUzBDexkw+L7DCAZhoc872Nu+B3buhIspKzkHZtvUVAggCamAsthzeP0K+EyMFAl9UmyIOI5L+Z9SUffOvKzlkRmRqAhIDHKac= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353290; c=relaxed/simple; bh=qLMDwtyoGcqvFMu9EgR1JHLn66RlQNI/pH5oSg2jAJk=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=MgzU5XQlX9tLfL/ZAypVdidm3ILyKVxHiAHLhlUVK7YyMvWGka10pRajz/IwgazyX9tSsvH2WfMIs+6P0lJbThOl/y8F9J0MwrXqmukN2jhO2HuSSWiIgyClwb/k4MJ63ipy4C1XQjQJayQJ9SvtYZvEfe/IwKJMkZwpysQ6YTI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=TIsUASRU; arc=none smtp.client-ip=209.85.208.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="TIsUASRU" Received: by mail-ed1-f74.google.com with SMTP id 4fb4d7f45d1cf-56c5ce6dd4dso1884517a12.2 for ; Fri, 05 Apr 2024 14:41:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353287; x=1712958087; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=Fc14ktG9ishMSkK8oO4f2RF7Hc8qCkHa2Mip9JK5uP8=; b=TIsUASRUNvHEB6EPNkNhzpI/KHtjt+fSWcKUiS9TGX2Vn9bEYjvknmFFqxgq02vJUj gg6JrnGIexYBCz7Vwvmen+xxKU7/Zn5lFfhWqcImrxGpoTczhczdW/gpRwgjEsCJScOu Zvaa+ZBs+05TZR17PADuAd1TcnLLIj9OGfb1FAMy9XIoEMeQpynassqNYCEZ6X4t58xP 7n1xGBvk0v8ZWiN1R++OX2QJcpPGENbcGMZZPFIGjLhEa4+P97b35nNd/zyuRu4PVTzf x+Q58Cvf+lA3DcJb3oyeRUlq7lg+eX5iAoFNwi7v0pafrU4YvbgTNc/+AuCnI/MqoYn5 U+wQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353287; x=1712958087; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=Fc14ktG9ishMSkK8oO4f2RF7Hc8qCkHa2Mip9JK5uP8=; b=wpc31BgzPMxlWLlTpvka5LClroPbnZB/GlLJYEUZA227ZZSt+JJRS7qPHlrbobxV7m R2RsZMyJSvATByyxQKtAZq0qVt7g0bkRzFttND3g47HafVT1M325lZBLDEKhD8K0Rcz0 /BjgbhUgBD6woQX3wLuiFOmCLseVIqSFUD9UuF0nmdu4XJ+SMM+CfHDUgAEONHsFUZp4 ZuMr6BSIFNOh0Aoyo6qwcmKbATjIB8N9iY9HlTEJGLE7OMDLhWOdp+QFTQANaXP+pZuh sNTSFjcZQqKTM1y196Qa9UOiPZQthkPPlL7n+t7x5/7+p+5k6hyBDv+OPOpM7Ts1qAfb wRWg== X-Gm-Message-State: AOJu0YwxhHGXh791tQEjlmOhV20ZM3kPce+H1kPju66j6k99+an/tNwr fhZbC82zV9SdUXK877YFUj6vBWcozp0eTPCJoievAVcLATkWjoUrbHFzLGc4eLAiT108XcfRYyU oBtZvwB7OOkNVnGMVX5h2P0tJiaEp8jc8k6Q5GcuZMaX4RetzSEHUfZIGHhd27/DA/J/zXRQeJ6 XhJRO/nHOWQB+SFmyI99kvMdfj45KEQrFnioNnXpmz9fyhgYOJKXy3 X-Google-Smtp-Source: AGHT+IHqFS5AI9UI/vpOn5k0bm6lPACo3o++vVDdnl0yWHrksyzS5WQtUNQe7q479q6p/ykpoXJPgD3hAtg= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6402:321e:b0:56c:4d33:10a5 with SMTP id g30-20020a056402321e00b0056c4d3310a5mr4155eda.2.1712353286763; Fri, 05 Apr 2024 14:41:26 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:36 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-9-gnoack@google.com> Subject: [PATCH v14 08/12] selftests/landlock: Exhaustive test for the IOCTL allow-list From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " This test checks all IOCTL commands implemented in do_vfs_ioctl(). Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 95 ++++++++++++++++++++++ 1 file changed, 95 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 10b29a288e9c..e4ba149cf6fd 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -10,6 +10,7 @@ #define _GNU_SOURCE #include #include +#include #include #include #include @@ -3937,6 +3938,100 @@ TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl) ASSERT_EQ(0, close(fd)); } +/* + * ioctl_error - generically call the given ioctl with a pointer to a + * sufficiently large memory region + * + * Returns the IOCTLs error, or 0. + */ +static int ioctl_error(int fd, unsigned int cmd) +{ + char buf[1024]; /* sufficiently large */ + int res = ioctl(fd, cmd, &buf); + + if (res < 0) + return errno; + + return 0; +} + +/* Define some linux/falloc.h IOCTL commands which are not available in uapi headers. */ +struct space_resv { + __s16 l_type; + __s16 l_whence; + __s64 l_start; + __s64 l_len; /* len == 0 means until end of file */ + __s32 l_sysid; + __u32 l_pid; + __s32 l_pad[4]; /* reserved area */ +}; + +#define FS_IOC_RESVSP _IOW('X', 40, struct space_resv) +#define FS_IOC_UNRESVSP _IOW('X', 41, struct space_resv) +#define FS_IOC_RESVSP64 _IOW('X', 42, struct space_resv) +#define FS_IOC_UNRESVSP64 _IOW('X', 43, struct space_resv) +#define FS_IOC_ZERO_RANGE _IOW('X', 57, struct space_resv) + +/* + * Tests a series of blanket-permitted and denied IOCTLs. + */ +TEST_F_FORK(layout1, blanket_permitted_ioctls) +{ + const struct landlock_ruleset_attr attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV, + }; + int ruleset_fd, fd; + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + fd = open("/dev/null", O_RDWR | O_CLOEXEC); + ASSERT_LE(0, fd); + + /* + * Checks permitted commands. + * These ones may return errors, but should not be blocked by Landlock. + */ + EXPECT_NE(EACCES, ioctl_error(fd, FIOCLEX)); + EXPECT_NE(EACCES, ioctl_error(fd, FIONCLEX)); + EXPECT_NE(EACCES, ioctl_error(fd, FIONBIO)); + EXPECT_NE(EACCES, ioctl_error(fd, FIOASYNC)); + EXPECT_NE(EACCES, ioctl_error(fd, FIOQSIZE)); + EXPECT_NE(EACCES, ioctl_error(fd, FIFREEZE)); + EXPECT_NE(EACCES, ioctl_error(fd, FITHAW)); + EXPECT_NE(EACCES, ioctl_error(fd, FS_IOC_FIEMAP)); + EXPECT_NE(EACCES, ioctl_error(fd, FIGETBSZ)); + EXPECT_NE(EACCES, ioctl_error(fd, FICLONE)); + EXPECT_NE(EACCES, ioctl_error(fd, FICLONERANGE)); + EXPECT_NE(EACCES, ioctl_error(fd, FIDEDUPERANGE)); + EXPECT_NE(EACCES, ioctl_error(fd, FS_IOC_GETFSUUID)); + EXPECT_NE(EACCES, ioctl_error(fd, FS_IOC_GETFSSYSFSPATH)); + + /* + * Checks blocked commands. + * A call to a blocked IOCTL command always returns EACCES. + */ + EXPECT_EQ(EACCES, ioctl_error(fd, FIONREAD)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_GETFLAGS)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_SETFLAGS)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_FSGETXATTR)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_FSSETXATTR)); + EXPECT_EQ(EACCES, ioctl_error(fd, FIBMAP)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_RESVSP)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_RESVSP64)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_UNRESVSP)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_UNRESVSP64)); + EXPECT_EQ(EACCES, ioctl_error(fd, FS_IOC_ZERO_RANGE)); + + /* Default case is also blocked. */ + EXPECT_EQ(EACCES, ioctl_error(fd, 0xc00ffeee)); + + ASSERT_EQ(0, close(fd)); +} + /* * Named pipes are not governed by the LANDLOCK_ACCESS_FS_IOCTL_DEV right, * because they are not character or block devices. From patchwork Fri Apr 5 21:40:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619438 Received: from mail-ed1-f73.google.com (mail-ed1-f73.google.com [209.85.208.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A5482176FAD for ; Fri, 5 Apr 2024 21:41:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353292; cv=none; b=B/w+uUR5Jtot6UJSv1x+Z4AyChHwSssRdhnxuG7UJDPapBneQhSm8CNRu0i/n6X1B5oSk87eoMX3ZA66g7MdX16ViNj3YZZHFSPOlkAFTt2M8X/cqIbA5ckQAeJQdgifaz+DvibShk6aR0gnd/9Ial4JJgjsHHVubBTPpfQfinU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353292; c=relaxed/simple; bh=9Bvm7wkelXg3zuWpOV1qRg281JzLxe+nmHUyb7/CNOo=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=M1o0fQqClxi0iyRcPE+Gn8fVkmj6EtjHghYA3d3XxICItsIc23OPVU1lEk98JjDzPeLdkPmVvcmoD8SN4vFnm3kbiuMRpLVLwZyCsVHQfjnVEEAZ3+g87lOYAhMObokIH+d6MuZVQd6v87BHinYPIVadZqMkS/SzwcY7K7LHwm4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=0punSIxU; arc=none smtp.client-ip=209.85.208.