Hi,
This new patch series is a light update of the previous one, with some minor fixes and cosmetic changes. All reviews have been taken into account.
The SLOC count is 1299 for security/landlock/ and 1752 for tools/testing/selftest/landlock/ . Test coverage for security/landlock/ is 93.6% of lines. The code not covered only deals with internal kernel errors (e.g. memory allocation) and race conditions.
The compiled documentation is available here: https://landlock.io/linux-doc/landlock-v19/security/landlock/index.html
This series can be applied on top of v5.8-rc4 . This can be tested with CONFIG_SECURITY_LANDLOCK and CONFIG_SAMPLE_LANDLOCK. This patch series can be found in a Git repository here: https://github.com/landlock-lsm/linux/commits/landlock-v19 I would really appreciate constructive comments on this patch series.
# Landlock LSM
The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable LSM [1], it makes possible to create safe security sandboxes as new security layers in addition to the existing system-wide access-controls. This kind of sandbox is expected to help mitigate the security impact of bugs or unexpected/malicious behaviors in user-space applications. Landlock empowers any process, including unprivileged ones, to securely restrict themselves.
Landlock is inspired by seccomp-bpf but instead of filtering syscalls and their raw arguments, a Landlock rule can restrict the use of kernel objects like file hierarchies, according to the kernel semantic. Landlock also takes inspiration from other OS sandbox mechanisms: XNU Sandbox, FreeBSD Capsicum or OpenBSD Pledge/Unveil.
In this current form, Landlock misses some access-control features. This enables to minimize this patch series and ease review. This series still addresses multiple use cases, especially with the combined use of seccomp-bpf: applications with built-in sandboxing, init systems, security sandbox tools and security-oriented APIs [2].
Previous version: https://lore.kernel.org/lkml/20200526205322.23465-1-mic@digikod.net/
[1] https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-... [2] https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.ne...
Casey Schaufler (1): LSM: Infrastructure management of the superblock
Mickaël Salaün (11): landlock: Add object management landlock: Add ruleset and domain management landlock: Set up the security framework and manage credentials landlock: Add ptrace restrictions fs,security: Add sb_delete hook landlock: Support filesystem access-control landlock: Add syscall implementation arch: Wire up landlock() syscall selftests/landlock: Add initial tests samples/landlock: Add a sandbox manager example landlock: Add user and kernel documentation
Documentation/security/index.rst | 1 + Documentation/security/landlock/index.rst | 18 + Documentation/security/landlock/kernel.rst | 69 + Documentation/security/landlock/user.rst | 268 +++ MAINTAINERS | 11 + arch/Kconfig | 7 + arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/arm/tools/syscall.tbl | 1 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 2 + arch/ia64/kernel/syscalls/syscall.tbl | 1 + arch/m68k/kernel/syscalls/syscall.tbl | 1 + arch/microblaze/kernel/syscalls/syscall.tbl | 1 + arch/mips/kernel/syscalls/syscall_n32.tbl | 1 + arch/mips/kernel/syscalls/syscall_n64.tbl | 1 + arch/mips/kernel/syscalls/syscall_o32.tbl | 1 + arch/parisc/kernel/syscalls/syscall.tbl | 1 + arch/powerpc/kernel/syscalls/syscall.tbl | 1 + arch/s390/kernel/syscalls/syscall.tbl | 1 + arch/sh/kernel/syscalls/syscall.tbl | 1 + arch/sparc/kernel/syscalls/syscall.tbl | 1 + arch/um/Kconfig | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/xtensa/kernel/syscalls/syscall.tbl | 1 + fs/super.c | 1 + include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 3 + include/linux/security.h | 4 + include/linux/syscalls.h | 3 + include/uapi/asm-generic/unistd.h | 4 +- include/uapi/linux/landlock.h | 302 +++ kernel/sys_ni.c | 3 + samples/Kconfig | 7 + samples/Makefile | 1 + samples/landlock/.gitignore | 1 + samples/landlock/Makefile | 15 + samples/landlock/sandboxer.c | 228 +++ security/Kconfig | 11 +- security/Makefile | 2 + security/landlock/Kconfig | 18 + security/landlock/Makefile | 4 + security/landlock/common.h | 20 + security/landlock/cred.c | 46 + security/landlock/cred.h | 58 + security/landlock/fs.c | 609 ++++++ security/landlock/fs.h | 60 + security/landlock/object.c | 66 + security/landlock/object.h | 91 + security/landlock/ptrace.c | 120 ++ security/landlock/ptrace.h | 14 + security/landlock/ruleset.c | 342 ++++ security/landlock/ruleset.h | 157 ++ security/landlock/setup.c | 40 + security/landlock/setup.h | 18 + security/landlock/syscall.c | 526 +++++ security/security.c | 51 +- security/selinux/hooks.c | 58 +- security/selinux/include/objsec.h | 6 + security/selinux/ss/services.c | 3 +- security/smack/smack.h | 6 + security/smack/smack_lsm.c | 35 +- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/landlock/.gitignore | 2 + tools/testing/selftests/landlock/Makefile | 29 + tools/testing/selftests/landlock/base_test.c | 163 ++ tools/testing/selftests/landlock/common.h | 93 + tools/testing/selftests/landlock/config | 5 + tools/testing/selftests/landlock/fs_test.c | 1740 +++++++++++++++++ .../testing/selftests/landlock/ptrace_test.c | 321 +++ tools/testing/selftests/landlock/true.c | 5 + 71 files changed, 5611 insertions(+), 77 deletions(-) create mode 100644 Documentation/security/landlock/index.rst create mode 100644 Documentation/security/landlock/kernel.rst create mode 100644 Documentation/security/landlock/user.rst create mode 100644 include/uapi/linux/landlock.h create mode 100644 samples/landlock/.gitignore create mode 100644 samples/landlock/Makefile create mode 100644 samples/landlock/sandboxer.c create mode 100644 security/landlock/Kconfig create mode 100644 security/landlock/Makefile create mode 100644 security/landlock/common.h create mode 100644 security/landlock/cred.c create mode 100644 security/landlock/cred.h create mode 100644 security/landlock/fs.c create mode 100644 security/landlock/fs.h create mode 100644 security/landlock/object.c create mode 100644 security/landlock/object.h create mode 100644 security/landlock/ptrace.c create mode 100644 security/landlock/ptrace.h create mode 100644 security/landlock/ruleset.c create mode 100644 security/landlock/ruleset.h create mode 100644 security/landlock/setup.c create mode 100644 security/landlock/setup.h create mode 100644 security/landlock/syscall.c create mode 100644 tools/testing/selftests/landlock/.gitignore create mode 100644 tools/testing/selftests/landlock/Makefile create mode 100644 tools/testing/selftests/landlock/base_test.c create mode 100644 tools/testing/selftests/landlock/common.h create mode 100644 tools/testing/selftests/landlock/config create mode 100644 tools/testing/selftests/landlock/fs_test.c create mode 100644 tools/testing/selftests/landlock/ptrace_test.c create mode 100644 tools/testing/selftests/landlock/true.c
A Landlock object enables to identify a kernel object (e.g. an inode). A Landlock rule is a set of access rights allowed on an object. Rules are grouped in rulesets that may be tied to a set of processes (i.e. subjects) to enforce a scoped access-control (i.e. a domain).
Because Landlock's goal is to empower any process (especially unprivileged ones) to sandbox themselves, we can't rely on a system-wide object identification such as file extended attributes. Indeed, we need innocuous, composable and modular access-controls.
The main challenge with these constraints is to identify kernel objects while this identification is useful (i.e. when a security policy makes use of this object). But this identification data should be freed once no policy is using it. This ephemeral tagging should not and may not be written in the filesystem. We then need to manage the lifetime of a rule according to the lifetime of its object. To avoid a global lock, this implementation make use of RCU and counters to safely reference objects.
A following commit uses this generic object management for inodes.
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v18: * Account objects to kmemcg.
Changes since v14: * Simplify the object, rule and ruleset management at the expense of a less aggressive memory freeing (contributed by Jann Horn, with additional modifications): - Remove object->list aggregating the rules tied to an object. - Remove landlock_get_object(), landlock_drop_object(), {get,put}_object_cleaner() and landlock_rule_is_disabled(). - Rewrite landlock_put_object() to use a more simple mechanism (no tricky RCU). - Replace enum landlock_object_type and landlock_release_object() with landlock_object_underops->release() - Adjust unions and Sparse annotations. Cf. https://lore.kernel.org/lkml/CAG48ez21bEn0wL1bbmTiiu8j9jP5iEWtHOwz4tURUJ+ki0... * Merge struct landlock_rule into landlock_ruleset_elem to simplify the rule management. * Constify variables. * Improve kernel documentation. * Cosmetic variable renames. * Remove the "default" in the Kconfig (suggested by Jann Horn). * Only use refcount_inc() through getter helpers. * Update Kconfig description.
Changes since v13: * New dedicated implementation, removing the need for eBPF.
Previous changes: https://lore.kernel.org/lkml/20190721213116.23476-6-mic@digikod.net/ --- MAINTAINERS | 10 +++++ security/Kconfig | 1 + security/Makefile | 2 + security/landlock/Kconfig | 18 ++++++++ security/landlock/Makefile | 3 ++ security/landlock/object.c | 66 +++++++++++++++++++++++++++ security/landlock/object.h | 91 ++++++++++++++++++++++++++++++++++++++ 7 files changed, 191 insertions(+) create mode 100644 security/landlock/Kconfig create mode 100644 security/landlock/Makefile create mode 100644 security/landlock/object.c create mode 100644 security/landlock/object.h
diff --git a/MAINTAINERS b/MAINTAINERS index 1d4aa7f942de..4c229c961d0d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9630,6 +9630,16 @@ F: net/core/sock_map.c F: net/ipv4/tcp_bpf.c F: net/ipv4/udp_bpf.c
+LANDLOCK SECURITY MODULE +M: Mickaël Salaün mic@digikod.net +L: linux-security-module@vger.kernel.org +S: Supported +W: https://landlock.io +T: git https://github.com/landlock-lsm/linux.git +F: security/landlock/ +K: landlock +K: LANDLOCK + LANTIQ / INTEL Ethernet drivers M: Hauke Mehrtens hauke@hauke-m.de L: netdev@vger.kernel.org diff --git a/security/Kconfig b/security/Kconfig index cd3cc7da3a55..582fd777a757 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -238,6 +238,7 @@ source "security/loadpin/Kconfig" source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" +source "security/landlock/Kconfig"
source "security/integrity/Kconfig"
diff --git a/security/Makefile b/security/Makefile index 3baf435de541..c688f4907a1b 100644 --- a/security/Makefile +++ b/security/Makefile @@ -13,6 +13,7 @@ subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown subdir-$(CONFIG_BPF_LSM) += bpf +subdir-$(CONFIG_SECURITY_LANDLOCK) += landlock
# always enable default capabilities obj-y += commoncap.o @@ -32,6 +33,7 @@ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ +obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
# Object integrity file lists subdir-$(CONFIG_INTEGRITY) += integrity diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig new file mode 100644 index 000000000000..9ec7593a534a --- /dev/null +++ b/security/landlock/Kconfig @@ -0,0 +1,18 @@ +# SPDX-License-Identifier: GPL-2.0-only + +config SECURITY_LANDLOCK + bool "Landlock support" + depends on SECURITY + select SECURITY_PATH + help + Landlock is a safe sandboxing mechanism which enables processes to + restrict themselves (and their future children) by gradually + enforcing tailored access control policies. A security policy is a + set of access rights (e.g. open a file in read-only, make a + directory) tied to a file hierarchy. The configuration can be set by + any processes, including unprivileged ones, thanks to the landlock() + system call. + + See Documentation/security/landlock/ for further information. + + If you are unsure how to answer this question, answer N. diff --git a/security/landlock/Makefile b/security/landlock/Makefile new file mode 100644 index 000000000000..cb6deefbf4c0 --- /dev/null +++ b/security/landlock/Makefile @@ -0,0 +1,3 @@ +obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o + +landlock-y := object.o diff --git a/security/landlock/object.c b/security/landlock/object.c new file mode 100644 index 000000000000..67937650885b --- /dev/null +++ b/security/landlock/object.c @@ -0,0 +1,66 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Object management + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#include <linux/bug.h> +#include <linux/compiler_types.h> +#include <linux/kernel.h> +#include <linux/rcupdate.h> +#include <linux/refcount.h> +#include <linux/slab.h> +#include <linux/spinlock.h> + +#include "object.h" + +struct landlock_object *landlock_create_object( + const struct landlock_object_underops *underops, + void *const underobj) +{ + struct landlock_object *new_object; + + if (WARN_ON_ONCE(!underops || !underobj)) + return NULL; + new_object = kzalloc(sizeof(*new_object), GFP_KERNEL_ACCOUNT); + if (!new_object) + return NULL; + refcount_set(&new_object->usage, 1); + spin_lock_init(&new_object->lock); + new_object->underops = underops; + new_object->underobj = underobj; + return new_object; +} + +/* + * The caller must own the object (i.e. thanks to object->usage) to safely put + * it. + */ +void landlock_put_object(struct landlock_object *const object) +{ + /* + * The call to @object->underops->release(object) might sleep e.g., + * because of iput(). + */ + might_sleep(); + if (!object) + return; + + /* + * If the @object's refcount can't drop to zero, we can just decrement + * the refcount without holding a lock. Otherwise, the decrement must + * happen under @object->lock for synchronization with things like + * get_inode_object(). + */ + if (refcount_dec_and_lock(&object->usage, &object->lock)) { + __acquire(&object->lock); + /* + * With @object->lock initially held, remove the reference from + * @object->underobj to @object (if it still exists). + */ + object->underops->release(object); + kfree_rcu(object, rcu_free); + } +} diff --git a/security/landlock/object.h b/security/landlock/object.h new file mode 100644 index 000000000000..942bc0e18064 --- /dev/null +++ b/security/landlock/object.h @@ -0,0 +1,91 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Object management + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#ifndef _SECURITY_LANDLOCK_OBJECT_H +#define _SECURITY_LANDLOCK_OBJECT_H + +#include <linux/compiler_types.h> +#include <linux/refcount.h> +#include <linux/spinlock.h> + +struct landlock_object; + +/** + * struct landlock_object_underops - Operations on an underlying object + */ +struct landlock_object_underops { + /** + * @release: Releases the underlying object (e.g. iput() for an inode). + */ + void (*release)(struct landlock_object *const object) + __releases(object->lock); +}; + +/** + * struct landlock_object - Security blob tied to a kernel object + * + * The goal of this structure is to enable to tie a set of ephemeral access + * rights (pertaining to different domains) to a kernel object (e.g an inode) + * in a safe way. This imply to handle concurrent use and modification. + * + * The lifetime of a &struct landlock_object depends of the rules referring to + * it. + */ +struct landlock_object { + /** + * @usage: This counter is used to tie an object to the rules matching + * it or to keep it alive while adding a new rule. If this counter + * reaches zero, this struct must not be modified, but this counter can + * still be read from within an RCU read-side critical section. When + * adding a new rule to an object with a usage counter of zero, we must + * wait until the pointer to this object is set to NULL (or recycled). + */ + refcount_t usage; + /** + * @lock: Guards against concurrent modifications. This lock must be + * from the time @usage drops to zero until any weak references from + * @underobj to this object have been cleaned up. + * + * Lock ordering: inode->i_lock nests inside this. + */ + spinlock_t lock; + /** + * @underobj: Used when cleaning up an object and to mark an object as + * tied to its underlying kernel structure. This pointer is protected + * by @lock. Cf. landlock_release_inodes() and release_inode(). + */ + void *underobj; + union { + /** + * @rcu_free: Enables lockless use of @usage, @lock and + * @underobj from within an RCU read-side critical section. + * @rcu_free and @underops are only used by + * landlock_put_object(). + */ + struct rcu_head rcu_free; + /** + * @underops: Enables landlock_put_object() to release the + * underlying object (e.g. inode). + */ + const struct landlock_object_underops *underops; + }; +}; + +struct landlock_object *landlock_create_object( + const struct landlock_object_underops *const underops, + void *const underojb); + +void landlock_put_object(struct landlock_object *const object); + +static inline void landlock_get_object(struct landlock_object *const object) +{ + if (object) + refcount_inc(&object->usage); +} + +#endif /* _SECURITY_LANDLOCK_OBJECT_H */
A Landlock ruleset is mainly a red-black tree with Landlock rules as nodes. This enables quick update and lookup to match a requested access e.g., to a file. A ruleset is usable through a dedicated file descriptor (cf. following commit implementing the syscall) which enables a process to create and populate a ruleset with new rules.
A domain is a ruleset tied to a set of processes. This group of rules define the security policy enforced on these processes and their future children. A domain can transition to a new domain which is the intersection of all its constraints and those of a ruleset provided by the current process. This modification only impact the current process. This means that a process can only gain more constraints (i.e. lose accesses) over time.
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v18: * Account rulesets to kmemcg. * Remove struct holes. * Cosmetic changes.
Changes since v17: * Move include/uapi/linux/landlock.h and _LANDLOCK_ACCESS_FS_* to a following patch.
Changes since v16: * Allow enforcement of empty ruleset, which enables deny-all policies.
Changes since v15: * Replace layer_levels and layer_depth with a bitfield of layers, cf. filesystem commit. * Rename the LANDLOCK_ACCESS_FS_{UNLINK,RMDIR} with LANDLOCK_ACCESS_FS_REMOVE_{FILE,DIR} because it makes sense to use them for the action of renaming a file or a directory, which may lead to the removal of the source file or directory. Removes the LANDLOCK_ACCESS_FS_{LINK_TO,RENAME_FROM,RENAME_TO} which are now replaced with LANDLOCK_ACCESS_FS_REMOVE_{FILE,DIR} and LANDLOCK_ACCESS_FS_MAKE_* . * Update the documentation accordingly and highlight how the access rights are taken into account. * Change nb_rules from atomic_t to u32 because it is not use anymore by show_fdinfo(). * Add safeguard for level variables types. * Check max number of rules. * Replace struct landlock_access (self and beneath bitfields) with one bitfield. * Remove useless variable. * Add comments.
Changes since v14: * Simplify the object, rule and ruleset management at the expense of a less aggressive memory freeing (contributed by Jann Horn, with additional modifications): - Make a domain immutable (remove the opportunistic cleaning). - Remove RCU pointers. - Merge struct landlock_ref and struct landlock_ruleset_elem into landlock_rule: get ride of rule's RCU. - Adjust union. - Remove the landlock_insert_rule() check about a new object with the same address as a previously disabled one, because it is not possible to disable a rule anymore. Cf. https://lore.kernel.org/lkml/CAG48ez21bEn0wL1bbmTiiu8j9jP5iEWtHOwz4tURUJ+ki0... * Fix nested domains by implementing a notion of layer level and depth: - Update landlock_insert_rule() to manage such layers. - Add an inherit_ruleset() helper to properly create a new domain. - Rename landlock_find_access() to landlock_find_rule() and return a full rule reference. - Add a layer_level and a layer_depth fields to struct landlock_rule. - Add a top_layer_level field to struct landlock_ruleset. * Remove access rights that may be required for FD-only requests: truncate, getattr, lock, chmod, chown, chgrp, ioctl. This will be handle in a future evolution of Landlock, but right now the goal is to lighten the code to ease review. * Remove LANDLOCK_ACCESS_FS_OPEN and rename LANDLOCK_ACCESS_FS_{READ,WRITE} with a FILE suffix. * Rename LANDLOCK_ACCESS_FS_READDIR to match the *_FILE pattern. * Remove LANDLOCK_ACCESS_FS_MAP which was useless. * Fix memory leak in put_hierarchy() (reported by Jann Horn). * Fix user-after-free and rename free_ruleset() (reported by Jann Horn). * Replace the for loops with rbtree_postorder_for_each_entry_safe(). * Constify variables. * Only use refcount_inc() through getter helpers. * Change Landlock_insert_ruleset_access() to Landlock_insert_ruleset_rule(). * Rename landlock_put_ruleset_enqueue() to landlock_put_ruleset_deferred(). * Improve kernel documentation and add a warning about the unhandled access/syscall families. * Move ABI check to syscall.c .
Changes since v13: * New implementation, inspired by the previous inode eBPF map, but agnostic to the underlying kernel object.
Previous changes: https://lore.kernel.org/lkml/20190721213116.23476-7-mic@digikod.net/ --- MAINTAINERS | 1 + security/landlock/Makefile | 2 +- security/landlock/ruleset.c | 342 ++++++++++++++++++++++++++++++++++++ security/landlock/ruleset.h | 157 +++++++++++++++++ 4 files changed, 501 insertions(+), 1 deletion(-) create mode 100644 security/landlock/ruleset.c create mode 100644 security/landlock/ruleset.h
diff --git a/MAINTAINERS b/MAINTAINERS index 4c229c961d0d..f2c2480d8590 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -9636,6 +9636,7 @@ L: linux-security-module@vger.kernel.org S: Supported W: https://landlock.io T: git https://github.com/landlock-lsm/linux.git +F: include/uapi/linux/landlock.h F: security/landlock/ K: landlock K: LANDLOCK diff --git a/security/landlock/Makefile b/security/landlock/Makefile index cb6deefbf4c0..d846eba445bb 100644 --- a/security/landlock/Makefile +++ b/security/landlock/Makefile @@ -1,3 +1,3 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
-landlock-y := object.o +landlock-y := object.o ruleset.o diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c new file mode 100644 index 000000000000..f9ef8a6793e2 --- /dev/null +++ b/security/landlock/ruleset.c @@ -0,0 +1,342 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Ruleset management + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#include <linux/bits.h> +#include <linux/bug.h> +#include <linux/compiler_types.h> +#include <linux/err.h> +#include <linux/errno.h> +#include <linux/kernel.h> +#include <linux/limits.h> +#include <linux/rbtree.h> +#include <linux/refcount.h> +#include <linux/slab.h> +#include <linux/spinlock.h> +#include <linux/workqueue.h> + +#include "object.h" +#include "ruleset.h" + +static struct landlock_ruleset *create_ruleset(void) +{ + struct landlock_ruleset *new_ruleset; + + new_ruleset = kzalloc(sizeof(*new_ruleset), GFP_KERNEL_ACCOUNT); + if (!new_ruleset) + return ERR_PTR(-ENOMEM); + refcount_set(&new_ruleset->usage, 1); + mutex_init(&new_ruleset->lock); + /* + * root = RB_ROOT + * hierarchy = NULL + * nb_rules = 0 + * nb_layers = 0 + * fs_access_mask = 0 + */ + return new_ruleset; +} + +struct landlock_ruleset *landlock_create_ruleset(const u32 fs_access_mask) +{ + struct landlock_ruleset *new_ruleset; + + /* Informs about useless ruleset. */ + if (!fs_access_mask) + return ERR_PTR(-ENOMSG); + new_ruleset = create_ruleset(); + if (!IS_ERR(new_ruleset)) + new_ruleset->fs_access_mask = fs_access_mask; + return new_ruleset; +} + +static struct landlock_rule *duplicate_rule(struct landlock_rule *const src) +{ + struct landlock_rule *new_rule; + + new_rule = kzalloc(sizeof(*new_rule), GFP_KERNEL_ACCOUNT); + if (!new_rule) + return ERR_PTR(-ENOMEM); + RB_CLEAR_NODE(&new_rule->node); + landlock_get_object(src->object); + new_rule->object = src->object; + new_rule->access = src->access; + new_rule->layers = src->layers; + return new_rule; +} + +static void put_rule(struct landlock_rule *const rule) +{ + might_sleep(); + if (!rule) + return; + landlock_put_object(rule->object); + kfree(rule); +} + +/* + * Assumptions: + * - An inserted rule can not be removed. + * - The underlying kernel object must be held by the caller. + * + * @rule: Read-only payload to be inserted (not own by this function). + * @is_merge: If true, intersects access rights and updates the rule's layers + * (e.g. merge two rulesets), else do a union of access rights and keep the + * rule's layers (e.g. extend a ruleset) + */ +int landlock_insert_rule(struct landlock_ruleset *const ruleset, + struct landlock_rule *const rule, const bool is_merge) +{ + struct rb_node **walker_node; + struct rb_node *parent_node = NULL; + struct landlock_rule *new_rule; + + might_sleep(); + lockdep_assert_held(&ruleset->lock); + walker_node = &(ruleset->root.rb_node); + while (*walker_node) { + struct landlock_rule *const this = rb_entry(*walker_node, + struct landlock_rule, node); + + if (this->object != rule->object) { + parent_node = *walker_node; + if (this->object < rule->object) + walker_node = &((*walker_node)->rb_right); + else + walker_node = &((*walker_node)->rb_left); + continue; + } + + /* If there is a matching rule, updates it. */ + if (is_merge) { + /* Intersects access rights. */ + this->access &= rule->access; + + /* Updates the rule layers with the next one. */ + this->layers |= BIT_ULL(ruleset->nb_layers); + } else { + /* Extends access rights. */ + this->access |= rule->access; + } + return 0; + } + + /* There is no match for @rule->object. */ + if (ruleset->nb_rules == U32_MAX) + return -E2BIG; + new_rule = duplicate_rule(rule); + if (IS_ERR(new_rule)) + return PTR_ERR(new_rule); + if (is_merge) + /* Sets the rule layer to the next one. */ + new_rule->layers = BIT_ULL(ruleset->nb_layers); + rb_link_node(&new_rule->node, parent_node, walker_node); + rb_insert_color(&new_rule->node, &ruleset->root); + ruleset->nb_rules++; + return 0; +} + +static inline void get_hierarchy(struct landlock_hierarchy *const hierarchy) +{ + if (hierarchy) + refcount_inc(&hierarchy->usage); +} + +static void put_hierarchy(struct landlock_hierarchy *hierarchy) +{ + while (hierarchy && refcount_dec_and_test(&hierarchy->usage)) { + const struct landlock_hierarchy *const freeme = hierarchy; + + hierarchy = hierarchy->parent; + kfree(freeme); + } +} + +static int merge_ruleset(struct landlock_ruleset *const dst, + struct landlock_ruleset *const src) +{ + struct landlock_rule *walker_rule, *next_rule; + int err = 0; + + might_sleep(); + if (!src) + return 0; + /* Only merge into a domain. */ + if (WARN_ON_ONCE(!dst || !dst->hierarchy)) + return -EFAULT; + + mutex_lock(&dst->lock); + mutex_lock_nested(&src->lock, 1); + /* + * Makes a new layer, but only increments the number of layers after + * the rules are inserted. + */ + if (dst->nb_layers == sizeof(walker_rule->layers) * BITS_PER_BYTE) { + err = -E2BIG; + goto out_unlock; + } + dst->fs_access_mask |= src->fs_access_mask; + + /* Merges the @src tree. */ + rbtree_postorder_for_each_entry_safe(walker_rule, next_rule, + &src->root, node) { + err = landlock_insert_rule(dst, walker_rule, true); + if (err) + goto out_unlock; + } + dst->nb_layers++; + +out_unlock: + mutex_unlock(&src->lock); + mutex_unlock(&dst->lock); + return err; +} + +static struct landlock_ruleset *inherit_ruleset( + struct landlock_ruleset *const parent) +{ + struct landlock_rule *walker_rule, *next_rule; + struct landlock_ruleset *new_ruleset; + int err = 0; + + might_sleep(); + new_ruleset = create_ruleset(); + if (IS_ERR(new_ruleset)) + return new_ruleset; + + new_ruleset->hierarchy = kzalloc(sizeof(*new_ruleset->hierarchy), + GFP_KERNEL_ACCOUNT); + if (!new_ruleset->hierarchy) { + err = -ENOMEM; + goto out_put_ruleset; + } + refcount_set(&new_ruleset->hierarchy->usage, 1); + if (!parent) + return new_ruleset; + + mutex_lock(&new_ruleset->lock); + mutex_lock_nested(&parent->lock, 1); + new_ruleset->nb_layers = parent->nb_layers; + new_ruleset->fs_access_mask = parent->fs_access_mask; + WARN_ON_ONCE(!parent->hierarchy); + get_hierarchy(parent->hierarchy); + new_ruleset->hierarchy->parent = parent->hierarchy; + + /* Copies the @parent tree. */ + rbtree_postorder_for_each_entry_safe(walker_rule, next_rule, + &parent->root, node) { + err = landlock_insert_rule(new_ruleset, walker_rule, false); + if (err) + goto out_unlock; + } + mutex_unlock(&parent->lock); + mutex_unlock(&new_ruleset->lock); + return new_ruleset; + +out_unlock: + mutex_unlock(&parent->lock); + mutex_unlock(&new_ruleset->lock); + +out_put_ruleset: + landlock_put_ruleset(new_ruleset); + return ERR_PTR(err); +} + +static void free_ruleset(struct landlock_ruleset *const ruleset) +{ + struct landlock_rule *freeme, *next; + + might_sleep(); + rbtree_postorder_for_each_entry_safe(freeme, next, &ruleset->root, + node) + put_rule(freeme); + put_hierarchy(ruleset->hierarchy); + kfree(ruleset); +} + +void landlock_put_ruleset(struct landlock_ruleset *const ruleset) +{ + might_sleep(); + if (ruleset && refcount_dec_and_test(&ruleset->usage)) + free_ruleset(ruleset); +} + +static void free_ruleset_work(struct work_struct *const work) +{ + struct landlock_ruleset *ruleset; + + ruleset = container_of(work, struct landlock_ruleset, work_free); + free_ruleset(ruleset); +} + +void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset) +{ + if (ruleset && refcount_dec_and_test(&ruleset->usage)) { + INIT_WORK(&ruleset->work_free, free_ruleset_work); + schedule_work(&ruleset->work_free); + } +} + +/* + * Creates a new transition domain, intersection of @parent and @ruleset, or + * return @parent if @ruleset is empty. If @parent is empty, returns a + * duplicate of @ruleset. + */ +struct landlock_ruleset *landlock_merge_ruleset( + struct landlock_ruleset *const parent, + struct landlock_ruleset *const ruleset) +{ + struct landlock_ruleset *new_dom; + int err; + + might_sleep(); + /* + * Merging duplicates a ruleset, so a new ruleset can't be + * the same as the parent, but they can have similar content. + */ + if (WARN_ON_ONCE(!ruleset || parent == ruleset)) { + landlock_get_ruleset(parent); + return parent; + } + + new_dom = inherit_ruleset(parent); + if (IS_ERR(new_dom)) + return new_dom; + + err = merge_ruleset(new_dom, ruleset); + if (err) { + landlock_put_ruleset(new_dom); + return ERR_PTR(err); + } + return new_dom; +} + +/* + * The returned access has the same lifetime as @ruleset. + */ +const struct landlock_rule *landlock_find_rule( + const struct landlock_ruleset *const ruleset, + const struct landlock_object *const object) +{ + const struct rb_node *node; + + if (!object) + return NULL; + node = ruleset->root.rb_node; + while (node) { + struct landlock_rule *this = rb_entry(node, + struct landlock_rule, node); + + if (this->object == object) + return this; + if (this->object < object) + node = node->rb_right; + else + node = node->rb_left; + } + return NULL; +} diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h new file mode 100644 index 000000000000..d5fcec4c1a17 --- /dev/null +++ b/security/landlock/ruleset.h @@ -0,0 +1,157 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Ruleset management + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#ifndef _SECURITY_LANDLOCK_RULESET_H +#define _SECURITY_LANDLOCK_RULESET_H + +#include <linux/mutex.h> +#include <linux/rbtree.h> +#include <linux/refcount.h> +#include <linux/workqueue.h> + +#include "object.h" + +/** + * struct landlock_rule - Access rights tied to an object + * + * When enforcing a ruleset (i.e. merging a ruleset into the current domain), + * the layer level of a new rule is the incremented top layer level (cf. + * &struct landlock_ruleset). If there is no rule (from this domain) tied to + * the same object, then the depth of the new rule is 1. However, if there is + * already a rule tied to the same object and if this rule's layer level is the + * previous top layer level, then the depth and the layer level are both + * incremented and the rule is updated with the new access rights (boolean + * AND). + */ +struct landlock_rule { + /** + * @node: Node in the red-black tree. + */ + struct rb_node node; + /** + * @object: Pointer to identify a kernel object (e.g. an inode). This + * is used as a key for this ruleset element. This pointer is set once + * and never modified. It always point to an allocated object because + * each rule increment the refcount of there object. + */ + struct landlock_object *object; + /** + * @layers: Bitfield to identify the layers which resulted to @access + * from different consecutive intersections. + */ + u64 layers; + /** + * @access: Bitfield of allowed actions on the kernel object. They are + * relative to the object type (e.g. %LANDLOCK_ACTION_FS_READ). This + * may be the result of the merged access rights (boolean AND) from + * multiple layers referring to the same object. + */ + u32 access; +}; + +/** + * struct landlock_hierarchy - Node in a ruleset hierarchy + */ +struct landlock_hierarchy { + /** + * @parent: Pointer to the parent node, or NULL if it is a root Lanlock + * domain. + */ + struct landlock_hierarchy *parent; + /** + * @usage: Number of potential children domains plus their parent + * domain. + */ + refcount_t usage; +}; + +/** + * struct landlock_ruleset - Landlock ruleset + * + * This data structure must contains unique entries, be updatable, and quick to + * match an object. + */ +struct landlock_ruleset { + /** + * @root: Root of a red-black tree containing &struct landlock_rule + * nodes. + */ + struct rb_root root; + /** + * @hierarchy: Enables hierarchy identification even when a parent + * domain vanishes. This is needed for the ptrace protection. + */ + struct landlock_hierarchy *hierarchy; + union { + /** + * @work_free: Enables to free a ruleset within a lockless + * section. This is only used by + * landlock_put_ruleset_deferred() when @usage reaches zero. + * The fields @lock, @usage, @nb_layers, @nb_rules and + * @fs_access_mask are then unused. + */ + struct work_struct work_free; + struct { + /** + * @lock: Guards against concurrent modifications of + * @root, if @usage is greater than zero. + */ + struct mutex lock; + /** + * @usage: Number of processes (i.e. domains) or file + * descriptors referencing this ruleset. + */ + refcount_t usage; + /** + * @nb_rules: Number of non-overlapping (i.e. not for + * the same object) rules in this ruleset. + */ + u32 nb_rules; + /** + * @nb_layers: Number of layers which are used in this + * ruleset. This enables to check that all the layers + * allow an access request. A value of 0 identify a + * non-merged ruleset (i.e. not a domain). + */ + u32 nb_layers; + /** + * @fs_access_mask: Contains the subset of filesystem + * actions which are restricted by a ruleset. This is + * used when merging rulesets and for user space + * backward compatibility (i.e. future-proof). Set + * once and never changed for the lifetime of the + * ruleset. + */ + u32 fs_access_mask; + }; + }; +}; + +struct landlock_ruleset *landlock_create_ruleset(const u32 fs_access_mask); + +void landlock_put_ruleset(struct landlock_ruleset *const ruleset); +void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset); + +int landlock_insert_rule(struct landlock_ruleset *const ruleset, + struct landlock_rule *const rule, const bool is_merge); + +struct landlock_ruleset *landlock_merge_ruleset( + struct landlock_ruleset *const parent, + struct landlock_ruleset *const ruleset); + +const struct landlock_rule *landlock_find_rule( + const struct landlock_ruleset *const ruleset, + const struct landlock_object *const object); + +static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) +{ + if (ruleset) + refcount_inc(&ruleset->usage); +} + +#endif /* _SECURITY_LANDLOCK_RULESET_H */
A process credentials point to a Landlock domain, which is underneath implemented with a ruleset. In the following commits, this domain is used to check and enforce the ptrace and filesystem security policies. A domain is inherited from a parent to its child the same way a thread inherits a seccomp policy.
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v17: * Constify returned domain pointers from landlock_get_current_domain() and landlock_get_task_domain() helpers.
Changes since v15: * Optimize landlocked() for current thread. * Display the greeting message when everything is initialized.
Changes since v14: * Uses pr_fmt from common.h . * Constify variables. * Remove useless NULL initialization.
