From patchwork Fri Apr 19 16:11:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636575 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E9968130AED for ; Fri, 19 Apr 2024 16:11:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543096; cv=none; b=cf4ItyGBvQjr9su0HMnmNESB+t50TJ9wwvq2frBiOhm1b+LMAmyvnr0t+k8vsiZld8CSHKRlZHok6f2NvtG8ApBAWE01QUVa9wu3Gp1/rJxNVunvBxjlM4aHW2sH8x/K1LiXYWg0SFLIlksBwZiy8oDHyeMmQXfg8RSnz3ZX6xY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543096; c=relaxed/simple; bh=t3LK7mpMJ4NiGhcU5zIUYboqPRjV/Kw4jKaqB/cjp78=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=b0f8QJKHRy4Sa/DA18YhlNXJOn+wLs9TkHr3cZSYSo3EIMA0sYM/frXdm+B7e06dCfxV2jSSVRv9WK9aXvkTDIkopY4q2v1oFIgEbTqPuwAP3FOG9TiiXki1fXGhdDWlS6P2SRY5VScrxxQcxjdIFk8Fv1tRui21ITxePkJ9/w4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=syaWVYyn; arc=none smtp.client-ip=209.85.219.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="syaWVYyn" Received: by mail-yb1-f202.google.com with SMTP id 3f1490d57ef6-dc6ceade361so4565085276.0 for ; Fri, 19 Apr 2024 09:11:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543092; x=1714147892; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=iuZLZ+ulI90EEf82tR354mE14FM4/KRwrOa8i4na5qE=; b=syaWVYynislnM7MhUbCfWotcOInDLZ8gQnYQkeHSd0sGw/Dj7T56eJPyN8OIfTQJNv OhsrsRn0ue2eX8uBBmMhtSi8E2uP9EJFswGfQl1eucIYK1OCeQwX8wuJX3zfEcdn3rxc GlRIPPtq7JzK9qs5WXxnzlaBbiFQAOc9OynE1ovqBVxWaKlusOeURmxvEKedUQsrSv1C oCxxQuYcQQX1XFT0sJKwp7SG7EmJDuFgx4G55UfFf3vWVbvrKDPWLbyizFb6QhIeCu8P YJH4/K/OagBWrkq2pCUN8+kfjtiTqzDITjdFpoA6OBhQcZSxr4mqi8Ty82JNze1/0TVv 0STw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543092; x=1714147892; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=iuZLZ+ulI90EEf82tR354mE14FM4/KRwrOa8i4na5qE=; b=hOBQmJvqxkQpUp6Swkv8le9UMnpzM3PtkjRB61IaSesYOnQggJSxIGpMlr6GzbKCLY 0t3IOPr0EXjIOyt8eOj7VtXhHrVYmfyNELehv6jTplVT8jV0KG+elccl5wdIgMqyy1ww 0OQIhh5xzTS8yGxViM+e5sTChlrBlheS6mSTIbRAYPHUji7bJjUv+foXTVayvV+7EzoX PkzyO5x4xIm4JEVH2tU1J9cNEp2dAHakEz2W2NxT7AJldnC1wh09oFrm7ddfrzLce4aZ d1BfQgs02MutLwJ8qzLfdc5FFcvgKrlMFJuUEmMa66yZja/2PGVBy0VDno3QA6y/tezN Yleg== X-Gm-Message-State: AOJu0YwSCXGj07avl8BbdXgcQPewcAY3tQLwk2hKvlvkY1xVNJOVYuVw uMPqP1JUgA+NAAI8xYmfqGl+EG6T808l59HCVCKTzZfwRr0gCaFR5X+e2uiZfh5qJ1g3S8C6AkX qCFpz6zx3PL9TZOb1XwLuCt4xq3TaWrZFx+ZIwmpuDDNLWi+Kq6K/JmVI5ItcBG8aSsWXI7tRIY xR5ICJpsRl1AZyYUlMdwhu4g7a3Z9oG5zGuS6Ivi0fQv44X6rWZeMi X-Google-Smtp-Source: AGHT+IFyffHtwKLVeb2f/a9E9NrFAQ1/YwJENwsClE9Kht3dVjgExZ+NAAws9HsigGIBwd2Em+CGyawTkOE= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6902:1889:b0:dc2:550b:a4f4 with SMTP id cj9-20020a056902188900b00dc2550ba4f4mr780898ybb.1.1713543091903; Fri, 19 Apr 2024 09:11:31 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:12 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-2-gnoack@google.com> Subject: [PATCH v15 01/11] landlock: Add IOCTL access right for character and block devices From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " , Christian Brauner Introduces the LANDLOCK_ACCESS_FS_IOCTL_DEV right and increments the Landlock ABI version to 5. This access right applies to device-custom IOCTL commands when they are invoked on block or character device files. Like the truncate right, this right is associated with a file descriptor at the time of open(2), and gets respected even when the file descriptor is used outside of the thread which it was originally opened in. Therefore, a newly enabled Landlock policy does not apply to file descriptors which are already open. If the LANDLOCK_ACCESS_FS_IOCTL_DEV right is handled, only a small number of safe IOCTL commands will be permitted on newly opened device files. These include FIOCLEX, FIONCLEX, FIONBIO and FIOASYNC, as well as other IOCTL commands for regular files which are implemented in fs/ioctl.c. Noteworthy scenarios which require special attention: TTY devices are often passed into a process from the parent process, and so a newly enabled Landlock policy does not retroactively apply to them automatically. In the past, TTY devices have often supported IOCTL commands like TIOCSTI and some TIOCLINUX subcommands, which were letting callers control the TTY input buffer (and simulate keypresses). This should be restricted to CAP_SYS_ADMIN programs on modern kernels though. Known limitations: The LANDLOCK_ACCESS_FS_IOCTL_DEV access right is a coarse-grained control over IOCTL commands. Landlock users may use path-based restrictions in combination with their knowledge about the file system layout to control what IOCTLs can be done. Cc: Paul Moore Cc: Christian Brauner Cc: Arnd Bergmann Signed-off-by: Günther Noack --- include/uapi/linux/landlock.h | 38 +++- security/landlock/fs.c | 225 ++++++++++++++++++- security/landlock/limits.h | 2 +- security/landlock/syscalls.c | 2 +- tools/testing/selftests/landlock/base_test.c | 2 +- tools/testing/selftests/landlock/fs_test.c | 5 +- 6 files changed, 258 insertions(+), 16 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 25c8d7677539..68625e728f43 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -128,7 +128,7 @@ struct landlock_net_port_attr { * files and directories. Files or directories opened before the sandboxing * are not subject to these restrictions. * - * A file can only receive these access rights: + * The following access rights apply only to files: * * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that @@ -138,12 +138,13 @@ struct landlock_net_port_attr { * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`, * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with - * ``O_TRUNC``. Whether an opened file can be truncated with - * :manpage:`ftruncate(2)` is determined during :manpage:`open(2)`, in the - * same way as read and write permissions are checked during - * :manpage:`open(2)` using %LANDLOCK_ACCESS_FS_READ_FILE and - * %LANDLOCK_ACCESS_FS_WRITE_FILE. This access right is available since the - * third version of the Landlock ABI. + * ``O_TRUNC``. This access right is available since the third version of the + * Landlock ABI. + * + * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used + * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as + * read and write permissions are checked during :manpage:`open(2)` using + * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE. * * A directory can receive access rights related to files or directories. The * following access right is applied to the directory itself, and the @@ -198,13 +199,33 @@ struct landlock_net_port_attr { * If multiple requirements are not met, the ``EACCES`` error code takes * precedence over ``EXDEV``. * + * The following access right applies both to files and directories: + * + * - %LANDLOCK_ACCESS_FS_IOCTL_DEV: Invoke :manpage:`ioctl(2)` commands on an opened + * character or block device. + * + * This access right applies to all `ioctl(2)` commands implemented by device + * drivers. However, the following common IOCTL commands continue to be + * invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL_DEV right: + * + * * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``), + * * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``), + * * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``, + * ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``) + * * Some IOCTL commands which do not make sense when used with devices, but + * whose implementations are safe and return the right error codes + * (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``) + * + * This access right is available since the fifth version of the Landlock + * ABI. + * * .. warning:: * * It is currently not possible to restrict some file-related actions * accessible through these syscall families: :manpage:`chdir(2)`, * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`, * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`, - * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`. + * :manpage:`fcntl(2)`, :manpage:`access(2)`. * Future Landlock evolutions will enable to restrict them. */ /* clang-format off */ @@ -223,6 +244,7 @@ struct landlock_net_port_attr { #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12) #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14) +#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) /* clang-format on */ /** diff --git a/security/landlock/fs.c b/security/landlock/fs.c index c15559432d3d..22d8b7c28074 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -5,8 +5,11 @@ * Copyright © 2016-2020 Mickaël Salaün * Copyright © 2018-2020 ANSSI * Copyright © 2021-2022 Microsoft Corporation + * Copyright © 2022 Günther Noack + * Copyright © 2023-2024 Google LLC */ +#include #include #include #include @@ -14,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -29,6 +33,7 @@ #include #include #include +#include #include #include "common.h" @@ -84,6 +89,160 @@ static const struct landlock_object_underops landlock_fs_underops = { .release = release_inode }; +/* IOCTL helpers */ + +/** + * is_masked_device_ioctl - Determine whether an IOCTL command is always + * permitted with Landlock for device files. These commands can not be + * restricted on device files by enforcing a Landlock policy. + * + * @cmd: The IOCTL command that is supposed to be run. + * + * By default, any IOCTL on a device file requires the + * LANDLOCK_ACCESS_FS_IOCTL_DEV right. However, we blanket-permit some + * commands, if: + * + * 1. The command is implemented in fs/ioctl.c's do_vfs_ioctl(), + * not in