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="0punSIxU" Received: by mail-ed1-f73.google.com with SMTP id 4fb4d7f45d1cf-56bf2d59fceso2209467a12.3 for ; Fri, 05 Apr 2024 14:41:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353289; x=1712958089; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=ultcrwgHPiEzFAA7CCqNmrNyImFBzR16Q+4Vi/kOOJw=; b=0punSIxUMLsY2JjaLX1i4t4nNfdqVYiFp/m6QIZrY9cRLfyuVdXHDMB1MYpF5sUGwV kLlbYQyZL9wEYLYSlxTwBrpQVzBcxoeghdKNoMhRdSNNBDXUoBNmctthPGRe3GJsEAzA b5FrYNmaoAVguSJKCZg83MDO+ukqbwI3sKAe1WQt0Q3xULmtLi8QPSmzR1FwGc5nmCte qm+ywgb1kelQK8jjpq9MIFGDyA/GDLtURthNYrvvXh2sLdv7SNoqguXqvi6eY7g1QPOw 1yZIYMzT8C6vKxiEQCeIw3n5zy4mc4PwhLW9SD7ux9jnfKCl5IpqN4nfLl8oAgkrMD5P TGng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353289; x=1712958089; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=ultcrwgHPiEzFAA7CCqNmrNyImFBzR16Q+4Vi/kOOJw=; b=qnYHl0ojpt5ns9+VZLgwAIvPZXh1qzJUVOElZc/PxZVsnpvuz9NgkDE9Enzm9xk0M7 PiJfVy7Sl1AXG6k2pEgM1a9q3oBEK+F2mSq78iWeEQYHQe0a1bFd4HNEMQ5TDQOInDm5 8ndl/iQ2KoR0BXVSHRBYFGikFrYnmAVP1R1ohIsu8wqPlqwyOgy1EKvcvLLBTsEhAH5p WVQGRgK6/oxslZ5gTyoZwgaM6nvdHWPvpaHQ8Zl0Qnmfqd7PxxDoHX9GvqHTEnhuK+vc ngGu8NCr6kL9yfeSdwVEaIZyKIKkuiAGr+jkl28GbnXeqvOFloCYwiqq7rAdym/A/c+Y +N2g== X-Gm-Message-State: AOJu0Yztp+2GONUO/GdFd4B0NeMBqdO5FTMwuSx1kDlIedOmVK86p3sR XK8j1/BPEKBa5SZ2RgAe7n71ncvWir+sG+YR0pt4K0yjzu2KuBTkiSz99skLzxOgIJybXLOhu8u Pmgmk2gCx+llLyTgDUEmTzaQ4ovai4+f6GsbJIHspzJz7a08a0GjLUK0bMwmNltglFG/SBhVT2T v0bpp5FrIhT6z75TIiqi8KcfWiBxkH59Hw/jWeh+T4xnA7VQ1AF3sK X-Google-Smtp-Source: AGHT+IEi1Tr0mj+N7k8dKKy59BA8xsPweUC3pHZOcuxUXuM6/XMmqRsc/RxPwvLE6a6FEGS8k5AJIoSe0jY= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6402:321e:b0:56c:4d33:10a5 with SMTP id g30-20020a056402321e00b0056c4d3310a5mr4157eda.2.1712353289057; Fri, 05 Apr 2024 14:41:29 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:37 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-10-gnoack@google.com> Subject: [PATCH v14 09/12] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL_DEV From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Add IOCTL support to the Landlock sample tool. The IOCTL right is grouped with the read-write rights in the sample tool, as some IOCTL requests provide features that mutate state. Signed-off-by: Günther Noack --- samples/landlock/sandboxer.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 8b8ecd65c28c..e8223c3e781a 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -81,7 +81,8 @@ static int parse_path(char *env_path, const char ***const path_list) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) /* clang-format on */ @@ -202,11 +203,12 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd, LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ LANDLOCK_ACCESS_FS_MAKE_SYM | \ LANDLOCK_ACCESS_FS_REFER | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) /* clang-format on */ -#define LANDLOCK_ABI_LAST 4 +#define LANDLOCK_ABI_LAST 5 int main(const int argc, char *const argv[], char *const *const envp) { @@ -320,6 +322,11 @@ int main(const int argc, char *const argv[], char *const *const envp) ruleset_attr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); + __attribute__((fallthrough)); + case 4: + /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; + fprintf(stderr, "Hint: You should update the running kernel " "to leverage Landlock features " From patchwork Fri Apr 5 21:40:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619439 Received: from mail-ed1-f73.google.com (mail-ed1-f73.google.com [209.85.208.