Changes since v13: * totally get ride of the seccomp dependency * only keep credential management and LSM setup.
Previous changes: https://lore.kernel.org/lkml/20191104172146.30797-4-mic@digikod.net/ --- security/Kconfig | 10 +++---- security/landlock/Makefile | 3 +- security/landlock/common.h | 20 +++++++++++++ security/landlock/cred.c | 46 ++++++++++++++++++++++++++++++ security/landlock/cred.h | 58 ++++++++++++++++++++++++++++++++++++++ security/landlock/setup.c | 31 ++++++++++++++++++++ security/landlock/setup.h | 16 +++++++++++ 7 files changed, 178 insertions(+), 6 deletions(-) create mode 100644 security/landlock/common.h create mode 100644 security/landlock/cred.c create mode 100644 security/landlock/cred.h create mode 100644 security/landlock/setup.c create mode 100644 security/landlock/setup.h
diff --git a/security/Kconfig b/security/Kconfig index 582fd777a757..a96ee1c7fd25 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -278,11 +278,11 @@ endchoice
config LSM string "Ordered list of enabled LSMs" - default "lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC - default "lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list will be ignored. This can be diff --git a/security/landlock/Makefile b/security/landlock/Makefile index d846eba445bb..041ea242e627 100644 --- a/security/landlock/Makefile +++ b/security/landlock/Makefile @@ -1,3 +1,4 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
-landlock-y := object.o ruleset.o +landlock-y := setup.o object.o ruleset.o \ + cred.o diff --git a/security/landlock/common.h b/security/landlock/common.h new file mode 100644 index 000000000000..5dc0fe15707d --- /dev/null +++ b/security/landlock/common.h @@ -0,0 +1,20 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Common constants and helpers + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#ifndef _SECURITY_LANDLOCK_COMMON_H +#define _SECURITY_LANDLOCK_COMMON_H + +#define LANDLOCK_NAME "landlock" + +#ifdef pr_fmt +#undef pr_fmt +#endif + +#define pr_fmt(fmt) LANDLOCK_NAME ": " fmt + +#endif /* _SECURITY_LANDLOCK_COMMON_H */ diff --git a/security/landlock/cred.c b/security/landlock/cred.c new file mode 100644 index 000000000000..7074149d2517 --- /dev/null +++ b/security/landlock/cred.c @@ -0,0 +1,46 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Credential hooks + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#include <linux/cred.h> +#include <linux/lsm_hooks.h> + +#include "common.h" +#include "cred.h" +#include "ruleset.h" +#include "setup.h" + +static int hook_cred_prepare(struct cred *const new, + const struct cred *const old, const gfp_t gfp) +{ + const struct landlock_cred_security *cred_old = landlock_cred(old); + struct landlock_cred_security *cred_new = landlock_cred(new); + struct landlock_ruleset *dom_old; + + dom_old = cred_old->domain; + if (dom_old) { + landlock_get_ruleset(dom_old); + cred_new->domain = dom_old; + } + return 0; +} + +static void hook_cred_free(struct cred *const cred) +{ + landlock_put_ruleset_deferred(landlock_cred(cred)->domain); +} + +static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(cred_prepare, hook_cred_prepare), + LSM_HOOK_INIT(cred_free, hook_cred_free), +}; + +__init void landlock_add_hooks_cred(void) +{ + security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), + LANDLOCK_NAME); +} diff --git a/security/landlock/cred.h b/security/landlock/cred.h new file mode 100644 index 000000000000..2983dd4dda46 --- /dev/null +++ b/security/landlock/cred.h @@ -0,0 +1,58 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Credential hooks + * + * Copyright © 2019 Mickaël Salaün mic@digikod.net + * Copyright © 2019 ANSSI + */ + +#ifndef _SECURITY_LANDLOCK_CRED_H +#define _SECURITY_LANDLOCK_CRED_H + +#include <linux/cred.h> +#include <linux/init.h> +#include <linux/rcupdate.h> + +#include "ruleset.h" +#include "setup.h" + +struct landlock_cred_security { + struct landlock_ruleset *domain; +}; + +static inline struct landlock_cred_security *landlock_cred( + const struct cred *cred) +{ + return cred->security + landlock_blob_sizes.lbs_cred; +} + +static inline const struct landlock_ruleset *landlock_get_current_domain(void) +{ + return landlock_cred(current_cred())->domain; +} + +/* + * The call needs to come from an RCU read-side critical section. + */ +static inline const struct landlock_ruleset *landlock_get_task_domain( + const struct task_struct *const task) +{ + return landlock_cred(__task_cred(task))->domain; +} + +static inline bool landlocked(const struct task_struct *const task) +{ + bool has_dom; + + if (task == current) + return !!landlock_get_current_domain(); + + rcu_read_lock(); + has_dom = !!landlock_get_task_domain(task); + rcu_read_unlock(); + return has_dom; +} + +__init void landlock_add_hooks_cred(void); + +#endif /* _SECURITY_LANDLOCK_CRED_H */ diff --git a/security/landlock/setup.c b/security/landlock/setup.c new file mode 100644 index 000000000000..39ee1766f175 --- /dev/null +++ b/security/landlock/setup.c @@ -0,0 +1,31 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Security framework setup + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#include <linux/init.h> +#include <linux/lsm_hooks.h> + +#include "common.h" +#include "cred.h" +#include "setup.h" + +struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { + .lbs_cred = sizeof(struct landlock_cred_security), +}; + +static int __init landlock_init(void) +{ + landlock_add_hooks_cred(); + pr_info("Up and running.\n"); + return 0; +} + +DEFINE_LSM(LANDLOCK_NAME) = { + .name = LANDLOCK_NAME, + .init = landlock_init, + .blobs = &landlock_blob_sizes, +}; diff --git a/security/landlock/setup.h b/security/landlock/setup.h new file mode 100644 index 000000000000..9fdbf33fcc33 --- /dev/null +++ b/security/landlock/setup.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Security framework setup + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#ifndef _SECURITY_LANDLOCK_SETUP_H +#define _SECURITY_LANDLOCK_SETUP_H + +#include <linux/lsm_hooks.h> + +extern struct lsm_blob_sizes landlock_blob_sizes; + +#endif /* _SECURITY_LANDLOCK_SETUP_H */
Using ptrace(2) and related debug features on a target process can lead to a privilege escalation. Indeed, ptrace(2) can be used by an attacker to impersonate another task and to remain undetected while performing malicious activities. Thanks to ptrace_may_access(), various part of the kernel can check if a tracer is more privileged than a tracee.
A landlocked process has fewer privileges than a non-landlocked process and must then be subject to additional restrictions when manipulating processes. To be allowed to use ptrace(2) and related syscalls on a target process, a landlocked process must have a subset of the target process' rules (i.e. the tracee must be in a sub-domain of the tracer).
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v14: * Constify variables.
Changes since v13: * Make the ptrace restriction mandatory, like in the v10. * Remove the eBPF dependency.
Previous changes: https://lore.kernel.org/lkml/20191104172146.30797-5-mic@digikod.net/ --- security/landlock/Makefile | 2 +- security/landlock/ptrace.c | 120 +++++++++++++++++++++++++++++++++++++ security/landlock/ptrace.h | 14 +++++ security/landlock/setup.c | 2 + 4 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 security/landlock/ptrace.c create mode 100644 security/landlock/ptrace.h
diff --git a/security/landlock/Makefile b/security/landlock/Makefile index 041ea242e627..f1d1eb72fa76 100644 --- a/security/landlock/Makefile +++ b/security/landlock/Makefile @@ -1,4 +1,4 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
landlock-y := setup.o object.o ruleset.o \ - cred.o + cred.o ptrace.o diff --git a/security/landlock/ptrace.c b/security/landlock/ptrace.c new file mode 100644 index 000000000000..61df38b13f5c --- /dev/null +++ b/security/landlock/ptrace.c @@ -0,0 +1,120 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Ptrace hooks + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2020 ANSSI + */ + +#include <asm/current.h> +#include <linux/cred.h> +#include <linux/errno.h> +#include <linux/kernel.h> +#include <linux/lsm_hooks.h> +#include <linux/rcupdate.h> +#include <linux/sched.h> + +#include "common.h" +#include "cred.h" +#include "ptrace.h" +#include "ruleset.h" +#include "setup.h" + +/** + * domain_scope_le - Checks domain ordering for scoped ptrace + * + * @parent: Parent domain. + * @child: Potential child of @parent. + * + * Checks if the @parent domain is less or equal to (i.e. an ancestor, which + * means a subset of) the @child domain. + */ +static bool domain_scope_le(const struct landlock_ruleset *const parent, + const struct landlock_ruleset *const child) +{ + const struct landlock_hierarchy *walker; + + if (!parent) + return true; + if (!child) + return false; + for (walker = child->hierarchy; walker; walker = walker->parent) { + if (walker == parent->hierarchy) + /* @parent is in the scoped hierarchy of @child. */ + return true; + } + /* There is no relationship between @parent and @child. */ + return false; +} + +static bool task_is_scoped(const struct task_struct *const parent, + const struct task_struct *const child) +{ + bool is_scoped; + const struct landlock_ruleset *dom_parent, *dom_child; + + rcu_read_lock(); + dom_parent = landlock_get_task_domain(parent); + dom_child = landlock_get_task_domain(child); + is_scoped = domain_scope_le(dom_parent, dom_child); + rcu_read_unlock(); + return is_scoped; +} + +static int task_ptrace(const struct task_struct *const parent, + const struct task_struct *const child) +{ + /* Quick return for non-landlocked tasks. */ + if (!landlocked(parent)) + return 0; + if (task_is_scoped(parent, child)) + return 0; + return -EPERM; +} + +/** + * hook_ptrace_access_check - Determines whether the current process may access + * another + * + * @child: Process to be accessed. + * @mode: Mode of attachment. + * + * If the current task has Landlock rules, then the child must have at least + * the same rules. Else denied. + * + * Determines whether a process may access another, returning 0 if permission + * granted, -errno if denied. + */ +static int hook_ptrace_access_check(struct task_struct *const child, + const unsigned int mode) +{ + return task_ptrace(current, child); +} + +/** + * hook_ptrace_traceme - Determines whether another process may trace the + * current one + * + * @parent: Task proposed to be the tracer. + * + * If the parent has Landlock rules, then the current task must have the same + * or more rules. Else denied. + * + * Determines whether the nominated task is permitted to trace the current + * process, returning 0 if permission is granted, -errno if denied. + */ +static int hook_ptrace_traceme(struct task_struct *const parent) +{ + return task_ptrace(parent, current); +} + +static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check), + LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme), +}; + +__init void landlock_add_hooks_ptrace(void) +{ + security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), + LANDLOCK_NAME); +} diff --git a/security/landlock/ptrace.h b/security/landlock/ptrace.h new file mode 100644 index 000000000000..6740c6a723de --- /dev/null +++ b/security/landlock/ptrace.h @@ -0,0 +1,14 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Ptrace hooks + * + * Copyright © 2017-2019 Mickaël Salaün mic@digikod.net + * Copyright © 2019 ANSSI + */ + +#ifndef _SECURITY_LANDLOCK_PTRACE_H +#define _SECURITY_LANDLOCK_PTRACE_H + +__init void landlock_add_hooks_ptrace(void); + +#endif /* _SECURITY_LANDLOCK_PTRACE_H */ diff --git a/security/landlock/setup.c b/security/landlock/setup.c index 39ee1766f175..5e7540fdeefa 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -11,6 +11,7 @@
#include "common.h" #include "cred.h" +#include "ptrace.h" #include "setup.h"
struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { @@ -20,6 +21,7 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { static int __init landlock_init(void) { landlock_add_hooks_cred(); + landlock_add_hooks_ptrace(); pr_info("Up and running.\n"); return 0; }
From: Casey Schaufler casey@schaufler-ca.com
Move management of the superblock->sb_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there.
Signed-off-by: Casey Schaufler casey@schaufler-ca.com Reviewed-by: Kees Cook keescook@chromium.org Reviewed-by: John Johansen john.johansen@canonical.com Reviewed-by: Stephen Smalley sds@tycho.nsa.gov Reviewed-by: Mickaël Salaün mic@digikod.net Link: https://lore.kernel.org/r/20190829232935.7099-2-casey@schaufler-ca.com ---
Changes since v17: * Rebase the original LSM stacking patch from v5.3 to v5.7: I fixed some diff conflicts caused by code moves and function renames in selinux/include/objsec.h and selinux/hooks.c . I checked that it builds but I didn't test the changes for SELinux nor SMACK. --- include/linux/lsm_hooks.h | 1 + security/security.c | 46 ++++++++++++++++++++---- security/selinux/hooks.c | 58 ++++++++++++------------------- security/selinux/include/objsec.h | 6 ++++ security/selinux/ss/services.c | 3 +- security/smack/smack.h | 6 ++++ security/smack/smack_lsm.c | 35 +++++-------------- 7 files changed, 85 insertions(+), 70 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 95b7c1d32062..80c629d8a2ad 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -1550,6 +1550,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_superblock; int lbs_ipc; int lbs_msg_msg; int lbs_task; diff --git a/security/security.c b/security/security.c index 70a7ad357bc6..d60aa835b670 100644 --- a/security/security.c +++ b/security/security.c @@ -201,6 +201,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); }
@@ -331,12 +332,13 @@ static void __init ordered_lsm_init(void) for (lsm = ordered_lsms; *lsm; lsm++) prepare_lsm(*lsm);
- init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); - init_debug("file blob size = %d\n", blob_sizes.lbs_file); - init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); - init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); - init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); - init_debug("task blob size = %d\n", blob_sizes.lbs_task); + init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); + init_debug("file blob size = %d\n", blob_sizes.lbs_file); + init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); + init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); + init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); + init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); + init_debug("task blob size = %d\n", blob_sizes.lbs_task);
/* * Create any kmem_caches needed for blobs @@ -668,6 +670,27 @@ static void __init lsm_early_task(struct task_struct *task) panic("%s: Early task alloc failed.\n", __func__); }
+/** + * lsm_superblock_alloc - allocate a composite superblock blob + * @sb: the superblock that needs a blob + * + * Allocate the superblock blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_superblock_alloc(struct super_block *sb) +{ + if (blob_sizes.lbs_superblock == 0) { + sb->s_security = NULL; + return 0; + } + + sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL); + if (sb->s_security == NULL) + return -ENOMEM; + return 0; +} + /* * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and * can be accessed with: @@ -865,12 +888,21 @@ int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *
int security_sb_alloc(struct super_block *sb) { - return call_int_hook(sb_alloc_security, 0, sb); + int rc = lsm_superblock_alloc(sb); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(sb_alloc_security, 0, sb); + if (unlikely(rc)) + security_sb_free(sb); + return rc; }
void security_sb_free(struct super_block *sb) { call_void_hook(sb_free_security, sb); + kfree(sb->s_security); + sb->s_security = NULL; }
void security_free_mnt_opts(void **mnt_opts) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index efa6108b1ce9..a88e21b90639 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -321,7 +321,7 @@ static void inode_free_security(struct inode *inode)
if (!isec) return; - sbsec = inode->i_sb->s_security; + sbsec = selinux_superblock(inode->i_sb); /* * As not all inode security structures are in a list, we check for * empty list outside of the lock to make sure that we won't waste @@ -339,13 +339,6 @@ static void inode_free_security(struct inode *inode) } }
-static void superblock_free_security(struct super_block *sb) -{ - struct superblock_security_struct *sbsec = sb->s_security; - sb->s_security = NULL; - kfree(sbsec); -} - struct selinux_mnt_opts { const char *fscontext, *context, *rootcontext, *defcontext; }; @@ -457,7 +450,7 @@ static int selinux_is_genfs_special_handling(struct super_block *sb)
static int selinux_is_sblabel_mnt(struct super_block *sb) { - struct superblock_security_struct *sbsec = sb->s_security; + struct superblock_security_struct *sbsec = selinux_superblock(sb);
/* * IMPORTANT: Double-check logic in this function when adding a new @@ -485,7 +478,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
static int sb_finish_set_opts(struct super_block *sb) { - struct superblock_security_struct *sbsec = sb->s_security; + struct superblock_security_struct *sbsec = selinux_superblock(sb); struct dentry *root = sb->s_root; struct inode *root_inode = d_backing_inode(root); int rc = 0; @@ -598,7 +591,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, unsigned long *set_kern_flags) { const struct cred *cred = current_cred(); - struct superblock_security_struct *sbsec = sb->s_security; + struct superblock_security_struct *sbsec = selinux_superblock(sb); struct dentry *root = sbsec->sb->s_root; struct selinux_mnt_opts *opts = mnt_opts; struct inode_security_struct *root_isec; @@ -835,8 +828,8 @@ static int selinux_set_mnt_opts(struct super_block *sb, static int selinux_cmp_sb_context(const struct super_block *oldsb, const struct super_block *newsb) { - struct superblock_security_struct *old = oldsb->s_security; - struct superblock_security_struct *new = newsb->s_security; + struct superblock_security_struct *old = selinux_superblock(oldsb); + struct superblock_security_struct *new = selinux_superblock(newsb); char oldflags = old->flags & SE_MNTMASK; char newflags = new->flags & SE_MNTMASK;
@@ -868,8 +861,9 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, unsigned long *set_kern_flags) { int rc = 0; - const struct superblock_security_struct *oldsbsec = oldsb->s_security; - struct superblock_security_struct *newsbsec = newsb->s_security; + const struct superblock_security_struct *oldsbsec = + selinux_superblock(oldsb); + struct superblock_security_struct *newsbsec = selinux_superblock(newsb);
int set_fscontext = (oldsbsec->flags & FSCONTEXT_MNT); int set_context = (oldsbsec->flags & CONTEXT_MNT); @@ -1048,7 +1042,7 @@ static int show_sid(struct seq_file *m, u32 sid)
static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb) { - struct superblock_security_struct *sbsec = sb->s_security; + struct superblock_security_struct *sbsec = selinux_superblock(sb); int rc;
if (!(sbsec->flags & SE_SBINITIALIZED)) @@ -1398,7 +1392,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent if (isec->sclass == SECCLASS_FILE) isec->sclass = inode_mode_to_security_class(inode->i_mode);
- sbsec = inode->i_sb->s_security; + sbsec = selinux_superblock(inode->i_sb); if (!(sbsec->flags & SE_SBINITIALIZED)) { /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security @@ -1741,7 +1735,8 @@ selinux_determine_inode_label(const struct task_security_struct *tsec, const struct qstr *name, u16 tclass, u32 *_new_isid) { - const struct superblock_security_struct *sbsec = dir->i_sb->s_security; + const struct superblock_security_struct *sbsec = + selinux_superblock(dir->i_sb);
if ((sbsec->flags & SE_SBINITIALIZED) && (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { @@ -1772,7 +1767,7 @@ static int may_create(struct inode *dir, int rc;
dsec = inode_security(dir); - sbsec = dir->i_sb->s_security; + sbsec = selinux_superblock(dir->i_sb);
sid = tsec->sid;
@@ -1921,7 +1916,7 @@ static int superblock_has_perm(const struct cred *cred, struct superblock_security_struct *sbsec; u32 sid = cred_sid(cred);
- sbsec = sb->s_security; + sbsec = selinux_superblock(sb); return avc_has_perm(&selinux_state, sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad); } @@ -2550,11 +2545,7 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
static int selinux_sb_alloc_security(struct super_block *sb) { - struct superblock_security_struct *sbsec; - - sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL); - if (!sbsec) - return -ENOMEM; + struct superblock_security_struct *sbsec = selinux_superblock(sb);
mutex_init(&sbsec->lock); INIT_LIST_HEAD(&sbsec->isec_head); @@ -2563,16 +2554,10 @@ static int selinux_sb_alloc_security(struct super_block *sb) sbsec->sid = SECINITSID_UNLABELED; sbsec->def_sid = SECINITSID_FILE; sbsec->mntpoint_sid = SECINITSID_UNLABELED; - sb->s_security = sbsec;
return 0; }
-static void selinux_sb_free_security(struct super_block *sb) -{ - superblock_free_security(sb); -} - static inline int opt_len(const char *s) { bool open_quote = false; @@ -2651,7 +2636,7 @@ static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) { struct selinux_mnt_opts *opts = mnt_opts; - struct superblock_security_struct *sbsec = sb->s_security; + struct superblock_security_struct *sbsec = selinux_superblock(sb); u32 sid; int rc;
@@ -2889,7 +2874,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, int rc; char *context;
- sbsec = dir->i_sb->s_security; + sbsec = selinux_superblock(dir->i_sb);
newsid = tsec->create_sid;
@@ -3134,7 +3119,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, if (!selinux_initialized(&selinux_state)) return (inode_owner_or_capable(inode) ? 0 : -EPERM);
- sbsec = inode->i_sb->s_security; + sbsec = selinux_superblock(inode->i_sb); if (!(sbsec->flags & SBLABEL_MNT)) return -EOPNOTSUPP;
@@ -3368,13 +3353,14 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { struct inode_security_struct *isec = inode_security_novalidate(inode); - struct superblock_security_struct *sbsec = inode->i_sb->s_security; + struct superblock_security_struct *sbsec; u32 newsid; int rc;
if (strcmp(name, XATTR_SELINUX_SUFFIX)) return -EOPNOTSUPP;
+ sbsec = selinux_superblock(inode->i_sb); if (!(sbsec->flags & SBLABEL_MNT)) return -EOPNOTSUPP;
@@ -6870,6 +6856,7 @@ struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = { .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), + .lbs_superblock = sizeof(struct superblock_security_struct), };
#ifdef CONFIG_PERF_EVENTS @@ -6970,7 +6957,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
- LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), LSM_HOOK_INIT(sb_free_mnt_opts, selinux_free_mnt_opts), LSM_HOOK_INIT(sb_remount, selinux_sb_remount), LSM_HOOK_INIT(sb_kern_mount, selinux_sb_kern_mount), diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 330b7b6d44e0..dcebd2b95ca7 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -189,4 +189,10 @@ static inline u32 current_sid(void) return tsec->sid; }
+static inline struct superblock_security_struct *selinux_superblock( + const struct super_block *superblock) +{ + return superblock->s_security + selinux_blob_sizes.lbs_superblock; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index ef0afd878bfc..f838010cb0fe 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -47,6 +47,7 @@ #include <linux/sched.h> #include <linux/audit.h> #include <linux/vmalloc.h> +#include <linux/lsm_hooks.h> #include <net/netlabel.h>
#include "flask.h" @@ -2795,7 +2796,7 @@ int security_fs_use(struct selinux_state *state, struct super_block *sb) struct sidtab *sidtab; int rc = 0; struct ocontext *c; - struct superblock_security_struct *sbsec = sb->s_security; + struct superblock_security_struct *sbsec = selinux_superblock(sb); const char *fstype = sb->s_type->name;
read_lock(&state->ss->policy_rwlock); diff --git a/security/smack/smack.h b/security/smack/smack.h index e9e817d09785..d33d2a7b73a3 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -364,6 +364,12 @@ static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc) return ipc->security + smack_blob_sizes.lbs_ipc; }
+static inline struct superblock_smack *smack_superblock( + const struct super_block *superblock) +{ + return superblock->s_security + smack_blob_sizes.lbs_superblock; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8ffbf951b7ed..8d8f70a99374 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -535,12 +535,7 @@ static int smack_syslog(int typefrom_file) */ static int smack_sb_alloc_security(struct super_block *sb) { - struct superblock_smack *sbsp; - - sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); - - if (sbsp == NULL) - return -ENOMEM; + struct superblock_smack *sbsp = smack_superblock(sb);
sbsp->smk_root = &smack_known_floor; sbsp->smk_default = &smack_known_floor; @@ -549,22 +544,10 @@ static int smack_sb_alloc_security(struct super_block *sb) /* * SMK_SB_INITIALIZED will be zero from kzalloc. */ - sb->s_security = sbsp;
return 0; }
-/** - * smack_sb_free_security - free a superblock blob - * @sb: the superblock getting the blob - * - */ -static void smack_sb_free_security(struct super_block *sb) -{ - kfree(sb->s_security); - sb->s_security = NULL; -} - struct smack_mnt_opts { const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; }; @@ -772,7 +755,7 @@ static int smack_set_mnt_opts(struct super_block *sb, { struct dentry *root = sb->s_root; struct inode *inode = d_backing_inode(root); - struct superblock_smack *sp = sb->s_security; + struct superblock_smack *sp = smack_superblock(sb); struct inode_smack *isp; struct smack_known *skp; struct smack_mnt_opts *opts = mnt_opts; @@ -871,7 +854,7 @@ static int smack_set_mnt_opts(struct super_block *sb, */ static int smack_sb_statfs(struct dentry *dentry) { - struct superblock_smack *sbp = dentry->d_sb->s_security; + struct superblock_smack *sbp = smack_superblock(dentry->d_sb); int rc; struct smk_audit_info ad;
@@ -905,7 +888,7 @@ static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0;
- sbsp = inode->i_sb->s_security; + sbsp = smack_superblock(inode->i_sb); if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && isp->smk_task != sbsp->smk_root) return 0; @@ -1157,7 +1140,7 @@ static int smack_inode_rename(struct inode *old_inode, */ static int smack_inode_permission(struct inode *inode, int mask) { - struct superblock_smack *sbsp = inode->i_sb->s_security; + struct superblock_smack *sbsp = smack_superblock(inode->i_sb); struct smk_audit_info ad; int no_block = mask & MAY_NOT_BLOCK; int rc; @@ -1398,7 +1381,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) */ if (strcmp(name, XATTR_NAME_SMACK) == 0) { struct super_block *sbp = dentry->d_sb; - struct superblock_smack *sbsp = sbp->s_security; + struct superblock_smack *sbsp = smack_superblock(sbp);
isp->smk_inode = sbsp->smk_default; } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) @@ -1668,7 +1651,7 @@ static int smack_mmap_file(struct file *file, isp = smack_inode(file_inode(file)); if (isp->smk_mmap == NULL) return 0; - sbsp = file_inode(file)->i_sb->s_security; + sbsp = smack_superblock(file_inode(file)->i_sb); if (sbsp->smk_flags & SMK_SB_UNTRUSTED && isp->smk_mmap != sbsp->smk_root) return -EACCES; @@ -3268,7 +3251,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) return;
sbp = inode->i_sb; - sbsp = sbp->s_security; + sbsp = smack_superblock(sbp); /* * We're going to use the superblock default label * if there's no label on the file. @@ -4653,6 +4636,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), .lbs_msg_msg = sizeof(struct smack_known *), + .lbs_superblock = sizeof(struct superblock_smack), };
static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { @@ -4664,7 +4648,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param),
LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), - LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
The sb_delete security hook is called when shutting down a superblock, which may be useful to release kernel objects tied to the superblock's lifetime (e.g. inodes).
This new hook is needed by Landlock to release (ephemerally) tagged struct inodes. This comes from the unprivileged nature of Landlock described in the next commit.
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: Alexander Viro viro@zeniv.linux.org.uk Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v17: * Initial patch to replace the direct call to landlock_release_inodes() (requested by James Morris). https://lore.kernel.org/lkml/alpine.LRH.2.21.2005150536440.7929@namei.org/ --- fs/super.c | 1 + include/linux/lsm_hook_defs.h | 1 + include/linux/lsm_hooks.h | 2 ++ include/linux/security.h | 4 ++++ security/security.c | 5 +++++ 5 files changed, 13 insertions(+)
diff --git a/fs/super.c b/fs/super.c index 904459b35119..d5517e49ccdf 100644 --- a/fs/super.c +++ b/fs/super.c @@ -454,6 +454,7 @@ void generic_shutdown_super(struct super_block *sb) evict_inodes(sb); /* only nonzero refcount inodes can have marks */ fsnotify_sb_delete(sb); + security_sb_delete(sb);
if (sb->s_dio_done_wq) { destroy_workqueue(sb->s_dio_done_wq); diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index af998f93d256..2b855d6a299e 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -59,6 +59,7 @@ LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc, LSM_HOOK(int, -ENOPARAM, fs_context_parse_param, struct fs_context *fc, struct fs_parameter *param) LSM_HOOK(int, 0, sb_alloc_security, struct super_block *sb) +LSM_HOOK(void, LSM_RET_VOID, sb_delete, struct super_block *sb) LSM_HOOK(void, LSM_RET_VOID, sb_free_security, struct super_block *sb) LSM_HOOK(void, LSM_RET_VOID, sb_free_mnt_opts, void *mnt_opts) LSM_HOOK(int, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 80c629d8a2ad..499f19a70a19 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -108,6 +108,8 @@ * allocated. * @sb contains the super_block structure to be modified. * Return 0 if operation was successful. + * @sb_delete: + * Release objects tied to a superblock (e.g. inodes). * @sb_free_security: * Deallocate and clear the sb->s_security field. * @sb contains the super_block structure to be modified. diff --git a/include/linux/security.h b/include/linux/security.h index 0a0a03b36a3b..28b0ee6c7239 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -286,6 +286,7 @@ void security_bprm_committed_creds(struct linux_binprm *bprm); int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc); int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param); int security_sb_alloc(struct super_block *sb); +void security_sb_delete(struct super_block *sb); void security_sb_free(struct super_block *sb); void security_free_mnt_opts(void **mnt_opts); int security_sb_eat_lsm_opts(char *options, void **mnt_opts); @@ -614,6 +615,9 @@ static inline int security_sb_alloc(struct super_block *sb) return 0; }
+static inline void security_sb_delete(struct super_block *sb) +{ } + static inline void security_sb_free(struct super_block *sb) { }
diff --git a/security/security.c b/security/security.c index d60aa835b670..9337b511306c 100644 --- a/security/security.c +++ b/security/security.c @@ -898,6 +898,11 @@ int security_sb_alloc(struct super_block *sb) return rc; }
+void security_sb_delete(struct super_block *sb) +{ + call_void_hook(sb_delete, sb); +} + void security_sb_free(struct super_block *sb) { call_void_hook(sb_free_security, sb);
Thanks to the Landlock objects and ruleset, it is possible to identify inodes according to a process's domain. To enable an unprivileged process to express a file hierarchy, it first needs to open a directory (or a file) and pass this file descriptor to the kernel through landlock(2). When checking if a file access request is allowed, we walk from the requested dentry to the real root, following the different mount layers. The access to each "tagged" inodes are collected according to their rule layer level, and ANDed to create access to the requested file hierarchy. This makes possible to identify a lot of files without tagging every inodes nor modifying the filesystem, while still following the view and understanding the user has from the filesystem.
Add a new ARCH_EPHEMERAL_STATES for UML because it currently does not keep the same struct inodes for the same inodes whereas these inodes are in use.
This commit adds a minimal set of supported filesystem access-control which doesn't enable to restrict all file-related actions. This is the result of multiple discussions to minimize the code of Landlock to ease review. Thanks to the Landlock design, extending this access-control without breaking user space will not be a problem. Moreover, seccomp filters can be used to restrict the use of syscall families which may not be currently handled by Landlock.
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: Alexander Viro viro@zeniv.linux.org.uk Cc: Anton Ivanov anton.ivanov@cambridgegreys.com Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Jeff Dike jdike@addtoit.com Cc: Kees Cook keescook@chromium.org Cc: Richard Weinberger richard@nod.at Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v18: * Remove useless include. * Fix spelling.
Changes since v17: * Replace landlock_release_inodes() with security_sb_delete() (requested by James Morris). * Replace struct super_block->s_landlock_inode_refs with the LSM infrastructure management of the superblock (requested by James Morris). * Fix mknod restriction with a zero mode (spotted by Vincent Dagonneau). * Minimize executed code in path_mknod and file_open hooks when the current tasks is not sandboxed. * Remove useless checks on the file pointer and inode in hook_file_open() . * Constify domain pointers. * Rename inode_landlock() to landlock_inode(). * Import include/uapi/linux/landlock.h and _LANDLOCK_ACCESS_FS_* from the ruleset and domain management patch. * Explain the rational of this minimal set of access-control. https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.ne...
Changes since v16: * Add ARCH_EPHEMERAL_STATES and enable it for UML.
Changes since v15: * Replace layer_levels and layer_depth with a bitfield of layers: this enables to properly manage superset and subset of access rights, whatever their order in the stack of layers. Cf. https://lore.kernel.org/lkml/e07fe473-1801-01cc-12ae-b3167f95250e@digikod.ne... * Allow to open pipes and similar special files through /proc/self/fd/. * Properly handle internal filesystems such as nsfs: always allow these kind of roots because disconnected path cannot be evaluated. * Remove the LANDLOCK_ACCESS_FS_LINK_TO and LANDLOCK_ACCESS_FS_RENAME_{TO,FROM}, but use the LANDLOCK_ACCESS_FS_REMOVE_{FILE,DIR} and LANDLOCK_ACCESS_FS_MAKE_* instead. Indeed, it is not possible for now (and not really useful) to express the semantic of a source and a destination. * Check access rights to remove a directory or a file with rename(2). * Forbid reparenting when linking or renaming. This is needed to easily protect against possible privilege escalation by changing the place of a file or directory in relation to an enforced access policy (from the set of layers). This will be relaxed in the future. * Update hooks to take into account replacement of the object's self and beneath access bitfields with one. Simplify the code. * Check file related access rights. * Check d_is_negative() instead of !d_backing_inode() in check_access_path_continue(), and continue the path walk while there is no mapped inode e.g., with rename(2). * Check private inode in check_access_path(). * Optimize get_file_access() when dealing with a directory. * Add missing atomic.h .
Changes since v14: * Simplify the object, rule and ruleset management at the expense of a less aggressive memory freeing (contributed by Jann Horn, with additional modifications): - Rewrite release_inode() to use inode->sb->s_landlock_inode_refs. - Remove useless checks in landlock_release_inodes(), clean object pointer according to the new struct landlock_object and wait for all iput() to complete. - Rewrite get_inode_object() according to the new struct landlock_object. If there is a race-condition when cleaning up an object, we retry until the concurrent thread finished the object cleaning. Cf. https://lore.kernel.org/lkml/CAG48ez21bEn0wL1bbmTiiu8j9jP5iEWtHOwz4tURUJ+ki0... * Fix nested domains by implementing a notion of layer level and depth: - Check for matching level ranges when walking through a file path. - Only allow access if every layer granted the access request. * Handles files without mount points (e.g. pipes). * Hardens path walk by checking inode pointer values. * Prefetches d_parent when walking to the root directory. * Remove useless inode_alloc_security hook() (suggested by Jann Horn): already initialized by lsm_inode_alloc(). * Remove the inode_free_security hook. * Remove access checks that may be required for FD-only requests: truncate, getattr, lock, chmod, chown, chgrp, ioctl. This will be handle in a future evolution of Landlock, but right now the goal is to lighten the code to ease review. * Constify variables. * Move ABI checks into syscall.c . * Cosmetic variable renames.
Changes since v11: * Add back, revamp and make a fully working filesystem access-control based on paths and inodes. * Remove the eBPF dependency.
