[PATCH v10 02/13] landlock: Allow filesystem layout changes for domains without such rule type

Mickaël Salaün mic at digikod.net
Thu Apr 20 17:32:35 UTC 2023


On 20/04/2023 13:42, Konstantin Meskhidze (A) wrote:
> 
> 
> 4/16/2023 7:09 PM, Mickaël Salaün пишет:
>>
>> On 23/03/2023 09:52, Konstantin Meskhidze wrote:
>>> From: Mickaël Salaün <mic at digikod.net>
>>>
>>> Allow mount point and root directory changes when there is no filesystem
>>> rule tied to the current Landlock domain.  This doesn't change anything
>>> for now because a domain must have at least a (filesystem) rule, but
>>> this will change when other rule types will come.  For instance, a
>>> domain only restricting the network should have no impact on filesystem
>>> restrictions.
>>>
>>> Add a new get_current_fs_domain() helper to quickly check filesystem
>>> rule existence for all filesystem LSM hooks.
>>>
>>> Remove unnecessary inlining.
>>>
>>> Signed-off-by: Mickaël Salaün <mic at digikod.net>
>>> ---
>>>
>>> Changes since v9:
>>> * Refactors documentaion landlock.rst.
>>> * Changes ACCESS_FS_INITIALLY_DENIED constant
>>> to LANDLOCK_ACCESS_FS_INITIALLY_DENIED.
>>> * Gets rid of unnecessary masking of access_dom in
>>> get_raw_handled_fs_accesses() function.
>>>
>>> Changes since v8:
>>> * Refactors get_handled_fs_accesses().
>>> * Adds landlock_get_raw_fs_access_mask() helper.
>>>
>>> ---
>>>    Documentation/userspace-api/landlock.rst |  6 +-
>>>    security/landlock/fs.c                   | 78 ++++++++++++------------
>>>    security/landlock/ruleset.h              | 25 +++++++-
>>>    security/landlock/syscalls.c             |  6 +-
>>>    4 files changed, 68 insertions(+), 47 deletions(-)
>>>
>>
>> [...]
>>
>>> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
>>> index 71aca7f990bc..d35cd5d304db 100644
>>> --- a/security/landlock/syscalls.c
>>> +++ b/security/landlock/syscalls.c
>>> @@ -310,6 +310,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
>>>    	struct path path;
>>>    	struct landlock_ruleset *ruleset;
>>>    	int res, err;
>>> +	access_mask_t mask;
>>>
>>>    	if (!landlock_initialized)
>>>    		return -EOPNOTSUPP;
>>> @@ -348,9 +349,8 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
>>>    	 * Checks that allowed_access matches the @ruleset constraints
>>>    	 * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
>>>    	 */
>>> -	if ((path_beneath_attr.allowed_access |
>>> -	     landlock_get_fs_access_mask(ruleset, 0)) !=
>>> -	    landlock_get_fs_access_mask(ruleset, 0)) {
>>> +	mask = landlock_get_raw_fs_access_mask(ruleset, 0);
>>> +	if ((path_beneath_attr.allowed_access | mask) != mask) {
>>
>> This hunk can be moved to the previous patch (i.e. mask = …). This patch
>> should only contains the new landlock_get_raw_fs_access_mask() call.
>>
> 
>    Sorry. Did not get this tip. Please can you explain what do you mean here?

You can squash this part in the previous patch:

-	if ((path_beneath_attr.allowed_access |
-	     landlock_get_fs_access_mask(ruleset, 0)) !=
-	    landlock_get_fs_access_mask(ruleset, 0)) {
+	mask = landlock_get_fs_access_mask(ruleset, 0);
+	if ((path_beneath_attr.allowed_access | mask) != mask) {

And this patch will then only include this part:

-	mask = landlock_get_fs_access_mask(ruleset, 0);
+	mask = landlock_get_raw_fs_access_mask(ruleset, 0);


>>
>>>    		err = -EINVAL;
>>>    		goto out_put_ruleset;
>>>    	}
>>> --
>>> 2.25.1
>>>
>> .



More information about the Linux-security-module-archive mailing list