19 Mar
2021
19 Mar
'21
9:53 p.m.
On 19/03/2021 20:06, Kees Cook wrote:
On Tue, Mar 16, 2021 at 09:42:48PM +0100, Mickaël Salaün wrote:
From: Mickaël Salaün mic@linux.microsoft.com
These 3 system calls are designed to be used by unprivileged processes to sandbox themselves:
- landlock_create_ruleset(2): Creates a ruleset and returns its file descriptor.
- landlock_add_rule(2): Adds a rule (e.g. file hierarchy access) to a ruleset, identified by the dedicated file descriptor.
- landlock_restrict_self(2): Enforces a ruleset on the calling thread and its future children (similar to seccomp). This syscall has the same usage restrictions as seccomp(2): the caller must have the no_new_privs attribute set or have CAP_SYS_ADMIN in the current user namespace.
All these syscalls have a "flags" argument (not currently used) to enable extensibility.
For the new-style extensible syscalls, you want only a "size" argument; "flags" should be within the argument structure.
Not necessarily, we should avoid complexity as much as possible. A flag argument is simple, and extensible arguments should be avoided as much as possible. Here it is only used for an extensible list of properties that can't be expressed otherwise.
(And to this end, why 3 syscalls instead of 1, if you're going to use extensibility anyway?)
This was discussed with people such as Arnd and Jann. Multiplexer syscalls should be avoided. Here are some background: https://lore.kernel.org/lkml/CAG48ez2V-eSH2+HL9zrYYD4QMpP4a5y8=mTQtk20PB0wUz...
+/**
- copy_min_struct_from_user - Safe future-proof argument copying
- Extend copy_struct_from_user() to check for consistent user buffer.
- @dst: Kernel space pointer or NULL.
- @ksize: Actual size of the data pointed to by @dst.
- @ksize_min: Minimal required size to be copied.
- @src: User space pointer or NULL.
- @usize: (Alleged) size of the data pointed to by @src.
- */
+static __always_inline int copy_min_struct_from_user(void *const dst,
const size_t ksize, const size_t ksize_min,const void __user *const src, const size_t usize)+{
- /* Checks buffer inconsistencies. */
- BUILD_BUG_ON(!dst);
- if (!src)
return -EFAULT;- /* Checks size ranges. */
- BUILD_BUG_ON(ksize <= 0);
- BUILD_BUG_ON(ksize < ksize_min);
- if (usize < ksize_min)
return -EINVAL;- if (usize > PAGE_SIZE)
return -E2BIG;- /* Copies user buffer and fills with zeros. */
- return copy_struct_from_user(dst, ksize, src, usize);
+}
I still wish this was built into copy_struct_from_user(). :) But yes, this appears to be the way to protect one's self when using copy_struct_from_user().
+/**
- sys_landlock_create_ruleset - Create a new ruleset
- @attr: Pointer to a &struct landlock_ruleset_attr identifying the scope of
the new ruleset.
- @size: Size of the pointed &struct landlock_ruleset_attr (needed for
backward and forward compatibility).
- @flags: Must be 0.
- This system call enables to create a new Landlock ruleset, and returns the
- related file descriptor on success.
- Possible returned errors are:
- EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
- EINVAL: @flags is not 0, or unknown access, or too small @size;
- E2BIG or EFAULT: @attr or @size inconsistencies;
- ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
- */
+SYSCALL_DEFINE3(landlock_create_ruleset,
const struct landlock_ruleset_attr __user *const, attr,const size_t, size, const __u32, flags)+{
- struct landlock_ruleset_attr ruleset_attr;
- struct landlock_ruleset *ruleset;
- int err, ruleset_fd;
- /* Build-time checks. */
- build_check_abi();
- if (!landlock_initialized)
return -EOPNOTSUPP;- /* No flag for now. */
- if (flags)
return -EINVAL;- /* Copies raw user space buffer. */
- err = copy_min_struct_from_user(&ruleset_attr, sizeof(ruleset_attr),
offsetofend(typeof(ruleset_attr), handled_access_fs),The use of offsetofend() here appears to be kind of the "V1", "V2", ... sizes used in other extensible syscall implementations?
ruleset_attr is an extensible argument.