Previous changes: https://lore.kernel.org/lkml/20190721213116.23476-6-mic@digikod.net/ --- arch/Kconfig | 7 + arch/um/Kconfig | 1 + include/uapi/linux/landlock.h | 78 +++++ security/landlock/Kconfig | 2 +- security/landlock/Makefile | 2 +- security/landlock/fs.c | 609 ++++++++++++++++++++++++++++++++++ security/landlock/fs.h | 60 ++++ security/landlock/setup.c | 7 + security/landlock/setup.h | 2 + 9 files changed, 766 insertions(+), 2 deletions(-) create mode 100644 include/uapi/linux/landlock.h create mode 100644 security/landlock/fs.c create mode 100644 security/landlock/fs.h
diff --git a/arch/Kconfig b/arch/Kconfig index 8cc35dc556c7..483b7476ac69 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -845,6 +845,13 @@ config COMPAT_32BIT_TIME config ARCH_NO_PREEMPT bool
+config ARCH_EPHEMERAL_STATES + def_bool n + help + An arch should select this symbol if it do not keep an internal kernel + state for kernel objects such as inodes, but instead rely on something + else (e.g. the host kernel for an UML kernel). + config ARCH_SUPPORTS_RT bool
diff --git a/arch/um/Kconfig b/arch/um/Kconfig index 9318dc6d1a0c..4109fdc36adb 100644 --- a/arch/um/Kconfig +++ b/arch/um/Kconfig @@ -5,6 +5,7 @@ menu "UML-specific options" config UML bool default y + select ARCH_EPHEMERAL_STATES select ARCH_HAS_KCOV select ARCH_NO_PREEMPT select HAVE_ARCH_AUDITSYSCALL diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h new file mode 100644 index 000000000000..5141185e6487 --- /dev/null +++ b/include/uapi/linux/landlock.h @@ -0,0 +1,78 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +/* + * Landlock - UAPI headers + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#ifndef _UAPI__LINUX_LANDLOCK_H__ +#define _UAPI__LINUX_LANDLOCK_H__ + +/** + * DOC: fs_access + * + * A set of actions on kernel objects may be defined by an attribute (e.g. + * &struct landlock_attr_path_beneath) and a bitmask of access. + * + * Filesystem flags + * ~~~~~~~~~~~~~~~~ + * + * These flags enable to restrict a sandbox process to a set of actions on + * files and directories. Files or directories opened before the sandboxing + * are not subject to these restrictions. + * + * A file can only receive these access rights: + * + * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. + * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. + * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access. + * + * A directory can receive access rights related to files or directories. This + * set of access rights is applied to the directory itself, and the directories + * beneath it: + * + * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content. + * - %LANDLOCK_ACCESS_FS_CHROOT: Change the root directory of the current + * process. + * + * However, the following access rights only apply to the content of a + * directory, not the directory itself: + * + * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one. + * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file. + * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character + * device. + * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory. + * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file. + * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain + * socket. + * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe. + * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device. + * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link. + * + * .. warning:: + * + * It is currently not possible to restrict some file-related actions + * accessible through these syscall families: :manpage:`chdir(2)`, + * :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`, + * :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`, + * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`. + * Future Landlock evolutions will enable to restrict them. + */ +#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0) +#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1) +#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2) +#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3) +#define LANDLOCK_ACCESS_FS_CHROOT (1ULL << 4) +#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 5) +#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 6) +#define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 7) +#define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 8) +#define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 9) +#define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 10) +#define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 11) +#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 12) +#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 13) + +#endif /* _UAPI__LINUX_LANDLOCK_H__ */ diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig index 9ec7593a534a..487d88328d98 100644 --- a/security/landlock/Kconfig +++ b/security/landlock/Kconfig @@ -2,7 +2,7 @@
config SECURITY_LANDLOCK bool "Landlock support" - depends on SECURITY + depends on SECURITY && !ARCH_EPHEMERAL_STATES select SECURITY_PATH help Landlock is a safe sandboxing mechanism which enables processes to diff --git a/security/landlock/Makefile b/security/landlock/Makefile index f1d1eb72fa76..92e3d80ab8ed 100644 --- a/security/landlock/Makefile +++ b/security/landlock/Makefile @@ -1,4 +1,4 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
landlock-y := setup.o object.o ruleset.o \ - cred.o ptrace.o + cred.o ptrace.o fs.o diff --git a/security/landlock/fs.c b/security/landlock/fs.c new file mode 100644 index 000000000000..7d5df26c3441 --- /dev/null +++ b/security/landlock/fs.c @@ -0,0 +1,609 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - Filesystem management and hooks + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#include <linux/atomic.h> +#include <linux/compiler_types.h> +#include <linux/dcache.h> +#include <linux/fs.h> +#include <linux/init.h> +#include <linux/kernel.h> +#include <linux/list.h> +#include <linux/lsm_hooks.h> +#include <linux/mount.h> +#include <linux/namei.h> +#include <linux/path.h> +#include <linux/prefetch.h> +#include <linux/rcupdate.h> +#include <linux/spinlock.h> +#include <linux/stat.h> +#include <linux/types.h> +#include <linux/wait_bit.h> +#include <linux/workqueue.h> +#include <uapi/linux/landlock.h> + +#include "common.h" +#include "cred.h" +#include "fs.h" +#include "object.h" +#include "ruleset.h" +#include "setup.h" + +/* Underlying object management */ + +static void release_inode(struct landlock_object *const object) + __releases(object->lock) +{ + struct inode *const inode = object->underobj; + struct super_block *sb; + + if (!inode) { + spin_unlock(&object->lock); + return; + } + + spin_lock(&inode->i_lock); + /* + * Make sure that if the filesystem is concurrently unmounted, + * hook_sb_delete() will wait for us to finish iput(). + */ + sb = inode->i_sb; + atomic_long_inc(&landlock_superblock(sb)->inode_refs); + rcu_assign_pointer(landlock_inode(inode)->object, NULL); + spin_unlock(&inode->i_lock); + spin_unlock(&object->lock); + /* + * Now, new rules can safely be tied to @inode. + */ + + iput(inode); + if (atomic_long_dec_and_test(&landlock_superblock(sb)->inode_refs)) + wake_up_var(&landlock_superblock(sb)->inode_refs); +} + +static const struct landlock_object_underops landlock_fs_underops = { + .release = release_inode +}; + +/* Ruleset management */ + +static struct landlock_object *get_inode_object(struct inode *const inode) +{ + struct landlock_object *object, *new_object; + struct landlock_inode_security *inode_sec = landlock_inode(inode); + + rcu_read_lock(); +retry: + object = rcu_dereference(inode_sec->object); + if (object) { + if (likely(refcount_inc_not_zero(&object->usage))) { + rcu_read_unlock(); + return object; + } + /* + * We're racing with release_inode(), the object is going away. + * Wait for release_inode(), then retry. + */ + spin_lock(&object->lock); + spin_unlock(&object->lock); + goto retry; + } + rcu_read_unlock(); + + /* + * If there is no object tied to @inode, then create a new one (without + * holding any locks). + */ + new_object = landlock_create_object(&landlock_fs_underops, inode); + + spin_lock(&inode->i_lock); + object = rcu_dereference_protected(inode_sec->object, + lockdep_is_held(&inode->i_lock)); + if (unlikely(object)) { + /* Someone else just created the object, bail out and retry. */ + kfree(new_object); + spin_unlock(&inode->i_lock); + + rcu_read_lock(); + goto retry; + } else { + rcu_assign_pointer(inode_sec->object, new_object); + /* + * @inode will be released by hook_sb_delete() on its + * superblock shutdown. + */ + ihold(inode); + spin_unlock(&inode->i_lock); + return new_object; + } +} + +/* All access rights which can be tied to files. */ +#define ACCESS_FILE ( \ + LANDLOCK_ACCESS_FS_EXECUTE | \ + LANDLOCK_ACCESS_FS_WRITE_FILE | \ + LANDLOCK_ACCESS_FS_READ_FILE) + +/* + * @path: Should have been checked by get_path_from_fd(). + */ +int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, + const struct path *const path, u32 access_rights) +{ + int err; + struct landlock_rule rule = {}; + + /* Files only get access rights that make sense. */ + if (!d_is_dir(path->dentry) && (access_rights | ACCESS_FILE) != + ACCESS_FILE) + return -EINVAL; + + /* Transforms relative access rights to absolute ones. */ + access_rights |= _LANDLOCK_ACCESS_FS_MASK & ~ruleset->fs_access_mask; + rule.access = access_rights; + rule.object = get_inode_object(d_backing_inode(path->dentry)); + mutex_lock(&ruleset->lock); + err = landlock_insert_rule(ruleset, &rule, false); + mutex_unlock(&ruleset->lock); + /* + * No need to check for an error because landlock_insert_rule() + * increments the refcount for the new rule, if any. + */ + landlock_put_object(rule.object); + return err; +} + +/* Access-control management */ + +static bool check_access_path_continue( + const struct landlock_ruleset *const domain, + const struct path *const path, const u32 access_request, + bool *const allow, u64 *const layer_mask) +{ + const struct landlock_rule *rule; + const struct inode *inode; + bool next = true; + + prefetch(path->dentry->d_parent); + if (d_is_negative(path->dentry)) + /* Continues to walk while there is no mapped inode. */ + return true; + inode = d_backing_inode(path->dentry); + rcu_read_lock(); + rule = landlock_find_rule(domain, + rcu_dereference(landlock_inode(inode)->object)); + rcu_read_unlock(); + + /* Checks for matching layers. */ + if (rule && (rule->layers | *layer_mask)) { + *allow = (rule->access & access_request) == access_request; + if (*allow) { + *layer_mask &= ~rule->layers; + /* Stops when a rule from each layer granted access. */ + next = !!*layer_mask; + } else { + next = false; + } + } + return next; +} + +static int check_access_path(const struct landlock_ruleset *const domain, + const struct path *const path, u32 access_request) +{ + bool allow = false; + struct path walker_path; + u64 layer_mask; + + if (WARN_ON_ONCE(!domain || !path)) + return 0; + /* + * Allows access to pseudo filesystems that will never be mountable + * (e.g. sockfs, pipefs), but can still be reachable through + * /proc/self/fd . + */ + if ((path->dentry->d_sb->s_flags & SB_NOUSER) || + (d_is_positive(path->dentry) && + unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))) + return 0; + if (WARN_ON_ONCE(domain->nb_layers < 1)) + return -EACCES; + + layer_mask = GENMASK_ULL(domain->nb_layers - 1, 0); + /* + * An access request which is not handled by the domain should be + * allowed. + */ + access_request &= domain->fs_access_mask; + if (access_request == 0) + return 0; + walker_path = *path; + path_get(&walker_path); + /* + * We need to walk through all the hierarchy to not miss any relevant + * restriction. + */ + while (check_access_path_continue(domain, &walker_path, access_request, + &allow, &layer_mask)) { + struct dentry *parent_dentry; + +jump_up: + /* + * Does not work with orphaned/private mounts like overlayfs + * layers for now (cf. ovl_path_real() and ovl_path_open()). + */ + if (walker_path.dentry == walker_path.mnt->mnt_root) { + if (follow_up(&walker_path)) { + /* Ignores hidden mount points. */ + goto jump_up; + } else { + /* + * Stops at the real root. Denies access + * because not all layers have granted access. + */ + allow = false; + break; + } + } + if (unlikely(IS_ROOT(walker_path.dentry))) { + /* + * Stops at disconnected root directories. Only allows + * access to internal filesystems (e.g. nsfs which is + * reachable through /proc/self/ns). + */ + allow = !!(walker_path.mnt->mnt_flags & MNT_INTERNAL); + break; + } + parent_dentry = dget_parent(walker_path.dentry); + dput(walker_path.dentry); + walker_path.dentry = parent_dentry; + } + path_put(&walker_path); + return allow ? 0 : -EACCES; +} + +static inline int current_check_access_path(const struct path *const path, + const u32 access_request) +{ + const struct landlock_ruleset *const dom = + landlock_get_current_domain(); + + if (!dom) + return 0; + return check_access_path(dom, path, access_request); +} + +/* Super-block hooks */ + +/* + * Release the inodes used in a security policy. + * + * Cf. fsnotify_unmount_inodes() + */ +static void hook_sb_delete(struct super_block *const sb) +{ + struct inode *inode, *iput_inode = NULL; + + if (!landlock_initialized) + return; + + spin_lock(&sb->s_inode_list_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + struct landlock_inode_security *inode_sec = + landlock_inode(inode); + struct landlock_object *object; + bool do_put = false; + + rcu_read_lock(); + object = rcu_dereference(inode_sec->object); + if (!object) { + rcu_read_unlock(); + continue; + } + + spin_lock(&object->lock); + if (object->underobj) { + object->underobj = NULL; + do_put = true; + spin_lock(&inode->i_lock); + rcu_assign_pointer(inode_sec->object, NULL); + spin_unlock(&inode->i_lock); + } + spin_unlock(&object->lock); + rcu_read_unlock(); + if (!do_put) + /* + * A concurrent iput() in release_inode() is ongoing + * and we will just wait for it to finish. + */ + continue; + + /* + * At this point, we own the ihold() reference that was + * originally set up by get_inode_object(). Therefore we can + * drop the list lock and know that the inode won't disappear + * from under us until the next loop walk. + */ + spin_unlock(&sb->s_inode_list_lock); + /* + * We can now actually put the previous inode, which is not + * needed anymore for the loop walk. + */ + if (iput_inode) + iput(iput_inode); + iput_inode = inode; + spin_lock(&sb->s_inode_list_lock); + } + spin_unlock(&sb->s_inode_list_lock); + if (iput_inode) + iput(iput_inode); + + /* + * Wait for pending iput() in release_inode(). + */ + wait_var_event(&landlock_superblock(sb)->inode_refs, !atomic_long_read( + &landlock_superblock(sb)->inode_refs)); +} + +/* + * Because a Landlock security policy is defined according to the filesystem + * layout (i.e. the mount namespace), changing it may grant access to files not + * previously allowed. + * + * To make it simple, deny any filesystem layout modification by landlocked + * processes. Non-landlocked processes may still change the namespace of a + * landlocked process, but this kind of threat must be handled by a system-wide + * access-control security policy. + * + * This could be lifted in the future if Landlock can safely handle mount + * namespace updates requested by a landlocked process. Indeed, we could + * update the current domain (which is currently read-only) by taking into + * account the accesses of the source and the destination of a new mount point. + * However, it would also require to make all the child domains dynamically + * inherit these new constraints. Anyway, for backward compatibility reasons, + * a dedicated user space option would be required (e.g. as a ruleset command + * option). + */ +static int hook_sb_mount(const char *const dev_name, + const struct path *const path, const char *const type, + const unsigned long flags, void *const data) +{ + if (!landlock_get_current_domain()) + return 0; + return -EPERM; +} + +static int hook_move_mount(const struct path *const from_path, + const struct path *const to_path) +{ + if (!landlock_get_current_domain()) + return 0; + return -EPERM; +} + +/* + * Removing a mount point may reveal a previously hidden file hierarchy, which + * may then grant access to files, which may have previously been forbidden. + */ +static int hook_sb_umount(struct vfsmount *const mnt, const int flags) +{ + if (!landlock_get_current_domain()) + return 0; + return -EPERM; +} + +static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts) +{ + if (!landlock_get_current_domain()) + return 0; + return -EPERM; +} + +/* + * pivot_root(2), like mount(2), changes the current mount namespace. It must + * then be forbidden for a landlocked process. + * + * However, chroot(2) may be allowed because it only changes the relative root + * directory of the current process. + */ +static int hook_sb_pivotroot(const struct path *const old_path, + const struct path *const new_path) +{ + if (!landlock_get_current_domain()) + return 0; + return -EPERM; +} + +/* Path hooks */ + +static inline u32 get_mode_access(const umode_t mode) +{ + switch (mode & S_IFMT) { + case S_IFLNK: + return LANDLOCK_ACCESS_FS_MAKE_SYM; + case 0: + /* A zero mode translates to S_IFREG. */ + case S_IFREG: + return LANDLOCK_ACCESS_FS_MAKE_REG; + case S_IFDIR: + return LANDLOCK_ACCESS_FS_MAKE_DIR; + case S_IFCHR: + return LANDLOCK_ACCESS_FS_MAKE_CHAR; + case S_IFBLK: + return LANDLOCK_ACCESS_FS_MAKE_BLOCK; + case S_IFIFO: + return LANDLOCK_ACCESS_FS_MAKE_FIFO; + case S_IFSOCK: + return LANDLOCK_ACCESS_FS_MAKE_SOCK; + default: + WARN_ON_ONCE(1); + return 0; + } +} + +/* + * Creating multiple links or renaming may lead to privilege escalations if not + * handled properly. Indeed, we must be sure that the source doesn't gain more + * privileges by being accessible from the destination. This is getting more + * complex when dealing with multiple layers. The whole picture can be seen as + * a multilayer partial ordering problem. A future version of Landlock will + * deal with that. + */ +static int hook_path_link(struct dentry *const old_dentry, + const struct path *const new_dir, + struct dentry *const new_dentry) +{ + const struct landlock_ruleset *const dom = + landlock_get_current_domain(); + + if (!dom) + return 0; + /* The mount points are the same for old and new paths, cf. EXDEV. */ + if (old_dentry->d_parent != new_dir->dentry) + /* For now, forbid reparenting. */ + return -EACCES; + if (unlikely(d_is_negative(old_dentry))) + return -EACCES; + return check_access_path(dom, new_dir, + get_mode_access(d_backing_inode(old_dentry)->i_mode)); +} + +static inline u32 maybe_remove(const struct dentry *const dentry) +{ + if (d_is_negative(dentry)) + return 0; + return d_is_dir(dentry) ? LANDLOCK_ACCESS_FS_REMOVE_DIR : + LANDLOCK_ACCESS_FS_REMOVE_FILE; +} + +static int hook_path_rename(const struct path *const old_dir, + struct dentry *const old_dentry, + const struct path *const new_dir, + struct dentry *const new_dentry) +{ + const struct landlock_ruleset *const dom = + landlock_get_current_domain(); + + if (!dom) + return 0; + /* The mount points are the same for old and new paths, cf. EXDEV. */ + if (old_dir->dentry != new_dir->dentry) + /* For now, forbid reparenting. */ + return -EACCES; + if (WARN_ON_ONCE(d_is_negative(old_dentry))) + return -EACCES; + /* RENAME_EXCHANGE is handled because directories are the same. */ + return check_access_path(dom, old_dir, maybe_remove(old_dentry) | + maybe_remove(new_dentry) | + get_mode_access(d_backing_inode(old_dentry)->i_mode)); +} + +static int hook_path_mkdir(const struct path *const dir, + struct dentry *const dentry, const umode_t mode) +{ + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_MAKE_DIR); +} + +static int hook_path_mknod(const struct path *const dir, + struct dentry *const dentry, const umode_t mode, + const unsigned int dev) +{ + const struct landlock_ruleset *const dom = + landlock_get_current_domain(); + + if (!dom) + return 0; + return check_access_path(dom, dir, get_mode_access(mode)); +} + +static int hook_path_symlink(const struct path *const dir, + struct dentry *const dentry, const char *const old_name) +{ + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_MAKE_SYM); +} + +static int hook_path_unlink(const struct path *const dir, + struct dentry *const dentry) +{ + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_FILE); +} + +static int hook_path_rmdir(const struct path *const dir, + struct dentry *const dentry) +{ + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_DIR); +} + +static int hook_path_chroot(const struct path *const path) +{ + return current_check_access_path(path, LANDLOCK_ACCESS_FS_CHROOT); +} + +/* File hooks */ + +static inline u32 get_file_access(const struct file *const file) +{ + u32 access = 0; + + if (file->f_mode & FMODE_READ) { + /* A directory can only be opened in read mode. */ + if (S_ISDIR(file_inode(file)->i_mode)) + return LANDLOCK_ACCESS_FS_READ_DIR; + access = LANDLOCK_ACCESS_FS_READ_FILE; + } + /* + * A LANDLOCK_ACCESS_FS_APPEND could be added but we also need to check + * fcntl(2). + */ + if (file->f_mode & FMODE_WRITE) + access |= LANDLOCK_ACCESS_FS_WRITE_FILE; + /* __FMODE_EXEC is indeed part of f_flags, not f_mode. */ + if (file->f_flags & __FMODE_EXEC) + access |= LANDLOCK_ACCESS_FS_EXECUTE; + return access; +} + +static int hook_file_open(struct file *const file) +{ + const struct landlock_ruleset *const dom = + landlock_get_current_domain(); + + if (!dom) + return 0; + /* + * Because a file may be opened with O_PATH, get_file_access() may + * return 0. This case will be handled with a future Landlock + * evolution. + */ + return current_check_access_path(&file->f_path, get_file_access(file)); +} + +static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = { + LSM_HOOK_INIT(sb_delete, hook_sb_delete), + LSM_HOOK_INIT(sb_mount, hook_sb_mount), + LSM_HOOK_INIT(move_mount, hook_move_mount), + LSM_HOOK_INIT(sb_umount, hook_sb_umount), + LSM_HOOK_INIT(sb_remount, hook_sb_remount), + LSM_HOOK_INIT(sb_pivotroot, hook_sb_pivotroot), + + LSM_HOOK_INIT(path_link, hook_path_link), + LSM_HOOK_INIT(path_rename, hook_path_rename), + LSM_HOOK_INIT(path_mkdir, hook_path_mkdir), + LSM_HOOK_INIT(path_mknod, hook_path_mknod), + LSM_HOOK_INIT(path_symlink, hook_path_symlink), + LSM_HOOK_INIT(path_unlink, hook_path_unlink), + LSM_HOOK_INIT(path_rmdir, hook_path_rmdir), + LSM_HOOK_INIT(path_chroot, hook_path_chroot), + + LSM_HOOK_INIT(file_open, hook_file_open), +}; + +__init void landlock_add_hooks_fs(void) +{ + security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks), + LANDLOCK_NAME); +} diff --git a/security/landlock/fs.h b/security/landlock/fs.h new file mode 100644 index 000000000000..58b462eb7f10 --- /dev/null +++ b/security/landlock/fs.h @@ -0,0 +1,60 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock LSM - Filesystem management and hooks + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#ifndef _SECURITY_LANDLOCK_FS_H +#define _SECURITY_LANDLOCK_FS_H + +#include <linux/fs.h> +#include <linux/init.h> +#include <linux/rcupdate.h> +#include <uapi/linux/landlock.h> + +#include "ruleset.h" +#include "setup.h" + +#define _LANDLOCK_ACCESS_FS_LAST LANDLOCK_ACCESS_FS_MAKE_SYM +#define _LANDLOCK_ACCESS_FS_MASK ((_LANDLOCK_ACCESS_FS_LAST << 1) - 1) + +struct landlock_inode_security { + /* + * @object: Weak pointer to an allocated object. All writes (i.e. + * creating a new object or removing one) are protected by the + * underlying inode->i_lock. Disassociating @object from the inode is + * additionally protected by @object->lock, from the time @object's + * usage refcount drops to zero to the time this pointer is nulled out. + * Cf. release_inode(). + */ + struct landlock_object __rcu *object; +}; + +struct landlock_superblock_security { + /* + * @inode_refs: References to Landlock underlying objects. + * Cf. struct super_block->s_fsnotify_inode_refs . + */ + atomic_long_t inode_refs; +}; + +static inline struct landlock_inode_security *landlock_inode( + const struct inode *const inode) +{ + return inode->i_security + landlock_blob_sizes.lbs_inode; +} + +static inline struct landlock_superblock_security *landlock_superblock( + const struct super_block *const superblock) +{ + return superblock->s_security + landlock_blob_sizes.lbs_superblock; +} + +__init void landlock_add_hooks_fs(void); + +int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, + const struct path *const path, u32 access_hierarchy); + +#endif /* _SECURITY_LANDLOCK_FS_H */ diff --git a/security/landlock/setup.c b/security/landlock/setup.c index 5e7540fdeefa..722cbea82324 100644 --- a/security/landlock/setup.c +++ b/security/landlock/setup.c @@ -11,17 +11,24 @@
#include "common.h" #include "cred.h" +#include "fs.h" #include "ptrace.h" #include "setup.h"
+bool landlock_initialized __lsm_ro_after_init = false; + struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = { .lbs_cred = sizeof(struct landlock_cred_security), + .lbs_inode = sizeof(struct landlock_inode_security), + .lbs_superblock = sizeof(struct landlock_superblock_security), };
static int __init landlock_init(void) { landlock_add_hooks_cred(); landlock_add_hooks_ptrace(); + landlock_add_hooks_fs(); + landlock_initialized = true; pr_info("Up and running.\n"); return 0; } diff --git a/security/landlock/setup.h b/security/landlock/setup.h index 9fdbf33fcc33..1daffab1ab4b 100644 --- a/security/landlock/setup.h +++ b/security/landlock/setup.h @@ -11,6 +11,8 @@
#include <linux/lsm_hooks.h>
+extern bool landlock_initialized; + extern struct lsm_blob_sizes landlock_blob_sizes;
#endif /* _SECURITY_LANDLOCK_SETUP_H */
Hi--
On 7/7/20 11:09 AM, Mickaël Salaün wrote:
arch/Kconfig | 7 + arch/um/Kconfig | 1 + include/uapi/linux/landlock.h | 78 +++++ security/landlock/Kconfig | 2 +- security/landlock/Makefile | 2 +- security/landlock/fs.c | 609 ++++++++++++++++++++++++++++++++++ security/landlock/fs.h | 60 ++++ security/landlock/setup.c | 7 + security/landlock/setup.h | 2 + 9 files changed, 766 insertions(+), 2 deletions(-) create mode 100644 include/uapi/linux/landlock.h create mode 100644 security/landlock/fs.c create mode 100644 security/landlock/fs.h
diff --git a/arch/Kconfig b/arch/Kconfig index 8cc35dc556c7..483b7476ac69 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -845,6 +845,13 @@ config COMPAT_32BIT_TIME config ARCH_NO_PREEMPT bool +config ARCH_EPHEMERAL_STATES
- def_bool n
- help
An arch should select this symbol if it do not keep an internal kernel
it does not
state for kernel objects such as inodes, but instead rely on something
instead relies on
else (e.g. the host kernel for an UML kernel).
config ARCH_SUPPORTS_RT bool
thanks.
On 07/07/2020 22:11, Randy Dunlap wrote:
Hi--
On 7/7/20 11:09 AM, Mickaël Salaün wrote:
arch/Kconfig | 7 + arch/um/Kconfig | 1 + include/uapi/linux/landlock.h | 78 +++++ security/landlock/Kconfig | 2 +- security/landlock/Makefile | 2 +- security/landlock/fs.c | 609 ++++++++++++++++++++++++++++++++++ security/landlock/fs.h | 60 ++++ security/landlock/setup.c | 7 + security/landlock/setup.h | 2 + 9 files changed, 766 insertions(+), 2 deletions(-) create mode 100644 include/uapi/linux/landlock.h create mode 100644 security/landlock/fs.c create mode 100644 security/landlock/fs.h
diff --git a/arch/Kconfig b/arch/Kconfig index 8cc35dc556c7..483b7476ac69 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -845,6 +845,13 @@ config COMPAT_32BIT_TIME config ARCH_NO_PREEMPT bool +config ARCH_EPHEMERAL_STATES
- def_bool n
- help
An arch should select this symbol if it do not keep an internal kernel
it does not
state for kernel objects such as inodes, but instead rely on something
instead relies on
else (e.g. the host kernel for an UML kernel).
config ARCH_SUPPORTS_RT bool
thanks.
Thanks Randy!
This system call, inspired from seccomp(2) and bpf(2), is designed to be used by unprivileged processes to sandbox themselves. It has the same usage restrictions as seccomp(2): the caller must have the no_new_privs attribute set or have CAP_SYS_ADMIN in the current user namespace.
Here are the motivations for this new syscall: * A sandboxed process may not have access to file systems, including /dev, /sys or /proc, but it should still be able to add more restrictions to itself. * Neither prctl(2) nor seccomp(2) (which was used in a previous version) fit well with the current definition of a Landlock security policy. * It is quite easy to whitelist this syscall with seccomp-bpf to enable all processes to use it. It is also easy to filter specific commands or options to restrict a process to a subset of Landlock features.
There is currently four commands: * LANDLOCK_CMD_GET_FEATURES: Gets the supported features (required for backward and forward compatibility, and best-effort security). * LANDLOCK_CMD_CREATE_RULESET: Creates a ruleset and returns its file descriptor. * LANDLOCK_CMD_ADD_RULE: Adds a rule (e.g. file hierarchy access) to a ruleset, identified by the dedicated file descriptor. * LANDLOCK_CMD_ENFORCE_RULESET: Enforces a ruleset on the current thread and its future children (similar to seccomp).
Each command has at least one option, which enables to define the attribute types passed to the syscall. All attribute types (structures) are checked at build time to ensure that they don't contain holes and that they are aligned the same way for each architecture. The struct landlock_attr_features contains __u32 options_* fields which is enough to store 32-bits syscall arguments, and __u16 size_attr_* fields which is enough for the maximal struct size (i.e. page size) passed through the landlock syscall. The other fields can have __u64 type for flags and bitfields, and __s32 type for file descriptors.
See the user and kernel documentation for more details (provided by a following commit): Documentation/security/landlock/
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: Arnd Bergmann arnd@arndb.de Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v18: * Remove useless include. * Remove LLATTR_SIZE() which was only used to shorten lines. Cf. commit bdc48fa11e46 ("checkpatch/coding-style: deprecate 80-column warning").
Changes since v17: * Synchronize syscall declaration. * Fix comment.
Changes since v16: * Add a size_attr_features field to struct landlock_attr_features for self-introspection, and move the access_fs field to be more consistent. * Replace __aligned_u64 types of attribute fields with __u16, __s32, __u32 and __u64, and check at build time that these structures does not contain hole and that they are aligned the same way (8-bits) on all architectures. This shrinks the size of the userspace ABI, which may be appreciated especially for struct landlock_attr_features which could grow a lot in the future. For instance, struct landlock_attr_features shrinks from 72 bytes to 32 bytes. This change also enables to remove 64-bits to 32-bits conversion checks. * Switch syscall attribute pointer and size arguments to follow similar syscall argument order (e.g. bpf, clone3, openat2). * Set LANDLOCK_OPT_* types to 32-bits. * Allow enforcement of empty ruleset, which enables deny-all policies. * Fix documentation inconsistency.
Changes since v15: * Do not add file descriptors referring to internal filesystems (e.g. nsfs) in a ruleset. * Replace is_user_mountable() with in-place clean checks. * Replace EBADR with EBADFD in get_ruleset_from_fd() and get_path_from_fd(). * Remove ruleset's show_fdinfo() for now.
Changes since v14: * Remove the security_file_open() check in get_path_from_fd(): an opened FD should not be restricted here, and even less with this hook. As a result, it is now allowed to add a path to a ruleset even if the access to this path is not allowed (without O_PATH). This doesn't change the fact that enforcing a ruleset can't grant any right, only remove some rights. The new layer levels add more consistent restrictions. * Check minimal landlock_attr_* size/content. This fix the case when no data was provided and e.g., FD 0 was interpreted as ruleset_fd. Now this leads to a returned -EINVAL. * Fix credential double-free error case. * Complete struct landlock_attr_size with size_attr_enforce. * Fix undefined reference to syscall when Landlock is not selected. * Remove f.file->f_path.mnt check (suggested by Al Viro). * Add build-time checks. * Move ABI checks from fs.c . * Constify variables. * Fix spelling. * Add comments.