f_ops->unlocked_ioctl() or f_ops->compat_ioctl(). + * + * 2. The command is harmless when invoked on devices. + * + * We also permit commands that do not make sense for devices, but where the + * do_vfs_ioctl() implementation returns a more conventional error code. + * + * Any new IOCTL commands that are implemented in fs/ioctl.c's do_vfs_ioctl() + * should be considered for inclusion here. + * + * Returns: true if the IOCTL @cmd can not be restricted with Landlock for + * device files. + */ +static __attribute_const__ bool is_masked_device_ioctl(const unsigned int cmd) +{ + switch (cmd) { + /* + * FIOCLEX, FIONCLEX, FIONBIO and FIOASYNC manipulate the FD's + * close-on-exec and the file's buffered-IO and async flags. These + * operations are also available through fcntl(2), and are + * unconditionally permitted in Landlock. + */ + case FIOCLEX: + case FIONCLEX: + case FIONBIO: + case FIOASYNC: + /* + * FIOQSIZE queries the size of a regular file, directory, or link. + * + * We still permit it, because it always returns -ENOTTY for + * other file types. + */ + case FIOQSIZE: + /* + * FIFREEZE and FITHAW freeze and thaw the file system which the + * given file belongs to. Requires CAP_SYS_ADMIN. + * + * These commands operate on the file system's superblock rather + * than on the file itself. The same operations can also be + * done through any other file or directory on the same file + * system, so it is safe to permit these. + */ + case FIFREEZE: + case FITHAW: + /* + * FS_IOC_FIEMAP queries information about the allocation of + * blocks within a file. + * + * This IOCTL command only makes sense for regular files and is + * not implemented by devices. It is harmless to permit. + */ + case FS_IOC_FIEMAP: + /* + * FIGETBSZ queries the file system's block size for a file or + * directory. + * + * This command operates on the file system's superblock rather + * than on the file itself. The same operation can also be done + * through any other file or directory on the same file system, + * so it is safe to permit it. + */ + case FIGETBSZ: + /* + * FICLONE, FICLONERANGE and FIDEDUPERANGE make files share + * their underlying storage ("reflink") between source and + * destination FDs, on file systems which support that. + * + * These IOCTL commands only apply to regular files + * and are harmless to permit for device files. + */ + case FICLONE: + case FICLONERANGE: + case FIDEDUPERANGE: + /* + * FS_IOC_GETFSUUID and FS_IOC_GETFSSYSFSPATH both operate on + * the file system superblock, not on the specific file, so + * these operations are available through any other file on the + * same file system as well. + */ + case FS_IOC_GETFSUUID: + case FS_IOC_GETFSSYSFSPATH: + return true; + + /* + * FIONREAD, FS_IOC_GETFLAGS, FS_IOC_SETFLAGS, FS_IOC_FSGETXATTR and + * FS_IOC_FSSETXATTR are forwarded to device implementations. + */ + + /* + * file_ioctl() commands (FIBMAP, FS_IOC_RESVSP, FS_IOC_RESVSP64, + * FS_IOC_UNRESVSP, FS_IOC_UNRESVSP64 and FS_IOC_ZERO_RANGE) are + * forwarded to device implementations, so not permitted. + */ + + /* Other commands are guarded by the access right. */ + default: + return false; + } +} + +/* + * is_masked_device_ioctl_compat - same as the helper above, but checking the + * "compat" IOCTL commands. + * + * The IOCTL commands with special handling in compat-mode should behave the + * same as their non-compat counterparts. + */ +static __attribute_const__ bool +is_masked_device_ioctl_compat(const unsigned int cmd) +{ + switch (cmd) { + /* FICLONE is permitted, same as in the non-compat variant. */ + case FICLONE: + return true; + +#if defined(CONFIG_X86_64) + /* + * FS_IOC_RESVSP_32, FS_IOC_RESVSP64_32, FS_IOC_UNRESVSP_32, + * FS_IOC_UNRESVSP64_32, FS_IOC_ZERO_RANGE_32: not blanket-permitted, + * for consistency with their non-compat variants. + */ + case FS_IOC_RESVSP_32: + case FS_IOC_RESVSP64_32: + case FS_IOC_UNRESVSP_32: + case FS_IOC_UNRESVSP64_32: + case FS_IOC_ZERO_RANGE_32: +#endif + + /* + * FS_IOC32_GETFLAGS, FS_IOC32_SETFLAGS are forwarded to their device + * implementations. + */ + case FS_IOC32_GETFLAGS: + case FS_IOC32_SETFLAGS: + return false; + default: + return is_masked_device_ioctl(cmd); + } +} + /* Ruleset management */ static struct landlock_object *get_inode_object(struct inode *const inode) @@ -148,7 +307,8 @@ static struct landlock_object *get_inode_object(struct inode *const inode) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) /* clang-format on */ /* @@ -1332,11 +1492,18 @@ static int hook_file_alloc_security(struct file *const file) return 0; } +static bool is_device(const struct file *const file) +{ + const struct inode *inode = file_inode(file); + + return S_ISBLK(inode->i_mode) || S_ISCHR(inode->i_mode); +} + static int hook_file_open(struct file *const file) { layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {}; - access_mask_t open_access_request, full_access_request, allowed_access; - const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE; + access_mask_t open_access_request, full_access_request, allowed_access, + optional_access; const struct landlock_ruleset *const dom = get_fs_domain(landlock_cred(file->f_cred)->domain); @@ -1354,6 +1521,10 @@ static int hook_file_open(struct file *const file) * We look up more access than what we immediately need for open(), so * that we can later authorize operations on opened files. */ + optional_access = LANDLOCK_ACCESS_FS_TRUNCATE; + if (is_device(file)) + optional_access |= LANDLOCK_ACCESS_FS_IOCTL_DEV; + full_access_request = open_access_request | optional_access; if (is_access_to_paths_allowed( @@ -1410,6 +1581,52 @@ static int hook_file_truncate(struct file *const file) return -EACCES; } +static int hook_file_ioctl(struct file *file, unsigned int cmd, + unsigned long arg) +{ + access_mask_t allowed_access = landlock_file(file)->allowed_access; + + /* + * It is the access rights at the time of opening the file which + * determine whether IOCTL can be used on the opened file later. + * + * The access right is attached to the opened file in hook_file_open(). + */ + if (allowed_access & LANDLOCK_ACCESS_FS_IOCTL_DEV) + return 0; + + if (!is_device(file)) + return 0; + + if (is_masked_device_ioctl(cmd)) + return 0; + + return -EACCES; +} + +static int hook_file_ioctl_compat(struct file *file, unsigned int cmd, + unsigned long arg) +{ + access_mask_t allowed_access = landlock_file(file)->allowed_access; + + /* + * It is the access rights at the time of opening the file which + * determine whether IOCTL can be used on the opened file later. + * + * The access right is attached to the opened file in hook_file_open(). + */ + if (allowed_access & LANDLOCK_ACCESS_FS_IOCTL_DEV) + return 0; + + if (!is_device(file)) + return 0; + + if (is_masked_device_ioctl_compat(cmd)) + return 0; + + return -EACCES; +} + static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_free_security, hook_inode_free_security), @@ -1432,6 +1649,8 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = { LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security), LSM_HOOK_INIT(file_open, hook_file_open), LSM_HOOK_INIT(file_truncate, hook_file_truncate), + LSM_HOOK_INIT(file_ioctl, hook_file_ioctl), + LSM_HOOK_INIT(file_ioctl_compat, hook_file_ioctl_compat), }; __init void landlock_add_fs_hooks(void) diff --git a/security/landlock/limits.h b/security/landlock/limits.h index 93c9c6f91556..20fdb5ff3514 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h @@ -18,7 +18,7 @@ #define LANDLOCK_MAX_NUM_LAYERS 16 #define LANDLOCK_MAX_NUM_RULES U32_MAX -#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_TRUNCATE +#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL_DEV #define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1) #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS) #define LANDLOCK_SHIFT_ACCESS_FS 0 diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 6788e73b6681..03b470f5a85a 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -149,7 +149,7 @@ static const struct file_operations ruleset_fops = { .write = fop_dummy_write, }; -#define LANDLOCK_ABI_VERSION 4 +#define LANDLOCK_ABI_VERSION 5 /** * sys_landlock_create_ruleset - Create a new ruleset diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c index a6f89aaea77d..3c1e9f35b531 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -75,7 +75,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(4, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(5, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 9a6036fbf289..418ad745a5dd 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -529,9 +529,10 @@ TEST_F_FORK(layout1, inval) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) -#define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE +#define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL_DEV #define ACCESS_ALL ( \ ACCESS_FILE | \ From patchwork Fri Apr 19 16:11:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636576 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6BDB9130E3F for ; Fri, 19 Apr 2024 16:11:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543098; cv=none; b=RmSFsTAxlqr5KkBsSMIUhvJkUpTcX8qyMTJdVKYaOVxG/TDtQIYrFRZW873Yf9f4yYuHYFDYioacWdufmXMTiGAHPj9cEit4A2EPn4ujozWWER/6bu2bTJyfiob1/1e68cB8QjfU/AUCfc8OPLhQk7QVgMw4JEnagYbg+atvlDc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543098; c=relaxed/simple; bh=89WV0CMvwXh9yq7ka8y1xe6QHE0cARt1R2UcEVb6Bts=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=YVxxx0E5QJRJ6PglN4ZkB7QGsydUwTVjK/i8ZZQXn0HDNTd2dm8p0UJCKq/agvhuGIllckfrs5s96JctTcFIH9N3l9GCEcUTbnjXfer96+wt9CKSD7fpKHau3sFpG9q8QRYvniUIPyEbftTrC5hqYpyWIRk0CU6AFb21omCmT6k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ZS+IJy9d; arc=none smtp.client-ip=209.85.208.