Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1834692pxb;
        Fri, 20 Nov 2020 23:03:57 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxOt5hyL508Uwk7CO62YuL37sjzuAOWyNgw5awu+aenjEWU6+uykQs+D75S9w0Sj1ZuV5id
X-Received: by 2002:a17:906:26c7:: with SMTP id u7mr37116934ejc.494.1605942237714;
        Fri, 20 Nov 2020 23:03:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1605942237; cv=none;
        d=google.com; s=arc-20160816;
        b=rl0eTff2+RGNqXHvAE8CzXpDBs3v/zQRERhB5T61stPzyi45s0anXLsnhKR0tABd4g
         B0lWbftg5HvsiaF5vRdjjzGU9Qn8cz71TfNwH4pgFjmmYE7ruokNOutdMl0bRBlEp3U5
         qdXtEHFYdZ6OHSPmsm8hI/wZMwxDyfDXdEgN10iQCz3+C+1YDaX0TYzxZ8vzdayreU0R
         EF26jTFzSJU3Cl8xIBdFGtu9hbBgJj+jJ0313Ia2z4kdWX91NZ21NlJJxD8H6rH0h9Sv
         tmghhETaMbHr3dPSzVPtDl2hDsgmALrYhK7U0nREP6z7kld3+pO2WQ6b7Ls57QdssHZc
         LmBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=3f33ZbSviSsNDuxIsWsq/8c0yuXyzvCPrqPtP0RGi80=;
        b=018+VZiX9/8i/bUUwGJiXH6oYBZzxpkv/RywHLWNrKvJ+G2Ig15lmwpwhTT9BM6OCe
         KM2TqG0g6me7TiN+DZ0F2umQp1AoVe2ffV1X+LYCl6xYfzkZH1vxGlAzHhE22ODGYVuF
         sfrKrR6b9c1KZbUp/D01VpvcUfajHf2j9kcY3RSi/dOmYdGIdp4IBZsgkeBSagG7lKs2
         jq5yqxLRdWHFjEQ6JjYh1ARLT6iOu0+hgvOgd5XkJrpHd2/LM6EDX+AHLPbtgU1nfeEB
         IKbEn9ecvtfPTKsPz/cQB0y+cVzKPD/8fJOd6qXD2E+ix8w8YOtcOQmBK1JHzrENzOdL
         r7qA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=QTrvEtnW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id c15si3301047edf.17.2020.11.20.23.03.35;
        Fri, 20 Nov 2020 23:03:57 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=QTrvEtnW;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727216AbgKUHBg (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Sat, 21 Nov 2020 02:01:36 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44618 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727164AbgKUHBf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 21 Nov 2020 02:01:35 -0500
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 04C6CC061A48
        for <linux-kernel@vger.kernel.org>; Fri, 20 Nov 2020 23:01:35 -0800 (PST)
Received: by mail-lf1-x143.google.com with SMTP id t6so503608lfl.13
        for <linux-kernel@vger.kernel.org>; Fri, 20 Nov 2020 23:01:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=3f33ZbSviSsNDuxIsWsq/8c0yuXyzvCPrqPtP0RGi80=;
        b=QTrvEtnWrrcbOEs5U2zsXrELZY0joXKYt35ttFIfE3ljFGqVTsE2HaDPetDIzNV0Z+
         SNm0nIBKP392yJ/12exSP2lHAsN3IW99XL9OvKJShdVvhx6hWk5FMgqMLPmf5TLsXGFG
         +iHnXGnR267ovUqsrTD7TknzGTTVMN0JBhDcMHYa6hy9vumiKnlHEoByxwYUqFCeOJcH
         8ci6aX3IWWZAS35E7ZUq2QiVC5E+16bSvaDHHgcz3hRf5R5Sqdh41qyVdf7c65t3ii9K
         kE9FBm0MLZ2YAKu0t3JfnrIMbZ8lpvjGGU8/1aoQSH1X5Qz/sPTU1Mx00P4k2W69USLS
         xiIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=3f33ZbSviSsNDuxIsWsq/8c0yuXyzvCPrqPtP0RGi80=;
        b=bsIA0p+OW+5FDAw6HlECBgY4U1yrBFzR8Pq/P8GctCIzMb9Nto231RFoomeb4BbhJ0
         MXh3BZDu8CrvPCqNsXjRCvltnNfpmB6gzqOdJjHnHamIdYywr8ut55oTW4Ggn/oSEqDj
         NwB3w4mJwh9zzJmsh8q1jdMuInUf4A11c65Wu+GDB3BOOzsPGMtQvsU3Xey4MQR6iM2W
         covgF6Etlg6dbF1BsdGqSdo3yNnqqz/w667q/vqgdkzC7itBx0Q72oa3v9RvAgEt1LT2
         Fqife9JMvVUYk4o/8hcI3zw9hztALiw5oxhVHwSHy63Nep9XJ1I6ttg1Tr2Wh1KaS0NC
         ozBA==
X-Gm-Message-State: AOAM533u8z9hXxlPEUamIsAx65BaucmyB7G/UJDGxKF1TOTbxSkS5sBD
        vnO6DQzdD+nwW5h4X8/xPar6bvAWlxgaBcuR+rxPQg==
X-Received: by 2002:a19:4b48:: with SMTP id y69mr9985268lfa.576.1605942093292;
 Fri, 20 Nov 2020 23:01:33 -0800 (PST)
