Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1895707pxb;
        Sat, 21 Nov 2020 01:49:50 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyXS3k1emDSCFu9ipd8W9x5aj0LTuQ92Rz8OIoBI7AqpGbB4+A/uh36tkq6ac8j7tgkvuhQ
X-Received: by 2002:a17:906:b759:: with SMTP id fx25mr18800693ejb.347.1605952189953;
        Sat, 21 Nov 2020 01:49:49 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1605952189; cv=none;
        d=google.com; s=arc-20160816;
        b=NRBNRw3C0znnEexT8VzI7XuMylWm4zKiTOZ0W5mYQGkCZ+sFOg89tqiCPBh+IGi8L1
         R+oG84oFy53tGA3P9iDenhRCnSMwNB+K51s+dzv00w21Nsd++e8ysVKWJtqka5/QHmKU
         4aYbTNWTflb1fOx8rk90crCJMqcRl9I6MKDbZvZOoecU7IPWLo/6UQ9JgTTrJI506r0R
         KypG9tfRYrPU8GZyfj+YQeRU/LokKt5u8ysdiiSRlJgpOaOpuKLhOCZIWlH/0X94pyt8
         QWvjPC751jpv2Qzsnzrx25tkAmxuD7R2HXZ4HFtSuYpD3szh5FH+I/zNlM8oQCk1DMCE
         1zPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject;
        bh=fYpZ4SjfGBVjz9pbdX1P1Gg0H9gZUN88ZNvEbTPO+c4=;
        b=lIRaZ75pgVU2HinSmBlICqN9XRwE8q/+g0f0ktXdbWUDPS/XMhA0o7QtAaTDy7fcpy
         L9n39cTNKd5Rut7CkLMvxSkfHMUSHN3YEOW+2MRWDDbu6wHqjVKGugVDdqU8VxydCRUw
         kaBsXhnWqRhQ/ACoMpDk8C2FER1NNFqjxii/QB8sWLdfsq5zutrFlNBvcLMETAbdM35o
         C8R1F9Yv0HOAJfAQTrjnvmfsWh/SjGIqycvAI9gdSsb26/PElebVSO8SYi+Tx3YacPpv
         QJHq9e2XnJ/frcrrQ/3M6k6dFq4Ud/ZB86TVZgZAc3XxDeeMv1X4oJztjdsuBuBLlkCc
         VPyQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id w29si3248464edi.534.2020.11.21.01.49.23;
        Sat, 21 Nov 2020 01:49:49 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726629AbgKUJpH (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Sat, 21 Nov 2020 04:45:07 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41312 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727257AbgKUJpG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 21 Nov 2020 04:45:06 -0500
Received: from smtp-42ab.mail.infomaniak.ch (smtp-42ab.mail.infomaniak.ch [IPv6:2001:1600:3:17::42ab])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5DF9EC061A49;
        Sat, 21 Nov 2020 01:45:06 -0800 (PST)
Received: from smtp-3-0001.mail.infomaniak.ch (unknown [10.4.36.108])
        by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4CdT6R6RqJzlhrhL;
        Sat, 21 Nov 2020 10:45:03 +0100 (CET)
Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103])
        by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4CdT6P5kbjzlh8TD;
        Sat, 21 Nov 2020 10:45:01 +0100 (CET)
Subject: Re: [PATCH v24 02/12] landlock: Add ruleset and domain management
To:     Jann Horn <jannh@google.com>
Cc:     James Morris <jmorris@namei.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Andy Lutomirski <luto@amacapital.net>,
        Anton Ivanov <anton.ivanov@cambridgegreys.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Jeff Dike <jdike@addtoit.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Richard Weinberger <richard@nod.at>,
        Shuah Khan <shuah@kernel.org>,
        Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        the arch/x86 maintainers <x86@kernel.org>,
        =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@linux.microsoft.com>
References: <20201112205141.775752-1-mic@digikod.net>
 <20201112205141.775752-3-mic@digikod.net>
 <CAG48ez2RE6S7jKQY3iyoNRM5vV67W4S7OwJ0gmNGy+MB8F56vg@mail.gmail.com>
From:   =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@digikod.net>
Message-ID: <28499c4b-d388-7bd1-046e-a775c326e156@digikod.net>
Date:   Sat, 21 Nov 2020 10:45:01 +0100
User-Agent: 
MIME-Version: 1.0
In-Reply-To: <CAG48ez2RE6S7jKQY3iyoNRM5vV67W4S7OwJ0gmNGy+MB8F56vg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 21/11/2020 08:00, Jann Horn wrote:
> On Thu, Nov 12, 2020 at 9:51 PM Mickaël Salaün <mic@digikod.net> wrote:
>> A Landlock ruleset is mainly a red-black tree with Landlock rules as
>> nodes.  This enables quick update and lookup to match a requested
>> access, e.g. to a file.  A ruleset is usable through a dedicated file
>> descriptor (cf. following commit implementing syscalls) which enables a
>> process to create and populate a ruleset with new rules.
>>
>> A domain is a ruleset tied to a set of processes.  This group of rules
>> defines the security policy enforced on these processes and their future
>> children.  A domain can transition to a new domain which is the
>> intersection of all its constraints and those of a ruleset provided by
>> the current process.  This modification only impact the current process.
>> This means that a process can only gain more constraints (i.e. lose
>> accesses) over time.
>>
>> Cc: James Morris <jmorris@namei.org>
>> Cc: Jann Horn <jannh@google.com>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Serge E. Hallyn <serge@hallyn.com>
>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>> ---
>>
>> Changes since v23:
>> * Always intersect access rights.  Following the filesystem change
>>   logic, make ruleset updates more consistent by always intersecting
>>   access rights (boolean AND) instead of combining them (boolean OR) for
>>   the same layer.
> 
> This seems wrong to me. If some software e.g. builds a policy that
> allows it to execute specific libraries and to open input files
> specified on the command line, and the user then specifies a library
> as an input file, this change will make that fail unless the software
> explicitly deduplicates the rules.
> Userspace will be forced to add extra complexity to work around this.

That's a valid use case I didn't think about. Reverting this change is
not an issue.

> 
>>   This defensive approach could also help avoid user
>>   space to inadvertently allow multiple access rights for the same
>>   object (e.g.  write and execute access on a path hierarchy) instead of
>>   dealing with such inconsistency.  This can happen when there is no
>>   deduplication of objects (e.g. paths and underlying inodes) whereas
>>   they get different access rights with landlock_add_rule(2).
> 
> I don't see why that's an issue. If userspace wants to be able to
> access the same object in different ways for different purposes, it
> should be able to do that, no?
> 
> I liked the semantics from the previous version.
> 

I agree, but the real issue is with the ruleset layers applied to the
filesystem, cf. patch 7.