[PATCH v10 02/13] landlock: Allow filesystem layout changes for domains without such rule type
Mickaël Salaün
mic at digikod.net
Sun Apr 16 16:09:08 UTC 2023
On 23/03/2023 09:52, Konstantin Meskhidze wrote:
> From: Mickaël Salaün <mic at digikod.net>
>
> Allow mount point and root directory changes when there is no filesystem
> rule tied to the current Landlock domain. This doesn't change anything
> for now because a domain must have at least a (filesystem) rule, but
> this will change when other rule types come. For instance, a
> domain only restricting the network should have no impact on filesystem
> restrictions.
>
> Add a new get_current_fs_domain() helper to quickly check filesystem
> rule existence for all filesystem LSM hooks.
>
> Remove unnecessary inlining.
>
> Signed-off-by: Mickaël Salaün <mic at digikod.net>
> ---
>
> Changes since v9:
> * Refactors documentation landlock.rst.
> * Changes ACCESS_FS_INITIALLY_DENIED constant
> to LANDLOCK_ACCESS_FS_INITIALLY_DENIED.
> * Gets rid of unnecessary masking of access_dom in
> get_raw_handled_fs_accesses() function.
>
> Changes since v8:
> * Refactors get_handled_fs_accesses().
> * Adds landlock_get_raw_fs_access_mask() helper.
>
> ---
> Documentation/userspace-api/landlock.rst | 6 +-
> security/landlock/fs.c | 78 ++++++++++++------------
> security/landlock/ruleset.h | 25 +++++++-
> security/landlock/syscalls.c | 6 +-
> 4 files changed, 68 insertions(+), 47 deletions(-)
>
[...]
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 71aca7f990bc..d35cd5d304db 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -310,6 +310,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
> struct path path;
> struct landlock_ruleset *ruleset;
> int res, err;
> + access_mask_t mask;
>
> if (!landlock_initialized)
> return -EOPNOTSUPP;
> @@ -348,9 +349,8 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
> * Checks that allowed_access matches the @ruleset constraints
> * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
> */
> - if ((path_beneath_attr.allowed_access |
> - landlock_get_fs_access_mask(ruleset, 0)) !=
> - landlock_get_fs_access_mask(ruleset, 0)) {
> + mask = landlock_get_raw_fs_access_mask(ruleset, 0);
> + if ((path_beneath_attr.allowed_access | mask) != mask) {
This hunk can be moved to the previous patch (i.e. mask = …). This patch
should only contain the new landlock_get_raw_fs_access_mask() call.
> err = -EINVAL;
> goto out_put_ruleset;
> }
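Review bot: The comment kept above the rewritten check still explains only the 64-bit promotion of ruleset->access_masks[0] and does not say why the check now reads landlock_get_raw_fs_access_mask() instead of landlock_get_fs_access_mask(). This comparison is what rejects a user-supplied allowed_access with -EINVAL, so add a sentence there stating how the raw mask differs from what the non-raw helper returns and why the raw one is the right bound for this validation; otherwise a later cleanup could switch it back unnoticed. The promotion remark now applies to the local `mask` (access_mask_t) in `(path_beneath_attr.allowed_access | mask) != mask`, so the comment could name that variable as well.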
> --
> 2.25.1
>