From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Al Viro, Jann Horn, John Johansen, Kees Cook, Konstantin Meskhidze, Paul Moore, Shuah Khan, Tetsuo Handa, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 05/12] landlock: Move filesystem helpers and add a new one
Date: Fri, 6 May 2022 18:10:55 +0200
Message-Id: <20220506161102.525323-6-mic@digikod.net>
In-Reply-To: <20220506161102.525323-1-mic@digikod.net>
References: <20220506161102.525323-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Move the SB_NOUSER and IS_PRIVATE dentry check to a standalone
is_nouser_or_private() helper. This will be useful for a following
commit.

Move get_mode_access() and maybe_remove() to make them usable by new
code provided by a following commit.

Reviewed-by: Paul Moore
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506161102.525323-6-mic@digikod.net
---

Changes since v2:
* Format with clang-format and rebase.

Changes since v1:
* Move is_nouser_or_private() explanation up to a function header
  comment block as suggested by Paul Moore.
* Add Reviewed-by: Paul Moore.
---
security/landlock/fs.c | 87 ++++++++++++++++++++++-------------------- 1 file changed, 46 insertions(+), 41 deletions(-) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index c5749301b37d..7b7860039a08 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c 
@@ -261,6 +261,18 @@ unmask_layers(const struct landlock_rule *const rule, return false; } +/* + * Allows access to pseudo filesystems that will never be mountable (e.g. + * sockfs, pipefs), but can still be reachable through + * /proc//fd/ + */ +static inline bool is_nouser_or_private(const struct dentry *dentry) +{ + return (dentry->d_sb->s_flags & SB_NOUSER) || + (d_is_positive(dentry) && + unlikely(IS_PRIVATE(d_backing_inode(dentry)))); +} + static int check_access_path(const struct landlock_ruleset *const domain, const struct path *const path, const access_mask_t access_request) @@ -274,14 +286,7 @@ static int check_access_path(const struct landlock_ruleset *const domain, return 0; if (WARN_ON_ONCE(!domain || !path)) return 0; - /* - * Allows access to pseudo filesystems that will never be mountable - * (e.g. sockfs, pipefs), but can still be reachable through - * /proc//fd/ . - */ - if ((path->dentry->d_sb->s_flags & SB_NOUSER) || - (d_is_positive(path->dentry) && - unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))) + if (is_nouser_or_private(path->dentry)) return 0; if (WARN_ON_ONCE(domain->num_layers < 1)) return -EACCES; 
@@ -360,6 +365,39 @@ static inline int current_check_access_path(const struct path *const path, return check_access_path(dom, path, access_request); } +static inline access_mask_t get_mode_access(const umode_t mode) +{ + switch (mode & S_IFMT) { + case S_IFLNK: + return LANDLOCK_ACCESS_FS_MAKE_SYM; + case 0: + /* A zero mode translates to S_IFREG. */ + case S_IFREG: + return LANDLOCK_ACCESS_FS_MAKE_REG; + case S_IFDIR: + return LANDLOCK_ACCESS_FS_MAKE_DIR; + case S_IFCHR: + return LANDLOCK_ACCESS_FS_MAKE_CHAR; + case S_IFBLK: + return LANDLOCK_ACCESS_FS_MAKE_BLOCK; + case S_IFIFO: + return LANDLOCK_ACCESS_FS_MAKE_FIFO; + case S_IFSOCK: + return LANDLOCK_ACCESS_FS_MAKE_SOCK; + default: + WARN_ON_ONCE(1); + return 0; + } +} + +static inline access_mask_t maybe_remove(const struct dentry *const dentry) +{ + if (d_is_negative(dentry)) + return 0; + return d_is_dir(dentry) ? LANDLOCK_ACCESS_FS_REMOVE_DIR : + LANDLOCK_ACCESS_FS_REMOVE_FILE; +} + /* Inode hooks */ static void hook_inode_free_security(struct inode *const inode) @@ -553,31 +591,6 @@ static int hook_sb_pivotroot(const struct path *const old_path, /* Path hooks */ -static inline access_mask_t get_mode_access(const umode_t mode) -{ - switch (mode & S_IFMT) { - case S_IFLNK: - return LANDLOCK_ACCESS_FS_MAKE_SYM; - case 0: - /* A zero mode translates to S_IFREG. */ - case S_IFREG: - return LANDLOCK_ACCESS_FS_MAKE_REG; - case S_IFDIR: - return LANDLOCK_ACCESS_FS_MAKE_DIR; - case S_IFCHR: - return LANDLOCK_ACCESS_FS_MAKE_CHAR; - case S_IFBLK: - return LANDLOCK_ACCESS_FS_MAKE_BLOCK; - case S_IFIFO: - return LANDLOCK_ACCESS_FS_MAKE_FIFO; - case S_IFSOCK: - return LANDLOCK_ACCESS_FS_MAKE_SOCK; - default: - WARN_ON_ONCE(1); - return 0; - } -} - /* * Creating multiple links or renaming may lead to privilege escalations if not * handled properly. Indeed, we must be sure that the source doesn't gain more 
@@ -606,14 +619,6 @@ static int hook_path_link(struct dentry *const old_dentry, get_mode_access(d_backing_inode(old_dentry)->i_mode)); } -static inline access_mask_t maybe_remove(const struct dentry *const dentry) -{ - if (d_is_negative(dentry)) - return 0; - return d_is_dir(dentry) ? LANDLOCK_ACCESS_FS_REMOVE_DIR : - LANDLOCK_ACCESS_FS_REMOVE_FILE; -} - static int hook_path_rename(const struct path *const old_dir, struct dentry *const old_dentry, const struct path *const new_dir, -- 2.35.1
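
Review bot: The header comment added above is_nouser_or_private() (first hunk, -261/+261) still opens with "Allows access to pseudo filesystems", which described the old inline branch in check_access_path(); the helper itself only returns a bool and allows nothing. Since the commit message says the helper is there for a following commit, reword the comment to say what a true return means (the dentry is on an SB_NOUSER superblock or its inode is IS_PRIVATE) and leave the allow decision to be explained at each call site. The final period after the /proc path was also lost in the move.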
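
Review bot: In check_access_path() (hunk -274/+286) the new `if (is_nouser_or_private(path->dentry)) return 0;` is left without a comment between two WARN_ON_ONCE() sanity checks, so it reads like another guard rather than a deliberate exemption that returns success before domain->num_layers is examined. Keep a one-line comment at this call site stating that these dentries are intentionally let through, so the reason stays next to the `return 0`.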
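
Review bot: get_mode_access() and maybe_remove() (hunk -360/+365) are moved above the inode hooks without a header comment, although each has a path that returns an empty mask: the `default:` branch after WARN_ON_ONCE(1), and the d_is_negative() case. The commit message says the move is to make them usable by new code, so add a short comment above each saying what a 0 return means for the caller, rather than leaving new callers to infer it from hook_path_link().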