From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Al Viro, Jann Horn, John Johansen, Kees Cook, Konstantin Meskhidze, Paul Moore, Shuah Khan, Tetsuo Handa, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Mickaël Salaün
Subject: [PATCH v2 05/12] landlock: Move filesystem helpers and add a new one
Date: Tue, 29 Mar 2022 14:51:10 +0200
Message-Id: <20220329125117.1393824-6-mic@digikod.net>
In-Reply-To: <20220329125117.1393824-1-mic@digikod.net>
References: <20220329125117.1393824-1-mic@digikod.net>

Move the SB_NOUSER and IS_PRIVATE dentry check to a standalone is_nouser_or_private() helper. This will be useful for a following commit.

Move get_mode_access() and maybe_remove() to make them usable by new code provided by a following commit.

Reviewed-by: Paul Moore
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220329125117.1393824-6-mic@digikod.net
---

Changes since v1:
* Move is_nouser_or_private() explanation up to a function header comment block as suggested by Paul Moore.
* Add Reviewed-by: Paul Moore.

--- security/landlock/fs.c | 87 ++++++++++++++++++++++-------------------- 1 file changed, 46 insertions(+), 41 deletions(-) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 461751c01726..57dc3fb0c557 100644 
--- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -257,6 +257,18 @@ static inline bool unmask_layers(const struct landlock_rule *const rule, return false; } +/* + * Allows access to pseudo filesystems that will never be mountable (e.g. + * sockfs, pipefs), but can still be reachable through + * /proc//fd/ + */ +static inline bool is_nouser_or_private(const struct dentry *dentry) +{ + return (dentry->d_sb->s_flags & SB_NOUSER) || + (d_is_positive(dentry) && + unlikely(IS_PRIVATE(d_backing_inode(dentry)))); +} + static int check_access_path(const struct landlock_ruleset *const domain, const struct path *const path, const access_mask_t access_request) @@ -270,14 +282,7 @@ static int check_access_path(const struct landlock_ruleset *const domain, return 0; if (WARN_ON_ONCE(!domain || !path)) return 0; - /* - * Allows access to pseudo filesystems that will never be mountable - * (e.g. sockfs, pipefs), but can still be reachable through - * /proc//fd/ . - */ - if ((path->dentry->d_sb->s_flags & SB_NOUSER) || - (d_is_positive(path->dentry) && - unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))) + if (is_nouser_or_private(path->dentry)) return 0; if (WARN_ON_ONCE(domain->num_layers < 1)) return -EACCES; 
@@ -356,6 +361,39 @@ static inline int current_check_access_path(const struct path *const path, return check_access_path(dom, path, access_request); } +static inline access_mask_t get_mode_access(const umode_t mode) +{ + switch (mode & S_IFMT) { + case S_IFLNK: + return LANDLOCK_ACCESS_FS_MAKE_SYM; + case 0: + /* A zero mode translates to S_IFREG. */ + case S_IFREG: + return LANDLOCK_ACCESS_FS_MAKE_REG; + case S_IFDIR: + return LANDLOCK_ACCESS_FS_MAKE_DIR; + case S_IFCHR: + return LANDLOCK_ACCESS_FS_MAKE_CHAR; + case S_IFBLK: + return LANDLOCK_ACCESS_FS_MAKE_BLOCK; + case S_IFIFO: + return LANDLOCK_ACCESS_FS_MAKE_FIFO; + case S_IFSOCK: + return LANDLOCK_ACCESS_FS_MAKE_SOCK; + default: + WARN_ON_ONCE(1); + return 0; + } +} + +static inline access_mask_t maybe_remove(const struct dentry *const dentry) +{ + if (d_is_negative(dentry)) + return 0; + return d_is_dir(dentry) ? LANDLOCK_ACCESS_FS_REMOVE_DIR : + LANDLOCK_ACCESS_FS_REMOVE_FILE; +} + /* Inode hooks */ static void hook_inode_free_security(struct inode *const inode) @@ -549,31 +587,6 @@ static int hook_sb_pivotroot(const struct path *const old_path, /* Path hooks */ -static inline access_mask_t get_mode_access(const umode_t mode) -{ - switch (mode & S_IFMT) { - case S_IFLNK: - return LANDLOCK_ACCESS_FS_MAKE_SYM; - case 0: - /* A zero mode translates to S_IFREG. */ - case S_IFREG: - return LANDLOCK_ACCESS_FS_MAKE_REG; - case S_IFDIR: - return LANDLOCK_ACCESS_FS_MAKE_DIR; - case S_IFCHR: - return LANDLOCK_ACCESS_FS_MAKE_CHAR; - case S_IFBLK: - return LANDLOCK_ACCESS_FS_MAKE_BLOCK; - case S_IFIFO: - return LANDLOCK_ACCESS_FS_MAKE_FIFO; - case S_IFSOCK: - return LANDLOCK_ACCESS_FS_MAKE_SOCK; - default: - WARN_ON_ONCE(1); - return 0; - } -} - /* * Creating multiple links or renaming may lead to privilege escalations if not * handled properly. Indeed, we must be sure that the source doesn't gain more 
@@ -601,14 +614,6 @@ static int hook_path_link(struct dentry *const old_dentry, get_mode_access(d_backing_inode(old_dentry)->i_mode)); } -static inline access_mask_t maybe_remove(const struct dentry *const dentry) -{ - if (d_is_negative(dentry)) - return 0; - return d_is_dir(dentry) ? LANDLOCK_ACCESS_FS_REMOVE_DIR : - LANDLOCK_ACCESS_FS_REMOVE_FILE; -} - static int hook_path_rename(const struct path *const old_dir, struct dentry *const old_dentry, const struct path *const new_dir, -- 2.35.1
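
Review bot: In the first hunk (@@ -257,6 +257,18 @@), the comment moved onto is_nouser_or_private() still describes an action ("Allows access to pseudo filesystems ...") although the function is a bool predicate that grants nothing by itself; the access decision is the caller's "return 0" in check_access_path(). Since the commit message says a following commit will use this helper, reword the header to state what a true result means (the superblock has SB_NOUSER set, or the dentry is positive and its backing inode is IS_PRIVATE) and that callers are expected to skip the Landlock check in exactly that case, so that a later caller does not treat it as a general bypass. Minor style point in the same hunk: the parameter is declared "const struct dentry *dentry", while maybe_remove() in this file takes "const struct dentry *const dentry"; use the same form here.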
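
Review bot: In the hunk at @@ -356,6 +361,39 @@, get_mode_access() and maybe_remove() are placed above the "/* Inode hooks */" section without any header comment, and both can return an empty mask: the "default:" branch of get_mode_access() returns 0 after WARN_ON_ONCE(1), and maybe_remove() returns 0 for a negative dentry. The stated purpose of the move is to make them usable by new code, so document on each function what a 0 return means for the caller (no access right to request), and for get_mode_access() say whether an unknown file type is really meant to map to an empty mask rather than to something the caller can treat as a denial. The bodies match the lines removed in the later hunks, so the move itself introduces no functional change.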