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ZS+IJy9d" Received: by mail-ed1-f74.google.com with SMTP id 4fb4d7f45d1cf-56e34264982so652124a12.3 for ; Fri, 19 Apr 2024 09:11:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543095; x=1714147895; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=OHBJvnMnNJzJ8vAgi2MyZlVxWJr4muBmk+RXJTR3a8k=; b=ZS+IJy9dsPLUIP1btRMCU7QyFotp5C5yRgZGU+slH8tYBkbiYYV3QSYY8wl+3B2RTF cEFGlsfdK3B3pmWCmYob4JejPdbjl1KzRuGehRvm8KRrpXJ5LmtbR0eohWnWO3WpGQCh ECWFkRivBcpIRQ2pZ+DK5AviGzD9IOrmq+4lTM2MRScdZF2Waw9cVwAI3yTu4teU2CDd /AmhrDWCk3TIzCdcHBIN885rO3ymu/u5g+nm7lxnrbZdHtg4ZfyHPvu5IkjwX985m8Sd begqC8345sGL2tTEGOQB8hlsJNvYNjN6CeNrOntH32qBj0qnpVeWvoTlOqNyTaQkSwUD JYUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543095; x=1714147895; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=OHBJvnMnNJzJ8vAgi2MyZlVxWJr4muBmk+RXJTR3a8k=; b=t9dujx3O4d8gHiQHlZPWxKI2iw7YmkBX39fTOAm8JAN492CYdjSsEHiBK1kQWyJSZl id1mciIwGU6L4PrJpKQFQ0GHCAJkYBT0HOP39DBgXnawlTk5H8Ivm1MfWkcTwsRUHfRI tXgqYHEaui+WbHKn4hQKz83MELvSUujQVENY4d94Am8/H3a3nv1hQdOtzzq760KvCLmp V1Ct8NdmJwmV6g6w14tSVRjxOvbSp+PzGosBcskVRaXZooS/APxtD8gM2gBcb7Pj4w8g /Zytvnt/+YAehwNXE+jvUh64MoYpuuLrRnD+5sOc+O8BCt+Fg90KoedtmnNHEm1dE3Mz PvJA== X-Gm-Message-State: AOJu0YyRjTQLp5dEAsj+Vx5TDL8cgz1uVliD4sXBRXJyXizDs+rL0F6V R6JpM5rlijN3TPESGBH92I7rUUMzCcW2BSYjNQ63I6aVffpYgZC+jWtsugNgRpY7Tn4gnD5wwn7 HdPoBbsjefFtWTUbKB/5IfMUAdurMN710FDd7aqBYdsBdRBGuXe7ZcZqz/tlhQyT9+ffwBKMDpM ZdhEDPIYGmH+s7PbHB4iDuaf0i8BANcaSeoBNyMJNF1OHWYJwnw4KP X-Google-Smtp-Source: AGHT+IHiDl8X7wS/Sbq5JyAvUWf/jlE2GQl6pxK2E96e9OZ0VmTpcBzsa/EbwXKplSwO9RggliX+U2rPO3Q= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6402:3785:b0:56e:6989:39d6 with SMTP id et5-20020a056402378500b0056e698939d6mr3182edb.3.1713543094582; Fri, 19 Apr 2024 09:11:34 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:13 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-3-gnoack@google.com> Subject: [PATCH v15 02/11] selftests/landlock: Test IOCTL support From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Exercises Landlock's IOCTL feature in different combinations of handling and permitting the LANDLOCK_ACCESS_FS_IOCTL_DEV right, and in different combinations of using files and directories. Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 192 ++++++++++++++++++++- 1 file changed, 189 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 418ad745a5dd..cb1382a887c9 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -8,6 +8,7 @@ */ #define _GNU_SOURCE +#include #include #include #include @@ -15,6 +16,7 @@ #include #include #include +#include #include #include #include @@ -23,6 +25,12 @@ #include #include +/* + * Intentionally included last to work around header conflict. + * See https://sourceware.org/glibc/wiki/Synchronizing_Headers. + */ +#include + #include "common.h" #ifndef renameat2 @@ -737,6 +745,9 @@ static int create_ruleset(struct __test_metadata *const _metadata, } for (i = 0; rules[i].path; i++) { + if (!rules[i].access) + continue; + add_path_beneath(_metadata, ruleset_fd, rules[i].access, rules[i].path); } @@ -3445,7 +3456,7 @@ TEST_F_FORK(layout1, truncate_unhandled) LANDLOCK_ACCESS_FS_WRITE_FILE; int ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, handled, rules); ASSERT_LE(0, ruleset_fd); @@ -3528,7 +3539,7 @@ TEST_F_FORK(layout1, truncate) LANDLOCK_ACCESS_FS_TRUNCATE; int ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, handled, rules); ASSERT_LE(0, ruleset_fd); @@ -3754,7 +3765,7 @@ TEST_F_FORK(ftruncate, open_and_ftruncate) }; int fd, ruleset_fd; - /* Enable Landlock. */ + /* Enables Landlock. */ ruleset_fd = create_ruleset(_metadata, variant->handled, rules); ASSERT_LE(0, ruleset_fd); enforce_ruleset(_metadata, ruleset_fd); @@ -3847,6 +3858,181 @@ TEST(memfd_ftruncate) ASSERT_EQ(0, close(fd)); } +static int test_fionread_ioctl(int fd) +{ + size_t sz = 0; + + if (ioctl(fd, FIONREAD, &sz) < 0 && errno == EACCES) + return errno; + return 0; +} + +/* clang-format off */ +FIXTURE(ioctl) {}; + +FIXTURE_SETUP(ioctl) {}; + +FIXTURE_TEARDOWN(ioctl) {}; +/* clang-format on */ + +FIXTURE_VARIANT(ioctl) +{ + const __u64 handled; + const __u64 allowed; + const mode_t open_mode; + /* + * FIONREAD is used as a characteristic device-specific IOCTL command. + * It is implemented in fs/ioctl.c for regular files, + * but we do not blanket-permit it for devices. + */ + const int expected_fionread_result; +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_none) { + /* clang-format on */ + .handled = LANDLOCK_ACCESS_FS_IOCTL_DEV, + .allowed = 0, + .open_mode = O_RDWR, + .expected_fionread_result = EACCES, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_i) { + /* clang-format on */ + .handled = LANDLOCK_ACCESS_FS_IOCTL_DEV, + .allowed = LANDLOCK_ACCESS_FS_IOCTL_DEV, + .open_mode = O_RDWR, + .expected_fionread_result = 0, +}; + +/* clang-format off */ +FIXTURE_VARIANT_ADD(ioctl, unhandled) { + /* clang-format on */ + .handled = LANDLOCK_ACCESS_FS_EXECUTE, + .allowed = LANDLOCK_ACCESS_FS_EXECUTE, + .open_mode = O_RDWR, + .expected_fionread_result = 0, +}; + +TEST_F_FORK(ioctl, handle_dir_access_file) +{ + const int flag = 0; + const struct rule rules[] = { + { + .path = "/dev", + .access = variant->allowed, + }, + {}, + }; + int file_fd, ruleset_fd; + + /* Enables Landlock. */ + ruleset_fd = create_ruleset(_metadata, variant->handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + file_fd = open("/dev/zero", variant->open_mode); + ASSERT_LE(0, file_fd); + + /* Checks that IOCTL commands return the expected errors. */ + EXPECT_EQ(variant->expected_fionread_result, + test_fionread_ioctl(file_fd)); + + /* Checks that unrestrictable commands are unrestricted. */ + EXPECT_EQ(0, ioctl(file_fd, FIOCLEX)); + EXPECT_EQ(0, ioctl(file_fd, FIONCLEX)); + EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag)); + EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag)); + EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag)); + + ASSERT_EQ(0, close(file_fd)); +} + +TEST_F_FORK(ioctl, handle_dir_access_dir) +{ + const int flag = 0; + const struct rule rules[] = { + { + .path = "/dev", + .access = variant->allowed, + }, + {}, + }; + int dir_fd, ruleset_fd; + + /* Enables Landlock. */ + ruleset_fd = create_ruleset(_metadata, variant->handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* + * Ignore variant->open_mode for this test, as we intend to open a + * directory. If the directory can not be opened, the variant is + * infeasible to test with an opened directory. + */ + dir_fd = open("/dev", O_RDONLY); + if (dir_fd < 0) + return; + + /* + * Checks that IOCTL commands return the expected errors. + * We do not use the expected values from the fixture here. + * + * When using IOCTL on a directory, no Landlock restrictions apply. + */ + EXPECT_EQ(0, test_fionread_ioctl(dir_fd)); + + /* Checks that unrestrictable commands are unrestricted. */ + EXPECT_EQ(0, ioctl(dir_fd, FIOCLEX)); + EXPECT_EQ(0, ioctl(dir_fd, FIONCLEX)); + EXPECT_EQ(0, ioctl(dir_fd, FIONBIO, &flag)); + EXPECT_EQ(0, ioctl(dir_fd, FIOASYNC, &flag)); + EXPECT_EQ(0, ioctl(dir_fd, FIGETBSZ, &flag)); + + ASSERT_EQ(0, close(dir_fd)); +} + +TEST_F_FORK(ioctl, handle_file_access_file) +{ + const int flag = 0; + const struct rule rules[] = { + { + .path = "/dev/zero", + .access = variant->allowed, + }, + {}, + }; + int file_fd, ruleset_fd; + + /* Enables Landlock. */ + ruleset_fd = create_ruleset(_metadata, variant->handled, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + file_fd = open("/dev/zero", variant->open_mode); + ASSERT_LE(0, file_fd) + { + TH_LOG("Failed to open /dev/zero: %s", strerror(errno)); + } + + /* Checks that IOCTL commands return the expected errors. */ + EXPECT_EQ(variant->expected_fionread_result, + test_fionread_ioctl(file_fd)); + + /* Checks that unrestrictable commands are unrestricted. */ + EXPECT_EQ(0, ioctl(file_fd, FIOCLEX)); + EXPECT_EQ(0, ioctl(file_fd, FIONCLEX)); + EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag)); + EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag)); + EXPECT_EQ(0, ioctl(file_fd, FIGETBSZ, &flag)); + + ASSERT_EQ(0, close(file_fd)); +} + /* clang-format off */ FIXTURE(layout1_bind) {}; /* clang-format on */ From patchwork Fri Apr 19 16:11:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636577 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2CE7D130E5C for ; Fri, 19 Apr 2024 16:11:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543099; cv=none; b=EytncOdGhiWjc/QeQHoblaY2S+PCrXpMXCNsnhZcbrijEvw/XofXXsCw8BWnUIsbij/3A7oW6FWGdx5Mwl1YnLHI3paPTxtF2ykRrN1mPkJqMLN24w8rL3Z06ZtolR/vhjf7jvfh+auowL8SEVbDgEaeAKAeCVr5GsFHLdyizWo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543099; c=relaxed/simple; bh=7d/RbSKpR3aY4FL0pO6CN0tfxMLVWk8XhMdOS8y3ssM=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=kbxoX0QjVWC5VMC48z57jbvQRMZY3P6izPjXClpzOilGzovuBxnzyxSfKBRN1LncgpLrZWRGtbgZgp0dTAsGLNEbmXAbVktAejmKwczGM/KT/aRD+ttwh9pqhOk6uEWiCxoNcXrcwTe6dtCM9LqsRz2dd6dgjmMiX4vkSF1/EvY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=EGztUAzk; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="EGztUAzk" Received: by mail-yw1-f201.google.com