attr, size);- if (err)
return err;- /* Checks content (and 32-bits cast). */
- if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) !=
LANDLOCK_MASK_ACCESS_FS)return -EINVAL;- /* Checks arguments and transforms to kernel struct. */
- ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs);
- if (IS_ERR(ruleset))
return PTR_ERR(ruleset);- /* Creates anonymous FD referring to the ruleset. */
- ruleset_fd = anon_inode_getfd("landlock-ruleset", &ruleset_fops,
ruleset, O_RDWR | O_CLOEXEC);- if (ruleset_fd < 0)
landlock_put_ruleset(ruleset);- return ruleset_fd;
+}
+/*
- Returns an owned ruleset from a FD. It is thus needed to call
- landlock_put_ruleset() on the return value.
- */
+static struct landlock_ruleset *get_ruleset_from_fd(const int fd,
const fmode_t mode)+{
- struct fd ruleset_f;
- struct landlock_ruleset *ruleset;
- ruleset_f = fdget(fd);
- if (!ruleset_f.file)
return ERR_PTR(-EBADF);- /* Checks FD type and access right. */
- if (ruleset_f.file->f_op != &ruleset_fops) {
ruleset = ERR_PTR(-EBADFD);goto out_fdput;- }
- if (!(ruleset_f.file->f_mode & mode)) {
ruleset = ERR_PTR(-EPERM);goto out_fdput;- }
- ruleset = ruleset_f.file->private_data;
- if (WARN_ON_ONCE(ruleset->num_layers != 1)) {
ruleset = ERR_PTR(-EINVAL);goto out_fdput;- }
- landlock_get_ruleset(ruleset);
+out_fdput:
- fdput(ruleset_f);
- return ruleset;
+}
+/* Path handling */
+/*
- @path: Must call put_path(@path) after the call if it succeeded.
- */
+static int get_path_from_fd(const s32 fd, struct path *const path) +{
- struct fd f;
- int err = 0;
- BUILD_BUG_ON(!__same_type(fd,
((struct landlock_path_beneath_attr *)NULL)->parent_fd));- /* Handles O_PATH. */
- f = fdget_raw(fd);
- if (!f.file)
return -EBADF;- /*
* Only allows O_PATH file descriptor: enables to restrict ambient* filesystem access without requiring to open and risk leaking or* misusing a file descriptor. Forbids ruleset FDs, internal* filesystems (e.g. nsfs), including pseudo filesystems that will* never be mountable (e.g. sockfs, pipefs).*/- if (!(f.file->f_mode & FMODE_PATH) ||
(f.file->f_op == &ruleset_fops) ||(f.file->f_path.mnt->mnt_flags & MNT_INTERNAL) ||(f.file->f_path.dentry->d_sb->s_flags & SB_NOUSER) ||d_is_negative(f.file->f_path.dentry) ||IS_PRIVATE(d_backing_inode(f.file->f_path.dentry))) {err = -EBADFD;goto out_fdput;- }
- *path = f.file->f_path;
- path_get(path);
+out_fdput:
- fdput(f);
- return err;
+}
+/**
- sys_landlock_add_rule - Add a new rule to a ruleset
- @ruleset_fd: File descriptor tied to the ruleset that should be extended
with the new rule.
- @rule_type: Identify the structure type pointed to by @rule_attr (only
LANDLOCK_RULE_PATH_BENEATH for now).
- @rule_attr: Pointer to a rule (only of type &struct
landlock_path_beneath_attr for now).
- @flags: Must be 0.
- This system call enables to define a new rule and add it to an existing
- ruleset.
- Possible returned errors are:
- EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
- EINVAL: @flags is not 0, or inconsistent access in the rule (i.e.
- &landlock_path_beneath_attr.allowed_access is not a subset of the rule's
- accesses);
- ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access);
- EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
- member of @rule_attr is not a file descriptor as expected;
- EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
- @rule_attr is not the expected file descriptor type (e.g. file open
- without O_PATH);
- EPERM: @ruleset_fd has no write access to the underlying ruleset;
- EFAULT: @rule_attr inconsistency.
- */
+SYSCALL_DEFINE4(landlock_add_rule,
const int, ruleset_fd, const enum landlock_rule_type, rule_type,const void __user *const, rule_attr, const __u32, flags)+{
If this is an extensible syscall, I'd expect a structure holding rule_type, rule_attr, and flags.
