Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1906349pxb;
        Sat, 21 Nov 2020 02:15:26 -0800 (PST)
X-Google-Smtp-Source: ABdhPJycNcCeI4VKFWNbxViPpDZ+v7mwA4J2K1a+hGKokoo+jA80Qpwi9E/t67SYdVeDw5zQWU5m
X-Received: by 2002:a17:906:2a09:: with SMTP id j9mr35613830eje.355.1605953726336;
        Sat, 21 Nov 2020 02:15:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1605953726; cv=none;
        d=google.com; s=arc-20160816;
        b=BHZygKpZXIrJROzo5qgS4M3oawmMBvTjezZwTDfPDn9SHTMdL7kE9Fyh3s+16KWnTp
         R4qIe9LzHUPYvazGAuDHj3ono0yHNPQue9v6V2X4EndNKTsYeIwg30b33Rjj7z6nXkcr
         gE36X8OcsHD9BoDlPhxVajr8MUm373hue2Szsvgpt/Zga//g0+ukrLDM2XbAxmMR0DPB
         KyCkQFbtk+xL3scI6Gy1JY96LE53gCp6Y5gaDOVanKbCcOVIzeeoHPIAsnnH0WEYiRnY
         1Ui30v+3OvVcCUTjcFQNgaIg4mAOpqjFw7ykBqqO9MpWg5bhKDKCGXlxMscb3XfBv/7M
         eZKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject;
        bh=yDnOHnmS1WUOHnFI7RlwLLUrMrbj2tMBMtgfJ9MmYpg=;
        b=psW9fjdBg7gkZCtC2icLkHn2big5KSorwZFKdNOK2Flcgr2b1VXex5cejQnKBfhL/8
         L68/3jSI5Vid/+FuQX3koLFiV/8AexeJaiCSd5YG64l3Zm7ASfheN8owVCP9CZu1K5wd
         EcQaJbFWXbpeX0aMeB1LrBNpoSabCa9AVjsBWrKJi/Nng6vV3JZ2UZUggid0EoonPbKE
         gr1A5Y5d4mh5M6Xzh8LyinziYgCAtyuTxPem1b46yU82gcZ0ABuyR4/s1SMZV0K0euhv
         bra5mAIZDyJBejzHwMCyWERxtjsWR0JK1lsUG/NnJ91cymtDBCnmOBfzw/U/3YwQKBNC
         nW6w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id l2si3240892edf.467.2020.11.21.02.15.02;
        Sat, 21 Nov 2020 02:15:26 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727443AbgKUKLb (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Sat, 21 Nov 2020 05:11:31 -0500
Received: from smtp-8fae.mail.infomaniak.ch ([83.166.143.174]:51277 "EHLO
        smtp-8fae.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1727350AbgKUKLb (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 21 Nov 2020 05:11:31 -0500
Received: from smtp-3-0001.mail.infomaniak.ch (unknown [10.4.36.108])
        by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4CdThx34w6zlhnKD;
        Sat, 21 Nov 2020 11:11:29 +0100 (CET)
Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103])
        by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4CdThv53fQzlh8T9;
        Sat, 21 Nov 2020 11:11:27 +0100 (CET)
Subject: Re: [PATCH v24 01/12] landlock: Add object management
To:     Jann Horn <jannh@google.com>
Cc:     James Morris <jmorris@namei.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Andy Lutomirski <luto@amacapital.net>,
        Anton Ivanov <anton.ivanov@cambridgegreys.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Casey Schaufler <casey@schaufler-ca.com>,
        Jeff Dike <jdike@addtoit.com>,
        Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Richard Weinberger <richard@nod.at>,
        Shuah Khan <shuah@kernel.org>,
        Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        the arch/x86 maintainers <x86@kernel.org>,
        =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@linux.microsoft.com>
References: <20201112205141.775752-1-mic@digikod.net>
 <20201112205141.775752-2-mic@digikod.net>
 <CAG48ez0GryN4i0xCP22utLTqF5_o5J3nMBs+VC0DpQ+s09Bx6g@mail.gmail.com>
From:   =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@digikod.net>
Message-ID: <b684a6b7-93d5-3040-32ca-caf4d244cd6f@digikod.net>
Date:   Sat, 21 Nov 2020 11:11:27 +0100
User-Agent: 
MIME-Version: 1.0
In-Reply-To: <CAG48ez0GryN4i0xCP22utLTqF5_o5J3nMBs+VC0DpQ+s09Bx6g@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 21/11/2020 08:00, Jann Horn wrote:
> On Thu, Nov 12, 2020 at 9:51 PM Mickaël Salaün <mic@digikod.net> wrote:
>> A Landlock object enables to identify a kernel object (e.g. an inode).
>> A Landlock rule is a set of access rights allowed on an object.  Rules
>> are grouped in rulesets that may be tied to a set of processes (i.e.
>> subjects) to enforce a scoped access-control (i.e. a domain).
>>
>> Because Landlock's goal is to empower any process (especially
>> unprivileged ones) to sandbox themselves, we cannot rely on a
>> system-wide object identification such as file extended attributes.
>> Indeed, we need innocuous, composable and modular access-controls.
>>
>> The main challenge with these constraints is to identify kernel objects
>> while this identification is useful (i.e. when a security policy makes
>> use of this object).  But this identification data should be freed once
>> no policy is using it.  This ephemeral tagging should not and may not be
>> written in the filesystem.  We then need to manage the lifetime of a
>> rule according to the lifetime of its objects.  To avoid a global lock,
>> this implementation make use of RCU and counters to safely reference
>> objects.
>>
>> A following commit uses this generic object management for inodes.
>>
>> Cc: James Morris <jmorris@namei.org>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Serge E. Hallyn <serge@hallyn.com>
>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>> Reviewed-by: Jann Horn <jannh@google.com>
> 
> Still looks good, except for one comment:
> 
> [...]
>> +       /**
>> +        * @lock: Guards against concurrent modifications.  This lock might be
>> +        * held from the time @usage drops to zero until any weak references
>> +        * from @underobj to this object have been cleaned up.
>> +        *
>> +        * Lock ordering: inode->i_lock nests inside this.
>> +        */
>> +       spinlock_t lock;
> 
> Why did you change this to "might be held" (v22 had "must")? Is the
> "might" a typo?
> 

Good catch, a typo indeed.