From: Mickaël Salaün
To: James Morris, "Serge E. Hallyn"
Cc: Mickaël Salaün, Al Viro, Jann Horn, Kees Cook, Konstantin Meskhidze, Paul Moore, Shuah Khan, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v1 00/11] Landlock: file linking and renaming support
Date: Mon, 21 Feb 2022 22:25:11 +0100
Message-Id: <20220221212522.320243-1-mic@digikod.net>

Hi,

One of the most annoying limitations of Landlock is that sandboxed processes can only link and rename files within the same directory (i.e. file reparenting is always denied). Indeed, because of the unprivileged nature of Landlock, file hierarchies are identified thanks to ephemeral inode tagging, which may cause arbitrary renaming and linking to change the security policy in an unexpected way.

This patch series brings a new access right, LANDLOCK_ACCESS_FS_REFER, which makes it possible to allow safe file linking and renaming. In a nutshell, Landlock checks that the inherited access rights of a moved or renamed file cannot increase but only reduce.

Six new test suites cover file renaming and linking, which brings coverage for security/landlock/ from 93.5% of lines to 94.4%.

The documentation and the tutorial are extended with this new access right, along with more explanations about backward and forward compatibility, good practices, and a bit about the rationale of the current access rights.

While developing this new feature, I also found an issue with the current implementation of Landlock.
In some (rare) cases, sandboxed processes may be more restricted than intended. Indeed, because of the current way to check file hierarchy access rights, the composition of rules may be incomplete when requesting multiple accesses at the same time. This is fixed with a dedicated patch involving some refactoring. A new test suite checks the relevant new edge cases.

As a side effect, and to limit the increased use of the stack, I reduced the number of Landlock nested domains from 64 to 16. I think this should be more than enough for legitimate use cases, but feel free to challenge this decision with real and legitimate use cases.

Because of the current path_rename security hook, Landlock cannot yet return consistent error codes with RENAME_EXCHANGE. I plan to address this issue in a next series.

This patch series was developed with some complementary new tests sent in a standalone patch series:
https://lore.kernel.org/r/20220221155311.166278-1-mic@digikod.net

Additionally, a new dedicated syzkaller test has been developed to cover new paths.
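As an added illustration of the LANDLOCK_ACCESS_FS_REFER rule described above (this is a simplified model written for this page, not code from this series or from security/landlock/fs.c), the following Python walks a constructed, two-layer policy and decides whether a file may be reparented. The bit values, the rule paths and the layer contents are all constructed here and do not come from the kernel UAPI.

```python
# Simplified model of the LANDLOCK_ACCESS_FS_REFER reparenting check.
# Illustration only, not the kernel code in security/landlock/fs.c.
from pathlib import PurePosixPath

# Access-right bits named after the Landlock UAPI; the values are constructed
# for this model and are not taken from include/uapi/linux/landlock.h.
READ_FILE = 1 << 0
WRITE_FILE = 1 << 1
MAKE_REG = 1 << 2
REFER = 1 << 3

def inherited_access(layer: dict, path: str) -> int:
    """Union of the masks of every rule in one layer that applies to `path`,
    i.e. rules on the path itself or on any of its ancestors."""
    p = PurePosixPath(path)
    mask = 0
    for rule_path, access in layer.items():
        rp = PurePosixPath(rule_path)
        if rp == p or rp in p.parents:
            mask |= access
    return mask

def reparent_allowed(layers: list, src_dir: str, dst_dir: str) -> bool:
    """True when a file may be moved or linked from src_dir into dst_dir.

    For every layer (nested Landlock domain) both directories must grant REFER,
    and the rights the file would inherit under dst_dir must be a subset of
    those it inherits under src_dir: rights may shrink, never grow.
    """
    for layer in layers:
        src = inherited_access(layer, src_dir)
        dst = inherited_access(layer, dst_dir)
        if not (src & REFER and dst & REFER):
            return False
        if dst & ~src:      # destination would add a right: escalation, deny
            return False
    return True

# Constructed sample policy: an outer domain and a more restrictive nested one.
OUTER = {
    "/home/user": READ_FILE | REFER,
    "/home/user/work": WRITE_FILE | MAKE_REG,
    "/tmp": READ_FILE | WRITE_FILE | MAKE_REG | REFER,
}
INNER = {
    "/home/user": READ_FILE | WRITE_FILE | MAKE_REG | REFER,
    "/tmp": READ_FILE | REFER,
}
LAYERS = [OUTER, INNER]
```

Moving from /home/user/work up to /home/user drops WRITE_FILE and MAKE_REG and is allowed, while the reverse move would gain them and is denied; moving /tmp into /home/user passes the outer layer but is refused by the nested one, which is how stacked domains compose.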
Regards,

Mickaël Salaün (11):
  landlock: Define access_mask_t to enforce a consistent access mask size
  landlock: Reduce the maximum number of layers to 16
  landlock: Create find_rule() from unmask_layers()
  landlock: Fix same-layer rule unions
  landlock: Move filesystem helpers and add a new one
  landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
  selftest/landlock: Add 6 new test suites dedicated to file reparenting
  samples/landlock: Add support for file reparenting
  landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning
  landlock: Document good practices about filesystem policies
  landlock: Add design choices documentation for filesystem access rights

 Documentation/security/landlock.rst          |  17 +-
 Documentation/userspace-api/landlock.rst     | 145 +++-
 include/uapi/linux/landlock.h                |  27 +-
 samples/landlock/sandboxer.c                 |  37 +-
 security/landlock/fs.c                       | 721 +++++++++++++++----
 security/landlock/fs.h                       |   2 +-
 security/landlock/limits.h                   |   6 +-
 security/landlock/ruleset.c                  |   6 +-
 security/landlock/ruleset.h                  |  23 +-
 security/landlock/syscalls.c                 |   2 +-
 tools/testing/selftests/landlock/base_test.c |   2 +-
 tools/testing/selftests/landlock/fs_test.c   | 634 +++++++++++++++-
 12 files changed, 1447 insertions(+), 175 deletions(-)

base-commit: cfb92440ee71adcc2105b0890bb01ac3cddb8507
-- 
2.35.1