Changes since v13: * New implementation, replacing the dependency on seccomp(2) and bpf(2). --- include/linux/syscalls.h | 3 + include/uapi/linux/landlock.h | 224 +++++++++++++++ kernel/sys_ni.c | 3 + security/landlock/Makefile | 2 +- security/landlock/syscall.c | 526 ++++++++++++++++++++++++++++++++++ 5 files changed, 757 insertions(+), 1 deletion(-) create mode 100644 security/landlock/syscall.c
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index b951a87da987..3c0d8830d3bc 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -1005,6 +1005,9 @@ asmlinkage long sys_pidfd_send_signal(int pidfd, int sig, siginfo_t __user *info, unsigned int flags); asmlinkage long sys_pidfd_getfd(int pidfd, int fd, unsigned int flags); +asmlinkage long sys_landlock(unsigned int command, unsigned int options, + void __user *attr1_ptr, size_t attr1_size, + void __user *attr2_ptr, size_t attr2_size);
/* * Architecture-specific system calls diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 5141185e6487..0e5829f2178b 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -9,6 +9,230 @@ #ifndef _UAPI__LINUX_LANDLOCK_H__ #define _UAPI__LINUX_LANDLOCK_H__
+#include <linux/types.h> + +/** + * enum landlock_cmd - Landlock commands + * + * First argument of sys_landlock(). + */ +enum landlock_cmd { + /** + * @LANDLOCK_CMD_GET_FEATURES: Asks the kernel for supported Landlock + * features. The option argument must contains + * %LANDLOCK_OPT_GET_FEATURES. This commands fills the &struct + * landlock_attr_features provided as first attribute. + */ + LANDLOCK_CMD_GET_FEATURES = 1, + /** + * @LANDLOCK_CMD_CREATE_RULESET: Creates a new ruleset and return its + * file descriptor on success. The option argument must contains + * %LANDLOCK_OPT_CREATE_RULESET. The ruleset is defined by the &struct + * landlock_attr_ruleset provided as first attribute. + */ + LANDLOCK_CMD_CREATE_RULESET, + /** + * @LANDLOCK_CMD_ADD_RULE: Adds a rule to a ruleset. The option + * argument must contains %LANDLOCK_OPT_ADD_RULE_PATH_BENEATH. The + * ruleset and the rule are both defined by the &struct + * landlock_attr_path_beneath provided as first attribute. + */ + LANDLOCK_CMD_ADD_RULE, + /** + * @LANDLOCK_CMD_ENFORCE_RULESET: Enforces a ruleset on the current + * process. The option argument must contains + * %LANDLOCK_OPT_ENFORCE_RULESET. The ruleset is defined by the + * &struct landlock_attr_enforce provided as first attribute. + */ + LANDLOCK_CMD_ENFORCE_RULESET, +}; + +/** + * DOC: options_intro + * + * These options may be used as second argument of sys_landlock(). Each + * command have a dedicated set of options, represented as bitmasks. For two + * different commands, their options may overlap. Each command have at least + * one option defining the used attribute type. This also enables to always + * have a usable &struct landlock_attr_features (i.e. filled with bits). + */ + +/** + * DOC: options_get_features + * + * Options for ``LANDLOCK_CMD_GET_FEATURES`` + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + * + * - %LANDLOCK_OPT_GET_FEATURES: the attr type is `struct + * landlock_attr_features`. + */ +#define LANDLOCK_OPT_GET_FEATURES (1 << 0) + +/** + * DOC: options_create_ruleset + * + * Options for ``LANDLOCK_CMD_CREATE_RULESET`` + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + * + * - %LANDLOCK_OPT_CREATE_RULESET: the attr type is `struct + * landlock_attr_ruleset`. + */ +#define LANDLOCK_OPT_CREATE_RULESET (1 << 0) + +/** + * DOC: options_add_rule + * + * Options for ``LANDLOCK_CMD_ADD_RULE`` + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + * + * - %LANDLOCK_OPT_ADD_RULE_PATH_BENEATH: the attr type is `struct + * landlock_attr_path_beneath`. + */ +#define LANDLOCK_OPT_ADD_RULE_PATH_BENEATH (1 << 0) + +/** + * DOC: options_enforce_ruleset + * + * Options for ``LANDLOCK_CMD_ENFORCE_RULESET`` + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + * + * - %LANDLOCK_OPT_ENFORCE_RULESET: the attr type is `struct + * landlock_attr_enforce`. + */ +#define LANDLOCK_OPT_ENFORCE_RULESET (1 << 0) + +/** + * struct landlock_attr_features - Receives the supported features + * + * This struct should be allocated by user space but it will be filled by the + * kernel to indicate the subset of Landlock features effectively handled by + * the running kernel. This enables backward compatibility for applications + * which are developed on a newer kernel than the one running the application. + * This helps avoid hard errors that may entirely disable the use of Landlock + * features because some of them may not be supported. Indeed, because + * Landlock is a security feature, even if the kernel doesn't support all the + * requested features, user space applications should still use the subset + * which is supported by the running kernel. Indeed, a partial security policy + * can still improve the security of the application and better protect the + * user (i.e. best-effort approach). The %LANDLOCK_CMD_GET_FEATURES command + * and &struct landlock_attr_features are future-proof because the future + * unknown fields requested by user space (i.e. a larger &struct + * landlock_attr_features) can still be filled with zeros. + * + * The Landlock commands will fail if an unsupported option or access is + * requested. By firstly requesting the supported options and accesses, it is + * quite easy for the developer to binary AND these returned bitmasks with the + * used options and accesses from the attribute structs (e.g. &struct + * landlock_attr_ruleset), and even infer the supported Landlock commands. + * Indeed, because each command must support at least one option, the options_* + * fields are always filled if the related commands are supported. The + * supported attributes are also discoverable thanks to the size_* fields. All + * this data enable to create applications doing their best to sandbox + * themselves regardless of the running kernel. + */ +struct landlock_attr_features { + /** + * @options_get_features: Options supported by the + * %LANDLOCK_CMD_GET_FEATURES command. Cf. `Options`_. + */ + __u32 options_get_features; + /** + * @options_create_ruleset: Options supported by the + * %LANDLOCK_CMD_CREATE_RULESET command. Cf. `Options`_. + */ + __u32 options_create_ruleset; + /** + * @options_add_rule: Options supported by the %LANDLOCK_CMD_ADD_RULE + * command. Cf. `Options`_. + */ + __u32 options_add_rule; + /** + * @options_enforce_ruleset: Options supported by the + * %LANDLOCK_CMD_ENFORCE_RULESET command. Cf. `Options`_. + */ + __u32 options_enforce_ruleset; + /** + * @size_attr_features: Size of the &struct landlock_attr_features as + * known by the kernel (i.e. ``sizeof(struct + * landlock_attr_features)``). + */ + __u16 size_attr_features; + /** + * @size_attr_ruleset: Size of the &struct landlock_attr_ruleset as + * known by the kernel (i.e. ``sizeof(struct + * landlock_attr_ruleset)``). + */ + __u16 size_attr_ruleset; + /** + * @size_attr_path_beneath: Size of the &struct + * landlock_attr_path_beneath as known by the kernel (i.e. + * ``sizeof(struct landlock_path_beneath)``). + */ + __u16 size_attr_path_beneath; + /** + * @size_attr_enforce: Size of the &struct landlock_attr_enforce as + * known by the kernel (i.e. ``sizeof(struct landlock_enforce)``). + */ + __u16 size_attr_enforce; + /** + * @access_fs: Subset of file system access supported by the running + * kernel, used in &struct landlock_attr_ruleset and &struct + * landlock_attr_path_beneath. Cf. `Filesystem flags`_. + */ + __u64 access_fs; +}; + +/** + * struct landlock_attr_ruleset- Defines a new ruleset + * + * Used as first attribute for the %LANDLOCK_CMD_CREATE_RULESET command and + * with the %LANDLOCK_OPT_CREATE_RULESET option. + */ +struct landlock_attr_ruleset { + /** + * @handled_access_fs: Bitmask of actions (cf. `Filesystem flags`_) + * that is handled by this ruleset and should then be forbidden if no + * rule explicitly allow them. This is needed for backward + * compatibility reasons. The user space code should check the + * effectively supported actions thanks to %LANDLOCK_CMD_GET_SUPPORTED + * and &struct landlock_attr_features, and then adjust the arguments of + * the next calls to sys_landlock() accordingly. + */ + __u64 handled_access_fs; +}; + +/** + * struct landlock_attr_path_beneath - Defines a path hierarchy + */ +struct landlock_attr_path_beneath { + /** + * @ruleset_fd: File descriptor tied to the ruleset which should be + * extended with this new access. + */ + __s32 ruleset_fd; + /** + * @parent_fd: File descriptor, open with ``O_PATH``, which identify + * the parent directory of a file hierarchy, or just a file. + */ + __s32 parent_fd; + /** + * @allowed_access: Bitmask of allowed actions for this file hierarchy + * (cf. `Filesystem flags`_). + */ + __u64 allowed_access; +}; + +/** + * struct landlock_attr_enforce - Describes the enforcement + */ +struct landlock_attr_enforce { + /** + * @ruleset_fd: File descriptor tied to the ruleset to merge with the + * current domain. + */ + __s32 ruleset_fd; +}; + /** * DOC: fs_access * diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index 3b69a560a7ac..70cea36eb7ce 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c @@ -264,6 +264,9 @@ COND_SYSCALL(request_key); COND_SYSCALL(keyctl); COND_SYSCALL_COMPAT(keyctl);
+/* security/landlock/syscall.c */ +COND_SYSCALL(landlock); + /* arch/example/kernel/sys_example.c */
/* mm/fadvise.c */ diff --git a/security/landlock/Makefile b/security/landlock/Makefile index 92e3d80ab8ed..4388494779ec 100644 --- a/security/landlock/Makefile +++ b/security/landlock/Makefile @@ -1,4 +1,4 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
-landlock-y := setup.o object.o ruleset.o \ +landlock-y := setup.o syscall.o object.o ruleset.o \ cred.o ptrace.o fs.o diff --git a/security/landlock/syscall.c b/security/landlock/syscall.c new file mode 100644 index 000000000000..1559304bcfec --- /dev/null +++ b/security/landlock/syscall.c @@ -0,0 +1,526 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Landlock LSM - System call and user space interfaces + * + * Copyright © 2016-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2018-2020 ANSSI + */ + +#include <asm/current.h> +#include <linux/anon_inodes.h> +#include <linux/build_bug.h> +#include <linux/capability.h> +#include <linux/compiler_types.h> +#include <linux/dcache.h> +#include <linux/err.h> +#include <linux/errno.h> +#include <linux/fs.h> +#include <linux/limits.h> +#include <linux/mount.h> +#include <linux/path.h> +#include <linux/sched.h> +#include <linux/security.h> +#include <linux/stddef.h> +#include <linux/syscalls.h> +#include <linux/types.h> +#include <linux/uaccess.h> +#include <uapi/linux/landlock.h> + +#include "cred.h" +#include "fs.h" +#include "ruleset.h" +#include "setup.h" + +/** + * copy_struct_if_any_from_user - Safe future-proof argument copying + * + * Extend copy_struct_from_user() to handle NULL @src, which allows for future + * use of @src even if it is not used right now. + * + * @dst: Kernel space pointer or NULL. + * @ksize: Actual size of the data pointed to by @dst. + * @ksize_min: Minimal required size to be copied. + * @src: User space pointer or NULL. + * @usize: (Alleged) size of the data pointed to by @src. + */ +static int copy_struct_if_any_from_user(void *const dst, const size_t ksize, + const size_t ksize_min, const void __user *const src, + const size_t usize) +{ + int ret; + + /* Checks kernel buffer size inconsistencies. */ + if (dst) { + if (WARN_ON_ONCE(ksize == 0)) + return -EFAULT; + } else { + if (WARN_ON_ONCE(ksize != 0)) + return -EFAULT; + } + + /* Checks minimal size. */ + if (WARN_ON_ONCE(ksize < ksize_min)) + return -EFAULT; + if (usize < ksize_min) + return -EINVAL; + + /* Handles empty user buffer. */ + if (!src) { + if (usize != 0) + return -EFAULT; + if (dst) + memset(dst, 0, ksize); + return 0; + } + + /* Checks user buffer size inconsistency and limit. */ + if (usize == 0) + return -ENODATA; + if (usize > PAGE_SIZE) + return -E2BIG; + + /* Copies user buffer and fills with zeros. */ + if (dst) + return copy_struct_from_user(dst, ksize, src, usize); + + /* Checks unknown user data. */ + ret = check_zeroed_user(src, usize); + if (ret <= 0) + return ret ?: -E2BIG; + return 0; +} + +/* Features */ + +#define _LANDLOCK_OPT_GET_FEATURES_LAST LANDLOCK_OPT_GET_FEATURES +#define _LANDLOCK_OPT_GET_FEATURES_MASK ((_LANDLOCK_OPT_GET_FEATURES_LAST << 1) - 1) + +#define _LANDLOCK_OPT_CREATE_RULESET_LAST LANDLOCK_OPT_CREATE_RULESET +#define _LANDLOCK_OPT_CREATE_RULESET_MASK ((_LANDLOCK_OPT_CREATE_RULESET_LAST << 1) - 1) + +#define _LANDLOCK_OPT_ADD_RULE_LAST LANDLOCK_OPT_ADD_RULE_PATH_BENEATH +#define _LANDLOCK_OPT_ADD_RULE_MASK ((_LANDLOCK_OPT_ADD_RULE_LAST << 1) - 1) + +#define _LANDLOCK_OPT_ENFORCE_RULESET_LAST LANDLOCK_OPT_ENFORCE_RULESET +#define _LANDLOCK_OPT_ENFORCE_RULESET_MASK ((_LANDLOCK_OPT_ENFORCE_RULESET_LAST << 1) - 1) + +static int syscall_get_features(void __user *const attr_ptr, + const size_t attr_size) +{ + size_t data_size, fill_size; + const struct landlock_attr_features supported = { + .options_get_features = _LANDLOCK_OPT_GET_FEATURES_MASK, + .options_create_ruleset = _LANDLOCK_OPT_CREATE_RULESET_MASK, + .options_add_rule = _LANDLOCK_OPT_ADD_RULE_MASK, + .options_enforce_ruleset = _LANDLOCK_OPT_ENFORCE_RULESET_MASK, + .size_attr_features = sizeof(struct landlock_attr_features), + .size_attr_ruleset = sizeof(struct landlock_attr_ruleset), + .size_attr_path_beneath = sizeof(struct + landlock_attr_path_beneath), + .size_attr_enforce = sizeof(struct landlock_attr_enforce), + .access_fs = _LANDLOCK_ACCESS_FS_MASK, + }; + + BUILD_BUG_ON(!__same_type(supported.access_fs, + ((struct landlock_attr_ruleset *)NULL)->handled_access_fs)); + BUILD_BUG_ON(!__same_type(supported.access_fs, + ((struct landlock_attr_path_beneath *)NULL)->allowed_access)); + + /* Checks attribute consistency. */ + if (attr_size == 0) + return -ENODATA; + if (attr_size > PAGE_SIZE) + return -E2BIG; + + /* Copy a subset of features to user space. */ + data_size = min(sizeof(supported), attr_size); + if (copy_to_user(attr_ptr, &supported, data_size)) + return -EFAULT; + + /* Fills with zeros. */ + fill_size = attr_size - data_size; + if (fill_size > 0 && clear_user(attr_ptr + data_size, fill_size)) + return -EFAULT; + return 0; +} + +/* Ruleset handling */ + +static int fop_ruleset_release(struct inode *const inode, + struct file *const filp) +{ + struct landlock_ruleset *ruleset = filp->private_data; + + landlock_put_ruleset(ruleset); + return 0; +} + +static ssize_t fop_dummy_read(struct file *const filp, char __user *const buf, + const size_t size, loff_t *const ppos) +{ + /* Dummy handler to enable FMODE_CAN_READ. */ + return -EINVAL; +} + +static ssize_t fop_dummy_write(struct file *const filp, + const char __user *const buf, const size_t size, + loff_t *const ppos) +{ + /* Dummy handler to enable FMODE_CAN_WRITE. */ + return -EINVAL; +} + +/* + * A ruleset file descriptor enables to build a ruleset by adding (i.e. + * writing) rule after rule, without relying on the task's context. This + * reentrant design is also used in a read way to enforce the ruleset on the + * current task. + */ +static const struct file_operations ruleset_fops = { + .release = fop_ruleset_release, + .read = fop_dummy_read, + .write = fop_dummy_write, +}; + +static int syscall_create_ruleset(const void __user *const attr_ptr, + const size_t attr_size) +{ + struct landlock_attr_ruleset attr_ruleset; + struct landlock_ruleset *ruleset; + int err, ruleset_fd; + + /* Copies raw user space buffer. */ + err = copy_struct_if_any_from_user(&attr_ruleset, sizeof(attr_ruleset), + offsetofend(typeof(attr_ruleset), handled_access_fs), + attr_ptr, attr_size); + if (err) + return err; + + /* Checks content (and 32-bits cast). */ + if ((attr_ruleset.handled_access_fs | _LANDLOCK_ACCESS_FS_MASK) != + _LANDLOCK_ACCESS_FS_MASK) + return -EINVAL; + + /* Checks arguments and transforms to kernel struct. */ + ruleset = landlock_create_ruleset(attr_ruleset.handled_access_fs); + if (IS_ERR(ruleset)) + return PTR_ERR(ruleset); + + /* Creates anonymous FD referring to the ruleset. */ + ruleset_fd = anon_inode_getfd("landlock-ruleset", &ruleset_fops, + ruleset, O_RDWR | O_CLOEXEC); + if (ruleset_fd < 0) + landlock_put_ruleset(ruleset); + return ruleset_fd; +} + +/* + * Returns an owned ruleset from a FD. It is thus needed to call + * landlock_put_ruleset() on the return value. + */ +static struct landlock_ruleset *get_ruleset_from_fd(const s32 fd, + const fmode_t mode) +{ + struct fd ruleset_f; + struct landlock_ruleset *ruleset; + int err; + + BUILD_BUG_ON(!__same_type(fd, + ((struct landlock_attr_path_beneath *)NULL)->ruleset_fd)); + BUILD_BUG_ON(!__same_type(fd, + ((struct landlock_attr_enforce *)NULL)->ruleset_fd)); + + ruleset_f = fdget(fd); + if (!ruleset_f.file) + return ERR_PTR(-EBADF); + + /* Checks FD type and access right. */ + err = 0; + if (ruleset_f.file->f_op != &ruleset_fops) + err = -EBADFD; + else if (!(ruleset_f.file->f_mode & mode)) + err = -EPERM; + if (!err) { + ruleset = ruleset_f.file->private_data; + landlock_get_ruleset(ruleset); + } + fdput(ruleset_f); + return err ? ERR_PTR(err) : ruleset; +} + +/* Path handling */ + +/* + * @path: Must call put_path(@path) after the call if it succeeded. + */ +static int get_path_from_fd(const s32 fd, struct path *const path) +{ + struct fd f; + int err = 0; + + BUILD_BUG_ON(!__same_type(fd, + ((struct landlock_attr_path_beneath *)NULL)->parent_fd)); + + /* Handles O_PATH. */ + f = fdget_raw(fd); + if (!f.file) + return -EBADF; + /* + * Only allows O_PATH file descriptor: enables to restrict ambient + * filesystem access without requiring to open and risk leaking or + * misusing a file descriptor. Forbid internal filesystems (e.g. + * nsfs), including pseudo filesystems that will never be mountable + * (e.g. sockfs, pipefs). + */ + if (!(f.file->f_mode & FMODE_PATH) || + (f.file->f_path.mnt->mnt_flags & MNT_INTERNAL) || + (f.file->f_path.dentry->d_sb->s_flags & SB_NOUSER) || + d_is_negative(f.file->f_path.dentry) || + IS_PRIVATE(d_backing_inode(f.file->f_path.dentry))) { + err = -EBADFD; + goto out_fdput; + } + path->mnt = f.file->f_path.mnt; + path->dentry = f.file->f_path.dentry; + path_get(path); + +out_fdput: + fdput(f); + return err; +} + +static int syscall_add_rule_path_beneath(const void __user *const attr_ptr, + const size_t attr_size) +{ + struct landlock_attr_path_beneath attr_path_beneath; + struct path path; + struct landlock_ruleset *ruleset; + int err; + + /* Copies raw user space buffer. */ + err = copy_struct_if_any_from_user(&attr_path_beneath, + sizeof(attr_path_beneath), + offsetofend(typeof(attr_path_beneath), allowed_access), + attr_ptr, attr_size); + if (err) + return err; + + /* Gets and checks the ruleset. */ + ruleset = get_ruleset_from_fd(attr_path_beneath.ruleset_fd, + FMODE_CAN_WRITE); + if (IS_ERR(ruleset)) + return PTR_ERR(ruleset); + + /* + * Checks that allowed_access matches the @ruleset constraints + * (ruleset->fs_access_mask is automatically upgraded to 64-bits). + * Allows empty allowed_access i.e., deny @ruleset->fs_access_mask . + */ + if ((attr_path_beneath.allowed_access | ruleset->fs_access_mask) != + ruleset->fs_access_mask) { + err = -EINVAL; + goto out_put_ruleset; + } + + /* Gets and checks the new rule. */ + err = get_path_from_fd(attr_path_beneath.parent_fd, &path); + if (err) + goto out_put_ruleset; + + /* Imports the new rule. */ + err = landlock_append_fs_rule(ruleset, &path, + attr_path_beneath.allowed_access); + path_put(&path); + +out_put_ruleset: + landlock_put_ruleset(ruleset); + return err; +} + +/* Enforcement */ + +static int syscall_enforce_ruleset(const void __user *const attr_ptr, + const size_t attr_size) +{ + struct landlock_ruleset *new_dom, *ruleset; + struct cred *new_cred; + struct landlock_cred_security *new_llcred; + struct landlock_attr_enforce attr_enforce; + int err; + + /* + * Enforcing a Landlock ruleset requires that the task has + * CAP_SYS_ADMIN in its namespace or be running with no_new_privs. + * This avoids scenarios where unprivileged tasks can affect the + * behavior of privileged children. These are similar checks as for + * seccomp(2), except that an -EPERM may be returned. + */ + if (!task_no_new_privs(current)) { + err = security_capable(current_cred(), current_user_ns(), + CAP_SYS_ADMIN, CAP_OPT_NOAUDIT); + if (err) + return err; + } + + /* Copies raw user space buffer. */ + err = copy_struct_if_any_from_user(&attr_enforce, sizeof(attr_enforce), + offsetofend(typeof(attr_enforce), ruleset_fd), + attr_ptr, attr_size); + if (err) + return err; + + /* Gets and checks the ruleset. */ + ruleset = get_ruleset_from_fd(attr_enforce.ruleset_fd, FMODE_CAN_READ); + if (IS_ERR(ruleset)) + return PTR_ERR(ruleset); + + /* Prepares new credentials. */ + new_cred = prepare_creds(); + if (!new_cred) { + err = -ENOMEM; + goto out_put_ruleset; + } + new_llcred = landlock_cred(new_cred); + + /* + * There is no possible race condition while copying and manipulating + * the current credentials because they are dedicated per thread. + */ + new_dom = landlock_merge_ruleset(new_llcred->domain, ruleset); + if (IS_ERR(new_dom)) { + err = PTR_ERR(new_dom); + goto out_put_creds; + } + + /* Replaces the old (prepared) domain. */ + landlock_put_ruleset(new_llcred->domain); + new_llcred->domain = new_dom; + + landlock_put_ruleset(ruleset); + return commit_creds(new_cred); + +out_put_creds: + abort_creds(new_cred); + return err; + +out_put_ruleset: + landlock_put_ruleset(ruleset); + return err; +} + +/* + * This function only contains arithmetic operations with constants, leading to + * BUILD_BUG_ON(). The related code is evaluated and checked at build time, + * but it is then ignored thanks to compiler optimizations. + */ +static void build_check_abi(void) +{ + size_t size_features, size_ruleset, size_path_beneath, size_enforce; + + /* + * For each user space ABI structures, first checks that there is no + * hole in them, then checks that all architectures have the same + * struct size. + */ + size_features = sizeof_field(struct landlock_attr_features, options_get_features); + size_features += sizeof_field(struct landlock_attr_features, options_create_ruleset); + size_features += sizeof_field(struct landlock_attr_features, options_add_rule); + size_features += sizeof_field(struct landlock_attr_features, options_enforce_ruleset); + size_features += sizeof_field(struct landlock_attr_features, size_attr_features); + size_features += sizeof_field(struct landlock_attr_features, size_attr_ruleset); + size_features += sizeof_field(struct landlock_attr_features, size_attr_path_beneath); + size_features += sizeof_field(struct landlock_attr_features, size_attr_enforce); + size_features += sizeof_field(struct landlock_attr_features, access_fs); + BUILD_BUG_ON(sizeof(struct landlock_attr_features) != size_features); + BUILD_BUG_ON(sizeof(struct landlock_attr_features) != 32); + + size_ruleset = sizeof_field(struct landlock_attr_ruleset, handled_access_fs); + BUILD_BUG_ON(sizeof(struct landlock_attr_ruleset) != size_ruleset); + BUILD_BUG_ON(sizeof(struct landlock_attr_ruleset) != 8); + + size_path_beneath = sizeof_field(struct landlock_attr_path_beneath, ruleset_fd); + size_path_beneath += sizeof_field(struct landlock_attr_path_beneath, parent_fd); + size_path_beneath += sizeof_field(struct landlock_attr_path_beneath, allowed_access); + BUILD_BUG_ON(sizeof(struct landlock_attr_path_beneath) != size_path_beneath); + BUILD_BUG_ON(sizeof(struct landlock_attr_path_beneath) != 16); + + size_enforce = sizeof_field(struct landlock_attr_enforce, ruleset_fd); + BUILD_BUG_ON(sizeof(struct landlock_attr_enforce) != size_enforce); + BUILD_BUG_ON(sizeof(struct landlock_attr_enforce) != 4); +} + +/** + * sys_landlock - System call to enable a process to safely sandbox itself + * + * @command: Landlock command to perform miscellaneous, but safe, actions. Cf. + * `Commands`_. + * @options: Bitmask of options dedicated to one command. Cf. `Options`_. + * @attr1_ptr: Pointer to the first attribute. Cf. `Attributes`_. + * @attr1_size: First attribute size (i.e. size of the struct). + * @attr2_ptr: Unused for now, must be NULL. + * @attr2_size: Unused for now, must be 0. + * + * The @command and @options arguments enable a seccomp-bpf policy to control + * the requested actions. However, it should be noted that Landlock is + * designed from the ground to enable unprivileged process to drop privileges + * and accesses in a way that can not harm other processes. This syscall and + * all its arguments should then be allowed for any process, which will then + * enable applications to strengthen the security of the whole system. + * + * @attr2_ptr and @attr2_size describe a second attribute which could be used + * in the future to compose with the first attribute (e.g. a + * landlock_attr_path_beneath with a landlock_attr_ioctl). + * + * The order of return errors begins with ENOPKG (disabled Landlock), + * EOPNOTSUPP (unknown command or option) and then EINVAL (invalid attribute). + * The other error codes may be specific to each command. + */ +SYSCALL_DEFINE6(landlock, const unsigned int, command, + const unsigned int, options, + void __user *const, attr1_ptr, const size_t, attr1_size, + void __user *const, attr2_ptr, const size_t, attr2_size) +{ + build_check_abi(); + /* + * Enables user space to identify if Landlock is disabled, thanks to a + * specific error code. + */ + if (!landlock_initialized) + return -ENOPKG; + + switch ((enum landlock_cmd)command) { + case LANDLOCK_CMD_GET_FEATURES: + if (options == LANDLOCK_OPT_GET_FEATURES) { + if (attr2_ptr || attr2_size) + return -EINVAL; + return syscall_get_features(attr1_ptr, attr1_size); + } + return -EOPNOTSUPP; + + case LANDLOCK_CMD_CREATE_RULESET: + if (options == LANDLOCK_OPT_CREATE_RULESET) { + if (attr2_ptr || attr2_size) + return -EINVAL; + return syscall_create_ruleset(attr1_ptr, attr1_size); + } + return -EOPNOTSUPP; + + case LANDLOCK_CMD_ADD_RULE: + if (options == LANDLOCK_OPT_ADD_RULE_PATH_BENEATH) { + if (attr2_ptr || attr2_size) + return -EINVAL; + return syscall_add_rule_path_beneath(attr1_ptr, + attr1_size); + } + return -EOPNOTSUPP; + + case LANDLOCK_CMD_ENFORCE_RULESET: + if (options == LANDLOCK_OPT_ENFORCE_RULESET) { + if (attr2_ptr || attr2_size) + return -EINVAL; + return syscall_enforce_ruleset(attr1_ptr, attr1_size); + } + return -EOPNOTSUPP; + } + return -EOPNOTSUPP; +}
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
This system call, inspired from seccomp(2) and bpf(2), is designed to be used by unprivileged processes to sandbox themselves. It has the same usage restrictions as seccomp(2): the caller must have the no_new_privs attribute set or have CAP_SYS_ADMIN in the current user namespace.
Here are the motivations for this new syscall:
- A sandboxed process may not have access to file systems, including /dev, /sys or /proc, but it should still be able to add more restrictions to itself.
- Neither prctl(2) nor seccomp(2) (which was used in a previous version) fit well with the current definition of a Landlock security policy.
- It is quite easy to whitelist this syscall with seccomp-bpf to enable all processes to use it. It is also easy to filter specific commands or options to restrict a process to a subset of Landlock features.
There is currently four commands:
- LANDLOCK_CMD_GET_FEATURES: Gets the supported features (required for backward and forward compatibility, and best-effort security).
- LANDLOCK_CMD_CREATE_RULESET: Creates a ruleset and returns its file descriptor.
- LANDLOCK_CMD_ADD_RULE: Adds a rule (e.g. file hierarchy access) to a ruleset, identified by the dedicated file descriptor.
- LANDLOCK_CMD_ENFORCE_RULESET: Enforces a ruleset on the current thread and its future children (similar to seccomp).
I never paid attention to the patch series so far, so I'm sorry if this has all been discussed before, but I think the syscall prototype needs to be different, with *much* less extensibility built in.
Each command has at least one option, which enables to define the attribute types passed to the syscall. All attribute types (structures) are checked at build time to ensure that they don't contain holes and that they are aligned the same way for each architecture. The struct landlock_attr_features contains __u32 options_* fields which is enough to store 32-bits syscall arguments, and __u16 size_attr_* fields which is enough for the maximal struct size (i.e. page size) passed through the landlock syscall. The other fields can have __u64 type for flags and bitfields, and __s32 type for file descriptors.
See the user and kernel documentation for more details (provided by a following commit): Documentation/security/landlock/
System calls with their own sub-commands have turned out to be a bad idea many times in the past and cause more problems than they solve. See sys_ipc, sys_socketcall and sys_futex for common examples.
The first step I would recommend is to split out the individual commands into separate syscalls. For each one of those, pick a simple prototype that can do what it needs, with one 'flags' argument for extensibility.
+/**
- DOC: options_intro
- These options may be used as second argument of sys_landlock(). Each
- command have a dedicated set of options, represented as bitmasks. For two
- different commands, their options may overlap. Each command have at least
- one option defining the used attribute type. This also enables to always
- have a usable &struct landlock_attr_features (i.e. filled with bits).
- */
+/**
- DOC: options_get_features
- Options for ``LANDLOCK_CMD_GET_FEATURES``
- %LANDLOCK_OPT_GET_FEATURES: the attr type is `struct
- landlock_attr_features`.
- */
+#define LANDLOCK_OPT_GET_FEATURES (1 << 0)
For each command, you currently have one attribute that is defined to have a name directly corresponding to the command, making it entirely redundant. I'd suggest just check the 'flags' argument for being zero at syscall entry for future extension if you think there may be a need to extend it, or completely leave out attributes and flags.
+static int syscall_create_ruleset(const void __user *const attr_ptr,
const size_t attr_size)
+{
struct landlock_attr_ruleset attr_ruleset;
struct landlock_ruleset *ruleset;
int err, ruleset_fd;
/* Copies raw user space buffer. */
err = copy_struct_if_any_from_user(&attr_ruleset, sizeof(attr_ruleset),
offsetofend(typeof(attr_ruleset), handled_access_fs),
attr_ptr, attr_size);
if (err)
return err;
/* Checks content (and 32-bits cast). */
if ((attr_ruleset.handled_access_fs | _LANDLOCK_ACCESS_FS_MASK) !=
_LANDLOCK_ACCESS_FS_MASK)
return -EINVAL;
/* Checks arguments and transforms to kernel struct. */
ruleset = landlock_create_ruleset(attr_ruleset.handled_access_fs);
if (IS_ERR(ruleset))
return PTR_ERR(ruleset);
/* Creates anonymous FD referring to the ruleset. */
ruleset_fd = anon_inode_getfd("landlock-ruleset", &ruleset_fops,
ruleset, O_RDWR | O_CLOEXEC);
if (ruleset_fd < 0)
landlock_put_ruleset(ruleset);
return ruleset_fd;
+}
It looks like all you need here today is a single argument bit, plus possibly some room for extensibility. I would suggest removing all the extra bits and using a syscall like
SYSCALL_DEFINE1(landlock_create_ruleset, u32, flags);
I don't really see how this needs any variable-length arguments, it really doesn't do much.
To be on the safe side, you might split up the flags into either the upper/lower 16 bits or two u32 arguments, to allow both compatible (ignored by older kernels if flag is set) and incompatible (return error when an unknown flag is set) bits.
+struct landlock_attr_path_beneath {
/**
* @ruleset_fd: File descriptor tied to the ruleset which should be
* extended with this new access.
*/
__s32 ruleset_fd;
/**
* @parent_fd: File descriptor, open with ``O_PATH``, which identify
* the parent directory of a file hierarchy, or just a file.
*/
__s32 parent_fd;
/**
* @allowed_access: Bitmask of allowed actions for this file hierarchy
* (cf. `Filesystem flags`_).
*/
__u64 allowed_access;
+};
+static int syscall_add_rule_path_beneath(const void __user *const attr_ptr,
const size_t attr_size)
+{
struct landlock_attr_path_beneath attr_path_beneath;
struct path path;
struct landlock_ruleset *ruleset;
int err;
Similarly, it looks like this wants to be
SYSCALL_DEFINE3(landlock_add_rule_path_beneath, int, ruleset, int, path, __u32, flags)
I don't see any need to extend this in a way that wouldn't already be served better by adding another system call. You might argue that 'flags' and 'allowed_access' could be separate, with the latter being an indirect in/out argument here, like
SYSCALL_DEFINE4(landlock_add_rule_path_beneath, int, ruleset, int, path, __u64 *, allowed_acces, __u32, flags)
+static int syscall_enforce_ruleset(const void __user *const attr_ptr,
const size_t attr_size)
Here it seems like you just need to pass the file descriptor, or maybe
SYSCALL_DEFINE2(landlock_enforce, int, ruleset, __u32 flags);
if you need flags for extensibility.
Arnd
On 08/07/2020 10:57, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
This system call, inspired from seccomp(2) and bpf(2), is designed to be used by unprivileged processes to sandbox themselves. It has the same usage restrictions as seccomp(2): the caller must have the no_new_privs attribute set or have CAP_SYS_ADMIN in the current user namespace.
Here are the motivations for this new syscall:
- A sandboxed process may not have access to file systems, including /dev, /sys or /proc, but it should still be able to add more restrictions to itself.
- Neither prctl(2) nor seccomp(2) (which was used in a previous version) fit well with the current definition of a Landlock security policy.
- It is quite easy to whitelist this syscall with seccomp-bpf to enable all processes to use it. It is also easy to filter specific commands or options to restrict a process to a subset of Landlock features.
There is currently four commands:
- LANDLOCK_CMD_GET_FEATURES: Gets the supported features (required for backward and forward compatibility, and best-effort security).
- LANDLOCK_CMD_CREATE_RULESET: Creates a ruleset and returns its file descriptor.
- LANDLOCK_CMD_ADD_RULE: Adds a rule (e.g. file hierarchy access) to a ruleset, identified by the dedicated file descriptor.
- LANDLOCK_CMD_ENFORCE_RULESET: Enforces a ruleset on the current thread and its future children (similar to seccomp).
I never paid attention to the patch series so far, so I'm sorry if this has all been discussed before, but I think the syscall prototype needs to be different, with *much* less extensibility built in.
Each command has at least one option, which enables to define the attribute types passed to the syscall. All attribute types (structures) are checked at build time to ensure that they don't contain holes and that they are aligned the same way for each architecture. The struct landlock_attr_features contains __u32 options_* fields which is enough to store 32-bits syscall arguments, and __u16 size_attr_* fields which is enough for the maximal struct size (i.e. page size) passed through the landlock syscall. The other fields can have __u64 type for flags and bitfields, and __s32 type for file descriptors.
See the user and kernel documentation for more details (provided by a following commit): Documentation/security/landlock/
System calls with their own sub-commands have turned out to be a bad idea many times in the past and cause more problems than they solve. See sys_ipc, sys_socketcall and sys_futex for common examples.
The first step I would recommend is to split out the individual commands into separate syscalls. For each one of those, pick a simple prototype that can do what it needs, with one 'flags' argument for extensibility.
OK, I'll replace each command with a specific syscall. I don't think there will be much more commands/syscalls than these four and it will make a better API.
+/**
- DOC: options_intro
- These options may be used as second argument of sys_landlock(). Each
- command have a dedicated set of options, represented as bitmasks. For two
- different commands, their options may overlap. Each command have at least
- one option defining the used attribute type. This also enables to always
- have a usable &struct landlock_attr_features (i.e. filled with bits).
- */
+/**
- DOC: options_get_features
- Options for ``LANDLOCK_CMD_GET_FEATURES``
- %LANDLOCK_OPT_GET_FEATURES: the attr type is `struct
- landlock_attr_features`.
- */
+#define LANDLOCK_OPT_GET_FEATURES (1 << 0)
For each command, you currently have one attribute that is defined to have a name directly corresponding to the command, making it entirely redundant. I'd suggest just check the 'flags' argument for being zero at syscall entry for future extension if you think there may be a need to extend it, or completely leave out attributes and flags.
The goal is to easily "type" the attr pointers (arguments 3 to 6), not the command, to avoid future attr composability issues (for the same command). However, with one syscall per command, these kind of options may not be required.
The other reason to set an option bit for each command is to avoid empty fields in struct landlock_attr_features, which enables to detect if a specific command is supported. However, if necessary, a "commands" field can be use for such usage.
+static int syscall_create_ruleset(const void __user *const attr_ptr,
const size_t attr_size)
+{
struct landlock_attr_ruleset attr_ruleset;
struct landlock_ruleset *ruleset;
int err, ruleset_fd;
/* Copies raw user space buffer. */
err = copy_struct_if_any_from_user(&attr_ruleset, sizeof(attr_ruleset),
offsetofend(typeof(attr_ruleset), handled_access_fs),
attr_ptr, attr_size);
if (err)
return err;
/* Checks content (and 32-bits cast). */
if ((attr_ruleset.handled_access_fs | _LANDLOCK_ACCESS_FS_MASK) !=
_LANDLOCK_ACCESS_FS_MASK)
return -EINVAL;
/* Checks arguments and transforms to kernel struct. */
ruleset = landlock_create_ruleset(attr_ruleset.handled_access_fs);
if (IS_ERR(ruleset))
return PTR_ERR(ruleset);
/* Creates anonymous FD referring to the ruleset. */
ruleset_fd = anon_inode_getfd("landlock-ruleset", &ruleset_fops,
ruleset, O_RDWR | O_CLOEXEC);
if (ruleset_fd < 0)
landlock_put_ruleset(ruleset);
return ruleset_fd;
+}
It looks like all you need here today is a single argument bit, plus possibly some room for extensibility. I would suggest removing all the extra bits and using a syscall like
SYSCALL_DEFINE1(landlock_create_ruleset, u32, flags);
I don't really see how this needs any variable-length arguments, it really doesn't do much.
We need the attr_ptr/attr_size pattern because the number of ruleset properties will increase (e.g. network access mask).
To be on the safe side, you might split up the flags into either the upper/lower 16 bits or two u32 arguments, to allow both compatible (ignored by older kernels if flag is set) and incompatible (return error when an unknown flag is set) bits.
This may be a good idea in general, but in the case of Landlock, because this kind of (discretionary) sandboxing should be a best-effort security feature, we should avoid incompatible behavior. In practice, every unknown bit returns an error because userland can probe for available bits thanks to the get_features command. This kind of (in)compatibility can then be handled by userland.
I suggest this syscall signature: SYSCALL_DEFINE3(landlock_create_ruleset, __u32, options, const struct landlock_attr_ruleset __user *, ruleset_ptr, size_t, ruleset_size);
+struct landlock_attr_path_beneath {
/**
* @ruleset_fd: File descriptor tied to the ruleset which should be
* extended with this new access.
*/
__s32 ruleset_fd;
/**
* @parent_fd: File descriptor, open with ``O_PATH``, which identify
* the parent directory of a file hierarchy, or just a file.
*/
__s32 parent_fd;
/**
* @allowed_access: Bitmask of allowed actions for this file hierarchy
* (cf. `Filesystem flags`_).