with SMTP id 00721157ae682-61ab19438a3so40137727b3.1 for ; Fri, 19 Apr 2024 09:11:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543097; x=1714147897; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=stVtFYF+LnL18YF8nyIqbl9KBod0cDeM8+x9sNLHztU=; b=EGztUAzkPmn0kRVGsbhCyJlf2yIN5mPUe+B2O4y2JEuLIlH6xspnmcy8eCowBEyBf4 vc3Bc/oGtvxy6r8XE2Wx4m+E5PMyuD3Ox4YgoD9RsYMf/7jzIph/3KdRah880PBiyCMt rsffNQ3cz+EIColnoTGyb/vPyiWhdRblzFL/7fZPxPTt+TUQl9liboTn/qxIimL2SKY8 iGYs/hUlHd6bR4fwYbxTMRSpcCIWWLBEHtuS+nYMNA/EpHKUD1X7mVcOVa3d6umEN4Ck AiF4YAiJnfzeq7Ic2fHa5zGm2hHS3oqTabV44n9vLmIpBZfVAF+WT3an8mi8qiwD0C5p KRDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543097; x=1714147897; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=stVtFYF+LnL18YF8nyIqbl9KBod0cDeM8+x9sNLHztU=; b=lk1fo7cWXLLTV3AR/cc/xd75AAp5+RCPBoFH03hqqVdMS1tFoX6SzsU3X8bs4Fhsm3 KqAvUW4k9Se+1wyZLYH9TQRSUpbjEjITMkEjdkmklzU/uxsQ2oDbzffPWBl1HLaJuQ7v P/6tsFTo2+6tqkMiXEqnEBmylTndF+ORGAqGaWVA33GerwiYX5/CkOtYIsinhs/Vvc40 ULGggkHf66T832TfUtkjcFTE2DzDDkFScQm9u3esP/bY3OZ+VQFJF4sV8iRM1gAT/tGF IoAXUnXXOQXkJO/xH4N16nTG+aegT9TAY99xUcHyfZJAvEKh8iFkvPs2bxhh00lftcOb yCcw== X-Gm-Message-State: AOJu0Yxssgv/iIQyuHZz5APPwu0SygEFp/xJzeZF/zm4PhqB3x72BvT7 tUkEryTjxZpfFzk7zeBmRy3m5wLFQ7LhvEg4h/F90MFTOKL+NPfIklN55dhsbPXHVVcYfpqOSIR YvlbO5dChaILo3A6XRPhRy0KXiBfxae4zHME9/4KTsAbWs+j28E18zohUb9XIZaJFA1j6+zKlWl VixSIuCxHU1CXLEY2SO2mclsoO/EjOtXPdEzgr+khE8APBzjIMVXs+ X-Google-Smtp-Source: AGHT+IGI4BKwr0cL9YRBOG+ryUuic3GjJcK5yIXcHug+feKSxxoAvlNyZs29Z2yD3lwOvXRwrx+qf8GMrIc= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a81:9e4b:0:b0:618:91c3:c8e2 with SMTP id n11-20020a819e4b000000b0061891c3c8e2mr520711ywj.1.1713543097028; Fri, 19 Apr 2024 09:11:37 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:14 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-4-gnoack@google.com> Subject: [PATCH v15 03/11] selftests/landlock: Test IOCTL with memfds From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Because the LANDLOCK_ACCESS_FS_IOCTL_DEV right is associated with the opened file during open(2), IOCTLs are supposed to work with files which are opened by means other than open(2). Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 44 ++++++++++++++++++---- 1 file changed, 36 insertions(+), 8 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index cb1382a887c9..6967e02ba3cb 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -3842,20 +3842,48 @@ TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes) ASSERT_EQ(0, close(socket_fds[1])); } -TEST(memfd_ftruncate) +/* Invokes the FS_IOC_GETFLAGS IOCTL and returns its errno or 0. */ +static int test_fs_ioc_getflags_ioctl(int fd) { - int fd; + uint32_t flags; + + if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0) + return errno; + return 0; +} - fd = memfd_create("name", MFD_CLOEXEC); - ASSERT_LE(0, fd); +TEST(memfd_ftruncate_and_ioctl) +{ + const struct landlock_ruleset_attr attr = { + .handled_access_fs = ACCESS_ALL, + }; + int ruleset_fd, fd, i; /* - * Checks that ftruncate is permitted on file descriptors that are - * created in ways other than open(2). + * We exercise the same test both with and without Landlock enabled, to + * ensure that it behaves the same in both cases. */ - EXPECT_EQ(0, test_ftruncate(fd)); + for (i = 0; i < 2; i++) { + /* Creates a new memfd. */ + fd = memfd_create("name", MFD_CLOEXEC); + ASSERT_LE(0, fd); - ASSERT_EQ(0, close(fd)); + /* + * Checks that operations associated with the opened file + * (ftruncate, ioctl) are permitted on file descriptors that are + * created in ways other than open(2). + */ + EXPECT_EQ(0, test_ftruncate(fd)); + EXPECT_EQ(0, test_fs_ioc_getflags_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + } } static int test_fionread_ioctl(int fd) From patchwork Fri Apr 19 16:11:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636578 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-ed1-f73.google.com (mail-ed1-f73.google.com [209.85.208.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2C1BD130AED for ; Fri, 19 Apr 2024 16:11:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543103; cv=none; b=SiYbtBgPSRKOopfElBYF1hIgZUkXyDgB5TFLwWJnn13HcF0427Dmu1+g/9MGpDkTwIcN+MzzpBExb0GrENE3Qx2lT0e4RZxpxga2GNFoBru/o9b/6uGcuyE9+GWUta1BiTHPpur3dajkOtvvZWHv+l2vcJPJJdxhrVhRX7eAOF4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543103; c=relaxed/simple; bh=r5UNgUM78q5XLuj5NMQgb9HQbedr3JCHVW3UzlU0A0c=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=T+qQmZ6rCYMD5kuG36m/2zMwdWUYokUie1Nf3iNxmgO96MTE+G4Ix0ueDOX0dUprbZ+pKq0Z4fqiLBkF9gTRUYLhfas8pEUXIjHjMsVWYJsqYNBkPBI381TTlr9ilLx8uGp+PSnBCoNm2G7u4Tx9frO/x8QaU9r88B0jzOExv6Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=ghliW+mr; arc=none smtp.client-ip=209.85.208.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ghliW+mr" Received: by mail-ed1-f73.google.com with SMTP id 4fb4d7f45d1cf-56e678f6d81so3243826a12.0 for ; Fri, 19 Apr 2024 09:11:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543099; x=1714147899; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=6J5az365xK+ZzeSMyv+LbNjMTEu5kjOKEeh883eiHPw=; b=ghliW+mrI6gp5GPUugW2/3vuYipLaCVWr6n8+suqnNhu3olQtd6fm99VRP5LB8QmWG QV51VN5Tb1MRuQU2C75XH1b+EwYA72aweJRxB/UAbmf59H1gbFC1JFyjqD+ZEpUIctK3 LISsn1TUWpSNS/47M6JtL1m7EZ1vglQbOXiyMkWKuQ/q75gEsDY9TgkftPVxU4lB4Xif /hqJl0wfzKfNKKwSvQKbnfl3y6NSMOT2Cm6XujVj4+c3T0PcWMtblXnX40UI1qKURDw8 7We5taMl77ZLMCK4viLGpwNHYilMWAGwUBa83/AUqIGSKY1ICKBbdI4sdF1s6oRyz5Jg eHMw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543099; x=1714147899; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=6J5az365xK+ZzeSMyv+LbNjMTEu5kjOKEeh883eiHPw=; b=F4djXfWXdGmesNrJ/zlOTUd6zs+bdDc4O7bja/obFEDSZJhSBk/qPrkXqcAcTheGoS 350ocr9bioCzNMXhcmiYS0Tk7wBbiZPzo4MZ2zWS2Ic08dkZM75ahIH8DyrK+Eeraydf 2hpEpMqI7b1tneKSkBJAFhqU4CZEIOYpSQ3yRUcQ2j+0+tCh0bWFe00dQGWVC89AaKkY yLHs0gRklmrobrYuirOE2GGYB4iLh2uuUS7GsrEJSPFDQ5CUbIirSWBV5s9PxNuUXgUa TfHSns7ORKPa34O5wIHtRjJp9FXsUxM6/Bf6JmiclOsyOR/mKXcCSRs2OqgufLG7AU2I K9dw== X-Gm-Message-State: AOJu0YxpWh3wvW2B8vj09KOFKr17ZIAa54pE/+0QvUS6Wt/j6cRuxrs1 iTUCfZSGS57YCkQVUsjbiBz7Aj7h3TMmb1eRHnJ/yB7Rxv9CynRo9foQqBhS3fT2ihIqK3E2B4f 9q5tZ0DdelD8iXZaqJDUQvxr4NlAtQDVwzyrf3+NEPl7mz9kQrwNzpnbBhdMjB2cUgboyiarO51 EYbN18VGeMngZh0yL1PqYehcOXZs6ypT29Ts0aXPucYlcAebKIHea/ X-Google-Smtp-Source: AGHT+IHisJXB+GsHOnfXBzfhkwHJ+2ZKhxXdPCwJnSFv+hBOjspSP9l3J/lisVR8sJ4EglnuqSdIBajCuW4= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:aa7:d654:0:b0:571:d7c8:9d5f with SMTP id v20-20020aa7d654000000b00571d7c89d5fmr1918edr.3.1713543099468; Fri, 19 Apr 2024 09:11:39 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:15 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-5-gnoack@google.com> Subject: [PATCH v15 04/11] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " ioctl(2) and ftruncate(2) operations on files opened with O_PATH should always return EBADF, independent of the LANDLOCK_ACCESS_FS_TRUNCATE and LANDLOCK_ACCESS_FS_IOCTL_DEV access rights in that file hierarchy. Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 40 ++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 6967e02ba3cb..2cfda6af71ab 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -3895,6 +3895,46 @@ static int test_fionread_ioctl(int fd) return 0; } +TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl) +{ + const struct landlock_ruleset_attr attr = { + .handled_access_fs = ACCESS_ALL, + }; + int ruleset_fd, fd; + + /* + * Checks that for files opened with O_PATH, both ioctl(2) and + * ftruncate(2) yield EBADF, as it is documented in open(2) for the + * O_PATH flag. + */ + fd = open(dir_s1d1, O_PATH | O_CLOEXEC); + ASSERT_LE(0, fd); + + EXPECT_EQ(EBADF, test_ftruncate(fd)); + EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* + * Checks that after enabling Landlock, + * - the file can still be opened with O_PATH + * - both ioctl and truncate still yield EBADF (not EACCES). + */ + fd = open(dir_s1d1, O_PATH | O_CLOEXEC); + ASSERT_LE(0, fd); + + EXPECT_EQ(EBADF, test_ftruncate(fd)); + EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); +} + /* clang-format off */ FIXTURE(ioctl) {}; From patchwork Fri Apr 19 16:11:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636579 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-ej1-f73.google.com (mail-ej1-f73.google.com [209.85.218.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2029B131BB8 for ; Fri, 19 Apr 2024 16:11:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543105; cv=none; b=mj3RFlO0bGZqM920QVfNaH8V9pwv2fMRet0BrSiztkLUO9vv88761noKcBT6hfYK7nx5Fb5sp+wcgJJgAKlV3gPeGhsGN6/BGrRavvsdcl60RbyVe0m7r3UnnRRDOOoAHkmfle9vzp48nu+u4vtgiczc/IGoiLGvNTh/92U3WbA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543105; c=relaxed/simple; bh=kh5QUAcOI7RBZEN5h8SIH0WFDUJ09lkH33NG6IWE3bo=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=myr+OK+d/F6Zt18vaQnZBcmJxUP+cgkKQjMJijb2u2io84JYMPPhiVo3kG1FhohQNR3WI2z/HL1pVLVBAs4j/e0DV9lATIfOS1GyEaUEkJfdURP9bpsHRF4TBoCbjbaU/HBcUdsLHJf7XoHua7Tk30hpMJ4gEevDnTksBCgPXxc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=N5v//4VE; arc=none smtp.client-ip=209.85.218.