Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp284799pxx; Thu, 29 Oct 2020 02:32:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxx4MvqxL4evZoc33iJaGz9UZl7Y0DINOW4uNShgiaUwjvWQQ7+AJ9q79G5OcAm91LSRUuQ X-Received: by 2002:aa7:c9c3:: with SMTP id i3mr3091750edt.236.1603963925048; Thu, 29 Oct 2020 02:32:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603963925; cv=none; d=google.com; s=arc-20160816; b=Z9+cB15F0iavJwbOo22Mav9YBUCHCcLnhzkH9og/uJc/2YWeSZgB5wKQkQKv71frwZ eeSK4LF3dXugsXRBtYYIqmjJ7xvEecwU2I6yY+pUPhAOGMe+/e4zuaWTnPBePpIXMVGG IoDFIiXw717IUVlQBR7s7WDJzA21GayEgCGTWWnJvtsoCY8b80f0bQtyQxWtm4SHU0XG byIXnYDZYuwax4ZH+Ys5UUS3J/UPTeAX7anwZYoPiUvqlMkjVt96YTxmiK/WqNZSLT8e L8F4mnVadDnT815zQz/bqbrBuA+98xcTlm/5Ruaol2rQtCgd6nZV/ed/WdQFYb8J5Eac wouw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=N3R5Xy4ImXIRX50OPx3XiuKIoG5BkwuQZ9D/S2VbrMU=; b=zhQlWgli3NgrqY7T4KWLP7an1InTy79vdyYHQ9aCRzMQIkYvH7RQ7ddhS0hdyMh9rP S994yU0RourTcGEh+WKfIqJmJ3v9HMQCqvVUC8Pj8XSgfLVLZQR0fRcl+flN1guwy1G9 /zJBlGplFIIrvewn/6t84opqpjVDNsugUrp3iEETWvqid7TxmPhj9R7azooUeQjkbab2 MPUYYk9ow55RBVBSTr34ZA5ITho4H5EEWAUf51Pd/1CZ8+yPJzTlb5cRJG1LDvXgmvXg AFXDQt2rWTERKmfHM+RP4jsZOM1T0Jdt5tqgGZA1KIHG6bZA9UEyU0meEL5bllfr+cIn WkBw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k17si2045048eds.337.2020.10.29.02.31.41; Thu, 29 Oct 2020 02:32:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726515AbgJ2JaM (ORCPT + 99 others); Thu, 29 Oct 2020 05:30:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46782 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726701AbgJ2JaK (ORCPT ); Thu, 29 Oct 2020 05:30:10 -0400 Received: from smtp-42ad.mail.infomaniak.ch (smtp-42ad.mail.infomaniak.ch [IPv6:2001:1600:3:17::42ad]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5C5BAC0613D2 for ; Thu, 29 Oct 2020 02:30:10 -0700 (PDT) Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4CMKsq0bfrzljf95; Thu, 29 Oct 2020 10:30:07 +0100 (CET) Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4CMKsn1t98zlh8Tj; Thu, 29 Oct 2020 10:30:05 +0100 (CET) Subject: Re: [PATCH v22 01/12] landlock: Add object management To: Jann Horn Cc: James Morris , "Serge E . Hallyn" , Al Viro , Andy Lutomirski , Anton Ivanov , Arnd Bergmann , Casey Schaufler , Jeff Dike , Jonathan Corbet , Kees Cook , Michael Kerrisk , Richard Weinberger , Shuah Khan , Vincent Dagonneau , Kernel Hardening , Linux API , linux-arch , "open list:DOCUMENTATION" , linux-fsdevel , kernel list , "open list:KERNEL SELFTEST FRAMEWORK" , linux-security-module , the arch/x86 maintainers , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= References: <20201027200358.557003-1-mic@digikod.net> <20201027200358.557003-2-mic@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: Date: Thu, 29 Oct 2020 10:30:04 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 29/10/2020 02:05, Jann Horn wrote: > On Tue, Oct 27, 2020 at 9:04 PM Mickaël Salaün wrote: >> A Landlock object enables to identify a kernel object (e.g. an inode). >> A Landlock rule is a set of access rights allowed on an object. Rules >> are grouped in rulesets that may be tied to a set of processes (i.e. >> subjects) to enforce a scoped access-control (i.e. a domain). >> >> Because Landlock's goal is to empower any process (especially >> unprivileged ones) to sandbox themselves, we cannot rely on a >> system-wide object identification such as file extended attributes. >> Indeed, we need innocuous, composable and modular access-controls. >> >> The main challenge with these constraints is to identify kernel objects >> while this identification is useful (i.e. when a security policy makes >> use of this object). But this identification data should be freed once >> no policy is using it. This ephemeral tagging should not and may not be >> written in the filesystem. We then need to manage the lifetime of a >> rule according to the lifetime of its objects. To avoid a global lock, >> this implementation make use of RCU and counters to safely reference >> objects. >> >> A following commit uses this generic object management for inodes. >> >> Cc: James Morris >> Cc: Jann Horn >> Cc: Kees Cook >> Cc: Serge E. Hallyn >> Signed-off-by: Mickaël Salaün > > Reviewed-by: Jann Horn Thanks for the review. > > except for some minor nits: > > [...] >> diff --git a/security/landlock/object.c b/security/landlock/object.c > [...] >> +void landlock_put_object(struct landlock_object *const object) >> +{ >> + /* >> + * The call to @object->underops->release(object) might sleep e.g., > > s/ e.g.,/, e.g./ I indeed prefer the comma preceding the "e.g.", but it seems that there is a difference between UK english and US english: https://english.stackexchange.com/questions/16172/should-i-always-use-a-comma-after-e-g-or-i-e Looking at the kernel documentation makes it clear: $ git grep -F 'e.g. ' | wc -l 1179 $ git grep -F 'e.g., ' | wc -l 160 I'll apply your fix in the whole patch series. > >> + * because of iput(). >> + */ >> + might_sleep(); >> + if (!object) >> + return; > [...] >> +} >> diff --git a/security/landlock/object.h b/security/landlock/object.h > [...] >> +struct landlock_object { >> + /** >> + * @usage: This counter is used to tie an object to the rules matching >> + * it or to keep it alive while adding a new rule. If this counter >> + * reaches zero, this struct must not be modified, but this counter can >> + * still be read from within an RCU read-side critical section. When >> + * adding a new rule to an object with a usage counter of zero, we must >> + * wait until the pointer to this object is set to NULL (or recycled). >> + */ >> + refcount_t usage; >> + /** >> + * @lock: Guards against concurrent modifications. This lock must be > > s/must be/must be held/ ? Right. > >> + * from the time @usage drops to zero until any weak references from >> + * @underobj to this object have been cleaned up. >> + * >> + * Lock ordering: inode->i_lock nests inside this. >> + */ >> + spinlock_t lock; > [...] >> +}; >> + >> +struct landlock_object *landlock_create_object( >> + const struct landlock_object_underops *const underops, >> + void *const underojb); > > nit: "underobj" > Good catch!