From: Mickaël Salaün
Date: Thu, 17 Mar 2022 13:06:02 +0100
To: Paul Moore
Cc: James Morris, "Serge E . Hallyn", Al Viro, Jann Horn, Kees Cook, Konstantin Meskhidze, Shuah Khan, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün
Subject: Re: [PATCH v1 09/11] landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning
References: <20220221212522.320243-1-mic@digikod.net> <20220221212522.320243-10-mic@digikod.net>

On 17/03/2022 02:27, Paul Moore wrote:
> On Mon, Feb 21, 2022 at 4:15 PM Mickaël Salaün wrote:
>>
>> From: Mickaël Salaün
>>
>> Add LANDLOCK_ACCESS_FS_REFER in the example and properly check to only
>> use it if the current kernel supports it thanks to the Landlock ABI
>> version.
>>
>> Move the file renaming and linking limitation to a new "Previous
>> limitations" section.
>>
>> Improve documentation about the backward and forward compatibility,
>> including the rationale for ruleset's handled_access_fs.
>>
>> Signed-off-by: Mickaël Salaün
>> Link: https://lore.kernel.org/r/20220221212522.320243-10-mic@digikod.net
>> ---
>>  Documentation/userspace-api/landlock.rst | 124 +++++++++++++++++++----
>>  1 file changed, 104 insertions(+), 20 deletions(-)
>
> Thanks for remembering to update the docs :) I made a few phrasing
> suggestions below, but otherwise it looks good to me.

Thanks Paul! I'll take them.

>
> Reviewed-by: Paul Moore
>
>> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
>> index f35552ff19ba..97db09d36a5c 100644
>> --- a/Documentation/userspace-api/landlock.rst
>> +++ b/Documentation/userspace-api/landlock.rst
>> @@ -281,6 +347,24 @@ Memory usage >> Kernel memory allocated to create rulesets is accounted and can be restricted >> by the Documentation/admin-guide/cgroup-v1/memory.rst. >> >> +Previous limitations >> +==================== >> + >> +File renaming and linking (ABI 1) >> +--------------------------------- >> + >> +Because Landlock targets unprivileged access controls, it is needed to properly > ^^^^^ > "... controls, it needs to ..." > >> +handle composition of rules. Such property also implies rules nesting. >> +Properly handling multiple layers of ruleset, each one of them able to restrict > ^^^^^^^ > "rulesets," > >> +access to files, also implies to inherit the ruleset restrictions from a parent > ^^^^^^^^^^ > "... implies inheritance of the ..." > >> +to its hierarchy. Because files are identified and restricted by their >> +hierarchy, moving or linking a file from one directory to another implies to >> +propagate the hierarchy constraints. > > "... one directory to another implies propagation of the hierarchy constraints." > >> + To protect against privilege escalations > >> +through renaming or linking, and for the sake of simplicity, Landlock previously >> +limited linking and renaming to the same directory. Starting with the Landlock >> +ABI version 2, it is now possible to securely control renaming and linking >> +thanks to the new `LANDLOCK_ACCESS_FS_REFER` access right. > > -- > paul-moore.com
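Review bot: the new "Previous limitations" section never tells the reader how to learn which ABI the running kernel implements, yet its closing sentence ("Starting with the Landlock ABI version 2, it is now possible to securely control renaming and linking thanks to the new `LANDLOCK_ACCESS_FS_REFER` access right.") is only actionable if a program can detect an ABI 1 kernel and leave that bit out of handled_access_fs; add a cross-reference to the compatibility section this series expands (the commit message says it documents the Landlock ABI version check and the rationale for ruleset's handled_access_fs) so the limitation points at the detection mechanism. Two smaller points: "it is now possible" will read oddly once ABI 2 is itself old, and "Since Landlock ABI version 2, renaming and linking can be securely controlled with the `LANDLOCK_ACCESS_FS_REFER` access right." says the same without a time anchor; and the heading's "(ABI 1)" versus the body's "ABI version 2" should settle on one form.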
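The compatibility pattern the commit message describes (query the kernel's Landlock ABI version, then request `LANDLOCK_ACCESS_FS_REFER` in `handled_access_fs` only when the kernel is ABI 2 or later) is shown below as an added example; it is not code from the patch, the Landlock documentation or the kernel tree. The ABI query via the `LANDLOCK_CREATE_RULESET_VERSION` flag and the bit values of the access rights are the upstream definitions from `<linux/landlock.h>`, repeated under `#ifndef` guards only so the file builds where that header is absent; `handled_fs_for_abi`, `landlock_abi_version`, `ACCESS_FS_ABI1` and `struct compat_ruleset_attr` are names chosen for this example.

```c
/*
 * Added example (not from the patch or the Landlock docs): size a ruleset's
 * handled_access_fs to the running kernel's Landlock ABI so that
 * LANDLOCK_ACCESS_FS_REFER is requested only on ABI 2 and later.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__has_include)
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#endif
#endif

/* Fallbacks mirroring <linux/landlock.h>; used only when the header is missing. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444 /* same number on every architecture */
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif
#ifndef LANDLOCK_ACCESS_FS_REFER
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13) /* introduced by ABI 2 */
#endif

/* The thirteen access rights defined by ABI 1 (EXECUTE .. MAKE_SYM): bits 0-12. */
#define ACCESS_FS_ABI1 ((1ULL << 13) - 1)

/* Layout of struct landlock_ruleset_attr in ABI 1 and 2; a private name avoids
 * clashing with the header's definition when it is present. */
struct compat_ruleset_attr {
    uint64_t handled_access_fs;
};

/* Rights a program should ask Landlock to handle on a kernel implementing
 * `abi`: every right that kernel understands and none it does not.  A bit the
 * kernel does not know makes landlock_create_ruleset() fail with EINVAL, so
 * trimming here is what keeps the sandbox working on older kernels. */
uint64_t handled_fs_for_abi(int abi)
{
    uint64_t handled = 0;

    if (abi < 1)
        return 0; /* no Landlock at all: nothing can be handled */
    handled |= ACCESS_FS_ABI1;
    if (abi >= 2)
        handled |= LANDLOCK_ACCESS_FS_REFER;
    return handled;
}

/* Ask the running kernel for its Landlock ABI version.  Returns -1 with errno
 * set when Landlock is absent (ENOSYS) or disabled at boot (EOPNOTSUPP). */
int landlock_abi_version(void)
{
    return (int)syscall(__NR_landlock_create_ruleset, NULL, 0,
                        LANDLOCK_CREATE_RULESET_VERSION);
}

int main(void)
{
    int abi = landlock_abi_version();
    struct compat_ruleset_attr attr;
    int ruleset_fd;

    if (abi < 0) {
        fprintf(stderr, "Landlock unavailable: %s\n", strerror(errno));
        return 1;
    }
    attr.handled_access_fs = handled_fs_for_abi(abi);
    printf("Landlock ABI %d: handled_access_fs = 0x%llx (REFER %s)\n", abi,
           (unsigned long long)attr.handled_access_fs,
           (attr.handled_access_fs & LANDLOCK_ACCESS_FS_REFER) ? "on" : "off");

    /* The kernel accepts the mask precisely because no unknown bit is set. */
    ruleset_fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0) {
        perror("landlock_create_ruleset");
        return 1;
    }
    /* A real sandbox would now add rules and call landlock_restrict_self();
     * this example stops here and only releases the ruleset. */
    close(ruleset_fd);
    return 0;
}
```

On an ABI 1 kernel the program handles the thirteen original rights and rename or link across directories stays refused, as the "Previous limitations" section describes; on ABI 2 or later the `REFER` bit is added and the same binary can express cross-directory renaming and linking rules.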