*/
__u64 allowed_access;
+};
+static int syscall_add_rule_path_beneath(const void __user *const attr_ptr,
const size_t attr_size)
+{
struct landlock_attr_path_beneath attr_path_beneath;
struct path path;
struct landlock_ruleset *ruleset;
int err;
Similarly, it looks like this wants to be
SYSCALL_DEFINE3(landlock_add_rule_path_beneath, int, ruleset, int, path, __u32, flags)
I don't see any need to extend this in a way that wouldn't already be served better by adding another system call. You might argue that 'flags' and 'allowed_access' could be separate, with the latter being an indirect in/out argument here, like
SYSCALL_DEFINE4(landlock_add_rule_path_beneath, int, ruleset, int, path, __u64 *, allowed_acces, __u32, flags)
To avoid adding a new syscall for each new rule type (e.g. path_beneath, path_range, net_ipv4_range, etc.), I think it would be better to keep the attr_ptr/attr_size pattern and to explicitely set a dedicated option flag to specify the attr type.
This would look like this: SYSCALL_DEFINE4(landlock_add_rule, __u32, options, int, ruleset, const void __user *, rule_ptr, size_t, rule_size);
The rule_ptr could then point to multiple types like struct landlock_attr_path_beneath (without the current ruleset_fd field).
+static int syscall_enforce_ruleset(const void __user *const attr_ptr,
const size_t attr_size)
Here it seems like you just need to pass the file descriptor, or maybe
SYSCALL_DEFINE2(landlock_enforce, int, ruleset, __u32 flags);
if you need flags for extensibility.
Right, but for consistency I prefer to change the arguments like this: SYSCALL_DEFINE2(landlock_enforce, __u32 options, int, ruleset);
About the get_features command, because the number of features will increase, the corresponding syscall should look like this: SYSCALL_DEFINE3(landlock_get_features, __u32, options, struct landlock_attr_features __user *, features_ptr, size_t features_size);
On Wed, Jul 8, 2020 at 3:04 PM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 10:57, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
It looks like all you need here today is a single argument bit, plus possibly some room for extensibility. I would suggest removing all the extra bits and using a syscall like
SYSCALL_DEFINE1(landlock_create_ruleset, u32, flags);
I don't really see how this needs any variable-length arguments, it really doesn't do much.
We need the attr_ptr/attr_size pattern because the number of ruleset properties will increase (e.g. network access mask).
But how many bits do you think you will *actually* need in total that this needs to be a two-dimensional set of flags? At the moment you only have a single bit that you interpret.
To be on the safe side, you might split up the flags into either the upper/lower 16 bits or two u32 arguments, to allow both compatible (ignored by older kernels if flag is set) and incompatible (return error when an unknown flag is set) bits.
This may be a good idea in general, but in the case of Landlock, because this kind of (discretionary) sandboxing should be a best-effort security feature, we should avoid incompatible behavior. In practice, every unknown bit returns an error because userland can probe for available bits thanks to the get_features command. This kind of (in)compatibility can then be handled by userland.
If there are not going to be incompatible extensions, then just ignore all unknown bits and never return an error but get rid of the user space probing that just complicates the interface.
In general, it's hard to rely on user space to first ask the kernel what it can do, the way this normally works is that user space asks the kernel for something and it either does it or not, but gives an indication of whether it worked.
I suggest this syscall signature: SYSCALL_DEFINE3(landlock_create_ruleset, __u32, options, const struct landlock_attr_ruleset __user *, ruleset_ptr, size_t, ruleset_size);
The other problem here is that indirect variable-size structured arguments are a pain to instrument with things like strace or seccomp, so you should first try to use a fixed argument list, and fall back to a fixed structure if that fails.
+static int syscall_add_rule_path_beneath(const void __user *const attr_ptr,
const size_t attr_size)
+{
struct landlock_attr_path_beneath attr_path_beneath;
struct path path;
struct landlock_ruleset *ruleset;
int err;
Similarly, it looks like this wants to be
SYSCALL_DEFINE3(landlock_add_rule_path_beneath, int, ruleset, int, path, __u32, flags)
I don't see any need to extend this in a way that wouldn't already be served better by adding another system call. You might argue that 'flags' and 'allowed_access' could be separate, with the latter being an indirect in/out argument here, like
SYSCALL_DEFINE4(landlock_add_rule_path_beneath, int, ruleset, int, path, __u64 *, allowed_acces, __u32, flags)
To avoid adding a new syscall for each new rule type (e.g. path_beneath, path_range, net_ipv4_range, etc.), I think it would be better to keep the attr_ptr/attr_size pattern and to explicitely set a dedicated option flag to specify the attr type.
This would look like this: SYSCALL_DEFINE4(landlock_add_rule, __u32, options, int, ruleset, const void __user *, rule_ptr, size_t, rule_size);
The rule_ptr could then point to multiple types like struct landlock_attr_path_beneath (without the current ruleset_fd field).
This again introduces variable-sized structured data. How many different kinds of rule types do you think there will be (most likely, and maybe an upper bound)?
Could (some of) these be generalized to use the same data structure?
+static int syscall_enforce_ruleset(const void __user *const attr_ptr,
const size_t attr_size)
Here it seems like you just need to pass the file descriptor, or maybe
SYSCALL_DEFINE2(landlock_enforce, int, ruleset, __u32 flags);
if you need flags for extensibility.
Right, but for consistency I prefer to change the arguments like this: SYSCALL_DEFINE2(landlock_enforce, __u32 options, int, ruleset);
Most system calls pass the object they work on as the first argument, in this case this would be the ruleset file descriptor.
Arnd
On 08/07/2020 15:49, Arnd Bergmann wrote:
On Wed, Jul 8, 2020 at 3:04 PM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 10:57, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
It looks like all you need here today is a single argument bit, plus possibly some room for extensibility. I would suggest removing all the extra bits and using a syscall like
SYSCALL_DEFINE1(landlock_create_ruleset, u32, flags);
I don't really see how this needs any variable-length arguments, it really doesn't do much.
We need the attr_ptr/attr_size pattern because the number of ruleset properties will increase (e.g. network access mask).
But how many bits do you think you will *actually* need in total that this needs to be a two-dimensional set of flags? At the moment you only have a single bit that you interpret.
I think there is a misunderstanding. For this syscall I wasn't talking about the "options" field but about the "handled_access_fs" field which has 14 bits dedicated to control access to the file system: https://landlock.io/linux-doc/landlock-v19/security/landlock/user.html#files... The idea is to add other handled_access_* fields for other kernel object types (e.g. network, process, etc.).
The "options" field is fine as a raw __u32 syscall argument.
To be on the safe side, you might split up the flags into either the upper/lower 16 bits or two u32 arguments, to allow both compatible (ignored by older kernels if flag is set) and incompatible (return error when an unknown flag is set) bits.
This may be a good idea in general, but in the case of Landlock, because this kind of (discretionary) sandboxing should be a best-effort security feature, we should avoid incompatible behavior. In practice, every unknown bit returns an error because userland can probe for available bits thanks to the get_features command. This kind of (in)compatibility can then be handled by userland.
If there are not going to be incompatible extensions, then just ignore all unknown bits and never return an error but get rid of the user space probing that just complicates the interface.
There was multiple discussions about ABI compatibility, especially inspired by open(2) vs. openat2(2), and ignoring flags seems to be a bad idea. In the "sandboxer" example, we first probe the supported features and then mask unknown bits (i.e. access rights) at run time in userland. This strategy is quite straightforward, backward compatible and future-proof.
What does the linux-api folks think about this?
In general, it's hard to rely on user space to first ask the kernel what it can do, the way this normally works is that user space asks the kernel for something and it either does it or not, but gives an indication of whether it worked.
Right, but this is a special case (i.e. best-effort security, not a required feature to run an application properly). As previously discussed, this kind of security feature should be used as much as possible by userland, but it may run on a system without Landlock. To encourage a wide use of this kind of security sandboxing by userland developers we should avoid the case when all the sandboxing is disabled because not all sandboxing features are supported by the running kernel.
I suggest this syscall signature: SYSCALL_DEFINE3(landlock_create_ruleset, __u32, options, const struct landlock_attr_ruleset __user *, ruleset_ptr, size_t, ruleset_size);
The other problem here is that indirect variable-size structured arguments are a pain to instrument with things like strace or seccomp, so you should first try to use a fixed argument list, and fall back to a fixed structure if that fails.
I agree that it is not perfect with the current tools but this kind of extensible structs are becoming common and well defined (e.g. openat2). Moreover there is some work going on for seccomp to support "extensible argument" syscalls: https://lwn.net/Articles/822256/
+static int syscall_add_rule_path_beneath(const void __user *const attr_ptr,
const size_t attr_size)
+{
struct landlock_attr_path_beneath attr_path_beneath;
struct path path;
struct landlock_ruleset *ruleset;
int err;
Similarly, it looks like this wants to be
SYSCALL_DEFINE3(landlock_add_rule_path_beneath, int, ruleset, int, path, __u32, flags)
I don't see any need to extend this in a way that wouldn't already be served better by adding another system call. You might argue that 'flags' and 'allowed_access' could be separate, with the latter being an indirect in/out argument here, like
SYSCALL_DEFINE4(landlock_add_rule_path_beneath, int, ruleset, int, path, __u64 *, allowed_acces, __u32, flags)
To avoid adding a new syscall for each new rule type (e.g. path_beneath, path_range, net_ipv4_range, etc.), I think it would be better to keep the attr_ptr/attr_size pattern and to explicitely set a dedicated option flag to specify the attr type.
This would look like this: SYSCALL_DEFINE4(landlock_add_rule, __u32, options, int, ruleset, const void __user *, rule_ptr, size_t, rule_size);
The rule_ptr could then point to multiple types like struct landlock_attr_path_beneath (without the current ruleset_fd field).
This again introduces variable-sized structured data. How many different kinds of rule types do you think there will be (most likely, and maybe an upper bound)?
I don't know how many rule types will come, but right now I think it may be less than 10.
Could (some of) these be generalized to use the same data structure?
I don't think so, file path and network addresses are an example of very different types.
+static int syscall_enforce_ruleset(const void __user *const attr_ptr,
const size_t attr_size)
Here it seems like you just need to pass the file descriptor, or maybe
SYSCALL_DEFINE2(landlock_enforce, int, ruleset, __u32 flags);
if you need flags for extensibility.
Right, but for consistency I prefer to change the arguments like this: SYSCALL_DEFINE2(landlock_enforce, __u32 options, int, ruleset);
Most system calls pass the object they work on as the first argument, in this case this would be the ruleset file descriptor.
OK, makes sense, I'll try to follow this as much as possible then.
On Wed, Jul 8, 2020 at 7:50 PM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 15:49, Arnd Bergmann wrote:
On Wed, Jul 8, 2020 at 3:04 PM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 10:57, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
It looks like all you need here today is a single argument bit, plus possibly some room for extensibility. I would suggest removing all the extra bits and using a syscall like
SYSCALL_DEFINE1(landlock_create_ruleset, u32, flags);
I don't really see how this needs any variable-length arguments, it really doesn't do much.
We need the attr_ptr/attr_size pattern because the number of ruleset properties will increase (e.g. network access mask).
But how many bits do you think you will *actually* need in total that this needs to be a two-dimensional set of flags? At the moment you only have a single bit that you interpret.
I think there is a misunderstanding. For this syscall I wasn't talking about the "options" field but about the "handled_access_fs" field which has 14 bits dedicated to control access to the file system: https://landlock.io/linux-doc/landlock-v19/security/landlock/user.html#files...
Ok, got it. I didn't read far enough there.
The idea is to add other handled_access_* fields for other kernel object types (e.g. network, process, etc.).
The "options" field is fine as a raw __u32 syscall argument.
I'd still like to avoid having it variable-length and structured though. How about having a __u32 "options" flag, plus an indirect argument with 32 fixed-length (all 32 bit or all 64 bit) flag words, each of which corresponds to one of the option bits?
It's still fairly complex that way, but not as much as the version you have right now that can be extended in multiple dimensions.
This could possibly also help avoid the need for the get_features syscall: If user space just passes the bitmap of all the access flags it wants to use in a fixed-size structure, the kernel can update the bits to mask out the ones it does not understand and write back that bitmap as the result of create_ruleset().
To be on the safe side, you might split up the flags into either the upper/lower 16 bits or two u32 arguments, to allow both compatible (ignored by older kernels if flag is set) and incompatible (return error when an unknown flag is set) bits.
This may be a good idea in general, but in the case of Landlock, because this kind of (discretionary) sandboxing should be a best-effort security feature, we should avoid incompatible behavior. In practice, every unknown bit returns an error because userland can probe for available bits thanks to the get_features command. This kind of (in)compatibility can then be handled by userland.
If there are not going to be incompatible extensions, then just ignore all unknown bits and never return an error but get rid of the user space probing that just complicates the interface.
There was multiple discussions about ABI compatibility, especially inspired by open(2) vs. openat2(2), and ignoring flags seems to be a bad idea. In the "sandboxer" example, we first probe the supported features and then mask unknown bits (i.e. access rights) at run time in userland. This strategy is quite straightforward, backward compatible and future-proof.
For behavior changing flags, I agree they should be seen as incompatible flags (i.e. return an error if an unknown bit is set).
However, for the flags you pass in in an allowlist, treating them as compatible (i.e. ignore any unknown flags, allowing everything you are not forbidding already) seems completely reasonable to me. Do you foresee user space doing anything other than masking out the bits that the kernel doesn't know about? If not, then doing it in the kernel should always be simpler.
I suggest this syscall signature: SYSCALL_DEFINE3(landlock_create_ruleset, __u32, options, const struct landlock_attr_ruleset __user *, ruleset_ptr, size_t, ruleset_size);
The other problem here is that indirect variable-size structured arguments are a pain to instrument with things like strace or seccomp, so you should first try to use a fixed argument list, and fall back to a fixed structure if that fails.
I agree that it is not perfect with the current tools but this kind of extensible structs are becoming common and well defined (e.g. openat2). Moreover there is some work going on for seccomp to support "extensible argument" syscalls: https://lwn.net/Articles/822256/
openat2() is already more complex than we'd ideally want, I think we should try hard to make new syscalls simpler than that, following the rule that any interface should be as simple as possible, but no simpler.
+static int syscall_add_rule_path_beneath(const void __user *const attr_ptr,
const size_t attr_size)
+{
struct landlock_attr_path_beneath attr_path_beneath;
struct path path;
struct landlock_ruleset *ruleset;
int err;
Similarly, it looks like this wants to be
SYSCALL_DEFINE3(landlock_add_rule_path_beneath, int, ruleset, int, path, __u32, flags)
I don't see any need to extend this in a way that wouldn't already be served better by adding another system call. You might argue that 'flags' and 'allowed_access' could be separate, with the latter being an indirect in/out argument here, like
SYSCALL_DEFINE4(landlock_add_rule_path_beneath, int, ruleset, int, path, __u64 *, allowed_acces, __u32, flags)
To avoid adding a new syscall for each new rule type (e.g. path_beneath, path_range, net_ipv4_range, etc.), I think it would be better to keep the attr_ptr/attr_size pattern and to explicitely set a dedicated option flag to specify the attr type.
This would look like this: SYSCALL_DEFINE4(landlock_add_rule, __u32, options, int, ruleset, const void __user *, rule_ptr, size_t, rule_size);
The rule_ptr could then point to multiple types like struct landlock_attr_path_beneath (without the current ruleset_fd field).
This again introduces variable-sized structured data. How many different kinds of rule types do you think there will be (most likely, and maybe an upper bound)?
I don't know how many rule types will come, but right now I think it may be less than 10.
Ok,
Could (some of) these be generalized to use the same data structure?
I don't think so, file path and network addresses are an example of very different types.
Clearly the target object is something different, but maybe there is enough commonality to still make them fit into a more regular form.
For the file system case, you have an identify for an object (the file descriptor) and the '__u64 allowed_access'. I would expect that the 'allowed_access' concept is generic enough that you can make it a direct argument (32 bit register arg, or pointer to a __u64). Do you expect others to need something besides an object identifier and a permission bitmask? Maybe it could be something like
SYSCALL_DEFINE4(landlock_add_rule, int, ruleset, __u32, options, const void __user *, object, const __u64 __user *, allowed_access, __u32, flags);
with a fixed-length 'object' identifier type (file descriptor, sockaddr_storage, ...) for each option.
Arnd
On Thu, Jul 09, 2020 at 07:26:18PM +0200, Arnd Bergmann wrote:
On Wed, Jul 8, 2020 at 7:50 PM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 15:49, Arnd Bergmann wrote:
On Wed, Jul 8, 2020 at 3:04 PM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 10:57, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
It looks like all you need here today is a single argument bit, plus possibly some room for extensibility. I would suggest removing all the extra bits and using a syscall like
SYSCALL_DEFINE1(landlock_create_ruleset, u32, flags);
I don't really see how this needs any variable-length arguments, it really doesn't do much.
We need the attr_ptr/attr_size pattern because the number of ruleset properties will increase (e.g. network access mask).
But how many bits do you think you will *actually* need in total that this needs to be a two-dimensional set of flags? At the moment you only have a single bit that you interpret.
I think there is a misunderstanding. For this syscall I wasn't talking about the "options" field but about the "handled_access_fs" field which has 14 bits dedicated to control access to the file system: https://landlock.io/linux-doc/landlock-v19/security/landlock/user.html#files...
Ok, got it. I didn't read far enough there.
The idea is to add other handled_access_* fields for other kernel object types (e.g. network, process, etc.).
The "options" field is fine as a raw __u32 syscall argument.
I'd still like to avoid having it variable-length and structured though. How about having a __u32 "options" flag, plus an indirect argument with 32 fixed-length (all 32 bit or all 64 bit) flag words, each of which corresponds to one of the option bits?
It's still fairly complex that way, but not as much as the version you have right now that can be extended in multiple dimensions.
This could possibly also help avoid the need for the get_features
What is this fresh hell again, please?
syscall: If user space just passes the bitmap of all the access flags it wants to use in a fixed-size structure, the kernel can update the bits to mask out the ones it does not understand and write back that bitmap as the result of create_ruleset().
To be on the safe side, you might split up the flags into either the upper/lower 16 bits or two u32 arguments, to allow both compatible (ignored by older kernels if flag is set) and incompatible (return error when an unknown flag is set) bits.
This may be a good idea in general, but in the case of Landlock, because this kind of (discretionary) sandboxing should be a best-effort security feature, we should avoid incompatible behavior. In practice, every unknown bit returns an error because userland can probe for available bits thanks to the get_features command. This kind of (in)compatibility can then be handled by userland.
If there are not going to be incompatible extensions, then just ignore all unknown bits and never return an error but get rid of the user space probing that just complicates the interface.
There was multiple discussions about ABI compatibility, especially inspired by open(2) vs. openat2(2), and ignoring flags seems to be a bad idea. In the "sandboxer" example, we first probe the supported features and then mask unknown bits (i.e. access rights) at run time in userland. This strategy is quite straightforward, backward compatible and future-proof.
For behavior changing flags, I agree they should be seen as incompatible flags (i.e. return an error if an unknown bit is set).
However, for the flags you pass in in an allowlist, treating them as compatible (i.e. ignore any unknown flags, allowing everything you are not forbidding already) seems completely reasonable to me. Do you foresee user space doing anything other than masking out the bits that the kernel doesn't know about? If not, then doing it in the kernel should always be simpler.
I suggest this syscall signature: SYSCALL_DEFINE3(landlock_create_ruleset, __u32, options, const struct landlock_attr_ruleset __user *, ruleset_ptr, size_t, ruleset_size);
The other problem here is that indirect variable-size structured arguments are a pain to instrument with things like strace or seccomp, so you should first try to use a fixed argument list, and fall back to a fixed structure if that fails.
I agree that it is not perfect with the current tools but this kind of extensible structs are becoming common and well defined (e.g. openat2). Moreover there is some work going on for seccomp to support "extensible argument" syscalls: https://lwn.net/Articles/822256/
openat2() is already more complex than we'd ideally want, I think we should try hard to make new syscalls simpler than that, following the rule that any interface should be as simple as possible, but no simpler.
Extensible structs are targeted at system calls that are either known to grow a lot of features or we already have prior versions that have accumulated quite a lot of features or that by their nature need to be more complex. openat2() is not really complex per se (At least not yet. It will likely grow quite a bit in the future...). The kernel now has infrastructure since clone3() and later generalized with openat2() and is well-equipped with a consistent api to deal with such syscalls so I don't see how this is really an issue in the first place. Yes, syscalls should be kept as simple as possible but we don't need to lock us into a "structs as arguments" are inherently bad mindset. That will also cause us to end up with crappy syscalls that are awkward to use for userspace. (Second-level pointers is a whole different issue of course.)
(Arnd, you should also note that we're giving a talk at kernel summit about new syscall conventions and I'm syncing with Florian who'll be talking about the userspace side and requirements of this.)
Christian
+static int syscall_add_rule_path_beneath(const void __user *const attr_ptr,
const size_t attr_size)
+{
struct landlock_attr_path_beneath attr_path_beneath;
struct path path;
struct landlock_ruleset *ruleset;
int err;
Similarly, it looks like this wants to be
SYSCALL_DEFINE3(landlock_add_rule_path_beneath, int, ruleset, int, path, __u32, flags)
I don't see any need to extend this in a way that wouldn't already be served better by adding another system call. You might argue that 'flags' and 'allowed_access' could be separate, with the latter being an indirect in/out argument here, like
SYSCALL_DEFINE4(landlock_add_rule_path_beneath, int, ruleset, int, path, __u64 *, allowed_acces, __u32, flags)
To avoid adding a new syscall for each new rule type (e.g. path_beneath, path_range, net_ipv4_range, etc.), I think it would be better to keep the attr_ptr/attr_size pattern and to explicitely set a dedicated option flag to specify the attr type.
This would look like this: SYSCALL_DEFINE4(landlock_add_rule, __u32, options, int, ruleset, const void __user *, rule_ptr, size_t, rule_size);
The rule_ptr could then point to multiple types like struct landlock_attr_path_beneath (without the current ruleset_fd field).
This again introduces variable-sized structured data. How many different kinds of rule types do you think there will be (most likely, and maybe an upper bound)?
I don't know how many rule types will come, but right now I think it may be less than 10.
Ok,
Could (some of) these be generalized to use the same data structure?
I don't think so, file path and network addresses are an example of very different types.
Clearly the target object is something different, but maybe there is enough commonality to still make them fit into a more regular form.
For the file system case, you have an identify for an object (the file descriptor) and the '__u64 allowed_access'. I would expect that the 'allowed_access' concept is generic enough that you can make it a direct argument (32 bit register arg, or pointer to a __u64). Do you expect others to need something besides an object identifier and a permission bitmask? Maybe it could be something like
SYSCALL_DEFINE4(landlock_add_rule, int, ruleset, __u32, options, const void __user *, object, const __u64 __user *, allowed_access, __u32, flags);
with a fixed-length 'object' identifier type (file descriptor, sockaddr_storage, ...) for each option.
Arnd
On 09/07/2020 19:47, Christian Brauner wrote:
On Thu, Jul 09, 2020 at 07:26:18PM +0200, Arnd Bergmann wrote:
On Wed, Jul 8, 2020 at 7:50 PM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 15:49, Arnd Bergmann wrote:
On Wed, Jul 8, 2020 at 3:04 PM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 10:57, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
It looks like all you need here today is a single argument bit, plus possibly some room for extensibility. I would suggest removing all the extra bits and using a syscall like
SYSCALL_DEFINE1(landlock_create_ruleset, u32, flags);
I don't really see how this needs any variable-length arguments, it really doesn't do much.
We need the attr_ptr/attr_size pattern because the number of ruleset properties will increase (e.g. network access mask).
But how many bits do you think you will *actually* need in total that this needs to be a two-dimensional set of flags? At the moment you only have a single bit that you interpret.
I think there is a misunderstanding. For this syscall I wasn't talking about the "options" field but about the "handled_access_fs" field which has 14 bits dedicated to control access to the file system: https://landlock.io/linux-doc/landlock-v19/security/landlock/user.html#files...
Ok, got it. I didn't read far enough there.
The idea is to add other handled_access_* fields for other kernel object types (e.g. network, process, etc.).
The "options" field is fine as a raw __u32 syscall argument.
I'd still like to avoid having it variable-length and structured though. How about having a __u32 "options" flag, plus an indirect argument with 32 fixed-length (all 32 bit or all 64 bit) flag words, each of which corresponds to one of the option bits?
It's still fairly complex that way, but not as much as the version you have right now that can be extended in multiple dimensions.
It seems simpler at first glance, but I prefer to follow the same implementation as clone3(2) and openat2(2) because it is the same (generic) struct argument parsing, which may then be handled by seccomp and others, while adding a variable struct size depending on some flags seems more complex to handle correctly and error-prone.
This could possibly also help avoid the need for the get_features
What is this fresh hell again, please?
As explained in the commit message, this command/syscall enables to get the Landlock supported features (i.e. option flags, commands, etc.), which is required for backward and forward compatibility, and best-effort security, while having strict kernel errors when encountering unknown features. Cf. https://landlock.io/linux-doc/landlock-v19/security/landlock/user.html See the following arguments.
syscall: If user space just passes the bitmap of all the access flags it wants to use in a fixed-size structure, the kernel can update the bits to mask out the ones it does not understand and write back that bitmap as the result of create_ruleset().
To be on the safe side, you might split up the flags into either the upper/lower 16 bits or two u32 arguments, to allow both compatible (ignored by older kernels if flag is set) and incompatible (return error when an unknown flag is set) bits.
This may be a good idea in general, but in the case of Landlock, because this kind of (discretionary) sandboxing should be a best-effort security feature, we should avoid incompatible behavior. In practice, every unknown bit returns an error because userland can probe for available bits thanks to the get_features command. This kind of (in)compatibility can then be handled by userland.
If there are not going to be incompatible extensions, then just ignore all unknown bits and never return an error but get rid of the user space probing that just complicates the interface.
There was multiple discussions about ABI compatibility, especially inspired by open(2) vs. openat2(2), and ignoring flags seems to be a bad idea. In the "sandboxer" example, we first probe the supported features and then mask unknown bits (i.e. access rights) at run time in userland. This strategy is quite straightforward, backward compatible and future-proof.
For behavior changing flags, I agree they should be seen as incompatible flags (i.e. return an error if an unknown bit is set).
However, for the flags you pass in in an allowlist, treating them as compatible (i.e. ignore any unknown flags, allowing everything you are not forbidding already) seems completely reasonable to me. Do you foresee user space doing anything other than masking out the bits that the kernel doesn't know about? If not, then doing it in the kernel should always be simpler.
There is some use cases where userspace would benefit from this:
Because of backward and forward compatibility, one important case is for common usage libraries, to help and encourage developers to not ignore all security features if some are missing. Indeed, if from the start we have get_features(), userland logic will be able to leverage it to seamlessly enforce access-controls as much as possible whatever is the running kernel.
For userland, being able to not trigger kernel errors (because userland knows what is supported) enables to log them as real anomalies, which can then help for debugging and understanding issues.
Landlock may also be combined with seccomp, but with different filters according to the number of features the running kernel supports (e.g. an app could filter some syscalls if they can't be restricted by the running kernel through Landlock). Another point is that while seccomp could be used as an alternative for some missing access-control from Landlock, using seccomp for this could have a different impact on performances (i.e. running BPF filters for each syscalls vs. controlling access to kernel objects).
Another use case is that a system integrator should be aware that some security features required by applications are not available. This may be implemented as logging some warnings, or displaying the supported security features as Chromium does (i.e. chrome://sandbox/).
This is also useful for (self)tests to ensure that a specific security feature works as intended.
To sum up, get_features() and the strict kernel error codes enable application developers to have a contract with the kernel. Multiple use-cases can then be managed in userspace.
I suggest this syscall signature: SYSCALL_DEFINE3(landlock_create_ruleset, __u32, options, const struct landlock_attr_ruleset __user *, ruleset_ptr, size_t, ruleset_size);
The other problem here is that indirect variable-size structured arguments are a pain to instrument with things like strace or seccomp, so you should first try to use a fixed argument list, and fall back to a fixed structure if that fails.
I agree that it is not perfect with the current tools but this kind of extensible structs are becoming common and well defined (e.g. openat2). Moreover there is some work going on for seccomp to support "extensible argument" syscalls: https://lwn.net/Articles/822256/
openat2() is already more complex than we'd ideally want, I think we should try hard to make new syscalls simpler than that, following the rule that any interface should be as simple as possible, but no simpler.
Extensible structs are targeted at system calls that are either known to grow a lot of features or we already have prior versions that have accumulated quite a lot of features or that by their nature need to be more complex. openat2() is not really complex per se (At least not yet. It will likely grow quite a bit in the future...). The kernel now has infrastructure since clone3() and later generalized with openat2() and is well-equipped with a consistent api to deal with such syscalls so I don't see how this is really an issue in the first place. Yes, syscalls should be kept as simple as possible but we don't need to lock us into a "structs as arguments" are inherently bad mindset. That will also cause us to end up with crappy syscalls that are awkward to use for userspace. (Second-level pointers is a whole different issue of course.)
I agree.
(Arnd, you should also note that we're giving a talk at kernel summit about new syscall conventions and I'm syncing with Florian who'll be talking about the userspace side and requirements of this.)
Good! What do you think about these 4 new Landlock syscalls?
Christian
> +static int syscall_add_rule_path_beneath(const void __user *const attr_ptr, > + const size_t attr_size) > +{ > + struct landlock_attr_path_beneath attr_path_beneath; > + struct path path; > + struct landlock_ruleset *ruleset; > + int err;
Similarly, it looks like this wants to be
SYSCALL_DEFINE3(landlock_add_rule_path_beneath, int, ruleset, int, path, __u32, flags)
I don't see any need to extend this in a way that wouldn't already be served better by adding another system call. You might argue that 'flags' and 'allowed_access' could be separate, with the latter being an indirect in/out argument here, like
SYSCALL_DEFINE4(landlock_add_rule_path_beneath, int, ruleset, int, path, __u64 *, allowed_acces, __u32, flags)
To avoid adding a new syscall for each new rule type (e.g. path_beneath, path_range, net_ipv4_range, etc.), I think it would be better to keep the attr_ptr/attr_size pattern and to explicitely set a dedicated option flag to specify the attr type.
This would look like this: SYSCALL_DEFINE4(landlock_add_rule, __u32, options, int, ruleset, const void __user *, rule_ptr, size_t, rule_size);
The rule_ptr could then point to multiple types like struct landlock_attr_path_beneath (without the current ruleset_fd field).
This again introduces variable-sized structured data. How many different kinds of rule types do you think there will be (most likely, and maybe an upper bound)?
I don't know how many rule types will come, but right now I think it may be less than 10.
Ok,
Could (some of) these be generalized to use the same data structure?
I don't think so, file path and network addresses are an example of very different types.
Clearly the target object is something different, but maybe there is enough commonality to still make them fit into a more regular form.
Because they don't exist yet, it seems risky to assume that they could fit into a common form.
For the file system case, you have an identify for an object (the file descriptor) and the '__u64 allowed_access'. I would expect that the 'allowed_access' concept is generic enough that you can make it a direct argument (32 bit register arg, or pointer to a __u64). Do you expect others to need something besides an object identifier and a permission bitmask?
Yes, a file descriptor (i.e. parent_fd) may not make sense to identify every rule types. For example, it does not help to identify a network subnet.
Even if it may be "shared", the allowed_access semantic depends on the object type. It should also remain a 64-bits value to hold enough access rights. I think it is more consistent, safer, and simpler to keep it in the same pointed struct.
Maybe it could be something like
SYSCALL_DEFINE4(landlock_add_rule, int, ruleset, __u32, options, const void __user *, object, const __u64 __user *, allowed_access, __u32, flags);
with a fixed-length 'object' identifier type (file descriptor, sockaddr_storage, ...) for each option.
This would freeze the pointed struct to a fixed size, which may lead to redundant struct parsing in the kernel. For example, the current extended struct enables to extend struct landlock_attr_path_beneath with a "path" field, which could have the same usage as in openat(2) to avoid multiple calls to open(2) and close(2) to add new paths. If we have a fixed-size struct, adding such field would require to create a new type and I think it would make the kernel code more complex.
The "options" and "flags" seems confusing. For optional future flags, I think that the name "options" is more explicit than "flags". What about an "options" (set to zero for now) and a "rule_type" field to clearly differentiate the rule type identifier (and use an enum)? This would look like this: SYSCALL_DEFINE5(landlock_add_rule, int, ruleset, __u32, options, __u32, rule_type, const void __user *, rule_ptr, size_t, rule_size);
Wire up the landlock() system call for all architectures.
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: Arnd Bergmann arnd@arndb.de Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v18: * Increase the syscall number because of the new faccessat2(2).
Changes since v14: * Add all architectures.