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="N5v//4VE" Received: by mail-ej1-f73.google.com with SMTP id a640c23a62f3a-a558739aaf4so51515566b.0 for ; Fri, 19 Apr 2024 09:11:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543102; x=1714147902; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=s1ztm+fTKPRtSermP05/SXl1UA012b6wxHzpXmBHXE4=; b=N5v//4VEt+FM3/kzKgdjjKJ0YrZu02qhx4ij36QOtnwmjP2kJ7UHZWywX9vfuYOlUp wJ6Pq7D5lHA1q1vCpDQFY2+kbseu7ECIKoxN8fswX6MRvaTIptrTpCi2XtJGWLaMYKhc o3dPS3lpVovkGan/DvWcS/kcaRdjOlbPMzOXpXs/GHNa1hA1tX5/uctq7btTTRXjk0w5 YA9m7zQzhZ8ker+dJiy/k7JHQ3ZgVo2gfj7cU031C1LLQNg188ISmIV2Rm5jK09FHj6O UOjcaJ75ZJZpVTdFuxhtEjGXkl9ohTw64YE8LW9uNGNmmfnlqLH52jzjim7JKyByjUze W/9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543102; x=1714147902; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=s1ztm+fTKPRtSermP05/SXl1UA012b6wxHzpXmBHXE4=; b=d6AtHAxY0zyWN9HnVZolOz63hOiruei0qqS2RVgjbRYcQ7hSUq3t3rn36mggkfaqFN g8/7yGYU03MiTivK3FwxNxvwxmTYHRFZrMdNu4DREcq+N5sZ4MafhdAld1rWbYqGi6V5 W4ieZvwJfprWKFbpaeunHcGD/HHP64YRDharuBugLziGl4E3ayMjaa4hZKUlAND9uEDo j9eeR7GfDLwiecZR8UiGqS78L02qB3YkED/rjIE/9Y6h8bttFIHWtU6paTEVNOb53ybC O3PwVpMuLlnbq+azzwO67LV9kA/VHy0Lzlbbkzztl/QDTWjpbluGujB6Ec0BlGTAa7bl qcqw== X-Gm-Message-State: AOJu0YzJdS+cbN1WECdGgVMS/udjFwNs+T6UqoM9hKto7psodwD3F8V8 2bV9nTGnDqSh4KbtwRMMqFdI76+XI4Mg+SYI+D9iHx3m42IaMSeV8Je4WzNlb6mV3LKqModQhMZ 7EQJ6WzH9MtzGivVbnVSfdxB+NeOEsS05x/UV0PF/ajUDgKc7g4QpR71u5BTAaCk+ZVhTYKtz8n cPYkQhoz4tHHVxQX5rmusfQIIwzx9yVcpSBVIqrksqs7GlpJrmxF4S X-Google-Smtp-Source: AGHT+IFZYiNXpHftrPvrXtHYkK2NuClawtjOOgaCzFHrQYBnDdkHEsWaDY5Icuy9ZBLfKKYYuAdCrh6qRfQ= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a17:907:2cea:b0:a55:63c1:8c4c with SMTP id hz10-20020a1709072cea00b00a5563c18c4cmr2441ejc.4.1713543101742; Fri, 19 Apr 2024 09:11:41 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:16 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-6-gnoack@google.com> Subject: [PATCH v15 05/11] selftests/landlock: Test IOCTLs on named pipes From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Named pipes should behave like pipes created with pipe(2), so we don't want to restrict IOCTLs on them. Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 43 ++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 2cfda6af71ab..f4c6b9fadef8 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -3935,6 +3935,49 @@ TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl) ASSERT_EQ(0, close(fd)); } +/* + * Named pipes are not governed by the LANDLOCK_ACCESS_FS_IOCTL_DEV right, + * because they are not character or block devices. + */ +TEST_F_FORK(layout1, named_pipe_ioctl) +{ + pid_t child_pid; + int fd, ruleset_fd; + const char *const path = file1_s1d1; + const struct landlock_ruleset_attr attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV, + }; + + ASSERT_EQ(0, unlink(path)); + ASSERT_EQ(0, mkfifo(path, 0600)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* The child process opens the pipe for writing. */ + child_pid = fork(); + ASSERT_NE(-1, child_pid); + if (child_pid == 0) { + fd = open(path, O_WRONLY); + close(fd); + exit(0); + } + + fd = open(path, O_RDONLY); + ASSERT_LE(0, fd); + + /* FIONREAD is implemented by pipefifo_fops. */ + EXPECT_EQ(0, test_fionread_ioctl(fd)); + + ASSERT_EQ(0, close(fd)); + ASSERT_EQ(0, unlink(path)); + + ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0)); +} + /* clang-format off */ FIXTURE(ioctl) {}; From patchwork Fri Apr 19 16:11:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636580 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-ej1-f73.google.com (mail-ej1-f73.google.com [209.85.218.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9D3B8132499 for ; Fri, 19 Apr 2024 16:11:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543110; cv=none; b=Fhrnfjew2B35u08vhHvmf18aphcBZLsKKa+Qyn2TVhdnTPEgiZAbg9sVpwa2DxWQLQCGFGHsoaAbfiTvDEkBFxV/4V6enU6uZ6AArPW5MHYxQjgpyCZtk4HjIRdbcfurtgMhCpR/kFk/3nAjXP+HUIf3y9/iNjBB+1EBDULV5+8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543110; c=relaxed/simple; bh=/T2ATdVre3nC66getn9D+RTNZJEh2jhYoVCDuKPjn0M=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=tXTPq74mtlSgT42JGFDiAn+vVQXCh68ugSuRJKrRWftm/OVU+nEOL53iW1aeb3Zb3AJOczmqZXta0cBen8Mvgme9l0av7HB7SB0vGnGg9bjPSKynj+VTiKctCv8Y76BCS9FiJxN4K4J62YrrBqDMXXIQuMyVnQ2l7GT4iEjJ4KE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=FJjfqni/; arc=none smtp.client-ip=209.85.218.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="FJjfqni/" Received: by mail-ej1-f73.google.com with SMTP id a640c23a62f3a-a51a2113040so112372066b.0 for ; Fri, 19 Apr 2024 09:11:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543105; x=1714147905; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=u3Q8PluHQ2WZfMWH5jOIaXU1wUR7CEGtaUVFi0VXGVQ=; b=FJjfqni/E+SsH0uwj36wfUNWEZWhkDi4AjHtfCMExArPUOKY9GLcJgDo3c1ZpR8LZu Rm72OedZQOGq0ResXchqEuKotu85PaHpF3rilzpIjhxUmCO1ufj94fv9jlO5dKISgUZO ZI6tjRo6N+IAKKPKu54U/vHBRuWoZ1Bbx0J8q7yxHA7i8yGVone/+Cfx/n7oPRhPfoZ/ v0CMorCNbr2a7KtRIexy9r1wztROX9vL06g+hMiAVo2ukxWPQGV36PZ8L4y5COa1j6F0 bpP9yM7vCx08fLjVQkQ+ade+rYpocqBDHLhFtOCu5j6OIFdzc4CIJqwixHjTU6qjO27L ZkyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543105; x=1714147905; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=u3Q8PluHQ2WZfMWH5jOIaXU1wUR7CEGtaUVFi0VXGVQ=; b=Vx82qdMFLmjjYu7d9XTlKVanyFSGdTuuHAggUyp9dQMldq1QtetZtj3VEPk3pnAf5q 5MjFnJYGZlPBhN4UHEa3FfYbGrxjwq0XiQmZlL/+jYMO0lHcoHdcNwsY5fFeVPB5fgFV HkA8A4FYlmv5P4kwXTfNLvhw9j0pur4U10EwJ74jy6glU+WAMot+gUWNMlrz1mipY8kj ZNDmh9SBfT9y4husxmIw/uFBxVla7Bd4yNZxPrhWE0N4CW/jSjN9w45ZaVfavEKH3WHz QVq/lKlASDesqiAJNrmw3rD1zWsYn0R6jeu0E37YU9Zj/FYP1eIN7cYSC5ChR/5KCrG7 v+Zw== X-Gm-Message-State: AOJu0YxXvu7P90yS3IAfO6dfa8VEmPX4Kje0b2LeGgXaLrsVAHfSSP/f 5E9lWlX806wsFnVKXYogbdzcNCOTT57kC6Da0gjbANbfFkmSaaB9bCIzSCmM54hqbpkUWFG7QJn atPXxGtgvfVkA0eOytZfARU3o1/Ot4OqVcOCtaTAAK0I72TvXsxqZbIDYhvNiU5MqV/VBU2tXh8 8KjBsak2e9Lxs0W3Lbg2Lxy4k9NlPLVtThqPc5Z6zilFcFciVKhYkO X-Google-Smtp-Source: AGHT+IHcOl5SAaDcp7T7q5bwPlujuHOYqKTXXleyT6wfMJpe6DECCqjIK5YVX2PlOrj5a5ETvyGSrhnpYKg= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a17:906:2bcd:b0:a51:d7c5:31af with SMTP id n13-20020a1709062bcd00b00a51d7c531afmr1768ejg.13.1713543104653; Fri, 19 Apr 2024 09:11:44 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:17 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-7-gnoack@google.com> Subject: [PATCH v15 06/11] selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " The LANDLOCK_ACCESS_FS_IOCTL_DEV right should have no effect on the use of named UNIX domain sockets. Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index f4c6b9fadef8..232ab02f829d 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -20,8 +20,10 @@ #include #include #include +#include #include #include +#include #include #include @@ -3978,6 +3980,56 @@ TEST_F_FORK(layout1, named_pipe_ioctl) ASSERT_EQ(child_pid, waitpid(child_pid, NULL, 0)); } +/* For named UNIX domain sockets, no IOCTL restrictions apply. */ +TEST_F_FORK(layout1, named_unix_domain_socket_ioctl) +{ + const char *const path = file1_s1d1; + int srv_fd, cli_fd, ruleset_fd; + socklen_t size; + struct sockaddr_un srv_un, cli_un; + const struct landlock_ruleset_attr attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV, + }; + + /* Sets up a server */ + srv_un.sun_family = AF_UNIX; + strncpy(srv_un.sun_path, path, sizeof(srv_un.sun_path)); + + ASSERT_EQ(0, unlink(path)); + srv_fd = socket(AF_UNIX, SOCK_STREAM, 0); + ASSERT_LE(0, srv_fd); + + size = offsetof(struct sockaddr_un, sun_path) + strlen(srv_un.sun_path); + ASSERT_EQ(0, bind(srv_fd, (struct sockaddr *)&srv_un, size)); + ASSERT_EQ(0, listen(srv_fd, 10 /* qlen */)); + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* Sets up a client connection to it */ + cli_un.sun_family = AF_UNIX; + cli_fd = socket(AF_UNIX, SOCK_STREAM, 0); + ASSERT_LE(0, cli_fd); + + size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); + ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size)); + + bzero(&cli_un, sizeof(cli_un)); + cli_un.sun_family = AF_UNIX; + strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path)); + size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path); + + ASSERT_EQ(0, connect(cli_fd, (struct sockaddr *)&cli_un, size)); + + /* FIONREAD and other IOCTLs should not be forbidden. */ + EXPECT_EQ(0, test_fionread_ioctl(cli_fd)); + + ASSERT_EQ(0, close(cli_fd)); +} + /* clang-format off */ FIXTURE(ioctl) {}; From patchwork Fri Apr 19 16:11:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636581 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-ej1-f73.google.com (mail-ej1-f73.google.com [209.85.218.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E8258130E5E for ; Fri, 19 Apr 2024 16:11:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543110; cv=none; b=jI+CSUd9+Ao/iX/xJ+3Bpcel7PmQAQrznrBODFmubPohv8Gl/GpUFsy7e4j65bziYyC2bZsl9ExtiKuel66yFRVBy7gLmHumWiJBA6m9MqGqubyQuTxjz6GPQzQGS3jb6aCi1lLSbqlRK2WL4YDITvihv1Jt1LediduIaPenWko= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543110; c=relaxed/simple; bh=aaS/rxuzH0/LdbPc/Gme9UHEZOyJtUZlv6RxicDoDB0=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=fmS6hzaQjkZHX9IM9hXRwNz+0xdmeWaPNAaQBudrT+G0f0RXqJ4hFzV/SLpXvL5ncy+YRCtCYdgDPkRi6z+IQSe89HUKx6ubRuqxj045KiPB3fuQobm3f7327r+FzhkvqlxUyd122XuhIFSa+KVmIVX0GSMEuROQH1kkdVyhI6k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=IRUBJCb+; arc=none smtp.client-ip=209.85.218.