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1D853176FB3 for ; Fri, 5 Apr 2024 21:41:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353294; cv=none; b=aIBTUeP4A5QCGjNQ3QakpttjrxX0TdRjQlOCxHXu71FpWoKpI4uR4cF4Fmaaor0KFQqEx7DLMohqatONcLRn2JYTwr+OOyue96GARRWljOiUmw6qGDTD4Z8Ok70fBmemYsn6rslo4AIIrYV6RVIqDlMeDq0jwJccwwJC+KyGSSg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353294; c=relaxed/simple; bh=PzM10ZtG+6VdQc4cRtb+hdvN27Ed0oLIATTMHdl1p8s=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=T8tuM0hk5lWYR9U/SWXL+xK8+m2iTf1SEcKW9K3PuJVK8Ilg5i3b3q0VZ91hDisB9NOcVeLQkodn2qmGFCzcDN/LT9fd4MIq9ebPKtL7fHq70F95up/DGt0KrtwUvNbGiFWH1+88XR+bR3Z4tx1MJ15uY4tCuLKLWooOx9BLU5I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=PaOdw26z; arc=none smtp.client-ip=209.85.208.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="PaOdw26z" Received: by mail-ed1-f73.google.com with SMTP id 4fb4d7f45d1cf-56e2a11ff78so918906a12.0 for ; Fri, 05 Apr 2024 14:41:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353291; x=1712958091; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=isB/6NTaww6M2cn6lPF/fnCESTN/aXK4hSyQbKpCQG8=; b=PaOdw26zYokMEQPM/FngXeyifEs8rvQtx7koWXEQpZE9i8huTtNcQetXzQqvKqo8iW HyjmhxKTWtu7Cf1zT9UfufguwYl/mj/xncAzf8vhm49f5Zw5R7RXPNqWMHikTrJA7D5l auy4vGdm/15jtE/L5NUJRdFFU4Kd5/NiMlPwkMSRmeEN1a5gfRP6/dd1qbF1uVif1HAR tLZcPD/zPXOhkm1zlQhReS7kDrGnINY1lO+QUJe29lKUqRPRYqvyhOzChO0u/VZs9RX8 ma+vdUotiR7TPGRFyQXvsh03dOSvA26AUV3bY8CahaM63h67ouYo5LD4BqVFtDFyGg5+ r5fg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353291; x=1712958091; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=isB/6NTaww6M2cn6lPF/fnCESTN/aXK4hSyQbKpCQG8=; b=TzAV4Abag17L82Elz5hnOt9MZwrJegxaKYQVmoGJsCTdCsUZ6IXL6SITuhytBn6lXb f36Uhva/ExnzxZlgulcYh36V/K3MOf4d/TRbeeslU4f7UMwMXS6BmO4h6xjYdRky+nSv rPve2HxzavtpXPtxgURYAmeUayCAzZm+J+REuNyHSMbfnTUAEJIHtCJfin4tTKmUm+jH aroynVpyCx/+nd1DNM+Wmlc1VGPPH7a4y77r0yNLWad5Ey2CAJYJzqLexYrWGci7rMHL X5oRU7SNDZCCLqMKAHRo+mLV30AFcrjn429k4EqhRem+VDNWJOdnWResvNwNg6DNYdAf 5Qow== X-Gm-Message-State: AOJu0Yw7EZRunbXfcygIM3/S8TT7pafAjs8+RHkEAWbotDw0FXwVAvue ONdvQK1D/+k2d+P8/X6xFMpG4MLZNksd3ZZORv/PFj2syVip0yzpc3Zb4LT2k35s1eSZvBSL2VN ytUO8fASPhyaQyAyZyQ9qA0Uxq0gUYD/6QP3n3C9qA6Tr1UtEoZ2k1xXwxVVS/n8Dopk7hFhvq6 RCZUyHhoDId21dAQMpmzSlWd5qg2zzSwyNU2+8bdx/FfFL+nWiwnQv X-Google-Smtp-Source: AGHT+IEVbO3rdyX60LZh6nWO522D/0YtwQJ9L7PdtAbBcy3DJGOyGojAMANkVBpUDtb1Y4m+QkovcxqvTII= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a17:906:2c17:b0:a51:969e:63cc with SMTP id e23-20020a1709062c1700b00a51969e63ccmr3214ejh.12.1712353291098; Fri, 05 Apr 2024 14:41:31 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:38 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-11-gnoack@google.com> Subject: [PATCH v14 10/12] landlock: Document IOCTL support From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " In the paragraph above the fallback logic, use the shorter phrasing from the landlock(7) man page. Signed-off-by: Günther Noack --- Documentation/userspace-api/landlock.rst | 76 +++++++++++++++++++----- 1 file changed, 61 insertions(+), 15 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 9dd636aaa829..145bd869c684 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -76,7 +76,8 @@ to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER | - LANDLOCK_ACCESS_FS_TRUNCATE, + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL_DEV, .