Changes since v13: * New implementation. --- arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/arm/tools/syscall.tbl | 1 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 2 ++ arch/ia64/kernel/syscalls/syscall.tbl | 1 + arch/m68k/kernel/syscalls/syscall.tbl | 1 + arch/microblaze/kernel/syscalls/syscall.tbl | 1 + arch/mips/kernel/syscalls/syscall_n32.tbl | 1 + arch/mips/kernel/syscalls/syscall_n64.tbl | 1 + arch/mips/kernel/syscalls/syscall_o32.tbl | 1 + arch/parisc/kernel/syscalls/syscall.tbl | 1 + arch/powerpc/kernel/syscalls/syscall.tbl | 1 + arch/s390/kernel/syscalls/syscall.tbl | 1 + arch/sh/kernel/syscalls/syscall.tbl | 1 + arch/sparc/kernel/syscalls/syscall.tbl | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/xtensa/kernel/syscalls/syscall.tbl | 1 + include/uapi/asm-generic/unistd.h | 4 +++- 19 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl index 5ddd128d4b7a..f11e690e0419 100644 --- a/arch/alpha/kernel/syscalls/syscall.tbl +++ b/arch/alpha/kernel/syscalls/syscall.tbl @@ -478,3 +478,4 @@ 547 common openat2 sys_openat2 548 common pidfd_getfd sys_pidfd_getfd 549 common faccessat2 sys_faccessat2 +550 common landlock sys_landlock diff --git a/arch/arm/tools/syscall.tbl b/arch/arm/tools/syscall.tbl index d5cae5ffede0..1ebac2411785 100644 --- a/arch/arm/tools/syscall.tbl +++ b/arch/arm/tools/syscall.tbl @@ -452,3 +452,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h index 3b859596840d..b3b2019f8d16 100644 --- a/arch/arm64/include/asm/unistd.h +++ b/arch/arm64/include/asm/unistd.h @@ -38,7 +38,7 @@ #define __ARM_NR_compat_set_tls (__ARM_NR_COMPAT_BASE + 5) #define __ARM_NR_COMPAT_END (__ARM_NR_COMPAT_BASE + 0x800)
-#define __NR_compat_syscalls 440 +#define __NR_compat_syscalls 441 #endif
#define __ARCH_WANT_SYS_CLONE diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h index 6d95d0c8bf2f..083f7994d924 100644 --- a/arch/arm64/include/asm/unistd32.h +++ b/arch/arm64/include/asm/unistd32.h @@ -885,6 +885,8 @@ __SYSCALL(__NR_openat2, sys_openat2) __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) #define __NR_faccessat2 439 __SYSCALL(__NR_faccessat2, sys_faccessat2) +#define __NR_landlock 440 +__SYSCALL(__NR_landlock, sys_landlock)
/* * Please add new compat syscalls above this comment and update diff --git a/arch/ia64/kernel/syscalls/syscall.tbl b/arch/ia64/kernel/syscalls/syscall.tbl index 49e325b604b3..210692084aff 100644 --- a/arch/ia64/kernel/syscalls/syscall.tbl +++ b/arch/ia64/kernel/syscalls/syscall.tbl @@ -359,3 +359,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/arch/m68k/kernel/syscalls/syscall.tbl b/arch/m68k/kernel/syscalls/syscall.tbl index f71b1bbcc198..31ed52871053 100644 --- a/arch/m68k/kernel/syscalls/syscall.tbl +++ b/arch/m68k/kernel/syscalls/syscall.tbl @@ -438,3 +438,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/arch/microblaze/kernel/syscalls/syscall.tbl b/arch/microblaze/kernel/syscalls/syscall.tbl index edacc4561f2b..56a1d49884a5 100644 --- a/arch/microblaze/kernel/syscalls/syscall.tbl +++ b/arch/microblaze/kernel/syscalls/syscall.tbl @@ -444,3 +444,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl index f777141f5256..37457511334a 100644 --- a/arch/mips/kernel/syscalls/syscall_n32.tbl +++ b/arch/mips/kernel/syscalls/syscall_n32.tbl @@ -377,3 +377,4 @@ 437 n32 openat2 sys_openat2 438 n32 pidfd_getfd sys_pidfd_getfd 439 n32 faccessat2 sys_faccessat2 +440 n32 landlock sys_landlock diff --git a/arch/mips/kernel/syscalls/syscall_n64.tbl b/arch/mips/kernel/syscalls/syscall_n64.tbl index da8c76394e17..0c68b01f47d2 100644 --- a/arch/mips/kernel/syscalls/syscall_n64.tbl +++ b/arch/mips/kernel/syscalls/syscall_n64.tbl @@ -353,3 +353,4 @@ 437 n64 openat2 sys_openat2 438 n64 pidfd_getfd sys_pidfd_getfd 439 n64 faccessat2 sys_faccessat2 +440 n64 landlock sys_landlock diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl index 13280625d312..7e4ba2c41f8c 100644 --- a/arch/mips/kernel/syscalls/syscall_o32.tbl +++ b/arch/mips/kernel/syscalls/syscall_o32.tbl @@ -426,3 +426,4 @@ 437 o32 openat2 sys_openat2 438 o32 pidfd_getfd sys_pidfd_getfd 439 o32 faccessat2 sys_faccessat2 +440 o32 landlock sys_landlock diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl index 5a758fa6ec52..40d14e1480cb 100644 --- a/arch/parisc/kernel/syscalls/syscall.tbl +++ b/arch/parisc/kernel/syscalls/syscall.tbl @@ -436,3 +436,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl index f833a3190822..1615462665e1 100644 --- a/arch/powerpc/kernel/syscalls/syscall.tbl +++ b/arch/powerpc/kernel/syscalls/syscall.tbl @@ -528,3 +528,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl index bfdcb7633957..5f0835738e90 100644 --- a/arch/s390/kernel/syscalls/syscall.tbl +++ b/arch/s390/kernel/syscalls/syscall.tbl @@ -441,3 +441,4 @@ 437 common openat2 sys_openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 sys_faccessat2 +440 common landlock sys_landlock sys_landlock diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl index acc35daa1b79..6e7414763f10 100644 --- a/arch/sh/kernel/syscalls/syscall.tbl +++ b/arch/sh/kernel/syscalls/syscall.tbl @@ -441,3 +441,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl index 8004a276cb74..b9996e1f70f0 100644 --- a/arch/sparc/kernel/syscalls/syscall.tbl +++ b/arch/sparc/kernel/syscalls/syscall.tbl @@ -484,3 +484,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index d8f8a1a69ed1..1673c287f2e6 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -443,3 +443,4 @@ 437 i386 openat2 sys_openat2 438 i386 pidfd_getfd sys_pidfd_getfd 439 i386 faccessat2 sys_faccessat2 +440 i386 landlock sys_landlock diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl index 78847b32e137..b3bae66a2c7c 100644 --- a/arch/x86/entry/syscalls/syscall_64.tbl +++ b/arch/x86/entry/syscalls/syscall_64.tbl @@ -360,6 +360,7 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock
# # x32-specific system call numbers start at 512 to avoid cache impact diff --git a/arch/xtensa/kernel/syscalls/syscall.tbl b/arch/xtensa/kernel/syscalls/syscall.tbl index 69d0d73876b3..ea0f0b186e8e 100644 --- a/arch/xtensa/kernel/syscalls/syscall.tbl +++ b/arch/xtensa/kernel/syscalls/syscall.tbl @@ -409,3 +409,4 @@ 437 common openat2 sys_openat2 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 +440 common landlock sys_landlock diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index f4a01305d9a6..a63a411a74d5 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -857,9 +857,11 @@ __SYSCALL(__NR_openat2, sys_openat2) __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) #define __NR_faccessat2 439 __SYSCALL(__NR_faccessat2, sys_faccessat2) +#define __NR_landlock 440 +__SYSCALL(__NR_landlock, sys_landlock)
#undef __NR_syscalls -#define __NR_syscalls 440 +#define __NR_syscalls 441
/* * 32 bit systems traditionally used different
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
index f4a01305d9a6..a63a411a74d5 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -857,9 +857,11 @@ __SYSCALL(__NR_openat2, sys_openat2) __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) #define __NR_faccessat2 439 __SYSCALL(__NR_faccessat2, sys_faccessat2) +#define __NR_landlock 440 +__SYSCALL(__NR_landlock, sys_landlock)
#undef __NR_syscalls -#define __NR_syscalls 440 +#define __NR_syscalls 441
In linux-next, we already have:
+#define __NR_watch_mount 440 +#define __NR_watch_sb 441 +#define __NR_fsinfo 442 +#define __NR_process_madvise 443
You may want to increase the number again.
Arnd
On 08/07/2020 09:22, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
index f4a01305d9a6..a63a411a74d5 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -857,9 +857,11 @@ __SYSCALL(__NR_openat2, sys_openat2) __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) #define __NR_faccessat2 439 __SYSCALL(__NR_faccessat2, sys_faccessat2) +#define __NR_landlock 440 +__SYSCALL(__NR_landlock, sys_landlock)
#undef __NR_syscalls -#define __NR_syscalls 440 +#define __NR_syscalls 441
In linux-next, we already have:
+#define __NR_watch_mount 440 +#define __NR_watch_sb 441 +#define __NR_fsinfo 442 +#define __NR_process_madvise 443
You may want to increase the number again.
Arnd
OK, I'll rebase the next series on linux-next. Do you know if there is other syscalls on their way to linux-next?
Are the other parts of arch/syscall OK for you?
On Wed, Jul 8, 2020 at 9:31 AM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 09:22, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
index f4a01305d9a6..a63a411a74d5 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h
OK, I'll rebase the next series on linux-next.
Just change the number to the next free one, without actually rebasing. It's always a bit messy to have multiple syscalls added, but I think that causes the least confusion.
Do you know if there is other syscalls on their way to linux-next?
None that I'm aware of.
Are the other parts of arch/syscall OK for you?
The arch/* and include/uapi/asm-generic changes look ok to me. I'll reply to the syscall implementation separately/
Arnd
On 08/07/2020 09:47, Arnd Bergmann wrote:
On Wed, Jul 8, 2020 at 9:31 AM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 09:22, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
index f4a01305d9a6..a63a411a74d5 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h
OK, I'll rebase the next series on linux-next.
Just change the number to the next free one, without actually rebasing. It's always a bit messy to have multiple syscalls added, but I think that causes the least confusion.
OK, but this will lead to two merge conflicts: patch 8 (asmlinkage) and patch 9 (tbl files).
Do you want me to update the tools/perf/arch/*.tbl too?
On Wed, Jul 8, 2020 at 10:23 AM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 09:47, Arnd Bergmann wrote:
On Wed, Jul 8, 2020 at 9:31 AM Mickaël Salaün mic@digikod.net wrote:
On 08/07/2020 09:22, Arnd Bergmann wrote:
On Tue, Jul 7, 2020 at 8:10 PM Mickaël Salaün mic@digikod.net wrote:
index f4a01305d9a6..a63a411a74d5 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h
OK, I'll rebase the next series on linux-next.
Just change the number to the next free one, without actually rebasing. It's always a bit messy to have multiple syscalls added, but I think that causes the least confusion.
OK, but this will lead to two merge conflicts: patch 8 (asmlinkage) and patch 9 (tbl files).
Yes, there isn't really much one can do about that.
Do you want me to update the tools/perf/arch/*.tbl too?
No, I would leave them unchanged.
Arnd
Test landlock syscall, ptrace hooks semantic and filesystem access-control.
Test coverage for security/landlock/ is 93.6% of lines. The code not covered only deals with internal kernel errors (e.g. memory allocation) and race conditions.
Signed-off-by: Mickaël Salaün mic@digikod.net Reviewed-by: Vincent Dagonneau vincent.dagonneau@ssi.gouv.fr Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com Cc: Shuah Khan shuah@kernel.org ---
Changes since v18: * Replace ruleset_rw.inval with layout1.inval to avoid inexistent test layout. * Use the new FIXTURE_VARIANT for ptrace_test: makes the tests more readable and usable. * Add ARRAY_SIZE() macro to please checkpatch.
Changes since v17: * Add new test for mknod with a zero mode. * Use memset(3) to initialize attr_features in base_test.
Changes since v16: * Add new unpriv_enforce_without_no_new_privs test: check that ruleset enforcing is forbiden without no_new_privs and CAP_SYS_ADMIN. * Drop capabilities when useful. * Check the new size_attr_features field from struct landlock_attr_features. * Update the empty_or_same_ruleset test to check complementary empty ruleset. * Update base_test according to the new attribute structures and fix the inconsistent_attr test accordingly. * Switch syscall attribute pointer and size arguments. * Rename test files with a "_test" suffix.
Changes since v14: * Add new tests: - superset: check new layer bitmask. - max_layers: check maximum number of layers. - release_inodes: check that umount work well. - empty_or_same_ruleset. - inconsistent_attr: checks copy_to_user limits. - in ruleset_rw.inval to check ruleset FD. - proc_unlinked_file: check file access through /proc/self/fd . - file_access_rights: check that a file can only get consistent access rights. - unpriv: check that NO_NEW_PRIVS or CAP_SYS_ADMIN is required. - check pipe access through /proc/self/fd . - check move_mount(2). - check ruleset file descriptor properties. - proc_nsfs: extend to check that internal filesystems (e.g. nsfs) are allowed. * Double-check read and write effective actions. * Fix potential desynchronization between the kernel sources and installed headers by overriding the build step in the Makefile. This also enable to build with Clang. * Add two files in the test directories (for link test and rename test). * Remove test for ruleset's show_fdinfo(). * Replace EBADR with EBADFD. * Update tests accordingly to the changes of rename and link rights. * Fix (now) illegal access rights tied to files. * Update rename and link tests. * Remove superfluous '\n' in TH_LOG() calls. * Make assert calls consistent and readable. * Fix the execute test. * Make tests future-proof. * Cosmetic fixes.
Changes since v14: * Add new tests: - Compatibility: empty_attr_{ruleset,path_beneath,enforce} to check minimal attr size. - Access types: link_to, rename_from, rename_to, rmdir, unlink, make_char, make_block, make_reg, make_sock, make_fifo, make_sym, make_dir, chroot, execute. - Test privilege escalation prevention by enforcing a nested rule, on a parent directory, with less restrictions than one on a child directory. - Test for empty and more than 32-bits allowed_access * Merge the two test mount hierarchies. * Complete relative path tests by combining chdir and chroot. * Adjust tests: - Remove the layout1/extend_ruleset_with_denied_path test. - Extend layout1/whitelist test with checks on file. - Add and use create_dir_and_file(). * Only use read/write checks but not stat(2) for tests. * Rename test.h to common.h and improve it. * Rename path name to make them more consistent, easy to understand and make them in a common directory. * Make create_ruleset() more generic. * Constify variables. * Re-add static global variables. * Remove useless openat(2). * Fix and complete kernel config. * Set umask and clean up file modes. * Clean up open flags. * Improve Makefile. * Fix spelling. * Improve comments and error messages.
Changes since v13: * Add back the filesystem tests (from v10) and extend them. * Add tests for the new syscall.
Previous changes: https://lore.kernel.org/lkml/20191104172146.30797-7-mic@digikod.net/ --- tools/testing/selftests/Makefile | 1 + tools/testing/selftests/landlock/.gitignore | 2 + tools/testing/selftests/landlock/Makefile | 29 + tools/testing/selftests/landlock/base_test.c | 163 ++ tools/testing/selftests/landlock/common.h | 93 + tools/testing/selftests/landlock/config | 5 + tools/testing/selftests/landlock/fs_test.c | 1740 +++++++++++++++++ .../testing/selftests/landlock/ptrace_test.c | 321 +++ tools/testing/selftests/landlock/true.c | 5 + 9 files changed, 2359 insertions(+) create mode 100644 tools/testing/selftests/landlock/.gitignore create mode 100644 tools/testing/selftests/landlock/Makefile create mode 100644 tools/testing/selftests/landlock/base_test.c create mode 100644 tools/testing/selftests/landlock/common.h create mode 100644 tools/testing/selftests/landlock/config create mode 100644 tools/testing/selftests/landlock/fs_test.c create mode 100644 tools/testing/selftests/landlock/ptrace_test.c create mode 100644 tools/testing/selftests/landlock/true.c
diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 1195bd85af38..25f00c514cc1 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -24,6 +24,7 @@ TARGETS += ir TARGETS += kcmp TARGETS += kexec TARGETS += kvm +TARGETS += landlock TARGETS += lib TARGETS += livepatch TARGETS += lkdtm diff --git a/tools/testing/selftests/landlock/.gitignore b/tools/testing/selftests/landlock/.gitignore new file mode 100644 index 000000000000..470203a7cd73 --- /dev/null +++ b/tools/testing/selftests/landlock/.gitignore @@ -0,0 +1,2 @@ +/*_test +/true diff --git a/tools/testing/selftests/landlock/Makefile b/tools/testing/selftests/landlock/Makefile new file mode 100644 index 000000000000..d29bd0804c14 --- /dev/null +++ b/tools/testing/selftests/landlock/Makefile @@ -0,0 +1,29 @@ +# SPDX-License-Identifier: GPL-2.0 + +src_test := $(wildcard *_test.c) + +TEST_GEN_PROGS := $(src_test:.c=) + +TEST_GEN_PROGS_EXTENDED := true + +KSFT_KHDR_INSTALL := 1 +OVERRIDE_TARGETS := 1 +include ../lib.mk + +# Cf. tools/testing/selftests/arm64/Makefile +ifeq ($(KBUILD_OUTPUT),) +khdr_dir = $(top_srcdir)/usr/include +else +khdr_dir = $(KBUILD_OUTPUT)/kselftest/usr/include +endif + +CFLAGS += -Wall -O2 + +$(khdr_dir)/linux/landlock.h: khdr + @: + +$(OUTPUT)/true: true.c + $(LINK.c) $< $(LDLIBS) -o $@ -static + +$(OUTPUT)/%_test: %_test.c $(khdr_dir)/linux/landlock.h ../kselftest_harness.h common.h + $(LINK.c) $< $(LDLIBS) -o $@ -lcap -I$(khdr_dir) diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c new file mode 100644 index 000000000000..f6bc8d6419f8 --- /dev/null +++ b/tools/testing/selftests/landlock/base_test.c @@ -0,0 +1,163 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Landlock tests - Common user space base + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2019-2020 ANSSI + */ + +#define _GNU_SOURCE +#include <errno.h> +#include <fcntl.h> +#include <linux/landlock.h> +#include <string.h> +#include <sys/prctl.h> + +#include "common.h" + +#ifndef O_PATH +#define O_PATH 010000000 +#endif + +TEST(features) +{ + struct landlock_attr_features attr_features; + + /* Tests that all fields are properly initialized. */ + memset(&attr_features, 0xff, sizeof(attr_features)); + ASSERT_EQ(0, landlock(LANDLOCK_CMD_GET_FEATURES, + LANDLOCK_OPT_GET_FEATURES, + &attr_features, sizeof(attr_features))); + ASSERT_EQ(((LANDLOCK_OPT_GET_FEATURES << 1) - 1), + attr_features.options_get_features); + ASSERT_EQ(((LANDLOCK_OPT_CREATE_RULESET << 1) - 1), + attr_features.options_create_ruleset); + ASSERT_EQ(((LANDLOCK_OPT_ADD_RULE_PATH_BENEATH << 1) - 1), + attr_features.options_add_rule); + ASSERT_EQ(((LANDLOCK_OPT_ENFORCE_RULESET << 1) - 1), + attr_features.options_enforce_ruleset); + ASSERT_EQ(sizeof(struct landlock_attr_features), + attr_features.size_attr_features); + ASSERT_EQ(sizeof(struct landlock_attr_ruleset), + attr_features.size_attr_ruleset); + ASSERT_EQ(sizeof(struct landlock_attr_path_beneath), + attr_features.size_attr_path_beneath); + ASSERT_EQ(sizeof(struct landlock_attr_enforce), + attr_features.size_attr_enforce); + ASSERT_EQ(((LANDLOCK_ACCESS_FS_MAKE_SYM << 1) - 1), + attr_features.access_fs); +} + +TEST(inconsistent_attr) { + const long page_size = sysconf(_SC_PAGESIZE); + char *buf = malloc(page_size + 1); + + /* Checks copy_from_user(). */ + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, buf, 0)); + /* The size if less than sizeof(struct landlock_attr_enforce). */ + ASSERT_EQ(EINVAL, errno); + + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, NULL, 1)); + /* The size if less than sizeof(struct landlock_attr_enforce). */ + ASSERT_EQ(EINVAL, errno); + + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, + NULL, sizeof(struct landlock_attr_ruleset))); + ASSERT_EQ(EFAULT, errno); + + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, buf, page_size + 1)); + ASSERT_EQ(E2BIG, errno); + + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, buf, page_size)); + ASSERT_EQ(ENOMSG, errno); + + /* Checks non-zero value. */ + buf[page_size - 2] = '.'; + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, buf, page_size)); + ASSERT_EQ(E2BIG, errno); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, buf, page_size + 1)); + ASSERT_EQ(E2BIG, errno); + + /* Checks copy_to_user(). */ + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_GET_FEATURES, + LANDLOCK_OPT_GET_FEATURES, NULL, 0)); + ASSERT_EQ(ENODATA, errno); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_GET_FEATURES, + LANDLOCK_OPT_GET_FEATURES, buf, 0)); + ASSERT_EQ(ENODATA, errno); + ASSERT_EQ(0, landlock(LANDLOCK_CMD_GET_FEATURES, + LANDLOCK_OPT_GET_FEATURES, buf, 1)); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_GET_FEATURES, + LANDLOCK_OPT_GET_FEATURES, buf, page_size + 1)); + ASSERT_EQ(E2BIG, errno); + ASSERT_EQ('.', buf[page_size - 2]); + ASSERT_EQ(0, landlock(LANDLOCK_CMD_GET_FEATURES, + LANDLOCK_OPT_GET_FEATURES, buf, page_size)); + ASSERT_EQ('\0', buf[page_size - 2]); + + free(buf); +} + +TEST(empty_attr_ruleset) { + /* Similar to struct landlock_attr_ruleset.handled_access_fs = 0 */ + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, NULL, 0)); + ASSERT_EQ(EINVAL, errno); +} + +TEST(empty_attr_path_beneath) { + /* Similar to struct landlock_attr_path_beneath.*_fd = 0 */ + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, NULL, 0)); + ASSERT_EQ(EINVAL, errno); +} + +TEST(empty_attr_enforce) { + ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); + + /* Similar to struct landlock_attr_enforce.ruleset_fd = 0 */ + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ENFORCE_RULESET, + LANDLOCK_OPT_ENFORCE_RULESET, NULL, 0)); + ASSERT_EQ(EINVAL, errno); +} + +TEST(unpriv_enforce_without_no_new_privs) { + int err; + + disable_caps(_metadata); + err = landlock(LANDLOCK_CMD_ENFORCE_RULESET, + LANDLOCK_OPT_ENFORCE_RULESET, NULL, 0); + ASSERT_EQ(errno, EPERM); + ASSERT_EQ(err, -1); +} + +TEST(ruleset_fd) +{ + struct landlock_attr_ruleset attr_ruleset = { + .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, + }; + int ruleset_fd; + char buf; + + disable_caps(_metadata); + ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, &attr_ruleset, + sizeof(attr_ruleset)); + ASSERT_LE(0, ruleset_fd); + + ASSERT_EQ(-1, write(ruleset_fd, ".", 1)); + ASSERT_EQ(EINVAL, errno); + ASSERT_EQ(-1, read(ruleset_fd, &buf, 1)); + ASSERT_EQ(EINVAL, errno); + + ASSERT_EQ(0, close(ruleset_fd)); +} + +TEST_HARNESS_MAIN diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h new file mode 100644 index 000000000000..f5459ab85cfd --- /dev/null +++ b/tools/testing/selftests/landlock/common.h @@ -0,0 +1,93 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Landlock test helpers + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2019-2020 ANSSI + */ + +#include <errno.h> +#include <linux/landlock.h> +#include <sys/capability.h> +#include <sys/syscall.h> + +#include "../kselftest_harness.h" + +#ifndef ARRAY_SIZE +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) +#endif + +#ifndef landlock +static inline int landlock(const unsigned int command, + const unsigned int options, + void *const attr_ptr, const size_t attr_size) +{ + errno = 0; + return syscall(__NR_landlock, command, options, attr_ptr, attr_size, + NULL, 0); +} +#endif + +static void disable_caps(struct __test_metadata *const _metadata) +{ + cap_t cap_p; + /* Only these two capabilities are useful for the tests. */ + const cap_value_t caps[] = { + CAP_MKNOD, + CAP_SYS_ADMIN, + CAP_SYS_CHROOT, + }; + + cap_p = cap_get_proc(); + ASSERT_NE(NULL, cap_p) { + TH_LOG("Failed to cap_get_proc: %s", strerror(errno)); + } + ASSERT_NE(-1, cap_clear(cap_p)) { + TH_LOG("Failed to cap_clear: %s", strerror(errno)); + } + ASSERT_NE(-1, cap_set_flag(cap_p, CAP_PERMITTED, ARRAY_SIZE(caps), + caps, CAP_SET)) { + TH_LOG("Failed to cap_set_flag: %s", strerror(errno)); + } + ASSERT_NE(-1, cap_set_proc(cap_p)) { + TH_LOG("Failed to cap_set_proc: %s", strerror(errno)); + } + ASSERT_NE(-1, cap_free(cap_p)) { + TH_LOG("Failed to cap_free: %s", strerror(errno)); + } +} + +static void effective_cap(struct __test_metadata *const _metadata, + const cap_value_t caps, const cap_flag_value_t value) +{ + cap_t cap_p; + + cap_p = cap_get_proc(); + ASSERT_NE(NULL, cap_p) { + TH_LOG("Failed to cap_get_proc: %s", strerror(errno)); + } + ASSERT_NE(-1, cap_set_flag(cap_p, CAP_EFFECTIVE, 1, &caps, value)) { + TH_LOG("Failed to cap_set_flag: %s", strerror(errno)); + } + ASSERT_NE(-1, cap_set_proc(cap_p)) { + TH_LOG("Failed to cap_set_proc: %s", strerror(errno)); + } + ASSERT_NE(-1, cap_free(cap_p)) { + TH_LOG("Failed to cap_free: %s", strerror(errno)); + } +} + +/* We can't put such helpers in a library because of kselftest_harness.h . */ +__attribute__((__unused__)) +static void set_cap(struct __test_metadata *const _metadata, + const cap_value_t caps) +{ + effective_cap(_metadata, caps, CAP_SET); +} + +__attribute__((__unused__)) +static void clear_cap(struct __test_metadata *const _metadata, + const cap_value_t caps) +{ + effective_cap(_metadata, caps, CAP_CLEAR); +} diff --git a/tools/testing/selftests/landlock/config b/tools/testing/selftests/landlock/config new file mode 100644 index 000000000000..042298105821 --- /dev/null +++ b/tools/testing/selftests/landlock/config @@ -0,0 +1,5 @@ +CONFIG_SECURITY_LANDLOCK=y +CONFIG_SECURITY_PATH=y +CONFIG_SECURITY=y +CONFIG_SHMEM=y +CONFIG_TMPFS=y diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c new file mode 100644 index 000000000000..6847a6730df6 --- /dev/null +++ b/tools/testing/selftests/landlock/fs_test.c @@ -0,0 +1,1740 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Landlock tests - Filesystem + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2020 ANSSI + */ + +#define _GNU_SOURCE +#include <fcntl.h> +#include <linux/landlock.h> +#include <sched.h> +#include <string.h> +#include <sys/capability.h> +#include <sys/mount.h> +#include <sys/prctl.h> +#include <sys/sendfile.h> +#include <sys/stat.h> +#include <sys/sysmacros.h> +#include <unistd.h> + +#include "common.h" + +#define TMP_DIR "tmp/" +#define FILE_1 "file1" +#define FILE_2 "file2" +#define BINARY_PATH "./true" + +/* Paths (sibling number and depth) */ +static const char dir_s1d1[] = TMP_DIR "s1d1"; +static const char file1_s1d1[] = TMP_DIR "s1d1/" FILE_1; +static const char file2_s1d1[] = TMP_DIR "s1d1/" FILE_2; +static const char dir_s1d2[] = TMP_DIR "s1d1/s1d2"; +static const char file1_s1d2[] = TMP_DIR "s1d1/s1d2/" FILE_1; +static const char file2_s1d2[] = TMP_DIR "s1d1/s1d2/" FILE_2; +static const char dir_s1d3[] = TMP_DIR "s1d1/s1d2/s1d3"; +static const char file1_s1d3[] = TMP_DIR "s1d1/s1d2/s1d3/" FILE_1; +static const char file2_s1d3[] = TMP_DIR "s1d1/s1d2/s1d3/" FILE_2; + +static const char dir_s2d1[] = TMP_DIR "s2d1"; +static const char file1_s2d1[] = TMP_DIR "s2d1/" FILE_1; +static const char dir_s2d2[] = TMP_DIR "s2d1/s2d2"; +static const char file1_s2d2[] = TMP_DIR "s2d1/s2d2/" FILE_1; +static const char dir_s2d3[] = TMP_DIR "s2d1/s2d2/s2d3"; +static const char file1_s2d3[] = TMP_DIR "s2d1/s2d2/s2d3/" FILE_1; +static const char file2_s2d3[] = TMP_DIR "s2d1/s2d2/s2d3/" FILE_2; + +static const char dir_s3d1[] = TMP_DIR "s3d1"; +/* dir_s3d2 is a mount point. */ +static const char dir_s3d2[] = TMP_DIR "s3d1/s3d2"; +static const char dir_s3d3[] = TMP_DIR "s3d1/s3d2/s3d3"; + +static void create_dir_and_file(struct __test_metadata *const _metadata, + const char *const dir_path) +{ + int file_fd; + char *const file1_path = alloca(strlen(dir_path) + sizeof(FILE_1) + 2); + char *const file2_path = alloca(strlen(dir_path) + sizeof(FILE_2) + 2); + + strcpy(file1_path, dir_path); + strcat(file1_path, "/"); + strcat(file1_path, FILE_1); + + strcpy(file2_path, dir_path); + strcat(file2_path, "/"); + strcat(file2_path, FILE_2); + + ASSERT_EQ(0, mkdir(dir_path, 0700)) { + TH_LOG("Failed to create directory "%s": %s", dir_path, + strerror(errno)); + } + file_fd = open(file1_path, O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC, + 0700); + ASSERT_LE(0, file_fd); + ASSERT_EQ(0, close(file_fd)); + + file_fd = open(file2_path, O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC, + 0700); + ASSERT_LE(0, file_fd); + ASSERT_EQ(0, close(file_fd)); +} + +static void delete_dir_and_file(const char *const dir_path) +{ + char *const file1_path = alloca(strlen(dir_path) + + sizeof(FILE_1) + 2); + char *const file2_path = alloca(strlen(dir_path) + + sizeof(FILE_2) + 2); + + strcpy(file1_path, dir_path); + strcat(file1_path, "/"); + strcat(file1_path, FILE_1); + + strcpy(file2_path, dir_path); + strcat(file2_path, "/"); + strcat(file2_path, FILE_2); + + unlink(file1_path); + unlink(file2_path); + /* file1_path may be a directory, cf. layout1/make_directory. */ + rmdir(file1_path); + rmdir(dir_path); +} + +static void cleanup_layout1(struct __test_metadata *const _metadata) +{ + delete_dir_and_file(dir_s1d3); + delete_dir_and_file(dir_s1d2); + delete_dir_and_file(dir_s1d1); + + delete_dir_and_file(dir_s2d3); + delete_dir_and_file(dir_s2d2); + delete_dir_and_file(dir_s2d1); + + delete_dir_and_file(dir_s3d3); + set_cap(_metadata, CAP_SYS_ADMIN); + umount(dir_s3d2); + clear_cap(_metadata, CAP_SYS_ADMIN); + delete_dir_and_file(dir_s3d2); + delete_dir_and_file(dir_s3d1); + + delete_dir_and_file(TMP_DIR); +} + +FIXTURE(layout1) { +}; + +FIXTURE_SETUP(layout1) +{ + disable_caps(_metadata); + cleanup_layout1(_metadata); + + /* Do not pollute the rest of the system. */ + set_cap(_metadata, CAP_SYS_ADMIN); + ASSERT_EQ(0, unshare(CLONE_NEWNS)); + clear_cap(_metadata, CAP_SYS_ADMIN); + umask(0077); + create_dir_and_file(_metadata, TMP_DIR); + + create_dir_and_file(_metadata, dir_s1d1); + create_dir_and_file(_metadata, dir_s1d2); + create_dir_and_file(_metadata, dir_s1d3); + + create_dir_and_file(_metadata, dir_s2d1); + create_dir_and_file(_metadata, dir_s2d2); + create_dir_and_file(_metadata, dir_s2d3); + + create_dir_and_file(_metadata, dir_s3d1); + create_dir_and_file(_metadata, dir_s3d2); + set_cap(_metadata, CAP_SYS_ADMIN); + ASSERT_EQ(0, mount("tmp", dir_s3d2, "tmpfs", 0, "size=4m,mode=700")); + clear_cap(_metadata, CAP_SYS_ADMIN); + create_dir_and_file(_metadata, dir_s3d3); +} + +FIXTURE_TEARDOWN(layout1) +{ + /* + * cleanup_layout1() would be denied here, use TEST(cleanup) instead. + */ +} + +static void test_path_rel(struct __test_metadata *const _metadata, + const int dirfd, const char *const path, const int ret) +{ + int fd; + + /* Works with file and directories. */ + fd = openat(dirfd, path, O_RDONLY | O_CLOEXEC); + if (ret) { + ASSERT_EQ(-1, fd) { + TH_LOG("Successfully opened "%s": %s", path, + strerror(errno)); + } + ASSERT_EQ(EACCES, errno) { + TH_LOG("Wrong error code to open "%s": %s", path, + strerror(errno)); + } + } else { + ASSERT_LE(0, fd) { + TH_LOG("Failed to open "%s": %s", path, + strerror(errno)); + } + EXPECT_EQ(0, close(fd)); + } +} + +static void test_path(struct __test_metadata *const _metadata, + const char *const path, const int ret) +{ + return test_path_rel(_metadata, AT_FDCWD, path, ret); +} + +TEST_F(layout1, no_restriction) +{ + test_path(_metadata, dir_s1d1, 0); + test_path(_metadata, file1_s1d1, 0); + test_path(_metadata, file2_s1d1, 0); + test_path(_metadata, dir_s1d2, 0); + test_path(_metadata, file1_s1d2, 0); + test_path(_metadata, file2_s1d2, 0); + test_path(_metadata, dir_s1d3, 0); + test_path(_metadata, file1_s1d3, 0); + + test_path(_metadata, dir_s2d1, 0); + test_path(_metadata, file1_s2d1, 0); + test_path(_metadata, dir_s2d2, 0); + test_path(_metadata, file1_s2d2, 0); + test_path(_metadata, dir_s2d3, 0); + test_path(_metadata, file1_s2d3, 0); + + test_path(_metadata, dir_s3d1, 0); + test_path(_metadata, dir_s3d2, 0); + test_path(_metadata, dir_s3d3, 0); +} + +TEST_F(layout1, inval) +{ + struct landlock_attr_path_beneath path_beneath = { + .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE, + .parent_fd = -1, + }; + struct landlock_attr_ruleset attr_ruleset = { + .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE, + }; + struct landlock_attr_enforce attr_enforce = {}; + const int ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, + &attr_ruleset, sizeof(attr_ruleset)); + + ASSERT_LE(0, ruleset_fd); + path_beneath.parent_fd = open(dir_s1d2, O_PATH | O_DIRECTORY | + O_CLOEXEC); + ASSERT_LE(0, path_beneath.parent_fd); + + path_beneath.ruleset_fd = open(dir_s1d1, O_PATH | O_DIRECTORY | + O_CLOEXEC); + ASSERT_LE(0, path_beneath.ruleset_fd); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + /* Returns EBADF because ruleset_fd contains O_PATH. */ + ASSERT_EQ(EBADF, errno); + ASSERT_EQ(0, close(path_beneath.ruleset_fd)); + + path_beneath.ruleset_fd = open(dir_s1d1, O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, path_beneath.ruleset_fd); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + /* Returns EBADFD because ruleset_fd is not a valid ruleset. */ + ASSERT_EQ(EBADFD, errno); + ASSERT_EQ(0, close(path_beneath.ruleset_fd)); + + path_beneath.ruleset_fd = ruleset_fd; + ASSERT_EQ(0, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + ASSERT_EQ(0, close(path_beneath.parent_fd)); + + /* Tests without O_PATH. */ + path_beneath.parent_fd = open(dir_s1d2, O_DIRECTORY | + O_CLOEXEC); + ASSERT_LE(0, path_beneath.parent_fd); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + ASSERT_EQ(EBADFD, errno); + ASSERT_EQ(0, close(path_beneath.parent_fd)); + + /* Checks unhandled allowed_access. */ + path_beneath.parent_fd = open(dir_s1d2, O_PATH | O_DIRECTORY | + O_CLOEXEC); + ASSERT_LE(0, path_beneath.parent_fd); + + /* Test with legitimate values. */ + path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_EXECUTE; + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + ASSERT_EQ(EINVAL, errno); + path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE; + + /* Test with unknown (64-bits) value. */ + path_beneath.allowed_access |= (1ULL << 60); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + ASSERT_EQ(EINVAL, errno); + path_beneath.allowed_access &= ~(1ULL << 60); + + /* Test with no access. */ + path_beneath.allowed_access = 0; + ASSERT_EQ(0, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + path_beneath.allowed_access &= ~(1ULL << 60); + + ASSERT_EQ(0, close(path_beneath.parent_fd)); + + /* Enforces the ruleset. */ + ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); + + attr_enforce.ruleset_fd = ruleset_fd; + ASSERT_EQ(0, landlock(LANDLOCK_CMD_ENFORCE_RULESET, + LANDLOCK_OPT_ENFORCE_RULESET, &attr_enforce, + sizeof(attr_enforce))); + + ASSERT_EQ(0, close(ruleset_fd)); +} + +#define ACCESS_FILE ( \ + LANDLOCK_ACCESS_FS_EXECUTE | \ + LANDLOCK_ACCESS_FS_WRITE_FILE | \ + LANDLOCK_ACCESS_FS_READ_FILE) + +#define ACCESS_LAST LANDLOCK_ACCESS_FS_MAKE_SYM + +#define ACCESS_ALL ( \ + ACCESS_FILE | \ + LANDLOCK_ACCESS_FS_READ_DIR | \ + LANDLOCK_ACCESS_FS_CHROOT | \ + LANDLOCK_ACCESS_FS_REMOVE_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_FILE | \ + LANDLOCK_ACCESS_FS_MAKE_CHAR | \ + LANDLOCK_ACCESS_FS_MAKE_DIR | \ + LANDLOCK_ACCESS_FS_MAKE_REG | \ + LANDLOCK_ACCESS_FS_MAKE_SOCK | \ + LANDLOCK_ACCESS_FS_MAKE_FIFO | \ + LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ + ACCESS_LAST) + +TEST_F(layout1, file_access_rights) +{ + __u64 access; + int err; + struct landlock_attr_path_beneath path_beneath = {}; + struct landlock_attr_ruleset attr_ruleset = { + .handled_access_fs = ACCESS_ALL, + }; + + path_beneath.ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, &attr_ruleset, + sizeof(attr_ruleset)); + ASSERT_LE(0, path_beneath.ruleset_fd); + + /* Tests access rights for files. */ + path_beneath.parent_fd = open(file1_s1d2, O_PATH | O_CLOEXEC); + ASSERT_LE(0, path_beneath.parent_fd); + for (access = 1; access <= ACCESS_LAST; access <<= 1) { + path_beneath.allowed_access = access; + err = landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath)); + if ((access | ACCESS_FILE) == ACCESS_FILE) { + ASSERT_EQ(0, err); + } else { + ASSERT_EQ(-1, err); + ASSERT_EQ(EINVAL, errno); + } + } + ASSERT_EQ(0, close(path_beneath.parent_fd)); +} + +static void add_path_beneath(struct __test_metadata *const _metadata, + const int ruleset_fd, const __u64 allowed_access, + const char *const path) +{ + struct landlock_attr_path_beneath path_beneath = { + .ruleset_fd = ruleset_fd, + .allowed_access = allowed_access, + }; + + path_beneath.parent_fd = open(path, O_PATH | O_CLOEXEC); + ASSERT_LE(0, path_beneath.parent_fd) { + TH_LOG("Failed to open directory "%s": %s", path, + strerror(errno)); + } + ASSERT_EQ(0, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))) { + TH_LOG("Failed to update the ruleset with "%s": %s", path, + strerror(errno)); + } + ASSERT_EQ(0, close(path_beneath.parent_fd)); +} + +struct rule { + const char *path; + __u64 access; +}; + +#define ACCESS_RO ( \ + LANDLOCK_ACCESS_FS_READ_FILE | \ + LANDLOCK_ACCESS_FS_READ_DIR) + +#define ACCESS_RW ( \ + ACCESS_RO | \ + LANDLOCK_ACCESS_FS_WRITE_FILE) + +static int create_ruleset(struct __test_metadata *const _metadata, + const __u64 handled_access_fs, const struct rule rules[]) +{ + int ruleset_fd, i; + struct landlock_attr_features attr_features = {}; + struct landlock_attr_ruleset attr_ruleset = { + .handled_access_fs = handled_access_fs, + }; + + ASSERT_NE(NULL, rules) { + TH_LOG("No rule list"); + } + ASSERT_NE(NULL, rules[0].path) { + TH_LOG("Empty rule list"); + } + + ASSERT_EQ(0, landlock(LANDLOCK_CMD_GET_FEATURES, + LANDLOCK_OPT_GET_FEATURES, &attr_features, + sizeof(attr_features))); + /* Only for test, use a binary AND for real application instead. */ + ASSERT_EQ(attr_ruleset.handled_access_fs, + attr_ruleset.handled_access_fs & + attr_features.access_fs); + ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, &attr_ruleset, + sizeof(attr_ruleset)); + ASSERT_LE(0, ruleset_fd) { + TH_LOG("Failed to create a ruleset: %s", strerror(errno)); + } + + for (i = 0; rules[i].path; i++) { + ASSERT_EQ(rules[i].access, rules[i].access & + attr_features.access_fs); + add_path_beneath(_metadata, ruleset_fd, rules[i].access, + rules[i].path); + } + return ruleset_fd; +} + +static void enforce_ruleset(struct __test_metadata *const _metadata, + const int ruleset_fd) +{ + struct landlock_attr_enforce attr_enforce = { + .ruleset_fd = ruleset_fd, + }; + + ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); + ASSERT_EQ(0, landlock(LANDLOCK_CMD_ENFORCE_RULESET, + LANDLOCK_OPT_ENFORCE_RULESET, &attr_enforce, + sizeof(attr_enforce))) { + TH_LOG("Failed to enforce ruleset: %s", strerror(errno)); + } +} + +TEST_F(layout1, proc_nsfs) +{ + const struct rule rules[] = { + { + .path = "/dev/null", + .access = LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE, + }, + {} + }; + struct landlock_attr_path_beneath path_beneath; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access | + LANDLOCK_ACCESS_FS_READ_DIR, rules); + + test_path(_metadata, "/proc/self/ns/mnt", 0); + + enforce_ruleset(_metadata, ruleset_fd); + + test_path(_metadata, "/", -1); + test_path(_metadata, "/dev", -1); + test_path(_metadata, "/dev/null", 0); + test_path(_metadata, "/dev/full", -1); + + test_path(_metadata, "/proc", -1); + test_path(_metadata, "/proc/self", -1); + test_path(_metadata, "/proc/self/ns", -1); + /* + * Because nsfs is an internal filesystem, /proc/self/ns/mnt is a + * disconnected path. Such path cannot be identified and must then be + * allowed. + */ + test_path(_metadata, "/proc/self/ns/mnt", 0); + + /* + * Checks that it is not possible to add nsfs-like filesystem + * references to a ruleset. + */ + path_beneath.ruleset_fd = ruleset_fd; + path_beneath.