[PATCH 0/3] Implement LANDLOCK_ADD_RULE_NO_INHERIT

Justin Suess utilityemal77 at gmail.com
Wed Nov 5 18:00:16 UTC 2025


Hi,

This patch builds on version 3 of the "quiet flag" series by Tingmao Wang.

v3: https://lore.kernel.org/linux-security-module/cover.1761511023.git.m@maowtm.org/

It implements a new flag that prevents inheriting access rights from parent
objects within a single landlock layer. This is useful for policies
where a parent directory requires looser access grants than its
children.

For example, within a single ruleset / layer, given:
    /a = rw
    /a/b = ro

Under the current featureset, /a/b receives rw permissions because it
inherits the w permission from /a.

To solve this, I add a new flag LANDLOCK_RULE_ADD_NO_INHERIT which
suppresses parent permissions.

For example:
    /a = rw
    /a/b = ro + LANDLOCK_RULE_ADD_NO_INHERIT

This grants /a/b only read permissions.

Design:
- When this flag is added to a rule, the landlock_unmask_layers function will
  track encounters of this flag in the rule_flags as it traverses up the fs
  tree. When this flag is encountered, the access grants of the current rule
  will be allowed, but further access grants by rules within that layer will
  be suppressed.
- Access grants made by rules in other layers will continue until the access
  requirements are satisfied.

Demo:
    ~ # LL_FS_RW="/" LL_FS_RO="" LL_FS_RO_NO_INHERIT="/tmp" landlock-sandboxer touch fi
    Executing the sandboxed command...
    ~ # ls
    bin   dev   etc   fi    init  proc  root  sbin  sys   tmp   usr
    ~ # LL_FS_RW="/" LL_FS_RO="" LL_FS_RO_NO_INHERIT="/tmp" landlock-sandboxer touch /tmp/fi
    Executing the sandboxed command...
    touch: /tmp/fi: Permission denied
    ~ # LL_FS_RW="/" LL_FS_RO="" LL_FS_RO_NO_INHERIT="/tmp" landlock-sandboxer sh
    Executing the sandboxed command...
    sh: can't access tty; job control turned off
    ~ # cd tmp
    /tmp # LL_FS_RW="/" LL_FS_RO="" LL_FS_RO_NO_INHERIT="/tmp" landlock-sandboxer ls
    Executing the sandboxed command...
    /tmp # LL_FS_RW="/" LL_FS_RO="" LL_FS_RO_NO_INHERIT="/tmp" landlock-sandboxer touch fifi
    Executing the sandboxed command...
    touch: fifi: Permission denied
    /tmp # LL_FS_RW="/" LL_FS_RO="" landlock-sandboxer touch fifi
    Executing the sandboxed command...
    touch: fifi: Permission denied
    /tmp #

This is my first patch/contribution to the LSM subsystem (and the Linux
kernel as a whole), so any feedback and corrections on mailing list
etiquette would be appreciated.

Very Respectfully,
Justin Suess

Justin Suess (3):
  landlock: Add flag to suppress access rule inheritance within a layer
  samples/landlock: Add no inherit support to sandboxer
  selftests/landlock: Add test for new no inherit flag

 include/uapi/linux/landlock.h              |  9 ++++
 samples/landlock/sandboxer.c               | 39 ++++++++++++----
 security/landlock/ruleset.c                |  8 ++++
 security/landlock/ruleset.h                | 10 ++++
 security/landlock/syscalls.c               |  3 +-
 tools/testing/selftests/landlock/fs_test.c | 53 +++++++++++++++++-----
 6 files changed, 99 insertions(+), 23 deletions(-)

base-commit: 77903de728f2a1ef40a31a3babf861b8fbf9530f
--
2.51.0
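To make the inheritance semantics from the cover letter concrete, the following is a small user-space model of the lookup it describes (walk from the object up to the root, OR in each rule's rights, stop the walk for that layer at a no-inherit rule, then require every layer to grant the access). It is an added example written for this page, not code from the series or from security/landlock. It assumes string-path matching (the kernel matches on inodes), two access bits instead of the full LANDLOCK_ACCESS_FS_* set, a hypothetical RULE_NO_INHERIT bit value, and models creating a file as write access on the parent directory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Access bits, modelled on Landlock's LANDLOCK_ACCESS_FS_* mask (two bits
 * are enough for the /a vs /a/b scenario in the cover letter). */
#define ACC_READ   (1u << 0)
#define ACC_WRITE  (1u << 1)

/* Hypothetical per-rule flag standing in for the series' no-inherit flag;
 * the bit value is an assumption of this model, not the proposed UAPI. */
#define RULE_NO_INHERIT (1u << 0)

#define MAX_RULES  8
#define MAX_LAYERS 4

struct rule {
    const char *path;  /* object the rule is attached to (string match here;
                        * the kernel matches on the inode) */
    uint32_t access;   /* rights this rule grants */
    uint32_t flags;    /* 0 or RULE_NO_INHERIT */
};

struct layer {
    struct rule rules[MAX_RULES];
    size_t nrules;
};

static const struct rule *find_rule(const struct layer *l, const char *path)
{
    for (size_t i = 0; i < l->nrules; i++)
        if (strcmp(l->rules[i].path, path) == 0)
            return &l->rules[i];
    return NULL;
}

/* Rights one layer grants for `path`: walk from the object up to "/" and OR
 * in every rule met.  A rule carrying RULE_NO_INHERIT still contributes its
 * own rights, but ends the walk for this layer so ancestors add nothing. */
static uint32_t layer_allowed(const struct layer *l, const char *path)
{
    char buf[256];
    uint32_t allowed = 0;

    snprintf(buf, sizeof(buf), "%s", path);
    for (;;) {
        const struct rule *r = find_rule(l, buf);
        char *slash;

        if (r) {
            allowed |= r->access;
            if (r->flags & RULE_NO_INHERIT)
                break;
        }
        if (strcmp(buf, "/") == 0)
            break;
        slash = strrchr(buf, '/');      /* drop the last path component */
        if (slash == buf)
            buf[1] = '\0';              /* parent is the root */
        else
            *slash = '\0';
    }
    return allowed;
}

/* Landlock semantics: an access is allowed only if every layer grants it. */
static bool access_allowed(const struct layer *layers, size_t nlayers,
                           const char *path, uint32_t requested)
{
    for (size_t i = 0; i < nlayers; i++)
        if (requested & ~layer_allowed(&layers[i], path))
            return false;
    return true;
}

/* Two stacked rulesets: layer 0 is the cover letter's /a = rw, /a/b = ro
 * (with `b_flags` applied to the /a/b rule); layer 1 grants rw from "/" so
 * the cross-layer behaviour is visible too.  Returns the layer count. */
static size_t build_demo(struct layer *layers, uint32_t b_flags)
{
    layers[0].rules[0] = (struct rule){ "/a",   ACC_READ | ACC_WRITE, 0 };
    layers[0].rules[1] = (struct rule){ "/a/b", ACC_READ, b_flags };
    layers[0].nrules = 2;
    layers[1].rules[0] = (struct rule){ "/",    ACC_READ | ACC_WRITE, 0 };
    layers[1].nrules = 1;
    return 2;
}

int main(void)
{
    struct layer with[MAX_LAYERS], without[MAX_LAYERS];
    size_t n = build_demo(with, RULE_NO_INHERIT);
    size_t m = build_demo(without, 0);

    /* Creating a file is modelled as write access on the parent directory. */
    printf("no-inherit: write /a/b -> %s\n",
           access_allowed(with, n, "/a/b", ACC_WRITE) ? "allowed" : "denied");
    printf("inherit:    write /a/b -> %s\n",
           access_allowed(without, m, "/a/b", ACC_WRITE) ? "allowed" : "denied");
    printf("no-inherit: write /a/c -> %s\n",
           access_allowed(with, n, "/a/c", ACC_WRITE) ? "allowed" : "denied");
    return 0;
}
```

The model shows the two properties the design section relies on: with the flag, a no-inherit rule caps everything at and below its object for that layer only (/a/b and /a/b/c end up read-only while /a/c keeps rw), and a second layer still has to grant the access on its own, so stacking cannot widen what an earlier layer denied.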