[RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring
Mickaël Salaün
mic at digikod.net
Tue Mar 22 13:24:54 UTC 2022
On 22/03/2022 13:33, Konstantin Meskhidze wrote:
>
>
> 3/18/2022 9:33 PM, Mickaël Salaün пишет:
>>
>> On 17/03/2022 15:29, Konstantin Meskhidze wrote:
>>>
>>>
>>> 3/16/2022 11:27 AM, Mickaël Salaün пишет:
>>>>
>>>> On 09/03/2022 14:44, Konstantin Meskhidze wrote:
>>>>>> A new object union is added to support a socket port
>>>>>> rule type. To support it, landlock_insert_rule() and
>>>>>> landlock_find_rule() were refactored. Now adding
>>>>>> or searching a rule in a ruleset depends on a
>>>>>> rule_type argument provided to the refactored
>>>>>> functions mentioned above.
>>>>>
>>>>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
>>>>> ---
[...]
>>>>> @@ -156,26 +166,38 @@ static void build_check_ruleset(void)
>>>>> * access rights.
>>>>> */
>>>>> static int insert_rule(struct landlock_ruleset *const ruleset,
>>>>> - struct landlock_object *const object,
>>>>> + struct landlock_object *const object_ptr,
>>>>> + const uintptr_t object_data,
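Review bot: insert_rule() now takes two object representations, `struct landlock_object *const object_ptr` and `const uintptr_t object_data`, but nothing in this hunk ties them to the rule type that decides which of the two is meaningful; group `rule_type` next to these parameters rather than at the end of the argument list, and extend the kernel-doc comment above (`* access rights.`) to state which of object_ptr/object_data must be set for each rule type and that the other is ignored.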
>>
>> Can you move rule_type here for this function and similar ones? It
>> makes sense to group object-related arguments.
>
> Just to group them together, not putting rule_type at the end?
Yes
[...]
>>>>> @@ -465,20 +501,28 @@ struct landlock_ruleset *landlock_merge_ruleset(
>>>>> */
>>>>> const struct landlock_rule *landlock_find_rule(
>>>>> const struct landlock_ruleset *const ruleset,
>>>>> - const struct landlock_object *const object)
>>>>> + const uintptr_t object_data, const u16 rule_type)
>>>>> {
>>>>> const struct rb_node *node;
>>>>>
>>>>> - if (!object)
>>>>> + if (!object_data)
>>>>
>>>> object_data can be 0. You need to add a test with such value.
>>>>
>>>> We need to be sure that this change cannot affect the current FS code.
>>>
>>> I got it. I will refactor it.
>>
>> Well, 0 means a port 0, which might not be correct, but this check
>> should not be performed by landlock_merge_ruleset().
>>
> Do you mean landlock_find_rule()?? Because this check is not
> performed in landlock_merge_ruleset().
Yes, I was thinking about landlock_find_rule(). If you run your tests
with the patch I proposed, you'll see that one of these tests will fail
(when port equals 0). When creating a new network rule,
add_rule_net_service() should check if the port value is valid. However,
the above `if (!object_data)` is not correct anymore.
The remaining question is: should we accept 0 as a valid TCP
port? Can it be used? How does the kernel handle it?
>
>>
>>>>
>>>>
>>>>> return NULL;
>>>>> - node = ruleset->root.rb_node;
>>>>> +
>>>>> + switch (rule_type) {
>>>>> + case LANDLOCK_RULE_PATH_BENEATH:
>>>>> + node = ruleset->root_inode.rb_node;
>>>>> + break;
>>>>> + default:
>>>>> + return ERR_PTR(-EINVAL);
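Review bot: the `default:` branch's `+ return ERR_PTR(-EINVAL);` changes landlock_find_rule()'s contract from "NULL or a valid rule" to one that can hand back an encoded error pointer, and nothing in this hunk updates the callers to test IS_ERR(); a caller that only checks for NULL will dereference the -EINVAL pointer. Since an unknown rule_type cannot legitimately reach this point, prefer `WARN_ON_ONCE(1); return NULL;` here and keep the real validation in the syscall path. Separately, the `+ if (!object_data)` early return now also rejects lookups for a port value of 0 once object_data carries a port; that validity check belongs where network rules are created, not in the lookup.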
>>>>
>>>> This is a bug. There is no check for such value. You need to check
>>>> and update all call sites to catch such errors. Same for all new use
>>>> of ERR_PTR().
>>>
>>> Sorry, I did not get your point.
>>> Do you mean I should check the correctness of rule_type in the above
>>> function which calls landlock_find_rule()? Why can't I add such a
>>> check here?
>>
>> landlock_find_rule() only returns NULL or a valid pointer, not an error.
>
> What about an incorrect rule_type? Return NULL? Or must the final rule_check
> be in the upper function?
This case should never happen anyway. You should return NULL and call
WARN_ON_ONCE(1) just before. The same kind of WARN_ON_ONCE(1) call
should be part of all switch/cases of rule_type (except the two valid
values of course).
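As an added example (not code from the patch or from the Landlock tree), the following user-space model shows the lookup behaviour settled on in this thread: a NULL-only return contract, WARN_ON_ONCE() on an unexpected rule_type, and no `!object_data` short-cut that would hide a port 0 rule. The struct rule_entry, find_rule(), the flat tables standing in for the kernel's rb-trees, the WARN_ON_ONCE() stub and the LANDLOCK_RULE_NET_SERVICE name and value are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* PATH_BENEATH matches the Landlock UAPI value; the port rule's name
 * and value are assumptions made for this example. */
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_RULE_NET_SERVICE  2
static int warn_count;                      /* stand-in for WARN_ON_ONCE() */
#define WARN_ON_ONCE(cond) do { if (cond) warn_count++; } while (0)

struct rule_entry {
	uintptr_t object_data;   /* inode object pointer or TCP port number */
	uint16_t rule_type;
	uint32_t access;         /* constructed access mask */
};

/* Flat tables stand in for ruleset->root_inode and a per-port tree. */
static const struct rule_entry inode_rules[] = {
	{ 0x1000, LANDLOCK_RULE_PATH_BENEATH, 0x3 },
};
static const struct rule_entry port_rules[] = {
	{ 0,   LANDLOCK_RULE_NET_SERVICE, 0x1 },   /* port 0 is a real key */
	{ 443, LANDLOCK_RULE_NET_SERVICE, 0x2 },
};

/* Returns the matching rule or NULL, never an ERR_PTR, so callers that
 * only test for NULL stay correct.  There is no `if (!object_data)`
 * short-cut: 0 is a legitimate port key, and an inode rule is never
 * stored under a NULL object, so a 0 lookup there just finds nothing. */
static const struct rule_entry *find_rule(uintptr_t object_data,
					  uint16_t rule_type)
{
	const struct rule_entry *tbl;
	size_t n, i;
	switch (rule_type) {
	case LANDLOCK_RULE_PATH_BENEATH:
		tbl = inode_rules; n = sizeof(inode_rules) / sizeof(*inode_rules);
		break;
	case LANDLOCK_RULE_NET_SERVICE:
		tbl = port_rules; n = sizeof(port_rules) / sizeof(*port_rules);
		break;
	default:
		WARN_ON_ONCE(1);   /* should be unreachable: callers validate rule_type */
		return NULL;
	}
	for (i = 0; i < n; i++)
		if (tbl[i].object_data == object_data)
			return &tbl[i];
	return NULL;
}
```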