Received: by 2002:a05:6a10:144:0:0:0:0 with SMTP id 4csp602073pxw;
        Fri, 8 Apr 2022 16:22:01 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxiInVMVtpxk9hYFqFPHcZSiS1WxhJ/WarKZf4+xPl36/cX0tO/yhZJXg06SundzVlEmb66
X-Received: by 2002:a17:903:32c9:b0:154:3a2d:fa89 with SMTP id i9-20020a17090332c900b001543a2dfa89mr21387473plr.3.1649460120840;
        Fri, 08 Apr 2022 16:22:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649460120; cv=none;
        d=google.com; s=arc-20160816;
        b=WrATF5Xl7fT42PeZxxywsi9vU0l/isWzcL0b8zoeAOkdZRP2Ik0edCLA9oitnQfOLU
         SpHirgQ/PrHmgDsmLWUNc2biAlorSMV55NbY4ZeCniTp4e03WjEWHI1+43X0GyokJ9fh
         iscIRb6jbcEsNOTSrO9sLjqIjopoGffVy7LIsmZBZmJ0JOpkZXobGUmwu0a7Xyt8L8OF
         ccjX1UH1zm9oow8PmsByQY7BEWxekfJJUQ+Mp1LKaEyKpiyjoSTTU8t1g1sH6idL2C5y
         csK5H8znoGJWivqIWtUHZ8HVfu3fqyO+42qUDv9Yg6ROiK1jnL4CfuGUuW7faXJcIC/P
         FMdg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=0o/SUj9l7QxccG0h5Jo/GmbooXfRNd11V119ZFnMckU=;
        b=Glj5EtEiwbsbndNbqgoYIWGRnT0hvWLtHHDOV3amAyRaBr0obmkxXAkgjRkYAtAe7X
         JlM/5x+ewjYNpCwD8SHiFpu2JngJiE7lVobWB7gf9oot1Dz7p0EHodB15nOx60yN6Co8
         eQMuTUwP/DNuP4G4gk5WIAF6Fl+SEq+1Ti0S5lhPWCOIarmQF0Ipq9wEsIQ7/qpg5/ZH
         EPP6gCLANXvFQkdmdokEpmz7NnalYaI4dpGmnQamFZ2k/OZf+w9QFt8+3B3R1wQOulqC
         ox2PPgXy8wgqfmxdV5E3TY6efoAAFYOJ8kemFfmhb7+/u7YKoy0S+rJkFmchjoG9g6j/
         cJUw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=Bcop1hZH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id w4-20020a056a0014c400b004fa849f7ed6si2458199pfu.243.2022.04.08.16.21.37;
        Fri, 08 Apr 2022 16:22:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20210112.gappssmtp.com header.s=20210112 header.b=Bcop1hZH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229934AbiDHRQT (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Fri, 8 Apr 2022 13:16:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37652 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231315AbiDHRQR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 8 Apr 2022 13:16:17 -0400
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C5F226AF2
        for <linux-kernel@vger.kernel.org>; Fri,  8 Apr 2022 10:14:12 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id bg10so18633929ejb.4
        for <linux-kernel@vger.kernel.org>; Fri, 08 Apr 2022 10:14:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20210112.gappssmtp.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=0o/SUj9l7QxccG0h5Jo/GmbooXfRNd11V119ZFnMckU=;
        b=Bcop1hZHOgBQuDGa7QitchzS0rKGKo3Ujzo71w/Wg7uqUxCVHUVlo92yaoWsUMrhRj
         ESWDeJ108bo2TC+NhPefjFOhaRDCLsElwntWQdZsiIRsMFV+a5N26gAoJHqQ0NaNmC5N
         2j8VZstcNjF4gMMxOfs4qJxHsBKOOT+pM2XOXa5hn9gDbXYa/Q3BtQtEvlQ9AeoLxidO
         GjZSsNlAk/Y9LFNVvuDWh0aLFlTNhOXx8qHdOtx7pxqnWiEY05W9UsL2en5nX+x3eScQ
         Umlu4wdPONyvMdVp+Da+0cCRIW3ekitvW5oEav/ZqeLXGawpVHbb8fcdR5wvvBQ3NPeF
         cMkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=0o/SUj9l7QxccG0h5Jo/GmbooXfRNd11V119ZFnMckU=;
        b=pwK0KKQCYT3G8psi1q+knMeZvrgIsr7jVeP5xNljLalOJ0VkAPUBzpdj5mmyQ1cfWb
         xG2TXqWaBAbCcyqFQiAHONd7nf8IdJ3CD19z+5JsFV7vXQONvkyGxsk7/KU3cZR5vbUI
         NzzUQ/MAMfSzfx2Md2ji21iWUb1Atq1XbrWxbTVBZDiRAp9w3hWyhF71VYkGbCD83+F0
         yXXclZBHb7tSryxT1a7386FPAVLkmFgzMM6vmW/dTJykmbn/fn2X/oR0AuEby7X4ZWEt
         CsZ126LL1GLcb1Kmxkncm9CaBzoPmTS0H5J4s3xJHaaW/Ojpk99bBYee1Vepx6Ac371k
         anDQ==
X-Gm-Message-State: AOAM533UBu9Gtmi8F5QtqNMSYSX6yepGZkfQ3kwz/eurAgIn18TlZIlo
        PrXbDSb2hfwL6nTKgPPWRt+1LCT5QWUuJ88aNyaE
X-Received: by 2002:a17:907:216f:b0:6ce:d85f:35cf with SMTP id
 rl15-20020a170907216f00b006ced85f35cfmr20127403ejb.517.1649438050929; Fri, 08
 Apr 2022 10:14:10 -0700 (PDT)
MIME-Version: 1.0
References: <20220329125117.1393824-1-mic@digikod.net> <20220329125117.1393824-8-mic@digikod.net>
 <CAHC9VhQpZ12Chgd+xMibUxgvcPjTn9FMnCdMGYbLcWG3eTqDQg@mail.gmail.com> <3a5495b8-5d69-e327-1dfc-7a99257269ae@digikod.net>
In-Reply-To: <3a5495b8-5d69-e327-1dfc-7a99257269ae@digikod.net>
From:   Paul Moore <paul@paul-moore.com>
Date:   Fri, 8 Apr 2022 13:13:59 -0400
Message-ID: <CAHC9VhS0bYe9wOxuXoC2mw_K2g=Fw=LXiV+A_Z1vH_KqH-TBFA@mail.gmail.com>
Subject: Re: [PATCH v2 07/12] landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
To:     =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mic@digikod.net>
Cc:     James Morris <jmorris@namei.org>,
        "Serge E . Hallyn" <serge@hallyn.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Jann Horn <jannh@google.com>,
        John Johansen <john.johansen@canonical.com>,
        Kees Cook <keescook@chromium.org>,
        Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
        Shuah Khan <shuah@kernel.org>,
        Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
        linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mic@linux.microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE,
        T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 8, 2022 at 12:07 PM Micka=C3=ABl Sala=C3=BCn <mic@digikod.net> =
wrote:
> On 08/04/2022 03:42, Paul Moore wrote:
> > On Tue, Mar 29, 2022 at 8:51 AM Micka=C3=ABl Sala=C3=BCn <mic@digikod.n=
et> wrote:
> >>
> >> From: Micka=C3=ABl Sala=C3=BCn <mic@linux.microsoft.com>
> >>
> >> Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy write=
rs
> >> to allow sandboxed processes to link and rename files from and to a
> >> specific set of file hierarchies.  This access right should be compose=
d
> >> with LANDLOCK_ACCESS_FS_MAKE_* for the destination of a link or rename=
,
> >> and with LANDLOCK_ACCESS_FS_REMOVE_* for a source of a rename.  This
> >> lift a Landlock limitation that always denied changing the parent of a=
n
> >> inode.
> >>
> >> Renaming or linking to the same directory is still always allowed,
> >> whatever LANDLOCK_ACCESS_FS_REFER is used or not, because it is not
> >> considered a threat to user data.