MIME-Version: 1.0
References: <20201112205141.775752-1-mic@digikod.net> <20201112205141.775752-3-mic@digikod.net>
In-Reply-To: <20201112205141.775752-3-mic@digikod.net>
From:   Jann Horn <jannh@google.com>
Date:   Sat, 21 Nov 2020 08:00:00 +0100
Message-ID: <CAG48ez2RE6S7jKQY3iyoNRM5vV67W4S7OwJ0gmNGy+MB8F56vg@mail.gmail.com>
Subject: Re: [PATCH v24 02/12] landlock: Add ruleset and domain management
To:     =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mic@digikod.net>
Cc:     James Morris <jmorris@namei.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Andy Lutomirski <luto@amacapital.net>,
        Anton Ivanov <anton.ivanov@cambridgegreys.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Jeff Dike <jdike@addtoit.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Richard Weinberger <richard@nod.at>,
        Shuah Khan <shuah@kernel.org>,
        Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        "the arch/x86 maintainers" <x86@kernel.org>,
        =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mic@linux.microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Nov 12, 2020 at 9:51 PM Micka=C3=ABl Sala=C3=BCn <mic@digikod.net> =
wrote:
> A Landlock ruleset is mainly a red-black tree with Landlock rules as
> nodes.  This enables quick update and lookup to match a requested
> access, e.g. to a file.  A ruleset is usable through a dedicated file
> descriptor (cf. following commit implementing syscalls) which enables a
> process to create and populate a ruleset with new rules.
>
> A domain is a ruleset tied to a set of processes.  This group of rules
> defines the security policy enforced on these processes and their future
> children.  A domain can transition to a new domain which is the
> intersection of all its constraints and those of a ruleset provided by
> the current process.  This modification only impact the current process.
> This means that a process can only gain more constraints (i.e. lose
> accesses) over time.
>
> Cc: James Morris <jmorris@namei.org>
> Cc: Jann Horn <jannh@google.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Serge E. Hallyn <serge@hallyn.com>
> Signed-off-by: Micka=C3=ABl Sala=C3=BCn <mic@linux.microsoft.com>
> ---
>
> Changes since v23:
> * Always intersect access rights.  Following the filesystem change
>   logic, make ruleset updates more consistent by always intersecting
>   access rights (boolean AND) instead of combining them (boolean OR) for
>   the same layer.

This seems wrong to me. If some software e.g. builds a policy that
allows it to execute specific libraries and to open input files
specified on the command line, and the user then specifies a library
as an input file, this change will make that fail unless the software
explicitly deduplicates the rules.
Userspace will be forced to add extra complexity to work around this.

>   This defensive approach could also help avoid user
>   space to inadvertently allow multiple access rights for the same
>   object (e.g.  write and execute access on a path hierarchy) instead of
>   dealing with such inconsistency.  This can happen when there is no
>   deduplication of objects (e.g. paths and underlying inodes) whereas
>   they get different access rights with landlock_add_rule(2).

I don't see why that's an issue. If userspace wants to be able to
access the same object in different ways for different purposes, it
should be able to do that, no?

I liked the semantics from the previous version.