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="IRUBJCb+" Received: by mail-ej1-f73.google.com with SMTP id a640c23a62f3a-a51acf7c214so73384566b.1 for ; Fri, 19 Apr 2024 09:11:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543107; x=1714147907; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=mTpirY2EDqMuFXipxHHF5iZId6Sqj8pwgsZB0mt9fb0=; b=IRUBJCb+zqkubnMHpN2HjD+PfyYiH6IwiYoWlD1aYoWrOgr/BwUhnqyNRpL5jMRGcr 8NhNdWjdVZQvCygzmBoOUUx7Ksgl/kBmwt7KxDVSCWN450gaI1GmneFPUn8XtAxO825f 576OaYgzB6q/4ntp4ubiELaBbD4N1GV7ZZoXregzEgyPWWnyCmDLauk2SDeWa8DyHXOF CLefCTz6Bnr6HWE9Y47UCU0E1Wueavo7Ts2SLpG6w+DdLXM8acwFnURhGsB5I75vOwK0 AdoMUEta3jeI+hhnmkTb2dN/4mDH7jySutFqiDfngGhcdDS1PRw8zwyPItb2B+iC+lEU BIBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543107; x=1714147907; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=mTpirY2EDqMuFXipxHHF5iZId6Sqj8pwgsZB0mt9fb0=; b=jIAdo4Yf2JS/Un+Eec1s6fGrls+82Cv8n9wRwUOj//DezehnmzfVwxFmtIRTdwmEQH lH7PpV3UxQ+X/7YUEPQYzMh9cG9KPJPi39mNbku4DA6p9LoHmKUg98Wvnf4iaQ8Y+YLU BMn8NjSYqzOEglUDculuajbp7KToIK34e3nyh3iHn5ThrtJBBXY43khkvpD9lwmQDakk /Ve3Ak1KjH2mjFyrAFJu1Am22rxMhrkMHiulsIS/i0Q9/omVtAcdNDFs3SUTIQaUZJzo 9rXCI9HfTHVeWmfD19EGe1MePBNfWz4SmI7Wv7ZnFWi4Oiui8MgoKEJxGZ95aBBEYk6J 8Icw== X-Gm-Message-State: AOJu0YzvQZxnod1Z4h8CJHQv3/oHIRhXQd/KuE3rFQBPaGyOJhGlis21 eu6gSg632M6DPqMVU6lSG8DgRz+O47VifIQggqqs/9bz3qPpj6hC85iuomksJjZnmCyDQgvd2fb xICPl6pUPFAQ397BTfKR5lF7ucNeV4aS9nBE2kehikwePOZhXIU/Je9bT7hm+AF+6WpirBjazXo mMjwkKvYQXCnWDVuqu9uR7sY3IdGbIuwZUBMIRAuuu/C2XUm3w0DxS X-Google-Smtp-Source: AGHT+IF0MJxi7LsjQ2UaIbU6BctiT4aGoxjEtTVhV3EMzDCyonyoshl62E/FaHeU8BLHZRnUM+6piP0TFrg= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a17:906:846f:b0:a55:68c2:5ccf with SMTP id hx15-20020a170906846f00b00a5568c25ccfmr2430ejc.2.1713543106958; Fri, 19 Apr 2024 09:11:46 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:18 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-8-gnoack@google.com> Subject: [PATCH v15 07/11] selftests/landlock: Exhaustive test for the IOCTL allow-list From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " This test checks all IOCTL commands implemented in do_vfs_ioctl(). Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- tools/testing/selftests/landlock/fs_test.c | 114 +++++++++++++++++++++ 1 file changed, 114 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c index 232ab02f829d..beb79154a679 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -10,6 +10,7 @@ #define _GNU_SOURCE #include #include +#include #include #include #include @@ -3937,6 +3938,119 @@ TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl) ASSERT_EQ(0, close(fd)); } +/* + * ioctl_error - generically call the given ioctl with a pointer to a + * sufficiently large zeroed-out memory region. + * + * Returns the IOCTLs error, or 0. + */ +static int ioctl_error(struct __test_metadata *const _metadata, int fd, + unsigned int cmd) +{ + char buf[128]; /* sufficiently large */ + int res, stdinbak_fd; + + /* + * Depending on the IOCTL command, parts of the zeroed-out buffer might + * be interpreted as file descriptor numbers. We do not want to + * accidentally operate on file descriptor 0 (stdin), so we temporarily + * move stdin to a different FD and close FD 0 for the IOCTL call. + */ + stdinbak_fd = dup(0); + ASSERT_LT(0, stdinbak_fd); + ASSERT_EQ(0, close(0)); + + /* Invokes the IOCTL with a zeroed-out buffer. */ + bzero(&buf, sizeof(buf)); + res = ioctl(fd, cmd, &buf); + + /* Restores the old FD 0 and closes the backup FD. */ + ASSERT_EQ(0, dup2(stdinbak_fd, 0)); + ASSERT_EQ(0, close(stdinbak_fd)); + + if (res < 0) + return errno; + + return 0; +} + +/* Define some linux/falloc.h IOCTL commands which are not available in uapi headers. */ +struct space_resv { + __s16 l_type; + __s16 l_whence; + __s64 l_start; + __s64 l_len; /* len == 0 means until end of file */ + __s32 l_sysid; + __u32 l_pid; + __s32 l_pad[4]; /* reserved area */ +}; + +#define FS_IOC_RESVSP _IOW('X', 40, struct space_resv) +#define FS_IOC_UNRESVSP _IOW('X', 41, struct space_resv) +#define FS_IOC_RESVSP64 _IOW('X', 42, struct space_resv) +#define FS_IOC_UNRESVSP64 _IOW('X', 43, struct space_resv) +#define FS_IOC_ZERO_RANGE _IOW('X', 57, struct space_resv) + +/* + * Tests a series of blanket-permitted and denied IOCTLs. + */ +TEST_F_FORK(layout1, blanket_permitted_ioctls) +{ + const struct landlock_ruleset_attr attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV, + }; + int ruleset_fd, fd; + + /* Enables Landlock. */ + ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + fd = open("/dev/null", O_RDWR | O_CLOEXEC); + ASSERT_LE(0, fd); + + /* + * Checks permitted commands. + * These ones may return errors, but should not be blocked by Landlock. + */ + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOCLEX)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIONCLEX)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIONBIO)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOASYNC)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIOQSIZE)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIFREEZE)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FITHAW)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_FIEMAP)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIGETBSZ)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FICLONE)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FICLONERANGE)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FIDEDUPERANGE)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFSUUID)); + EXPECT_NE(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFSSYSFSPATH)); + + /* + * Checks blocked commands. + * A call to a blocked IOCTL command always returns EACCES. + */ + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIONREAD)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_GETFLAGS)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_SETFLAGS)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_FSGETXATTR)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_FSSETXATTR)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FIBMAP)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_RESVSP)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_RESVSP64)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_UNRESVSP)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_UNRESVSP64)); + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, FS_IOC_ZERO_RANGE)); + + /* Default case is also blocked. */ + EXPECT_EQ(EACCES, ioctl_error(_metadata, fd, 0xc00ffeee)); + + ASSERT_EQ(0, close(fd)); +} + /* * Named pipes are not governed by the LANDLOCK_ACCESS_FS_IOCTL_DEV right, * because they are not character or block devices. From patchwork Fri Apr 19 16:11:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636582 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-yb1-f201.google.com (mail-yb1-f201.google.com [209.85.219.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E27E4132499 for ; Fri, 19 Apr 2024 16:11:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543112; cv=none; b=IZqaBW8ibuaMw2VOYJp8RW3z7S3PwdPlO8G1Typi6SUQqhpwAPEOb0mAvty2g7E/YhsAoxPSGv3fCKg2G0Xu0LsdFMDYDb8itQ6aAQFjuStvhH/pgxBOn6m8mMIO9FhBkpb/rCxAla2dAZPDeHfHp6+aPcdeBAo4IVwJZuKHTak= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543112; c=relaxed/simple; bh=VpfImLVWmm6H6uefDPKxeiHs9uTKfbONj+QPB74xvBA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=qprwVdgqXWUq+GWm/4iT0ColJ6ylijSY+yMuxLvQ63NniBEUhI+VDeR5QE/I5xsr2er6lveGht/CVS3OHdq/OUYVEKfWEuVjNFYNugfC5uzxBKDWT+KRuGxTscoxc9nQrv4oA/B75OlzsOvi5ErrILAHI1dl0HlAIjXTVy2j9pw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=it2eWAU5; arc=none smtp.client-ip=209.85.219.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="it2eWAU5" Received: by mail-yb1-f201.google.com with SMTP id 3f1490d57ef6-dc6b26783b4so3590404276.0 for ; Fri, 19 Apr 2024 09:11:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543110; x=1714147910; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=VKW6w2RS2380Toaurtlz5H8ZXBYNt1ZDZxAwn64hjvU=; b=it2eWAU50k3dcXx1065yhX359jkzMLLBSFNg+1QxujPOz/TS7uxWi16G01PtUoUFK/ fV8gEFn0OTZLjtQThYSDkjn3Jfx/l1NmrZWexGcIlW7myaB8LpUjQcwJItsBwTTtjj+B wQgRpjW8MIeavvgPSr8Qh+k+owT4fXaBB7SzGYAkoQgzMvqvmNr8UjfiGRr9thdQbi7x Q53xEdNTG266IhsJfmer4eF4ZNwEL02sM3zGx9VnaPfouUjFsUBPJtGamnl15XiprrYU EGAUTRI6QnKaeCgfu0inK8fvLKBkndZPoQzm6baJYnCo2CKn2v9ROoKxuDDKlCV3FLOZ SwWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543110; x=1714147910; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=VKW6w2RS2380Toaurtlz5H8ZXBYNt1ZDZxAwn64hjvU=; b=HsQ6iBQ5wav8RZQ/545fEMgObgBOM/p5ENrifdi7IIu6q0K6lVDOUE+o/0oBSCLSrT HbZFU8xuGaXnsJMtGUuVSmxaTHklxbFaq60UcQXwQm6KNMciPBTBllYqLpcZRLQCnjS6 /CcCDBs6hp6ktt2ZZKQ/9gRTewGf17PRnIGmwiZPRPE10h9eyjUNhmfnq15aD8D500Fj uhsfbvpcZRNMFLc0jYNQhQSlfc4gdkSPN3OuXgQeK2ywjM6VNXbAWwx5WagY9UzN0XBi EiRMCIlnJ8Nglc4bBSax6+ugT+6Fy0OP4X73bZLw42Wh9TMZwO2A4uYr8Zp7UAAS1mXS ltWA== X-Gm-Message-State: AOJu0Yzl8u6XpcXsRDHT8/24dbmcwTLiEj0L44wL142t3WJCFRuDZGnE tw6W+Gr+gYV+eoYqJXrRS6ggmSeoOoxSIZ2dSjrITlaKLeRC5/brVnd20xsRkpOPWBvCTkiv8PO 34wYvgrY3LjseD5JR0au7vxqZG+/0HZn3ptoKWZxaG7BWm9u2NZs4OpeJw//3HHmpMcbV5kHG3/ xqbL/bp+YO2OVmGftI+4WuEfnwYIP24Qu6wpxyqEscQgkkoG9yTYKS X-Google-Smtp-Source: AGHT+IHUL4crRYZX6UP0KLDeyilKG8DboRSHVFY7n+VLdoKGJDafu9fh8eWSGzVE+Wn2lWOMbCBk3hjzUJE= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6902:2b05:b0:dc7:3189:4e75 with SMTP id fi5-20020a0569022b0500b00dc731894e75mr177661ybb.3.1713543109776; Fri, 19 Apr 2024 09:11:49 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:19 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-9-gnoack@google.com> Subject: [PATCH v15 08/11] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL_DEV From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Add IOCTL support to the Landlock sample tool. The IOCTL right is grouped with the read-write rights in the sample tool, as some IOCTL requests provide features that mutate state. Signed-off-by: Günther Noack --- samples/landlock/sandboxer.