> >>
> >> However, creating multiple links or renaming to a different parent
> >> directory may lead to privilege escalations if not handled properly.
> >> Indeed, we must be sure that the source doesn't gain more privileges b=
y
> >> being accessible from the destination.  This is handled by making sure
> >> that the source hierarchy (including the referenced file or directory
> >> itself) restricts at least as much the destination hierarchy.  If it i=
s
> >> not the case, an EXDEV error is returned, making it potentially possib=
le
> >> for user space to copy the file hierarchy instead of moving or linking
> >> it.
> >>
> >> Instead of creating different access rights for the source and the
> >> destination, we choose to make it simple and consistent for users.
> >> Indeed, considering the previous constraint, it would be weird to
> >> require such destination access right to be also granted to the source
> >> (to make it a superset).  Moreover, RENAME_EXCHANGE would also add to
> >> the confusion because of paths being both a source and a destination.
> >>
> >> See the provided documentation for additional details.
> >>
> >> New tests are provided with a following commit.
> >>
> >> Cc: Paul Moore <paul@paul-moore.com>
> >> Signed-off-by: Micka=C3=ABl Sala=C3=BCn <mic@linux.microsoft.com>
> >> Link: https://lore.kernel.org/r/20220329125117.1393824-8-mic@digikod.n=
et
> >> ---
> >>
> >> Changes since v1:
> >> * Update current_check_access_path() to efficiently handle
> >>    RENAME_EXCHANGE thanks to the updated LSM hook (see previous patch)=
.
> >>    Only one path walk is performed per rename arguments until their
> >>    common mount point is reached.  Superset of access rights is correc=
tly
> >>    checked, including when exchanging a file with a directory.  This
> >>    requires to store another matrix of layer masks.
> >> * Reorder and rename check_access_path_dual() arguments in a more
> >>    generic way: switch from src/dst to 1/2.  This makes it easier to
> >>    understand the RENAME_EXCHANGE cases alongs with the others.  Updat=
e
> >>    and improve check_access_path_dual() documentation accordingly.
> >> * Clean up the check_access_path_dual() loop: set both allowed_parent*
> >>    when reaching internal filesystems and remove a useless one.  This
> >>    allows potential renames in internal filesystems (like for other
> >>    operations).
> >> * Move the function arguments checks from BUILD_BUG_ON() to
> >>    WARN_ON_ONCE() to avoid clang build error.
> >> * Rename is_superset() to no_more_access() and make it handle superset
> >>    checks of source and destination for simple and exchange cases.
> >> * Move the layer_masks_child* creation from current_check_refer_path()
> >>    to check_access_path_dual(): this is simpler and less error-prone,
> >>    especially with RENAME_EXCHANGE.
> >> * Remove one optimization in current_check_refer_path() to make the co=
de
> >>    simpler, especially with the RENAME_EXCHANGE handling.
> >> * Remove overzealous WARN_ON_ONCE() for !access_request check in
> >>    init_layer_masks().
> >> ---
> >>   include/uapi/linux/landlock.h                |  27 +-
> >>   security/landlock/fs.c                       | 607 ++++++++++++++++-=
--
> >>   security/landlock/limits.h                   |   2 +-
> >>   security/landlock/syscalls.c                 |   2 +-
> >>   tools/testing/selftests/landlock/base_test.c |   2 +-
> >>   tools/testing/selftests/landlock/fs_test.c   |   3 +-
> >>   6 files changed, 566 insertions(+), 77 deletions(-)
> >
> > I'm still not going to claim that I'm a Landlock expert, but this
> > looks sane to me.
> >
> > Reviewed-by: Paul Moore <paul@paul-moore.com>
>
> Thanks Paul! I'll send a small update shortly, with some typo fixes,
> some unlikely() calls, and rebased on the other Landlock patch series.

Since it sounds like those are all pretty minor changes, feel free to
preserve my 'Reviewed-by' on the respun patch.

--=20
paul-moore.com