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE, + path_beneath.parent_fd = open("/proc/self/ns/mnt", O_PATH | O_CLOEXEC); + ASSERT_LE(0, path_beneath.parent_fd); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + ASSERT_EQ(EBADFD, errno); + ASSERT_EQ(0, close(path_beneath.parent_fd)); +} + +static void drop_privileges(struct __test_metadata *const _metadata) +{ + cap_t caps; + const cap_value_t cap_val = CAP_SYS_ADMIN; + + caps = cap_get_proc(); + ASSERT_NE(NULL, caps); + ASSERT_EQ(0, cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, + CAP_CLEAR)); + ASSERT_EQ(0, cap_set_proc(caps)); + ASSERT_EQ(0, cap_free(caps)); +} + +TEST_F(layout1, unpriv) { + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = ACCESS_RO, + }, + {} + }; + struct landlock_attr_enforce attr_enforce = {}; + + drop_privileges(_metadata); + attr_enforce.ruleset_fd = create_ruleset(_metadata, ACCESS_RO, rules); + ASSERT_LE(0, attr_enforce.ruleset_fd); + ASSERT_EQ(-1, landlock(LANDLOCK_CMD_ENFORCE_RULESET, + LANDLOCK_OPT_ENFORCE_RULESET, &attr_enforce, + sizeof(attr_enforce))); + ASSERT_EQ(EPERM, errno); + + /* enforce_ruleset() calls prctl(no_new_privs). */ + enforce_ruleset(_metadata, attr_enforce.ruleset_fd); + EXPECT_EQ(0, close(attr_enforce.ruleset_fd)); +} + +TEST_F(layout1, whitelist) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = ACCESS_RO, + }, + { + .path = file1_s2d2, + .access = LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + char buf; + int reg_fd; + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Tests on a directory. */ + test_path(_metadata, "/", -1); + test_path(_metadata, dir_s1d1, -1); + test_path(_metadata, file1_s1d1, -1); + test_path(_metadata, dir_s1d2, 0); + test_path(_metadata, file1_s1d2, 0); + test_path(_metadata, dir_s1d3, 0); + test_path(_metadata, file1_s1d3, 0); + + /* Tests on a file. */ + test_path(_metadata, dir_s2d2, -1); + test_path(_metadata, file1_s2d2, 0); + + /* Checks effective read and write actions. */ + reg_fd = open(file1_s2d2, O_RDWR | O_CLOEXEC); + ASSERT_LE(0, reg_fd); + ASSERT_EQ(1, write(reg_fd, ".", 1)); + ASSERT_LE(0, lseek(reg_fd, 0, SEEK_SET)); + ASSERT_EQ(1, read(reg_fd, &buf, 1)); + ASSERT_EQ('.', buf); + ASSERT_EQ(0, close(reg_fd)); + + /* Just in case, double-checks effective actions. */ + reg_fd = open(file1_s2d2, O_RDONLY | O_CLOEXEC); + ASSERT_LE(0, reg_fd); + ASSERT_EQ(-1, write(reg_fd, &buf, 1)); + ASSERT_EQ(EBADF, errno); + ASSERT_EQ(0, close(reg_fd)); +} + +TEST_F(layout1, unhandled_access) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = ACCESS_RO, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + set_cap(_metadata, CAP_SYS_CHROOT); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* + * Because the policy does not handle LANDLOCK_ACCESS_FS_CHROOT, + * chroot(2) should be allowed. + */ + ASSERT_EQ(0, chroot(dir_s1d1)); + ASSERT_EQ(0, chroot(dir_s1d2)); + ASSERT_EQ(0, chroot(dir_s1d3)); +} + +TEST_F(layout1, ruleset_overlap) +{ + const struct rule rules[] = { + /* These rules should be ORed among them. */ + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_WRITE_FILE, + }, + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_READ_DIR, + }, + {} + }; + int open_fd; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, open(file1_s1d1, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, open(dir_s1d1, O_RDONLY | O_DIRECTORY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + + open_fd = open(file1_s1d2, O_WRONLY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + EXPECT_EQ(0, close(open_fd)); + open_fd = open(dir_s1d2, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + EXPECT_EQ(0, close(open_fd)); + + open_fd = open(file1_s1d3, O_WRONLY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + EXPECT_EQ(0, close(open_fd)); + open_fd = open(dir_s1d3, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + EXPECT_EQ(0, close(open_fd)); +} + +TEST_F(layout1, inherit_subset) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_READ_DIR, + }, + {} + }; + int open_fd; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + + ASSERT_EQ(-1, open(file1_s1d1, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, open(dir_s1d1, O_RDONLY | O_DIRECTORY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + + /* Write access is forbidden. */ + ASSERT_EQ(-1, open(file1_s1d2, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + /* Readdir access is allowed. */ + open_fd = open(dir_s1d2, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); + + /* Write access is forbidden. */ + ASSERT_EQ(-1, open(file1_s1d3, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + /* Readdir access is allowed. */ + open_fd = open(dir_s1d3, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); + + /* + * Tests shared rule extension: the following rules should not grant + * any new access, only remove some. Once enforced, these rules are + * ANDed with the previous ones. + */ + add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE, + dir_s1d2); + /* + * According to ruleset_fd, dir_s1d2 should now have the + * LANDLOCK_ACCESS_FS_READ_FILE and LANDLOCK_ACCESS_FS_WRITE_FILE + * access rights (even if this directory is opened a second time). + * However, when enforcing this updated ruleset, the ruleset tied to + * the current process (i.e. its domain) will still only have the + * dir_s1d2 with LANDLOCK_ACCESS_FS_READ_FILE and + * LANDLOCK_ACCESS_FS_READ_DIR accesses, but + * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would + * be a privilege escalation. + */ + enforce_ruleset(_metadata, ruleset_fd); + + /* Same tests and results as above. */ + ASSERT_EQ(-1, open(file1_s1d1, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, open(dir_s1d1, O_RDONLY | O_DIRECTORY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + + /* It is still forbidden to write in file1_s1d2. */ + ASSERT_EQ(-1, open(file1_s1d2, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + /* Readdir access is still allowed. */ + open_fd = open(dir_s1d2, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); + + /* It is still forbidden to write in file1_s1d3. */ + ASSERT_EQ(-1, open(file1_s1d3, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + /* Readdir access is still allowed. */ + open_fd = open(dir_s1d3, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); + + /* + * Try to get more privileges by adding new access rights to the parent + * directory: dir_s1d1. + */ + add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1); + enforce_ruleset(_metadata, ruleset_fd); + + /* Same tests and results as above. */ + ASSERT_EQ(-1, open(file1_s1d1, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, open(dir_s1d1, O_RDONLY | O_DIRECTORY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + + /* It is still forbidden to write in file1_s1d2. */ + ASSERT_EQ(-1, open(file1_s1d2, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + /* Readdir access is still allowed. */ + open_fd = open(dir_s1d2, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); + + /* It is still forbidden to write in file1_s1d3. */ + ASSERT_EQ(-1, open(file1_s1d3, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + /* Readdir access is still allowed. */ + open_fd = open(dir_s1d3, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); + + /* + * Now, dir_s1d3 get a new rule tied to it, only allowing + * LANDLOCK_ACCESS_FS_WRITE_FILE. The (kernel internal) difference is + * that there was no rule tied to it before. + */ + add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE, + dir_s1d3); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* + * Same tests and results as above, except for open(dir_s1d3) which is + * now denied because the new rule mask the rule previously inherited + * from dir_s1d2. + */ + + /* Same tests and results as above. */ + ASSERT_EQ(-1, open(file1_s1d1, O_WRONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, open(dir_s1d1, O_RDONLY | O_DIRECTORY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + + /* It is still forbidden to write in file1_s1d2. */ + ASSERT_EQ(-1, open(file1_s1d2, O_WRONLY | O_CLOEXEC)); + /* Readdir access is still allowed. */ + open_fd = open(dir_s1d2, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); + + /* It is still forbidden to write in file1_s1d3. */ + ASSERT_EQ(-1, open(file1_s1d3, O_WRONLY | O_CLOEXEC)); + open_fd = open(dir_s1d3, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + /* Readdir of dir_s1d3 is now forbidden too. */ + ASSERT_EQ(-1, open_fd); + ASSERT_EQ(EACCES, errno); +} + +TEST_F(layout1, inherit_superset) +{ + const struct rule rules[] = { + { + .path = dir_s1d3, + .access = ACCESS_RO, + }, + {} + }; + int open_fd; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + + /* Readdir access is denied for dir_s1d2. */ + open_fd = open(dir_s1d2, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_EQ(-1, open_fd); + ASSERT_EQ(EACCES, errno); + /* Readdir access is allowed for dir_s1d3. */ + open_fd = open(dir_s1d3, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); + + /* Now dir_s1d2, parent of dir_s1d3, gets a new rule tied to it. */ + add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_READ_DIR, dir_s1d2); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Readdir access is still denied for dir_s1d2. */ + open_fd = open(dir_s1d2, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_EQ(-1, open_fd); + ASSERT_EQ(EACCES, errno); + /* Readdir access is still allowed for dir_s1d3. */ + open_fd = open(dir_s1d3, O_RDONLY | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, open_fd); + ASSERT_EQ(0, close(open_fd)); +} + +TEST_F(layout1, max_layers) +{ + int i, err; + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = ACCESS_RO, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + struct landlock_attr_enforce attr_enforce = { + .ruleset_fd = ruleset_fd, + }; + + ASSERT_LE(0, ruleset_fd); + for (i = 0; i < 64; i++) + enforce_ruleset(_metadata, ruleset_fd); + + for (i = 0; i < 2; i++) { + err = landlock(LANDLOCK_CMD_ENFORCE_RULESET, + LANDLOCK_OPT_ENFORCE_RULESET, &attr_enforce, + sizeof(attr_enforce)); + ASSERT_EQ(-1, err); + ASSERT_EQ(E2BIG, errno); + } + EXPECT_EQ(0, close(ruleset_fd)); +} + +TEST_F(layout1, empty_or_same_ruleset) +{ + struct landlock_attr_enforce attr_enforce = {}; + struct landlock_attr_ruleset attr_ruleset = {}; + + /* Tests empty handled_access_fs. */ + attr_enforce.ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, &attr_ruleset, + sizeof(attr_ruleset)); + ASSERT_LE(-1, attr_enforce.ruleset_fd); + ASSERT_EQ(ENOMSG, errno); + + /* Enforces policy which deny read access to all files. */ + attr_ruleset.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE; + attr_enforce.ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, &attr_ruleset, + sizeof(attr_ruleset)); + ASSERT_LE(0, attr_enforce.ruleset_fd); + enforce_ruleset(_metadata, attr_enforce.ruleset_fd); + test_path(_metadata, file1_s1d1, -1); + test_path(_metadata, dir_s1d1, 0); + + /* Nests a policy which deny read access to all directories. */ + attr_ruleset.handled_access_fs = LANDLOCK_ACCESS_FS_READ_DIR; + attr_enforce.ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, &attr_ruleset, + sizeof(attr_ruleset)); + ASSERT_LE(0, attr_enforce.ruleset_fd); + enforce_ruleset(_metadata, attr_enforce.ruleset_fd); + test_path(_metadata, file1_s1d1, -1); + test_path(_metadata, dir_s1d1, -1); + + /* Enforces a second time with the same ruleset. */ + enforce_ruleset(_metadata, attr_enforce.ruleset_fd); + EXPECT_EQ(0, close(attr_enforce.ruleset_fd)); +} + +TEST_F(layout1, rule_on_mountpoint) +{ + const struct rule rules[] = { + { + .path = dir_s1d1, + .access = ACCESS_RO, + }, + { + /* dir_s3d2 is a mount point. */ + .path = dir_s3d2, + .access = ACCESS_RO, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + test_path(_metadata, dir_s1d1, 0); + + test_path(_metadata, dir_s2d1, -1); + + test_path(_metadata, dir_s3d1, -1); + test_path(_metadata, dir_s3d2, 0); + test_path(_metadata, dir_s3d3, 0); +} + +TEST_F(layout1, rule_over_mountpoint) +{ + const struct rule rules[] = { + { + .path = dir_s1d1, + .access = ACCESS_RO, + }, + { + /* dir_s3d2 is a mount point. */ + .path = dir_s3d1, + .access = ACCESS_RO, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + test_path(_metadata, dir_s1d1, 0); + + test_path(_metadata, dir_s2d1, -1); + + test_path(_metadata, dir_s3d1, 0); + test_path(_metadata, dir_s3d2, 0); + test_path(_metadata, dir_s3d3, 0); +} + +/* + * This test verifies that we can apply a landlock rule on the root (/), it + * might require special handling. + */ +TEST_F(layout1, rule_over_root) +{ + const struct rule rules[] = { + { + .path = "/", + .access = ACCESS_RO, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + test_path(_metadata, "/", 0); + test_path(_metadata, dir_s1d1, 0); +} + +TEST_F(layout1, rule_inside_mount_ns) +{ + const struct rule rules[] = { + { + .path = "s3d3", + .access = ACCESS_RO, + }, + {} + }; + int ruleset_fd; + + set_cap(_metadata, CAP_SYS_ADMIN); + ASSERT_EQ(0, mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL)); + ASSERT_EQ(0, syscall(SYS_pivot_root, dir_s3d2, dir_s3d3)) { + TH_LOG("Failed to pivot_root into "%s": %s", dir_s3d2, + strerror(errno)); + }; + ASSERT_EQ(0, chdir("/")); + clear_cap(_metadata, CAP_SYS_ADMIN); + + ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + test_path(_metadata, "s3d3", 0); + test_path(_metadata, "/", -1); +} + +TEST_F(layout1, mount_and_pivot) +{ + const struct rule rules[] = { + { + .path = dir_s3d2, + .access = ACCESS_RO, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + set_cap(_metadata, CAP_SYS_ADMIN); + ASSERT_EQ(0, mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL)); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL)); + ASSERT_EQ(EPERM, errno); + ASSERT_EQ(-1, syscall(SYS_pivot_root, dir_s3d2, dir_s3d3)); + ASSERT_EQ(EPERM, errno); +} + +TEST_F(layout1, move_mount) +{ + const struct rule rules[] = { + { + .path = dir_s3d2, + .access = ACCESS_RO, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + + set_cap(_metadata, CAP_SYS_ADMIN); + ASSERT_EQ(0, mount(NULL, "/", NULL, MS_PRIVATE | MS_REC, NULL)); + ASSERT_EQ(0, syscall(SYS_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, + dir_s1d2, 0)) { + TH_LOG("Failed to move_mount: %s", strerror(errno)); + } + ASSERT_EQ(0, syscall(SYS_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD, + dir_s3d2, 0)); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, syscall(SYS_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, + dir_s1d2, 0)); + ASSERT_EQ(EPERM, errno); +} + +TEST_F(layout1, release_inodes) +{ + const struct rule rules[] = { + { + .path = dir_s1d1, + .access = ACCESS_RO, + }, + { + .path = dir_s3d2, + .access = ACCESS_RO, + }, + { + .path = dir_s3d3, + .access = ACCESS_RO, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + int test_fd; + + ASSERT_LE(0, ruleset_fd); + /* Unmount a file hierarchy while it is being used by a ruleset. */ + set_cap(_metadata, CAP_SYS_ADMIN); + ASSERT_EQ(0, umount(dir_s3d2)); + clear_cap(_metadata, CAP_SYS_ADMIN); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + test_fd = open(file1_s1d1, O_RDONLY | O_CLOEXEC); + ASSERT_LE(0, test_fd); + /* This dir_s3d2 is not allowed, only the tmpfs on it was. */ + ASSERT_EQ(-1, open(dir_s3d2, O_RDONLY | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + /* This dir_s3d3 would not be allowed and does not exist anyway. */ + ASSERT_EQ(-1, open(dir_s3d3, O_RDONLY | O_CLOEXEC)); + ASSERT_EQ(ENOENT, errno); +} + +enum relative_access { + REL_OPEN, + REL_CHDIR, + REL_CHROOT_ONLY, + REL_CHROOT_CHDIR, +}; + +static void test_relative_path(struct __test_metadata *const _metadata, + const enum relative_access rel) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = ACCESS_RO, + }, + { + .path = dir_s2d2, + .access = ACCESS_RO, + }, + {} + }; + int dirfd; + const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules); + + ASSERT_LE(0, ruleset_fd); + switch (rel) { + case REL_OPEN: + case REL_CHDIR: + break; + case REL_CHROOT_ONLY: + ASSERT_EQ(0, chdir(dir_s2d2)); + break; + case REL_CHROOT_CHDIR: + ASSERT_EQ(0, chdir(dir_s1d2)); + break; + default: + ASSERT_TRUE(false); + return; + } + + set_cap(_metadata, CAP_SYS_CHROOT); + enforce_ruleset(_metadata, ruleset_fd); + + switch (rel) { + case REL_OPEN: + dirfd = open(dir_s1d2, O_DIRECTORY); + ASSERT_LE(0, dirfd); + break; + case REL_CHDIR: + ASSERT_EQ(0, chdir(dir_s1d2)); + dirfd = AT_FDCWD; + break; + case REL_CHROOT_ONLY: + /* Do chroot into dir_s1d2 (relative to dir_s2d2). */ + ASSERT_EQ(0, chroot("../../s1d1/s1d2")) { + TH_LOG("Failed to chroot: %s", strerror(errno)); + } + dirfd = AT_FDCWD; + break; + case REL_CHROOT_CHDIR: + /* Do chroot into dir_s1d2. */ + ASSERT_EQ(0, chroot(".")) { + TH_LOG("Failed to chroot: %s", strerror(errno)); + } + dirfd = AT_FDCWD; + break; + } + + test_path_rel(_metadata, dirfd, "..", + (rel == REL_CHROOT_CHDIR) ? 0 : -1); + test_path_rel(_metadata, dirfd, ".", 0); + + if (rel == REL_CHROOT_ONLY) + /* The current directory is dir_s2d2. */ + test_path_rel(_metadata, dirfd, "./s2d3", 0); + else + /* The current directory is dir_s1d2. */ + test_path_rel(_metadata, dirfd, "./s1d3", 0); + + if (rel != REL_CHROOT_CHDIR) { + test_path_rel(_metadata, dirfd, "../../s1d1", -1); + test_path_rel(_metadata, dirfd, "../../s1d1/s1d2", 0); + test_path_rel(_metadata, dirfd, "../../s1d1/s1d2/s1d3", 0); + + test_path_rel(_metadata, dirfd, "../../s2d1", -1); + test_path_rel(_metadata, dirfd, "../../s2d1/s2d2", 0); + test_path_rel(_metadata, dirfd, "../../s2d1/s2d2/s2d3", 0); + } + + if (rel == REL_OPEN) + EXPECT_EQ(0, close(dirfd)); + EXPECT_EQ(0, close(ruleset_fd)); +} + +TEST_F(layout1, relative_open) +{ + test_relative_path(_metadata, REL_OPEN); +} + +TEST_F(layout1, relative_chdir) +{ + test_relative_path(_metadata, REL_CHDIR); +} + +TEST_F(layout1, relative_chroot_only) +{ + test_relative_path(_metadata, REL_CHROOT_ONLY); +} + +TEST_F(layout1, relative_chroot_chdir) +{ + test_relative_path(_metadata, REL_CHROOT_CHDIR); +} + +TEST_F(layout1, chroot) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_CHROOT, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + + set_cap(_metadata, CAP_SYS_CHROOT); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, chroot(dir_s1d1)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(0, chroot(dir_s1d2)) { + TH_LOG("Failed to chroot into "%s": %s", file1_s1d2, + strerror(errno)); + }; + /* This chroot still works because we didn't chdir(dir_s1d2). */ + ASSERT_EQ(0, chroot(dir_s1d3)); +} + +static void copy_binary(struct __test_metadata *const _metadata, + const char *const dst_path) +{ + int dst_fd, src_fd; + struct stat statbuf; + + dst_fd = open(dst_path, O_WRONLY | O_TRUNC | O_CLOEXEC); + ASSERT_LE(0, dst_fd) { + TH_LOG("Failed to open "%s": %s", dst_path, + strerror(errno)); + } + src_fd = open(BINARY_PATH, O_RDONLY | O_CLOEXEC); + ASSERT_LE(0, src_fd) { + TH_LOG("Failed to open "" BINARY_PATH "": %s", + strerror(errno)); + } + ASSERT_EQ(0, fstat(src_fd, &statbuf)); + ASSERT_EQ(statbuf.st_size, sendfile(dst_fd, src_fd, 0, + statbuf.st_size)); + ASSERT_EQ(0, close(src_fd)); + ASSERT_EQ(0, close(dst_fd)); +} + +static void test_execute(struct __test_metadata *const _metadata, + const char *const path, const int ret) +{ + int status; + char *const argv[] = {(char *)path, NULL}; + const pid_t child = fork(); + + ASSERT_LE(0, child); + if (child == 0) { + ASSERT_EQ(ret, execve(path, argv, NULL)) { + TH_LOG("Failed to execute "%s": %s", path, + strerror(errno)); + }; + ASSERT_EQ(EACCES, errno); + _exit(_metadata->passed ? 2 : 1); + return; + } + ASSERT_EQ(child, waitpid(child, &status, 0)); + ASSERT_EQ(1, WIFEXITED(status)); + ASSERT_EQ(ret ? 2 : 0, WEXITSTATUS(status)) { + TH_LOG("Unexpected return code for "%s": %s", path, + strerror(errno)); + }; +} + +TEST_F(layout1, execute) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_EXECUTE, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + copy_binary(_metadata, file1_s1d1); + copy_binary(_metadata, file1_s1d2); + copy_binary(_metadata, file1_s1d3); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + test_execute(_metadata, file1_s1d1, -1); + test_execute(_metadata, file1_s1d2, 0); + test_execute(_metadata, file1_s1d3, 0); +} + +TEST_F(layout1, link) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_MAKE_REG, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + + ASSERT_EQ(0, unlink(file1_s1d1)); + ASSERT_EQ(0, unlink(file1_s1d2)); + ASSERT_EQ(0, unlink(file1_s1d3)); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); + ASSERT_EQ(EACCES, errno); + /* Denies linking because of reparenting. */ + ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3)); + ASSERT_EQ(EACCES, errno); + + ASSERT_EQ(0, link(file2_s1d2, file1_s1d2)) { + TH_LOG("Failed to link file to "%s": %s", file2_s1d2, + strerror(errno)); + }; + ASSERT_EQ(0, link(file2_s1d3, file1_s1d3)); +} + +TEST_F(layout1, rename_file) +{ + const struct rule rules[] = { + { + .path = dir_s1d3, + .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, + }, + { + .path = dir_s2d2, + .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + + ASSERT_EQ(0, unlink(file1_s1d1)); + ASSERT_EQ(0, unlink(file1_s1d2)); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Replaces file. */ + ASSERT_EQ(-1, rename(file1_s2d3, file1_s1d3)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); + ASSERT_EQ(EACCES, errno); + /* Same parent. */ + ASSERT_EQ(0, rename(file2_s2d3, file1_s2d3)) { + TH_LOG("Failed to rename file "%s": %s", file2_s2d3, + strerror(errno)); + }; + + /* Renames files. */ + ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(0, unlink(file1_s1d3)); + ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); + ASSERT_EQ(EACCES, errno); + /* Same parent. */ + ASSERT_EQ(0, rename(file2_s1d3, file1_s1d3)); +} + +TEST_F(layout1, rename_dir) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, + }, + { + .path = dir_s2d1, + .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + + /* Empties dir_s1d3. */ + ASSERT_EQ(0, unlink(file1_s1d3)); + ASSERT_EQ(0, unlink(file2_s1d3)); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Renames directory. */ + ASSERT_EQ(-1, rename(dir_s2d3, dir_s1d3)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(0, unlink(file1_s1d2)); + ASSERT_EQ(0, rename(dir_s1d3, file1_s1d2)) { + TH_LOG("Failed to rename directory "%s": %s", dir_s1d3, + strerror(errno)); + }; + ASSERT_EQ(0, rmdir(file1_s1d2)); +} + +TEST_F(layout1, rmdir) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_REMOVE_DIR, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + + ASSERT_EQ(0, unlink(file1_s1d1)); + ASSERT_EQ(0, unlink(file1_s1d2)); + ASSERT_EQ(0, unlink(file1_s1d3)); + ASSERT_EQ(0, unlink(file2_s1d3)); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(0, rmdir(dir_s1d3)); + /* dir_s1d2 itself cannot be removed. */ + ASSERT_EQ(-1, rmdir(dir_s1d2)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, rmdir(dir_s1d1)); + ASSERT_EQ(EACCES, errno); +} + +TEST_F(layout1, unlink) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_REMOVE_FILE, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, unlink(file1_s1d1)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(0, unlink(file1_s1d2)) { + TH_LOG("Failed to unlink file "%s": %s", file1_s1d2, + strerror(errno)); + }; + ASSERT_EQ(0, unlink(file1_s1d3)); +} + +static void test_make_file(struct __test_metadata *const _metadata, + const __u64 access, const mode_t mode, const dev_t dev) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = access, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, access, rules); + + ASSERT_LE(0, ruleset_fd); + + unlink(file1_s1d1); + unlink(file1_s1d2); + unlink(file1_s1d3); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, mknod(file1_s1d1, mode | 0400, dev)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(0, mknod(file1_s1d2, mode | 0400, dev)) { + TH_LOG("Failed to make file "%s": %s", + file1_s1d2, strerror(errno)); + }; + ASSERT_EQ(0, mknod(file1_s1d3, mode | 0400, dev)); +} + +TEST_F(layout1, make_char) +{ + /* Creates a /dev/null device. */ + set_cap(_metadata, CAP_MKNOD); + test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_CHAR, S_IFCHR, + major(1) | minor(3)); +} + +TEST_F(layout1, make_block) +{ + /* Creates a /dev/loop0 device. */ + set_cap(_metadata, CAP_MKNOD); + test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_BLOCK, S_IFBLK, + major(7) | minor(0)); +} + +TEST_F(layout1, make_reg) +{ + test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, S_IFREG, 0); + test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_REG, 0, 0); +} + +TEST_F(layout1, make_sock) +{ + test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_SOCK, S_IFSOCK, 0); +} + +TEST_F(layout1, make_fifo) +{ + test_make_file(_metadata, LANDLOCK_ACCESS_FS_MAKE_FIFO, S_IFIFO, 0); +} + +TEST_F(layout1, make_sym) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_MAKE_SYM, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + + ASSERT_EQ(0, unlink(file1_s1d1)); + ASSERT_EQ(0, unlink(file1_s1d2)); + ASSERT_EQ(0, unlink(file1_s1d3)); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, symlink("none", file1_s1d1)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(0, symlink("none", file1_s1d2)) { + TH_LOG("Failed to make symlink "%s": %s", + file1_s1d2, strerror(errno)); + }; + ASSERT_EQ(0, symlink("none", file1_s1d3)); +} + +TEST_F(layout1, make_dir) +{ + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_MAKE_DIR, + }, + {} + }; + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + + ASSERT_EQ(0, unlink(file1_s1d1)); + ASSERT_EQ(0, unlink(file1_s1d2)); + ASSERT_EQ(0, unlink(file1_s1d3)); + + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Uses file_* as directory names. */ + ASSERT_EQ(-1, mkdir(file1_s1d1, 0700)); + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(0, mkdir(file1_s1d2, 0700)) { + TH_LOG("Failed to make directory "%s": %s", + file1_s1d2, strerror(errno)); + }; + ASSERT_EQ(0, mkdir(file1_s1d3, 0700)); +} + +static int open_proc_fd(struct __test_metadata *const _metadata, const int fd, + const int open_flags) +{ + static const char path_template[] = "/proc/self/fd/%d"; + char procfd_path[sizeof(path_template) + 10]; + const int procfd_path_size = snprintf(procfd_path, sizeof(procfd_path), + path_template, fd); + + ASSERT_LE(procfd_path_size, sizeof(procfd_path)); + return open(procfd_path, open_flags); +} + +TEST_F(layout1, proc_unlinked_file) +{ + const struct rule rules[] = { + { + .path = file1_s1d2, + .access = LANDLOCK_ACCESS_FS_READ_FILE, + }, + {} + }; + int reg_fd, proc_fd; + const int ruleset_fd = create_ruleset(_metadata, + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE, rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + ASSERT_EQ(-1, open(file1_s1d2, O_RDWR | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + reg_fd = open(file1_s1d2, O_RDONLY | O_CLOEXEC); + ASSERT_LE(0, reg_fd); + test_path(_metadata, file1_s1d2, 0); + ASSERT_EQ(0, unlink(file1_s1d2)); + + proc_fd = open_proc_fd(_metadata, reg_fd, O_RDONLY | O_CLOEXEC); + ASSERT_LE(0, proc_fd); + EXPECT_EQ(0, close(proc_fd)); + + proc_fd = open_proc_fd(_metadata, reg_fd, O_RDWR | O_CLOEXEC); + ASSERT_EQ(-1, proc_fd) { + TH_LOG("Successfully opened /proc/self/fd/%d: %s", + reg_fd, strerror(errno)); + } + ASSERT_EQ(EACCES, errno); + + EXPECT_EQ(0, close(reg_fd)); +} + +TEST_F(layout1, proc_pipe) +{ + int reg_fd, proc_fd; + int pipe_fds[2]; + char buf = '\0'; + const struct rule rules[] = { + { + .path = dir_s1d2, + .access = LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_WRITE_FILE, + }, + {} + }; + /* Limits read and write access to files tied to the filesystem. */ + const int ruleset_fd = create_ruleset(_metadata, rules[0].access, + rules); + + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Checks enforcement for normal files. */ + reg_fd = open(file1_s1d2, O_RDWR | O_CLOEXEC); + ASSERT_LE(0, reg_fd); + EXPECT_EQ(0, close(reg_fd)); + ASSERT_EQ(-1, open(file1_s1d1, O_RDWR | O_CLOEXEC)); + ASSERT_EQ(EACCES, errno); + + /* Checks access to pipes through FD. */ + ASSERT_EQ(0, pipe(pipe_fds)); + ASSERT_EQ(1, write(pipe_fds[1], ".", 1)) { + TH_LOG("Failed to write in pipe: %s", strerror(errno)); + } + ASSERT_EQ(1, read(pipe_fds[0], &buf, 1)); + ASSERT_EQ('.', buf); + + /* Checks write access to pipe through /proc/self/fd . */ + proc_fd = open_proc_fd(_metadata, pipe_fds[1], O_WRONLY | O_CLOEXEC); + ASSERT_LE(0, proc_fd); + ASSERT_EQ(1, write(proc_fd, ".", 1)) { + TH_LOG("Failed to write through /proc/self/fd/%d: %s", + pipe_fds[1], strerror(errno)); + } + EXPECT_EQ(0, close(proc_fd)); + + /* Checks read access to pipe through /proc/self/fd . */ + proc_fd = open_proc_fd(_metadata, pipe_fds[0], O_RDONLY | O_CLOEXEC); + ASSERT_LE(0, proc_fd); + buf = '\0'; + ASSERT_EQ(1, read(proc_fd, &buf, 1)) { + TH_LOG("Failed to read through /proc/self/fd/%d: %s", + pipe_fds[1], strerror(errno)); + } + EXPECT_EQ(0, close(proc_fd)); + + EXPECT_EQ(0, close(pipe_fds[0])); + EXPECT_EQ(0, close(pipe_fds[1])); +} + +TEST(cleanup) +{ + cleanup_layout1(_metadata); +} + +TEST_HARNESS_MAIN diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing/selftests/landlock/ptrace_test.c new file mode 100644 index 000000000000..87d1b9ae35f5 --- /dev/null +++ b/tools/testing/selftests/landlock/ptrace_test.c @@ -0,0 +1,321 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Landlock tests - Ptrace + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2019-2020 ANSSI + */ + +#define _GNU_SOURCE +#include <errno.h> +#include <fcntl.h> +#include <linux/landlock.h> +#include <signal.h> +#include <sys/prctl.h> +#include <sys/ptrace.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <unistd.h> + +#include "common.h" + +static void create_domain(struct __test_metadata *const _metadata) +{ + int ruleset_fd; + struct landlock_attr_features attr_features; + struct landlock_attr_enforce attr_enforce; + struct landlock_attr_ruleset attr_ruleset = { + .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, + }; + struct landlock_attr_path_beneath path_beneath = { + .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE, + }; + + ASSERT_EQ(0, landlock(LANDLOCK_CMD_GET_FEATURES, + LANDLOCK_OPT_GET_FEATURES, + &attr_features, sizeof(attr_features))); + /* Only for test, use a binary AND for real application instead. */ + ASSERT_EQ(attr_ruleset.handled_access_fs, + attr_ruleset.handled_access_fs & + attr_features.access_fs); + ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, &attr_ruleset, + sizeof(attr_ruleset)); + ASSERT_LE(0, ruleset_fd) { + TH_LOG("Failed to create a ruleset: %s", strerror(errno)); + } + path_beneath.ruleset_fd = ruleset_fd; + path_beneath.parent_fd = open("/tmp", O_PATH | O_NOFOLLOW | O_DIRECTORY + | O_CLOEXEC); + ASSERT_LE(0, path_beneath.parent_fd); + ASSERT_EQ(0, landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))); + ASSERT_EQ(0, errno); + ASSERT_EQ(0, close(path_beneath.parent_fd)); + + ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); + ASSERT_EQ(0, errno); + + attr_enforce.ruleset_fd = ruleset_fd; + ASSERT_EQ(0, landlock(LANDLOCK_CMD_ENFORCE_RULESET, + LANDLOCK_OPT_ENFORCE_RULESET, &attr_enforce, + sizeof(attr_enforce))); + ASSERT_EQ(0, errno); + + ASSERT_EQ(0, close(ruleset_fd)); +} + +FIXTURE(hierarchy) { }; + +FIXTURE_VARIANT(hierarchy) { + bool domain_both; + bool domain_parent; + bool domain_child; +}; + +/* + * Test multiple tracing combinations between a parent process P1 and a child + * process P2. + * + * Yama's scoped ptrace is presumed disabled. If enabled, this optional + * restriction is enforced in addition to any Landlock check, which means that + * all P2 requests to trace P1 would be denied. + */ + +/* + * No domain + * + * P1-. P1 -> P2 : allow + * \ P2 -> P1 : allow + * 'P2 + */ +FIXTURE_VARIANT_ADD(hierarchy, allow_without_domain) { + .domain_both = false, + .domain_parent = false, + .domain_child = false, +}; + +/* + * Child domain + * + * P1--. P1 -> P2 : allow + * \ P2 -> P1 : deny + * .'-----. + * | P2 | + * '------' + */ +FIXTURE_VARIANT_ADD(hierarchy, allow_with_one_domain) { + .domain_both = false, + .domain_parent = false, + .domain_child = true, +}; + +/* + * Parent domain + * .------. + * | P1 --. P1 -> P2 : deny + * '------' \ P2 -> P1 : allow + * ' + * P2 + */ +FIXTURE_VARIANT_ADD(hierarchy, deny_with_parent_domain) { + .domain_both = false, + .domain_parent = true, + .domain_child = false, +}; + +/* + * Parent + child domain (siblings) + * .------. + * | P1 ---. P1 -> P2 : deny + * '------' \ P2 -> P1 : deny + * .---'--. + * | P2 | + * '------' + */ +FIXTURE_VARIANT_ADD(hierarchy, deny_with_sibling_domain) { + .domain_both = false, + .domain_parent = true, + .domain_child = true, +}; + +/* + * Same domain (inherited) + * .-------------. + * | P1----. | P1 -> P2 : allow + * | \ | P2 -> P1 : allow + * | ' | + * | P2 | + * '-------------' + */ +FIXTURE_VARIANT_ADD(hierarchy, allow_sibling_domain) { + .domain_both = true, + .domain_parent = false, + .domain_child = false, +}; + +/* + * Inherited + child domain + * .-----------------. + * | P1----. | P1 -> P2 : allow + * | \ | P2 -> P1 : deny + * | .-'----. | + * | | P2 | | + * | '------' | + * '-----------------' + */ +FIXTURE_VARIANT_ADD(hierarchy, allow_with_nested_domain) { + .domain_both = true, + .domain_parent = false, + .domain_child = true, +}; + +/* + * Inherited + parent domain + * .-----------------. + * |.------. | P1 -> P2 : deny + * || P1 ----. | P2 -> P1 : allow + * |'------' \ | + * | ' | + * | P2 | + * '-----------------' + */ +FIXTURE_VARIANT_ADD(hierarchy, deny_with_nested_and_parent_domain) { + .domain_both = true, + .domain_parent = true, + .domain_child = false, +}; + +/* + * Inherited + parent and child domain (siblings) + * .-----------------. + * | .------. | P1 -> P2 : deny + * | | P1 . | P2 -> P1 : deny + * | '------'\ | + * | \ | + * | .--'---. | + * | | P2 | | + * | '------' | + * '-----------------' + */ +FIXTURE_VARIANT_ADD(hierarchy, deny_with_forked_domain) { + .domain_both = true, + .domain_parent = true, + .domain_child = true, +}; + +FIXTURE_SETUP(hierarchy) +{ } + +FIXTURE_TEARDOWN(hierarchy) +{ } + +/* test PTRACE_TRACEME and PTRACE_ATTACH for parent and child */ +TEST_F(hierarchy, trace) +{ + pid_t child, parent; + int status; + int pipe_child[2], pipe_parent[2]; + char buf_parent; + + disable_caps(_metadata); + + parent = getpid(); + ASSERT_EQ(0, pipe(pipe_child)); + ASSERT_EQ(0, pipe(pipe_parent)); + if (variant->domain_both) + create_domain(_metadata); + + child = fork(); + ASSERT_LE(0, child); + if (child == 0) { + char buf_child; + + EXPECT_EQ(0, close(pipe_parent[1])); + EXPECT_EQ(0, close(pipe_child[0])); + if (variant->domain_child) + create_domain(_metadata); + + /* sync #1 */ + ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)) { + TH_LOG("Failed to read() sync #1 from parent"); + } + ASSERT_EQ('.', buf_child); + + /* Tests the parent protection. */ + ASSERT_EQ(variant->domain_child ? -1 : 0, + ptrace(PTRACE_ATTACH, parent, NULL, 0)); + if (variant->domain_child) { + ASSERT_EQ(EPERM, errno); + } else { + ASSERT_EQ(parent, waitpid(parent, &status, 0)); + ASSERT_EQ(1, WIFSTOPPED(status)); + ASSERT_EQ(0, ptrace(PTRACE_DETACH, parent, NULL, 0)); + } + + /* sync #2 */ + ASSERT_EQ(1, write(pipe_child[1], ".", 1)) { + TH_LOG("Failed to write() sync #2 to parent"); + } + + /* Tests traceme. */ + ASSERT_EQ(variant->domain_parent ? -1 : 0, ptrace(PTRACE_TRACEME)); + if (variant->domain_parent) { + ASSERT_EQ(EPERM, errno); + } else { + ASSERT_EQ(0, raise(SIGSTOP)); + } + + /* sync #3 */ + ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)) { + TH_LOG("Failed to read() sync #3 from parent"); + } + ASSERT_EQ('.', buf_child); + _exit(_metadata->passed ? EXIT_SUCCESS : EXIT_FAILURE); + } + + EXPECT_EQ(0, close(pipe_child[1])); + EXPECT_EQ(0, close(pipe_parent[0])); + if (variant->domain_parent) + create_domain(_metadata); + + /* sync #1 */ + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)) { + TH_LOG("Failed to write() sync #1 to child"); + } + + /* Tests the parent protection. */ + /* sync #2 */ + ASSERT_EQ(1, read(pipe_child[0], &buf_parent, 1)) { + TH_LOG("Failed to read() sync #2 from child"); + } + ASSERT_EQ('.', buf_parent); + + /* Tests traceme. */ + if (!variant->domain_parent) { + ASSERT_EQ(child, waitpid(child, &status, 0)); + ASSERT_EQ(1, WIFSTOPPED(status)); + ASSERT_EQ(0, ptrace(PTRACE_DETACH, child, NULL, 0)); + } + /* Tests attach. */ + ASSERT_EQ(variant->domain_parent ? -1 : 0, + ptrace(PTRACE_ATTACH, child, NULL, 0)); + if (variant->domain_parent) { + ASSERT_EQ(EPERM, errno); + } else { + ASSERT_EQ(child, waitpid(child, &status, 0)); + ASSERT_EQ(1, WIFSTOPPED(status)); + ASSERT_EQ(0, ptrace(PTRACE_DETACH, child, NULL, 0)); + } + + /* sync #3 */ + ASSERT_EQ(1, write(pipe_parent[1], ".", 1)) { + TH_LOG("Failed to write() sync #3 to child"); + } + ASSERT_EQ(child, waitpid(child, &status, 0)); + if (WIFSIGNALED(status) || WEXITSTATUS(status)) + _metadata->passed = 0; +} + +TEST_HARNESS_MAIN diff --git a/tools/testing/selftests/landlock/true.c b/tools/testing/selftests/landlock/true.c new file mode 100644 index 000000000000..3f9ccbf52783 --- /dev/null +++ b/tools/testing/selftests/landlock/true.c @@ -0,0 +1,5 @@ +// SPDX-License-Identifier: GPL-2.0 +int main(void) +{ + return 0; +}
Add a basic sandbox tool to launch a command which can only access a whitelist of file hierarchies in a read-only or read-write way.