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 8b8ecd65c28c..e8223c3e781a 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -81,7 +81,8 @@ static int parse_path(char *env_path, const char ***const path_list) LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ LANDLOCK_ACCESS_FS_READ_FILE | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) /* clang-format on */ @@ -202,11 +203,12 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd, LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ LANDLOCK_ACCESS_FS_MAKE_SYM | \ LANDLOCK_ACCESS_FS_REFER | \ - LANDLOCK_ACCESS_FS_TRUNCATE) + LANDLOCK_ACCESS_FS_TRUNCATE | \ + LANDLOCK_ACCESS_FS_IOCTL_DEV) /* clang-format on */ -#define LANDLOCK_ABI_LAST 4 +#define LANDLOCK_ABI_LAST 5 int main(const int argc, char *const argv[], char *const *const envp) { @@ -320,6 +322,11 @@ int main(const int argc, char *const argv[], char *const *const envp) ruleset_attr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); + __attribute__((fallthrough)); + case 4: + /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; + fprintf(stderr, "Hint: You should update the running kernel " "to leverage Landlock features " From patchwork Fri Apr 19 16:11:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636583 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 551F0131193 for ; Fri, 19 Apr 2024 16:11:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543114; cv=none; b=rbrKyMONgLWk42Y3SAALi2kbA88ARN17WpgI9cE/ObzWdb3zYDY2G77m8urH4v218vWKf1xJq4iUq5oWxCzU4XdCsszWAREhAcrFgZ2FNsoCPfsiVrdrzzqNy/wCDTx1dIbt+3ky4cMF1RnCUu262NBxJYf3jjJTKtjj0ogWj3Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543114; c=relaxed/simple; bh=qBRUVLMksYCncLA1Jigb5b1u1GVtDCPYnfh7NqoVHf0=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=VY/gw9qjEvU5PX0AAGMgoZWVZOgNYksBbG/cWh991rFi9ROQfVltd/aV64cE1nJXctOwAws9ptKDJdRaN8hSWhK5ZUENjbQMNHJAl+BNylLqGywIdpcMqM1CKbb+EzW/YGt4GEOmgtpARy84cnlm50YvcjqCQu7bhUc5U3XaJpQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=O7gI5lxm; arc=none smtp.client-ip=209.85.219.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="O7gI5lxm" Received: by mail-yb1-f202.google.com with SMTP id 3f1490d57ef6-de46620afd7so3767983276.0 for ; Fri, 19 Apr 2024 09:11:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543112; x=1714147912; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=LraEFV96A/vOn+nAqLqEmp5EFnouRyKCSj401ys/k30=; b=O7gI5lxmv0hp1YLSTFdyc9rwKNVC2P9FVwfWVC2Vd9AogSV0a57/2Bx+hiNe8dWhIe nD+JQwz850VjB5zj91vyWQpEsA1LYJTSEU+uV4UFWrLbE4mgtRTiWzJ8geLiOHY0bO60 RiT/k9OiLlOjQeiNyQkt2XbldRWXkG/1/XK05KjI8xepZt+5YYF0otXXbrbiUcOGDZgL t2El5jqRg4afa+P2w5ImasGxRuliJ5pDqNbstMgpElSrDuVzJva9pxgJJ9i9idoGNEJR zR1DYbYCgz1OfluyOSgW+oB5r/aRqvJUKns45jWJ38PqoeCj81kh9cRN753lg33PkdFP x3+w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543112; x=1714147912; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=LraEFV96A/vOn+nAqLqEmp5EFnouRyKCSj401ys/k30=; b=gmRx5gJ5OQA2bhfqPE/tGggKgEpogFR7RuWJFDbqNp2RT9DpGxPKT+URB/ziHK3Z3b aZTl29jWYv6uIZSG/sqqRMDSqd3GHO1YSflJY6zaqalCNR83AV10+b9r5qoWdLrvVEwM JE2kr90Am/ZzOfoq5hoHuuIjX8RAUjbpwfUT8hX3/ERSd+ErixQzTCcMqsIcesTrmjKt iix2AONr7hY6hi2t1MrfdTDQjNSxumOf5J8SZAhwo9FKQk7f41L5SYuMFEV1eo87wpFL 0WtsLmb6bVxQuOh4L5pe//tEVUjeC6hyyuGATMTOKzztD3KyIPl78K6NgknV/RmOkSc8 coLA== X-Gm-Message-State: AOJu0YyE2USQcIvNSfSQVNg/Bevr5ysOHsutEXHsdURa8GP1P32CMl0v f45ZGiVtjaADqWYphoDlJ0o3n2jAKiOQ7ZPuKXT+SnTVdWjAr4kb5wZYLrRbdFqOB2sAymW76RA inx2pMvPOcGY8k4Paco59ejjWW5DkVNKqxOw1fvW6ZFEc7juEgZFnL5ajm/7WBmjLVpn5uaW/lh SS0JOf3HyjsnCY7L1r/KDqa2ylCGrOmk8B4sYQGbx8ZEHeVtHfDURN X-Google-Smtp-Source: AGHT+IHEKV8bdodvTB1MPWMbIHFbcNPFyfDRhQzH2x5C8FjaRjiHheb5kVrDf5XzjPRk8YldlpfxG4Uw3+4= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6902:704:b0:dc6:dfd9:d423 with SMTP id k4-20020a056902070400b00dc6dfd9d423mr265680ybt.3.1713543112450; Fri, 19 Apr 2024 09:11:52 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:20 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-10-gnoack@google.com> Subject: [PATCH v15 09/11] landlock: Document IOCTL support From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " In the paragraph above the fallback logic, use the shorter phrasing from the landlock(7) man page. Signed-off-by: Günther Noack --- Documentation/userspace-api/landlock.rst | 76 +++++++++++++++++++----- 1 file changed, 61 insertions(+), 15 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 9dd636aaa829..145bd869c684 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -76,7 +76,8 @@ to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | LANDLOCK_ACCESS_FS_REFER | - LANDLOCK_ACCESS_FS_TRUNCATE, + LANDLOCK_ACCESS_FS_TRUNCATE | + LANDLOCK_ACCESS_FS_IOCTL_DEV, .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, @@ -85,10 +86,10 @@ to be explicit about the denied-by-default access rights. Because we may not know on which kernel version an application will be executed, it is safer to follow a best-effort security approach. Indeed, we should try to protect users as much as possible whatever the kernel they are -using. To avoid binary enforcement (i.e. either all security features or -none), we can leverage a dedicated Landlock command to get the current version -of the Landlock ABI and adapt the handled accesses. Let's check if we should -remove access rights which are only supported in higher versions of the ABI. +using. + +To be compatible with older Linux versions, we detect the available Landlock ABI +version, and only use the available subset of access rights: .. code-block:: c @@ -114,6 +115,10 @@ remove access rights which are only supported in higher versions of the ABI. ruleset_attr.handled_access_net &= ~(LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP); + __attribute__((fallthrough)); + case 4: + /* Removes LANDLOCK_ACCESS_FS_IOCTL_DEV for ABI < 5 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV; } This enables to create an inclusive ruleset that will contain our rules. @@ -225,6 +230,7 @@ access rights per directory enables to change the location of such directory without relying on the destination directory access rights (except those that are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER`` documentation). + Having self-sufficient hierarchies also helps to tighten the required access rights to the minimal set of data. This also helps avoid sinkhole directories, i.e. directories where data can be linked to but not linked from. However, @@ -318,18 +324,26 @@ It should also be noted that truncating files does not require the system call, this can also be done through :manpage:`open(2)` with the flags ``O_RDONLY | O_TRUNC``. -When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` -right is associated with the newly created file descriptor and will be used for -subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is -similar to opening a file for reading or writing, where permissions are checked -during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and +The truncate right is associated with the opened file (see below). + +Rights associated with file descriptors +--------------------------------------- + +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` rights is associated with the newly created +file descriptor and will be used for subsequent truncation and ioctl attempts +using :manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar +to opening a file for reading or writing, where permissions are checked during +:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and :manpage:`write(2)` calls. -As a consequence, it is possible to have multiple open file descriptors for the -same file, where one grants the right to truncate the file and the other does -not. It is also possible to pass such file descriptors between processes, -keeping their Landlock properties, even when these processes do not have an -enforced Landlock ruleset. +As a consequence, it is possible that a process has multiple open file +descriptors referring to the same file, but Landlock enforces different things +when operating with these file descriptors. This can happen when a Landlock +ruleset gets enforced and the process keeps file descriptors which were opened +both before and after the enforcement. It is also possible to pass such file +descriptors between processes, keeping their Landlock properties, even when some +of the involved processes do not have an enforced Landlock ruleset. Compatibility ============= @@ -458,6 +472,28 @@ Memory usage Kernel memory allocated to create rulesets is accounted and can be restricted by the Documentation/admin-guide/cgroup-v1/memory.rst. +IOCTL support +------------- + +The ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right restricts the use of +:manpage:`ioctl(2)`, but it only applies to *newly opened* device files. This +means specifically that pre-existing file descriptors like stdin, stdout and +stderr are unaffected. + +Users should be aware that TTY devices have traditionally permitted to control +other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL +commands. Both of these require ``CAP_SYS_ADMIN`` on modern Linux systems, but +the behavior is configurable for ``TIOCSTI``. + +On older systems, it is therefore recommended to close inherited TTY file +descriptors, or to reopen them from ``/proc/self/fd/*`` without the +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right, if possible. + +Landlock's IOCTL support is coarse-grained at the moment, but may become more +fine-grained in the future. Until then, users are advised to establish the +guarantees that they need through the file hierarchy, by only allowing the +``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right on files where it is really required. + Previous limitations ==================== @@ -495,6 +531,16 @@ bind and connect actions to only a set of allowed ports thanks to the new ``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` access rights. +IOCTL (ABI < 5) +--------------- + +IOCTL operations could not be denied before the fifth Landlock ABI, so +:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an +earlier ABI. + +Starting with the Landlock ABI version 5, it is possible to restrict the use of +:manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` access right. + .. _kernel_support: Kernel support From patchwork Fri Apr 19 16:11:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636584 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-yw1-f201.google.com (mail-yw1-f201.google.com [209.85.128.