[RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring

Mickaël Salaün mic at digikod.net
Tue Mar 22 13:24:54 UTC 2022


On 22/03/2022 13:33, Konstantin Meskhidze wrote:
> 
> 
> 3/18/2022 9:33 PM, Mickaël Salaün пишет:
>>
>> On 17/03/2022 15:29, Konstantin Meskhidze wrote:
>>>
>>>
>>> 3/16/2022 11:27 AM, Mickaël Salaün пишет:
>>>>
>>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>>> A new object union added to support a socket port
>>>>> rule type. To support it landlock_insert_rule() and
>>>>> landlock_find_rule() were refactored. Now adding
>>>>> or searching a rule in a ruleset depends on a
>>>>> rule_type argument provided in refactored
>>>>> functions mentioned above.
>>>>>
>>>>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
>>>>> ---

[...]

>>>>> @@ -156,26 +166,38 @@ static void build_check_ruleset(void)
>>>>>    * access rights.
>>>>>    */
>>>>>   static int insert_rule(struct landlock_ruleset *const ruleset,
>>>>> -        struct landlock_object *const object,
>>>>> +        struct landlock_object *const object_ptr,
>>>>> +        const uintptr_t object_data,
>>
>> Can you move rule_type here for this function and similar ones? It 
>> makes sense to group object-related arguments.
> 
>   Just to group them together, not putting rule_type in the end?

Yes

[...]

>>>>> @@ -465,20 +501,28 @@ struct landlock_ruleset *landlock_merge_ruleset(
>>>>>    */
>>>>>   const struct landlock_rule *landlock_find_rule(
>>>>>           const struct landlock_ruleset *const ruleset,
>>>>> -        const struct landlock_object *const object)
>>>>> +        const uintptr_t object_data, const u16 rule_type)
>>>>>   {
>>>>>       const struct rb_node *node;
>>>>>
>>>>> -    if (!object)
>>>>> +    if (!object_data)
>>>>
>>>> object_data can be 0. You need to add a test with such value.
>>>>
>>>> We need to be sure that this change cannot affect the current FS code.
>>>
>>>   I got it. I will refactor it.
>>
>> Well, 0 means a port 0, which might not be correct, but this check 
>> should not be performed by landlock_merge_ruleset().
>>
>   Do you mean landlock_find_rule()?? Cause this check is not
>   performed in landlock_merge_ruleset().

Yes, I was thinking about landlock_find_rule(). If you run your tests 
with the patch I proposed, you'll see that one of these tests will fail 
(when port equal 0). When creating a new network rule, 
add_rule_net_service() should check if the port value is valid. However, 
the above `if (!object_data)` is not correct anymore.

The remaining question is: should we need to accept 0 as a valid TCP 
port? Can it be used? How does the kernel handle it?

> 
>>
>>>>
>>>>
>>>>>           return NULL;
>>>>> -    node = ruleset->root.rb_node;
>>>>> +
>>>>> +    switch (rule_type) {
>>>>> +    case LANDLOCK_RULE_PATH_BENEATH:
>>>>> +        node = ruleset->root_inode.rb_node;
>>>>> +        break;
>>>>> +    default:
>>>>> +        return ERR_PTR(-EINVAL);
>>>>
>>>> This is a bug. There is no check for such value. You need to check 
>>>> and update all call sites to catch such errors. Same for all new use 
>>>> of ERR_PTR().
>>>
>>> Sorry, I did not get your point.
>>> Do you mean I should check the correctness of rule_type in above 
>>> function which calls landlock_find_rule() ??? Why can't I add such 
>>> check here?
>>
>> landlock_find_rule() only returns NULL or a valid pointer, not an error.
> 
>    What about incorrect rule_type?? Return NULL? Or final rule_checl 
> must be in upper function?

This case should never happen anyway. You should return NULL and call 
WARN_ON_ONCE(1) just before. The same kind of WARN_ON_ONCE(1) call 
should be part of all switch/cases of rule_type (except the two valid 
values of course).



More information about the Linux-security-module-archive mailing list