Signed-off-by: Mickaël Salaün mic@digikod.net Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v16: * Switch syscall attribute pointer and size arguments.
Changes since v15: * Update access right names. * Properly assign access right to files according to the new related syscall restriction. * Replace "select" with "depends on" HEADERS_INSTALL (suggested by Randy Dunlap).
Changes since v14: * Fix Kconfig dependency. * Remove access rights that may be required for FD-only requests: mmap, truncate, getattr, lock, chmod, chown, chgrp, ioctl. * Fix useless hardcoded syscall number. * Use execvpe(). * Follow symlinks. * Extend help with common file paths. * Constify variables. * Clean up comments. * Improve error message.
Changes since v11: * Add back the filesystem sandbox manager and update it to work with the new Landlock syscall.
Previous changes: https://lore.kernel.org/lkml/20190721213116.23476-9-mic@digikod.net/ --- samples/Kconfig | 7 ++ samples/Makefile | 1 + samples/landlock/.gitignore | 1 + samples/landlock/Makefile | 15 +++ samples/landlock/sandboxer.c | 228 +++++++++++++++++++++++++++++++++++ 5 files changed, 252 insertions(+) create mode 100644 samples/landlock/.gitignore create mode 100644 samples/landlock/Makefile create mode 100644 samples/landlock/sandboxer.c
diff --git a/samples/Kconfig b/samples/Kconfig index 0ed6e4d71d87..092962924f0d 100644 --- a/samples/Kconfig +++ b/samples/Kconfig @@ -124,6 +124,13 @@ config SAMPLE_HIDRAW bool "hidraw sample" depends on CC_CAN_LINK && HEADERS_INSTALL
+config SAMPLE_LANDLOCK + bool "Build Landlock sample code" + depends on HEADERS_INSTALL + help + Build a simple Landlock sandbox manager able to launch a process + restricted by a user-defined filesystem access-control security policy. + config SAMPLE_PIDFD bool "pidfd sample" depends on CC_CAN_LINK && HEADERS_INSTALL diff --git a/samples/Makefile b/samples/Makefile index 754553597581..4a6ce8f64a4c 100644 --- a/samples/Makefile +++ b/samples/Makefile @@ -11,6 +11,7 @@ obj-$(CONFIG_SAMPLE_KDB) += kdb/ obj-$(CONFIG_SAMPLE_KFIFO) += kfifo/ obj-$(CONFIG_SAMPLE_KOBJECT) += kobject/ obj-$(CONFIG_SAMPLE_KPROBES) += kprobes/ +subdir-$(CONFIG_SAMPLE_LANDLOCK) += landlock obj-$(CONFIG_SAMPLE_LIVEPATCH) += livepatch/ subdir-$(CONFIG_SAMPLE_PIDFD) += pidfd obj-$(CONFIG_SAMPLE_QMI_CLIENT) += qmi/ diff --git a/samples/landlock/.gitignore b/samples/landlock/.gitignore new file mode 100644 index 000000000000..f43668b2d318 --- /dev/null +++ b/samples/landlock/.gitignore @@ -0,0 +1 @@ +/sandboxer diff --git a/samples/landlock/Makefile b/samples/landlock/Makefile new file mode 100644 index 000000000000..9dfb571641ba --- /dev/null +++ b/samples/landlock/Makefile @@ -0,0 +1,15 @@ +# SPDX-License-Identifier: BSD-3-Clause + +hostprogs-y := sandboxer + +always := $(hostprogs-y) + +KBUILD_HOSTCFLAGS += -I$(objtree)/usr/include + +.PHONY: all clean + +all: + $(MAKE) -C ../.. samples/landlock/ + +clean: + $(MAKE) -C ../.. M=samples/landlock/ clean diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c new file mode 100644 index 000000000000..e0059706c11f --- /dev/null +++ b/samples/landlock/sandboxer.c @@ -0,0 +1,228 @@ +// SPDX-License-Identifier: BSD-3-Clause +/* + * Simple Landlock sandbox manager able to launch a process restricted by a + * user-defined filesystem access-control security policy. + * + * Copyright © 2017-2020 Mickaël Salaün mic@digikod.net + * Copyright © 2020 ANSSI + */ + +#define _GNU_SOURCE +#include <errno.h> +#include <fcntl.h> +#include <linux/landlock.h> +#include <linux/prctl.h> +#include <stddef.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/prctl.h> +#include <sys/stat.h> +#include <sys/syscall.h> +#include <unistd.h> + +#ifndef landlock +static inline int landlock(const unsigned int command, + const unsigned int options, void *const attr_ptr, + const size_t attr_size) +{ + errno = 0; + return syscall(__NR_landlock, command, options, attr_ptr, attr_size, + NULL, 0); +} +#endif + +#define ENV_FS_RO_NAME "LL_FS_RO" +#define ENV_FS_RW_NAME "LL_FS_RW" +#define ENV_PATH_TOKEN ":" + +static int parse_path(char *env_path, const char ***const path_list) +{ + int i, path_nb = 0; + + if (env_path) { + path_nb++; + for (i = 0; env_path[i]; i++) { + if (env_path[i] == ENV_PATH_TOKEN[0]) + path_nb++; + } + } + *path_list = malloc(path_nb * sizeof(**path_list)); + for (i = 0; i < path_nb; i++) + (*path_list)[i] = strsep(&env_path, ENV_PATH_TOKEN); + + return path_nb; +} + +#define ACCESS_FILE ( \ + LANDLOCK_ACCESS_FS_EXECUTE | \ + LANDLOCK_ACCESS_FS_WRITE_FILE | \ + LANDLOCK_ACCESS_FS_READ_FILE) + +static int populate_ruleset( + const struct landlock_attr_features *const attr_features, + const char *const env_var, const int ruleset_fd, + const __u64 allowed_access) +{ + int path_nb, i; + char *env_path_name; + const char **path_list = NULL; + struct landlock_attr_path_beneath path_beneath = { + .ruleset_fd = ruleset_fd, + .parent_fd = -1, + }; + + env_path_name = getenv(env_var); + if (!env_path_name) { + fprintf(stderr, "Missing environment variable %s\n", env_var); + return 1; + } + env_path_name = strdup(env_path_name); + unsetenv(env_var); + path_nb = parse_path(env_path_name, &path_list); + if (path_nb == 1 && path_list[0][0] == '\0') { + fprintf(stderr, "Missing path in %s\n", env_var); + goto err_free_name; + } + + for (i = 0; i < path_nb; i++) { + struct stat statbuf; + + path_beneath.parent_fd = open(path_list[i], O_PATH | + O_CLOEXEC); + if (path_beneath.parent_fd < 0) { + fprintf(stderr, "Failed to open "%s": %s\n", + path_list[i], + strerror(errno)); + goto err_free_name; + } + if (fstat(path_beneath.parent_fd, &statbuf)) { + close(path_beneath.parent_fd); + goto err_free_name; + } + /* Follows a best-effort approach. */ + path_beneath.allowed_access = allowed_access & + attr_features->access_fs; + if (!S_ISDIR(statbuf.st_mode)) + path_beneath.allowed_access &= ACCESS_FILE; + if (landlock(LANDLOCK_CMD_ADD_RULE, + LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + &path_beneath, sizeof(path_beneath))) { + fprintf(stderr, "Failed to update the ruleset with "%s": %s\n", + path_list[i], strerror(errno)); + close(path_beneath.parent_fd); + goto err_free_name; + } + close(path_beneath.parent_fd); + } + free(env_path_name); + return 0; + +err_free_name: + free(env_path_name); + return 1; +} + +#define ACCESS_FS_ROUGHLY_READ ( \ + LANDLOCK_ACCESS_FS_EXECUTE | \ + LANDLOCK_ACCESS_FS_READ_FILE | \ + LANDLOCK_ACCESS_FS_READ_DIR | \ + LANDLOCK_ACCESS_FS_CHROOT) + +#define ACCESS_FS_ROUGHLY_WRITE ( \ + LANDLOCK_ACCESS_FS_WRITE_FILE | \ + LANDLOCK_ACCESS_FS_REMOVE_DIR | \ + LANDLOCK_ACCESS_FS_REMOVE_FILE | \ + LANDLOCK_ACCESS_FS_MAKE_CHAR | \ + LANDLOCK_ACCESS_FS_MAKE_DIR | \ + LANDLOCK_ACCESS_FS_MAKE_REG | \ + LANDLOCK_ACCESS_FS_MAKE_SOCK | \ + LANDLOCK_ACCESS_FS_MAKE_FIFO | \ + LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ + LANDLOCK_ACCESS_FS_MAKE_SYM) + +int main(const int argc, char *const argv[], char *const *const envp) +{ + const char *cmd_path; + char *const *cmd_argv; + int ruleset_fd; + struct landlock_attr_features attr_features; + struct landlock_attr_ruleset ruleset = { + .handled_access_fs = ACCESS_FS_ROUGHLY_READ | + ACCESS_FS_ROUGHLY_WRITE, + }; + struct landlock_attr_enforce attr_enforce = {}; + + if (argc < 2) { + fprintf(stderr, "usage: %s="..." %s="..." %s <cmd> [args]...\n\n", + ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]); + fprintf(stderr, "Launch a command in a restricted environment.\n\n"); + fprintf(stderr, "Environment variables containing paths, each separated by a colon:\n"); + fprintf(stderr, "* %s: list of paths allowed to be used in a read-only way.\n", + ENV_FS_RO_NAME); + fprintf(stderr, "* %s: list of paths allowed to be used in a read-write way.\n", + ENV_FS_RO_NAME); + fprintf(stderr, "\nexample:\n" + "%s="/bin:/lib:/usr:/proc:/etc:/dev/urandom" " + "%s="/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp" " + "%s bash -i\n", + ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]); + return 1; + } + + if (landlock(LANDLOCK_CMD_GET_FEATURES, LANDLOCK_OPT_GET_FEATURES, + &attr_features, sizeof(attr_features))) { + perror("Failed to probe the Landlock supported features"); + switch (errno) { + case ENOSYS: + fprintf(stderr, "Hint: this kernel does not support Landlock.\n"); + break; + case ENOPKG: + fprintf(stderr, "Hint: Landlock is currently disabled. It can be enabled in the kernel configuration or at boot with the "lsm=landlock" parameter.\n"); + break; + } + return 1; + } + /* Follows a best-effort approach. */ + ruleset.handled_access_fs &= attr_features.access_fs; + ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, &ruleset, + sizeof(ruleset)); + if (ruleset_fd < 0) { + perror("Failed to create a ruleset"); + return 1; + } + if (populate_ruleset(&attr_features, ENV_FS_RO_NAME, ruleset_fd, + ACCESS_FS_ROUGHLY_READ)) { + goto err_close_ruleset; + } + if (populate_ruleset(&attr_features, ENV_FS_RW_NAME, ruleset_fd, + ACCESS_FS_ROUGHLY_READ | + ACCESS_FS_ROUGHLY_WRITE)) { + goto err_close_ruleset; + } + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("Failed to restrict privileges"); + goto err_close_ruleset; + } + attr_enforce.ruleset_fd = ruleset_fd; + if (landlock(LANDLOCK_CMD_ENFORCE_RULESET, + LANDLOCK_OPT_ENFORCE_RULESET, &attr_enforce, + sizeof(attr_enforce))) { + perror("Failed to enforce ruleset"); + goto err_close_ruleset; + } + close(ruleset_fd); + + cmd_path = argv[1]; + cmd_argv = argv + 1; + execvpe(cmd_path, cmd_argv, envp); + fprintf(stderr, "Failed to execute "%s": %s\n", cmd_path, + strerror(errno)); + fprintf(stderr, "Hint: access to the binary, the interpreter or shared libraries may be denied.\n"); + return 1; + +err_close_ruleset: + close(ruleset_fd); + return 1; +}
This documentation can be built with the Sphinx framework.
Signed-off-by: Mickaël Salaün mic@digikod.net Reviewed-by: Vincent Dagonneau vincent.dagonneau@ssi.gouv.fr Cc: James Morris jmorris@namei.org Cc: Jann Horn jannh@google.com Cc: Kees Cook keescook@chromium.org Cc: Serge E. Hallyn serge@hallyn.com ---
Changes since v15: * Add current limitations.
Changes since v14: * Fix spelling (contributed by Randy Dunlap). * Extend documentation about inheritance and explain layer levels. * Remove the use of now-removed access rights. * Use GitHub links. * Improve kernel documentation. * Add section for tests. * Update example.
Changes since v13: * Rewrote the documentation according to the major revamp.
Previous changes: https://lore.kernel.org/lkml/20191104172146.30797-8-mic@digikod.net/ --- Documentation/security/index.rst | 1 + Documentation/security/landlock/index.rst | 18 ++ Documentation/security/landlock/kernel.rst | 69 ++++++ Documentation/security/landlock/user.rst | 268 +++++++++++++++++++++ 4 files changed, 356 insertions(+) create mode 100644 Documentation/security/landlock/index.rst create mode 100644 Documentation/security/landlock/kernel.rst create mode 100644 Documentation/security/landlock/user.rst
diff --git a/Documentation/security/index.rst b/Documentation/security/index.rst index 8129405eb2cc..e3f2bf4fef77 100644 --- a/Documentation/security/index.rst +++ b/Documentation/security/index.rst @@ -16,3 +16,4 @@ Security Documentation siphash tpm/index digsig + landlock/index diff --git a/Documentation/security/landlock/index.rst b/Documentation/security/landlock/index.rst new file mode 100644 index 000000000000..2520f8f33f5e --- /dev/null +++ b/Documentation/security/landlock/index.rst @@ -0,0 +1,18 @@ +========================================= +Landlock LSM: unprivileged access control +========================================= + +:Author: Mickaël Salaün + +The goal of Landlock is to enable to restrict ambient rights (e.g. global +filesystem access) for a set of processes. Because Landlock is a stackable +LSM, it makes possible to create safe security sandboxes as new security layers +in addition to the existing system-wide access-controls. This kind of sandbox +is expected to help mitigate the security impact of bugs or +unexpected/malicious behaviors in user-space applications. Landlock empowers +any process, including unprivileged ones, to securely restrict themselves. + +.. toctree:: + + user + kernel diff --git a/Documentation/security/landlock/kernel.rst b/Documentation/security/landlock/kernel.rst new file mode 100644 index 000000000000..f8e2b8f5c824 --- /dev/null +++ b/Documentation/security/landlock/kernel.rst @@ -0,0 +1,69 @@ +============================== +Landlock: kernel documentation +============================== + +Landlock's goal is to create scoped access-control (i.e. sandboxing). To +harden a whole system, this feature should be available to any process, +including unprivileged ones. Because such process may be compromised or +backdoored (i.e. untrusted), Landlock's features must be safe to use from the +kernel and other processes point of view. Landlock's interface must therefore +expose a minimal attack surface. + +Landlock is designed to be usable by unprivileged processes while following the +system security policy enforced by other access control mechanisms (e.g. DAC, +LSM). Indeed, a Landlock rule shall not interfere with other access-controls +enforced on the system, only add more restrictions. + +Any user can enforce Landlock rulesets on their processes. They are merged and +evaluated according to the inherited ones in a way that ensures that only more +constraints can be added. + +Guiding principles for safe access controls +=========================================== + +* A Landlock rule shall be focused on access control on kernel objects instead + of syscall filtering (i.e. syscall arguments), which is the purpose of + seccomp-bpf. +* To avoid multiple kinds of side-channel attacks (e.g. leak of security + policies, CPU-based attacks), Landlock rules shall not be able to + programmatically communicate with user space. +* Kernel access check shall not slow down access request from unsandboxed + processes. +* Computation related to Landlock operations (e.g. enforce a ruleset) shall + only impact the processes requesting them. + +Tests +===== + +Userspace tests for backward compatibility, ptrace restrictions and filesystem +support can be found here: `tools/testing/selftests/landlock/`_. + +Kernel structures +================= + +Object +------ + +.. kernel-doc:: security/landlock/object.h + :identifiers: + +Ruleset and domain +------------------ + +A domain is a read-only ruleset tied to a set of subjects (i.e. tasks' +credentials). Each time a ruleset is enforced on a task, the current domain is +duplicated and the ruleset is imported as a new layer of rules in the new +domain. Indeed, once in a domain, each rule is tied to a layer level. To +grant access to an object, at least one rule of each layer must allow the +requested action on the object. A task can then only transit to a new domain +which is the intersection of the constraints from the current domain and those +of a ruleset provided by the task. + +The definition of a subject is implicit for a task sandboxing itself, which +makes the reasoning much easier and helps avoid pitfalls. + +.. kernel-doc:: security/landlock/ruleset.h + :identifiers: + +.. Links +.. _tools/testing/selftests/landlock/: https://github.com/landlock-lsm/linux/tree/landlock-v19/tools/testing/selfte... diff --git a/Documentation/security/landlock/user.rst b/Documentation/security/landlock/user.rst new file mode 100644 index 000000000000..5420f74d9158 --- /dev/null +++ b/Documentation/security/landlock/user.rst @@ -0,0 +1,268 @@ +================================= +Landlock: userspace documentation +================================= + +Landlock rules +============== + +A Landlock rule enables to describe an action on an object. An object is +currently a file hierarchy, and the related filesystem actions are defined in +`Access rights`_. A set of rules is aggregated in a ruleset, which can then +restrict the thread enforcing it, and its future children. + +Defining and enforcing a security policy +---------------------------------------- + +Before defining a security policy, an application should first probe for the +features supported by the running kernel, which is important to be compatible +with older kernels. This can be done thanks to the `landlock` syscall (cf. +:ref:`syscall`). + +.. code-block:: c + + struct landlock_attr_features attr_features; + + if (landlock(LANDLOCK_CMD_GET_FEATURES, LANDLOCK_OPT_GET_FEATURES, + sizeof(attr_features), &attr_features)) { + perror("Failed to probe the Landlock supported features"); + return 1; + } + +Then, we need to create the ruleset that will contain our rules. For this +example, the ruleset will contain rules which only allow read actions, but +write actions will be denied. The ruleset then needs to handle both of these +kind of actions. To have a backward compatibility, these actions should be +ANDed with the supported ones. + +.. code-block:: c + + int ruleset_fd; + struct landlock_attr_ruleset ruleset = { + .handled_access_fs = + LANDLOCK_ACCESS_FS_EXECUTE | + LANDLOCK_ACCESS_FS_WRITE_FILE | + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_READ_DIR | + LANDLOCK_ACCESS_FS_REMOVE_DIR | + LANDLOCK_ACCESS_FS_REMOVE_FILE | + LANDLOCK_ACCESS_FS_MAKE_CHAR | + LANDLOCK_ACCESS_FS_MAKE_DIR | + LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_MAKE_SOCK | + LANDLOCK_ACCESS_FS_MAKE_FIFO | + LANDLOCK_ACCESS_FS_MAKE_BLOCK | + LANDLOCK_ACCESS_FS_MAKE_SYM, + }; + + ruleset.handled_access_fs &= attr_features.access_fs; + ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET, + LANDLOCK_OPT_CREATE_RULESET, sizeof(ruleset), &ruleset); + if (ruleset_fd < 0) { + perror("Failed to create a ruleset"); + return 1; + } + +We can now add a new rule to this ruleset thanks to the returned file +descriptor referring to this ruleset. The rule will only enable to read the +file hierarchy ``/usr``. Without another rule, write actions would then be +denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the +``O_PATH`` flag and fill the &struct landlock_attr_path_beneath with this file +descriptor. + +.. code-block:: c + + int err; + struct landlock_attr_path_beneath path_beneath = { + .ruleset_fd = ruleset_fd, + .allowed_access = + LANDLOCK_ACCESS_FS_EXECUTE | + LANDLOCK_ACCESS_FS_READ_FILE | + LANDLOCK_ACCESS_FS_READ_DIR, + }; + + path_beneath.allowed_access &= attr_features.access_fs; + path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); + if (path_beneath.parent_fd < 0) { + perror("Failed to open file"); + close(ruleset_fd); + return 1; + } + err = landlock(LANDLOCK_CMD_ADD_RULE, LANDLOCK_OPT_ADD_RULE_PATH_BENEATH, + sizeof(path_beneath), &path_beneath); + close(path_beneath.parent_fd); + if (err) { + perror("Failed to update ruleset"); + close(ruleset_fd); + return 1; + } + +We now have a ruleset with one rule allowing read access to ``/usr`` while +denying all accesses featured in ``attr_features.access_fs`` to everything else +on the filesystem. The next step is to restrict the current thread from +gaining more privileges (e.g. thanks to a SUID binary). + +.. code-block:: c + + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { + perror("Failed to restrict privileges"); + close(ruleset_fd); + return 1; + } + +The current thread is now ready to sandbox itself with the ruleset. + +.. code-block:: c + + struct landlock_attr_enforce attr_enforce = { + .ruleset_fd = ruleset_fd, + }; + + if (landlock(LANDLOCK_CMD_ENFORCE_RULESET, LANDLOCK_OPT_ENFORCE_RULESET, + sizeof(attr_enforce), &attr_enforce)) { + perror("Failed to enforce ruleset"); + close(ruleset_fd); + return 1; + } + close(ruleset_fd); + +If the last `landlock` system call succeeds, the current thread is now +restricted and this policy will be enforced on all its subsequently created +children as well. Once a thread is landlocked, there is no way to remove its +security policy; only adding more restrictions is allowed. These threads are +now in a new Landlock domain, merge of their parent one (if any) with the new +ruleset. + +Full working code can be found in `samples/landlock/sandboxer.c`_. + +Inheritance +----------- + +Every new thread resulting from a :manpage:`clone(2)` inherits Landlock domain +restrictions from its parent. This is similar to the seccomp inheritance (cf. +:doc:`/userspace-api/seccomp_filter`) or any other LSM dealing with task's +:manpage:`credentials(7)`. For instance, one process's thread may apply +Landlock rules to itself, but they will not be automatically applied to other +sibling threads (unlike POSIX thread credential changes, cf. +:manpage:`nptl(7)`). + +When a thread sandbox itself, we have the grantee that the related security +policy will stay enforced on all this thread's descendants. This enables to +create standalone and modular security policies per application, which will +automatically be composed between themselves according to their runtime parent +policies. + +Ptrace restrictions +------------------- + +A sandboxed process has less privileges than a non-sandboxed process and must +then be subject to additional restrictions when manipulating another process. +To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target +process, a sandboxed process should have a subset of the target process rules, +which means the tracee must be in a sub-domain of the tracer. + +.. _syscall: + +The `landlock` syscall and its arguments +======================================== + +.. kernel-doc:: security/landlock/syscall.c + :identifiers: sys_landlock + +Commands +-------- + +.. kernel-doc:: include/uapi/linux/landlock.h + :identifiers: landlock_cmd + +Options +------- + +.. kernel-doc:: include/uapi/linux/landlock.h + :identifiers: options_intro + options_get_features options_create_ruleset + options_add_rule options_enforce_ruleset + +Attributes +---------- + +.. kernel-doc:: include/uapi/linux/landlock.h + :identifiers: landlock_attr_features landlock_attr_ruleset + landlock_attr_path_beneath landlock_attr_enforce + +Access rights +------------- + +.. kernel-doc:: include/uapi/linux/landlock.h + :identifiers: fs_access + +Current limitations +=================== + +File renaming and linking +------------------------- + +Because Landlock targets unprivileged access controls, it is needed to properly +handle composition of rules. Such property also implies rules nesting. +Properly handling multiple layers of ruleset, each one of them able to restrict +access to files, also imply to inherit the ruleset restrictions from a parent +to its hierarchy. Because files are identified and restricted by their +hierarchy, moving or linking a file from one directory to another imply to +propagate the hierarchy constraints. To protect against privilege escalations +through renaming or linking, and for the sack of simplicity, Landlock currently +limits linking and renaming to the same directory. Future Landlock evolutions +will enable more flexibility for renaming and linking, with dedicated ruleset +options. + +OverlayFS +--------- + +An OverlayFS mount point consists of upper and lower layers. It is currently +not possible to reliably infer which underlying file hierarchy matches an +OverlayFS path composed of such layers. It is then not currently possible to +track the source of an indirect access-request, and then not possible to +properly identify and allow an unified OverlayFS hierarchy. Restricting files +in an OverlayFS mount point works, but files allowed in one layer may not be +allowed in a related OverlayFS mount point. A future Landlock evolution will +make possible to properly work with OverlayFS, according to a dedicated ruleset +option. + + +Special filesystems +------------------- + +Access to regular files and directories can be restricted by Landlock, +according to the handled accesses of a ruleset. However, files which do not +come from a user-visible filesystem (e.g. pipe, socket), but can still be +accessed through /proc/self/fd/, cannot currently be restricted. Likewise, +some special kernel filesystems such as nsfs which can be accessed through +/proc/self/ns/, cannot currently be restricted. For now, these kind of special +paths are then always allowed. Future Landlock evolutions will enable to +restrict such paths, with dedicated ruleset options. + +Questions and answers +===================== + +What about user space sandbox managers? +--------------------------------------- + +Using user space process to enforce restrictions on kernel resources can lead +to race conditions or inconsistent evaluations (i.e. `Incorrect mirroring of +the OS code and state +https://www.ndss-symposium.org/ndss2003/traps-and-pitfalls-practical-problems-system-call-interposition-based-security-tools/`_). + +What about namespaces and containers? +------------------------------------- + +Namespaces can help create sandboxes but they are not designed for +access-control and then miss useful features for such use case (e.g. no +fine-grained restrictions). Moreover, their complexity can lead to security +issues, especially when untrusted processes can manipulate them (cf. +`Controlling access to user namespaces https://lwn.net/Articles/673597/`_). + +Additional documentation +======================== + +See https://landlock.io + +.. Links +.. _samples/landlock/sandboxer.c: https://github.com/landlock-lsm/linux/tree/landlock-v19/samples/landlock/san...
linux-kselftest-mirror@lists.linaro.org