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1EFCC13172D for ; Fri, 19 Apr 2024 16:11:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543117; cv=none; b=AtCT0dTHiR3wwRzzP/D5e1JjqnnxxbEWFjthZ7AwK58l9pPDj3LAjTWEp2t5FBMdzTHlgwXrebz6/c6+bHuTK90nMkGQJa7547bEJkEsWQqQaAkIHrP0L1dt/0Qqpgkj31Y8zaWcGK4u4D8oCzHZa7pgUK+e7oum6Q1YpgJM14w= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543117; c=relaxed/simple; bh=JGHfnorzKyjPYbTCQHV6WC4mgXFe8OWcyk7jdOEJxuY=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=akIWGelKu2Jkck/+RonC8mL1PhlWi6l26vj/yzsGthgrSIVqaXNVnW8lVaMqrca1FoO2lxGFPOZBEsmmShHIlVYR9jVyyeGCRFHs8Au7x1OUX/959hX2kDNl79dWL7fBnPMM52pwOGQ85kSmx2eQFgZtbcS8TqvNELoXuFqN0Sw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Q6DfJIPm; arc=none smtp.client-ip=209.85.128.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Q6DfJIPm" Received: by mail-yw1-f201.google.com with SMTP id 00721157ae682-61b36187e6bso8713587b3.0 for ; Fri, 19 Apr 2024 09:11:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543115; x=1714147915; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=KCoDsQ7XD45afcaMZJLZHwcegiMaHQmobdPwX+hCXpE=; b=Q6DfJIPmvK8xHj01v0jhyPIw4NpvVCJEmE++BpuKANXlSNM87cFdbNPk2A0lRlhcCF 8olfdpXt/+2PVuZjGH7xDn6g23VS9giCEhqMifRfv7I6BBhiaGwafWlPd77VhuxV1gCw QJOtXCIO2gE0ud9kV4/PG6DMDbSMCOFQ4c19MkkPTXMvvFvLp3rQera0nB+wx6xnXTU1 gKYueedtl8BDPDmfbU6F9SrSL/iHMlYXTwMpTBG8ArB6svtG6gNDWD64nUh6bg5Apl3Y 3e8ob4FudBOZoJE7liQj+q7TM19kGclwfOxw0+egurWlFGChD66gvOGoOToluNSSPExx ScIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543115; x=1714147915; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=KCoDsQ7XD45afcaMZJLZHwcegiMaHQmobdPwX+hCXpE=; b=FKj3AB5a3kegSN4K7znkoN844gl0k14mDci4qRqVMw3VI22Xs9pkSKHJwchSJRUFlE X6SVr5f7X+ILFDs31phdodhStPl9NaTT4NEiW539ZsEX2kXuP5pzXif9omQH160kS3+p LL2FAcbb7LcJVQXpKWLW+n6HoPwscVJ9E2KfmaFbCIHZ3pki6/W9gc1lQovg8VcU/Ady O433oc1ELhD1reQKkaUmQcxJrB5lBOYOPyLd7w5f/I6hB61dz/Y+YO1DJFv87wzX5v44 Mbe0rE8DJ9+7cRXk4V0gdee88fzL5sW3RoJBPwdyntQxNhJYXhcy8PDNN+tNt/b+jTB4 ajeg== X-Gm-Message-State: AOJu0Yys9Zu1O7Z9SQnWVVsWiU/TSAYOiFmZgINrvE+5ogzHtuHR55Vh MjkQTIuVTyjJ0nT1G9PkPpII5XeMURD0SUY6wMIewoc0eUz1Ay/YUvRUgnkvdKwVhFoYbORNuQ3 fAjkvVCRT+6jud/IKPD6NYx8NELQR/ALMWtZrPmtpXML2n/l8CfXUbUkvDRLM6t71H4c+nKjOZ4 RZn+E96S4hsy7BT1Ixejpz0cmnVOZORFQ//AsOut6ur7tAwkmlgcCY X-Google-Smtp-Source: AGHT+IGDj7hCCHr63zw4z/0pItHtM9agU4Yatj8GBpkc9lMWNVcckNPIVAM4if8OXD8TF/ChBL9OUINVabg= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a25:2606:0:b0:de4:6b9f:1b2f with SMTP id m6-20020a252606000000b00de46b9f1b2fmr1068950ybm.6.1713543115010; Fri, 19 Apr 2024 09:11:55 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:21 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-11-gnoack@google.com> Subject: [PATCH v15 10/11] MAINTAINERS: Notify Landlock maintainers about changes to fs/ioctl.c From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Landlock needs to track changes to do_vfs_ioctl() when new IOCTL implementations are added to it. Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- MAINTAINERS | 1 + 1 file changed, 1 insertion(+) diff --git a/MAINTAINERS b/MAINTAINERS index aa3b947fb080..c95dabf4ecc9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -12222,6 +12222,7 @@ W: https://landlock.io T: git https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git F: Documentation/security/landlock.rst F: Documentation/userspace-api/landlock.rst +F: fs/ioctl.c F: include/uapi/linux/landlock.h F: samples/landlock/ F: security/landlock/ From patchwork Fri Apr 19 16:11:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?G=C3=BCnther_Noack?= X-Patchwork-Id: 13636585 X-Patchwork-Delegate: paul@paul-moore.com Received: from mail-ej1-f73.google.com (mail-ej1-f73.google.com [209.85.218.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 17B3F1311BF for ; Fri, 19 Apr 2024 16:11:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543121; cv=none; b=VhKf7llhE37Lu2hnL4Y15xNa0qtBk4fJsDA0hTXmdjuqW7aukLrPbnpXtIOMoXN8YTJ8UWmD2IABQo9/lWI0Fd0KL4HMez6WS3pVZTKtmykA8ee8UF+GjukHmRnMey2QyGAcLpRFrcRXeOrAY4iXdYkqD02AouoVsHU7GVY8/a4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713543121; c=relaxed/simple; bh=8Sbz6xPy4d51xqBFXjUr7rr4WXtoUD0T6JNeQh6Hv+s=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=jRKXLMzV1Ck3TWZLG8JhQVwCPt7GNei3Zkt6/qBcS+28lcf4BI1KfaY4JjqhuDOYdrksisnfZbtwFuX8ntiE6SezPJ6WexMpu5ZThvw62Ro4hBuVpnZrnCec6P1x0NDDPCbfSbpUAyRAq+ueg4StPz4U2cu3cpeXWZUmqDJAJVI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=4LK2No8l; arc=none smtp.client-ip=209.85.218.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--gnoack.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="4LK2No8l" Received: by mail-ej1-f73.google.com with SMTP id a640c23a62f3a-a5568b24531so167069866b.1 for ; Fri, 19 Apr 2024 09:11:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1713543118; x=1714147918; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:from:to:cc:subject:date:message-id :reply-to; bh=uYJ1G6THEcze8HV6qNPokLaKgVvE2KbB4dc/k79IC8Q=; b=4LK2No8loMrTom6nTOt5Upwto8B+/3gWA4nfb6XfjTaj1MMf3bg7wUsZ0SrSRpGGea i/mXaNJkzbxSuiWPh5VIK5l76pVasaY0kHba8GfTK+CtB8Qak/0xoA8cdG7BdrlTLYLB kr8edCqt+MLM+YT07m+z0POlwYNXF4L8ofnfXZy4u0wGBGFbaZhTGHAtjPAC8ngZTQev lhVRDIn4VDRFDZJVHsqo0mDaJYnnUVuVZzgjbgma9R/BSlg2Ejkf9OQVtDHKEGFbve+j FeCnO4Yk328RqRLDIwAtBf2ysBICS948Cafi9LVmemwfEniLBAhHgtwEbbS7eTRhb/Yz 4PkQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713543118; x=1714147918; h=content-transfer-encoding:cc:to:from:subject:message-id:references :mime-version:in-reply-to:date:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=uYJ1G6THEcze8HV6qNPokLaKgVvE2KbB4dc/k79IC8Q=; b=pMj1gsGG9o9qwIUOoXzh+ynk+dF+bZq+rG7wziE1Y+tl2GYLwX4zEOO+EaVbxIWChl zFK5UCpEq8Jno7bmDxO9uneUkQ8aAX26lGWE6c3WyErstOLdw7k+PSRJOy94Fm05ZEXZ 85WFpT0dRAi5pbUcx7wVhis1fex5zxu58WObd5CyfpoUS3fiyvBV7WZslx0AIyxKS7lA OkHwiWpfjLxOQOf0B1J69eK4TX3y4CM9KGJwel2PXKrRMBez87rtNFG7rJtVe8kkUMab JfZ4J7fA07g8Rg1HgT29cX2YFtbLOEvQQor9tmdb8sk1s+x/+Q3xcy2g3rpPiOuGH3Eg qIDg== X-Gm-Message-State: AOJu0YyxmM8VDsjvOhpcsR+bOJvRVjX7we/8wd90WKB3RjbHxoQkcbq1 DA94+cdZdtLwlpAJsfd5er/SP/Su+MfWdyJema3tcdt/po7ttPvDRstrCOzuP5/+PlJn6EVncuu RZI0uvMH5b23KtRam634gQacpK72aP0pEmyPC2ir8Ezh0B4qQkBznLTWLDQL6mCuHozcuZym5Nq RNSBTGU1oFa/s8CCtqiFwpva3plJdg1/SsdjZaF7ks8FYuzigBsIx9 X-Google-Smtp-Source: AGHT+IHuqJ6fDnXePgWibwQg8qrPjCoaQNWEKwLlyy2KbeP1gomSkjsl8Zno26ZWu1ih/CLcKUSmw/5lUOY= X-Received: from swim.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:1605]) (user=gnoack job=sendgmr) by 2002:a05:6402:5408:b0:56e:480f:c98c with SMTP id ev8-20020a056402540800b0056e480fc98cmr3192edb.5.1713543117257; Fri, 19 Apr 2024 09:11:57 -0700 (PDT) Date: Fri, 19 Apr 2024 16:11:22 +0000 In-Reply-To: <20240419161122.2023765-1-gnoack@google.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240419161122.2023765-1-gnoack@google.com> X-Mailer: git-send-email 2.44.0.769.g3c40516874-goog Message-ID: <20240419161122.2023765-12-gnoack@google.com> Subject: [PATCH v15 11/11] fs/ioctl: Add a comment to keep the logic in sync with LSM policies From: " =?utf-8?q?G=C3=BCnther_Noack?= " To: linux-security-module@vger.kernel.org, " =?utf-8?q?Micka=C3=ABl_Sala?= =?utf-8?q?=C3=BCn?= " Cc: Jeff Xu , Arnd Bergmann , Jorge Lucangeli Obes , Allen Webb , Dmitry Torokhov , Paul Moore , Konstantin Meskhidze , Matt Bobrowski , linux-fsdevel@vger.kernel.org, " =?utf-8?q?G=C3=BCnther_Noack?= " Landlock's IOCTL support needs to partially replicate the list of IOCTLs from do_vfs_ioctl(). The list of commands implemented in do_vfs_ioctl() should be kept in sync with Landlock's IOCTL policies. Suggested-by: Paul Moore Suggested-by: Mickaël Salaün Signed-off-by: Günther Noack --- fs/ioctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/ioctl.c b/fs/ioctl.c index fb0628e680c4..64776891120c 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -796,6 +796,9 @@ static int ioctl_get_fs_sysfs_path(struct file *file, void __user *argp) * * When you add any new common ioctls to the switches above and below, * please ensure they have compatible arguments in compat mode. + * + * The LSM mailing list should also be notified of any command additions or + * changes, as specific LSMs may be affected. */ static int do_vfs_ioctl(struct file *filp, unsigned int fd, unsigned int cmd, unsigned long arg)