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, @@ -85,10 +86,10 @@ to be explicit about the denied-by-default access rights. Because we may not know on which kernel version an application will be executed, it is safer to follow a best-effort security approach. Indeed, we should try to protect users as much as possible whatever the kernel they are -using. To avoid binary enforcement (i.e. either all security features or -none), we can leverage a dedicated Landlock command to get the current version -of the Landlock ABI and adapt the handled accesses. Let's check if we should -remove access rights which are only supported in higher versions of the ABI. +using. + +To be compatible with older Linux versions, we detect the available Landlock ABI +version, and only use the available subset of access rights: .. code-block:: c @@ -114,6 +115,10 @@ remove access rights which are only supported in higher versions of the ABI. ruleset_attr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); + __attribute__((fallthrough)); + case 4: + /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; } This enables to create an inclusive ruleset that will contain our rules. @@ -225,6 +230,7 @@ access rights per directory enables to change the location of such directory without relying on the destination directory access rights (except those that are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER`` documentation). + Having self-sufficient hierarchies also helps to tighten the required access rights to the minimal set of data. This also helps avoid sinkhole directories, i.e. directories where data can be linked to but not linked from. However, @@ -318,18 +324,26 @@ It should also be noted that truncating files does not require the system call, this can also be done through :manpage:`open(2)` with the flags ``O_RDONLY | O_TRUNC``. -When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` -right is associated with the newly created file descriptor and will be used for -subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is -similar to opening a file for reading or writing, where permissions are checked -during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and +The truncate right is associated with the opened file (see below). + +Rights associated with file descriptors +--------------------------------------- + +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` rights is associated with the newly created +file descriptor and will be used for subsequent truncation and ioctl attempts +using :manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar +to opening a file for reading or writing, where permissions are checked during +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and :manpage:`write(2)` calls. -As a consequence, it is possible to have multiple open file descriptors for the -same file, where one grants the right to truncate the file and the other