This does not use an extensible argument. rule_type specifies a type and rule_attr specifies the content of this type. This is simpler and sufficient.
- struct landlock_path_beneath_attr path_beneath_attr;
- struct path path;
- struct landlock_ruleset *ruleset;
- int res, err;
- if (!landlock_initialized)
return -EOPNOTSUPP;- /* No flag for now. */
- if (flags)
return -EINVAL;- if (rule_type != LANDLOCK_RULE_PATH_BENEATH)
return -EINVAL;- /* Copies raw user space buffer, only one type for now. */
- res = copy_from_user(&path_beneath_attr, rule_attr,
sizeof(path_beneath_attr));- if (res)
return -EFAULT;- /* Gets and checks the ruleset. */
- ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE);
- if (IS_ERR(ruleset))
return PTR_ERR(ruleset);- /*
* Informs about useless rule: empty allowed_access (i.e. deny rules)* are ignored in path walks.*/- if (!path_beneath_attr.allowed_access) {
err = -ENOMSG;goto out_put_ruleset;- }
- /*
* Checks that allowed_access matches the @ruleset constraints* (ruleset->fs_access_masks[0] is automatically upgraded to 64-bits).*/- if ((path_beneath_attr.allowed_access | ruleset->fs_access_masks[0]) !=
ruleset->fs_access_masks[0]) {err = -EINVAL;goto out_put_ruleset;- }
- /* Gets and checks the new rule. */
- err = get_path_from_fd(path_beneath_attr.parent_fd, &path);
- if (err)
goto out_put_ruleset;- /* Imports the new rule. */
- err = landlock_append_fs_rule(ruleset, &path,
path_beneath_attr.allowed_access);- path_put(&path);
+out_put_ruleset:
- landlock_put_ruleset(ruleset);
- return err;
+}
+/* Enforcement */
+/**
- sys_landlock_restrict_self - Enforce a ruleset on the calling thread
- @ruleset_fd: File descriptor tied to the ruleset to merge with the target.
- @flags: Must be 0.
- This system call enables to enforce a Landlock ruleset on the current
- thread. Enforcing a ruleset requires that the task has CAP_SYS_ADMIN in its
- namespace or is running with no_new_privs. This avoids scenarios where
- unprivileged tasks can affect the behavior of privileged children.
- Possible returned errors are:
- EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
- EINVAL: @flags is not 0.
- EBADF: @ruleset_fd is not a file descriptor for the current thread;
- EBADFD: @ruleset_fd is not a ruleset file descriptor;
- EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
- current thread is not running with no_new_privs, or it doesn't have
- CAP_SYS_ADMIN in its namespace.
- E2BIG: The maximum number of stacked rulesets is reached for the current
- thread.
- */
+SYSCALL_DEFINE2(landlock_restrict_self,
const int, ruleset_fd, const __u32, flags)+{
Same observation about new style syscalls.
This design is simpler.
- struct landlock_ruleset *new_dom, *ruleset;
- struct cred *new_cred;
- struct landlock_cred_security *new_llcred;
- int err;
- if (!landlock_initialized)
return -EOPNOTSUPP;- /* No flag for now. */
- if (flags)
return -EINVAL;- /*
* Similar checks as for seccomp(2), except that an -EPERM may be* returned.*/- if (!task_no_new_privs(current) &&
!ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))return -EPERM;- /* Gets and checks the ruleset. */
- ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ);
- if (IS_ERR(ruleset))
return PTR_ERR(ruleset);- /* Prepares new credentials. */
- new_cred = prepare_creds();
- if (!new_cred) {
err = -ENOMEM;goto out_put_ruleset;- }
- new_llcred = landlock_cred(new_cred);
- /*
* There is no possible race condition while copying and manipulating* the current credentials because they are dedicated per thread.*/- new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset);
- if (IS_ERR(new_dom)) {
err = PTR_ERR(new_dom);goto out_put_creds;- }
- /* Replaces the old (prepared) domain. */
- landlock_put_ruleset(new_llcred->domain);
- new_llcred->domain = new_dom;
- landlock_put_ruleset(ruleset);
- return commit_creds(new_cred);
+out_put_creds:
- abort_creds(new_cred);
+out_put_ruleset:
- landlock_put_ruleset(ruleset);
- return err;
+}
2.30.2