does -not. It is also possible to pass such file descriptors between processes, -keeping their Landlock properties, even when these processes do not have an -enforced Landlock ruleset. +As a consequence, it is possible that a process has multiple open file +descriptors referring to the same file, but Landlock enforces different things +when operating with these file descriptors. This can happen when a Landlock +ruleset gets enforced and the process keeps file descriptors which were opened +both before and after the enforcement. It is also possible to pass such file +descriptors between processes, keeping their Landlock properties, even when some +of the involved processes do not have an enforced Landlock ruleset. Compatibility ============= @@ -458,6 +472,28 @@ Memory usage Kernel memory allocated to create rulesets is accounted and can be restricted by the Documentation/admin-guide/cgroup-v1/memory.rst. +IOCTL support +------------- + +The ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right restricts the use of +:manpage:`ioctl(2)`, but it only applies to *newly opened* device files. This +means specifically that pre-existing file descriptors like stdin, stdout and +stderr are unaffected. + +Users should be aware that TTY devices have traditionally permitted to control +other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL +commands. Both of these require ``CAP_SYS_ADMIN`` on modern Linux systems, but +the behavior is configurable for ``TIOCSTI``. + +On older systems, it is therefore recommended to close inherited TTY file +descriptors, or to reopen them from ``/proc/self/fd/*`` without the +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right, if possible. + +Landlock's IOCTL support is coarse-grained at the moment, but may become more +fine-grained in the future. Until then, users are advised to establish the +guarantees that they need through the file hierarchy, by only allowing the +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right on files where it is really required. + Previous limitations ==================== @@ -495,6 +531,16 @@ bind and connect actions to only a set of allowed ports thanks to the new ``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` access rights. +IOCTL (ABI < 5) +--------------- + +IOCTL operations could not be denied before the fifth Landlock ABI, so +:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an +earlier ABI. + +Starting with the Landlock ABI version 5, it is possible to restrict the use of +:manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` access right. + .. _kernel_support: Kernel support From patchwork Fri Apr 5 21:40:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619440 Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 06863176FB4 for ; Fri, 5 Apr 2024 21:41:34 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353296; cv=none; b=JGVYCF9RXZ4Eu3Uf6eqv1cYMTWEmshk2c+UEzhjq4jXNXl8gxSU12Ad1/b3VBPMX4bUT5B29oS0abIfcC2Luhwx2Bn7LW63hQe+whXa2giTwi6PZONTXsv0xdN8njuPDkIGM+lR68luFdcrfWx3nTb/syEC7WfE9sYImahplmr0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353296; c=relaxed/simple; bh=eerKUwOAJdG4l07tn4UJJFXLatw+oUupMvi98+9SFSM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=tLyAlk+cMs0yJAb1E0XB/1SgZ89VKmVZCuOVcSBfT0xNryn94bWSo5EljkVORH4earKCjdY2JKFzD71skAVerkS4k6fp/cyE8IjZmuYm9ys/RjXEjWZUg1VMvV8fD1oipeifPlBnTOTgCTUagNpmKqfFXHrFa5btBJ9Xn6jgTRE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=QuG+Qxfc; arc=none smtp.client-ip=209.85.208.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="QuG+Qxfc" Received: by mail-ed1-f74.google.com with SMTP id 4fb4d7f45d1cf-5684345c0ebso4011873a12.1 for ; Fri, 05 Apr 2024 14:41:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353293; x=1712958093; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=gfT1cU34Qatifm1LZ7TB36yHQ1WB+M5CqgNm/urbeDk=; b=QuG+Qxfci83vAdzMxx/+kBFIL+Cr2P3RV0bzClVXwzBc6s1+saBfAy9vreGy+ViMnO o5CO41z4t+M4pjNSREpJYQGLtsHi1+oMbAT91mMJ0ZHvFY1UIm/wXf6xArvrY/68W/Al UlpKCkCEpFWxNmmSEFZvtWosRCB1hSatZ/Kaqma6e36Ni7QRf4Mkbi8G3VRNGoiEgX/V NzrVAFK+8Yuz7F11T0ZxHK/gGQPCJSJXx4JJKUftUHp3F48kO8l3XD7rwZPEj9hufNQa GAshZdvJwROFId9ql6t6w3zH7423y9zcp8p7n4Gh+VLaOc7gau9P0XjM26K3e3a3zoUL Ddyg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353293; x=1712958093; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=gfT1cU34Qatifm1LZ7TB36yHQ1WB+M5CqgNm/urbeDk=; b=nYcvDz+ysVpomR7Ah+zu4cWxhltYaNeJrfj6XjDT9ik7pP4p2M/SPNrEdQ8kS203i9 zxKBJwG9MU+vMaLdO37emRAqAw4HKh+Xqt5MGooSbbBKnd2WKUS+kmy0rHkwOee5VY0E nJ9o28myp6k7IiUpsiB5BOxo87hDB7NGFyycb6OjX+ZXLNQxdAUC3beTKHz7Li7cX+Ut 0NHkgv2yMtIi73msgADhRgonvlOnaTw0jYyb0+PNbP91jM9lklI88WhmS67yfcndJe04 D/Q4evTQPJNupYken1trwbToX3DLZb4F8ZBVDmXnZr94UxExwztflqyCWUBvJXrtNrUM /z0w== X-Gm-Message-State: AOJu0Yz+SL7UPSojbu6uEqFkpuvk6bEt2l+at5sYzbRaaOLC2BC3FoqD 9sq10922aYu4d37EvHiVbMr08+CDQ2FkVKodUKZLxoaPksSO5Pw3Qe6wpADC4EKsWretCAX1/tI Yf0b4/++PQ77keL1xn57J+WcpeJGVpU9rzcgibC40gZN5IIzVrBp2ULHUA0qkY659vjKPyEuoMu hAXBnQEdtX64ugfac9P/IbDNv3wQZzDHHFImkpc4vS417TwlJvRYlY X-Google-Smtp-Source: AGHT+IEAdLuUBypZI8eUpc+P8XMt48vwGgNa6irD0KxC4ZtesgZXcC4GYp2ABm0GpsyFPJv/hcaNj/eaHIw= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6402:2696:b0:56c:2c3f:9c82 with SMTP id w22-20020a056402269600b0056c2c3f9c82mr8485edd.1.1712353293398; Fri, 05 Apr 2024 14:41:33 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:39 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-12-gnoack@google.com> Subject: [PATCH v14 11/12] MAINTAINERS: Notify Landlock maintainers about changes to fs/ioctl.c From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Landlock needs to track changes to do_vfs_ioctl() when new IOCTL implementations are added to it. Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index aa3b947fb080..c95dabf4ecc9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -12222,6 +12222,7 @@ W: https://landlock.io T: git https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git F: Documentation/security/landlock.rst F: Documentation/userspace-api/landlock.rst +F: fs/ioctl.c F: include/uapi/linux/landlock.h F: samples/landlock/ F: security/landlock/ From patchwork Fri Apr 5 21:40:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13619441 Received: from mail-wr1-f73.google.com (mail-wr1-f73.google.com [209.85.221.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B06C3175558 for ; Fri, 5 Apr 2024 21:41:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353299; cv=none; b=h40+ay1Ggbe4OVD8M2s2wOeNisCHoslXodmVUgR98W9ciPF60OycquJlyf2T1aRhthvWoZuhvswURgNqY93CN6FtIyIa6tbPS44GnSDfZn8oH86lsf6QYf97oFKdlQFQeat/FosI+IyyexMZ2S2bYmgAo1X0A9XLMZgd9n2RZyg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712353299; c=relaxed/simple; bh=6+gvohWDkjUJJGA4Zsd7JtJUdl3sLC5pZJEhJQPekgM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=HEa4rSkVOeeigFu82tccoGF9XJ/s3NF9wQQsyQJSb4U9zcQvaIhvCXSrtDEsRu/JBBPpOagEo3TqDspNr3/CegC/xgv94PaXjABOF2SHCYXv/PEyqxGn03Igte4cXY+F/7pO6eP8WklGmThO9E4dSap4S3yIFy+K7AQqqtZH620= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=gWQ8Ep7m; arc=none smtp.client-ip=209.85.221.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="gWQ8Ep7m" Received: by mail-wr1-f73.google.com with SMTP id ffacd0b85a97d-343e74dcf0bso480020f8f.0 for ; Fri, 05 Apr 2024 14:41:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712353296; x=1712958096; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=fBsW1fdSkwIBXUs1pxIrhy09C1hIfpBAjgqErgaWIuU=; b=gWQ8Ep7medbhwKCUsx0QtXBxI8ZrydArz7RLbi3HX2LuEkjBMMyABcG0FsxyvKv0qP G1dDjol+bS7GD3MPrRCnthn1LR3CNA42etlVqO5yEKjgnxnkUexAL/3nuoQegDzUTydE ONx0cNEPEgSFsRyfIXfU9grJfvmoeTvmtk0w2eWeIa9qACO2MA8jJMcbkIVFIyxcGOoC BCqPPUdDZ1ZViWzE0LuCtxRpZ1Tf77eNtM3ttVs2hWMLd9rEH8npKDf/qBT9OJ4rbRta aBsM9MnnJDH9/O23WFRH8QPTXKj51SzJ7/rV/rEgv7C8BXi93EJqcjz5JroG+Z3rYIrc bqGg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712353296; x=1712958096; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=fBsW1fdSkwIBXUs1pxIrhy09C1hIfpBAjgqErgaWIuU=; b=Z3oos4ZYtNrdbq1Yn/ltxjwkGiTaPZFQUzhag6BZdbir0BWpX6bgqmhgDExmnmwvPF vxySVaoUVa0DWrrjxKxepsGdZldigqRJjRkDDxTj9uJy+YjkqQVTEkNNoCC6jIYxU++G 1f+Y3CaErhNZxqZO4Qx+Ti55sGd4xLw7D9QXZWQ/9ikn+sePzJhsRFgRQPtQqMXn6ARF z5J0rGMJSYi/tZ6lMhJU5N5keEG5hNE1d2CooGrhOqjZux3ip48e54HjyqFxQYWFd9v7 2tpDqFlJ6CieBnIcLUNSpgQQIDQ1aXgoQgopSQXll4KW79YF1kG11Ggvcl3AjxAG4CDp E7Dw== X-Gm-Message-State: AOJu0YzSG8XTxzdfgfahiiwSsJSc2966OsiIuF/LkuzmIUTnh5YjYpyf 5w8jmR/iu1vIE37Rvr7yhd3X8pFPaU10i3/8owRrC0r8FvfdcAA0KeHgR6grN6MXXhqVfHakos0 TU+e/0G/NnedN43ACOVedMto9vVAE9REcLnk+RsKp6U6Wad82sPwV5D+ymJ1Bvwy/NJoYq1tmwU 7ZS7u/QuNNkIXnPJSyV0kaaUPCUTZjbY7J2mNnE0U0v7KA6msqB+c4 X-Google-Smtp-Source: AGHT+IGX1eIbjjNMVba43aYVOq2ZT3mTAE8MH+z1SrggGLXN4E3yEJqi6XGhpoOSLqZO9NPCc5beK5SS57M= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6000:815:b0:343:c54d:28e8 with SMTP id bt21-20020a056000081500b00343c54d28e8mr5040wrb.10.1712353295759; Fri, 05 Apr 2024 14:41:35 -0700 (PDT) Date: Fri, 5 Apr 2024 21:40:40 +0000 In-Reply-To: <20240405214040.101396-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240405214040.101396-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.478.gd926399ef9-goog Message-ID: <20240405214040.101396-13-gnoack@google.com> Subject: [PATCH v14 12/12] fs/ioctl: Add a comment to keep the logic in sync with LSM policies From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Landlock's IOCTL support needs to partially replicate the list of IOCTLs from do_vfs_ioctl(). The list of commands implemented in do_vfs_ioctl() should be kept in sync with Landlock's IOCTL policies. Suggested-by: Paul Moore Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- fs/ioctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ioctl.c b/fs/ioctl.c index fb0628e680c4..64776891120c 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -796,6 +796,9 @@ static int ioctl_get_fs_sysfs_path(struct file *file, void __user *argp) * * When you add any new common ioctls to the switches above and below, * please ensure they have compatible arguments in compat mode. + * + * The LSM mailing list should also be notified of any command additions or + * changes, as specific LSMs may be affected. */ static int do_vfs_ioctl(struct file *filp, unsigned int fd, unsigned int cmd, unsigned long arg)