From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mickaël Salaün
Subject: [PATCH 5.18 785/879] landlock: Change landlock_restrict_self(2) check ordering
Date: Tue, 7 Jun 2022 19:05:03 +0200
Message-Id: <20220607165025.654737496@linuxfoundation.org>
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>
References: <20220607165002.659942637@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mickaël Salaün

commit eba39ca4b155c54adf471a69e91799cc1727873f upstream.

According to the Landlock goal to be a security feature available to unprivileged processes, it makes more sense to first check for no_new_privs before checking anything else (i.e. syscall arguments).

Merge inval_fd_enforce and unpriv_enforce_without_no_new_privs tests into the new restrict_self_checks_ordering.

This is similar to the previous commit checking other syscalls.

Link: https://lore.kernel.org/r/20220506160820.524344-10-mic@digikod.net
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün
Signed-off-by: Greg Kroah-Hartman --- security/landlock/syscalls.c | 8 ++-- tools/testing/selftests/landlock/base_test.c | 47 +++++++++++++++++++++------ 2 files changed, 41 insertions(+), 14 deletions(-) --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -405,10 +405,6 @@ SYSCALL_DEFINE2(landlock_restrict_self, if (!landlock_initialized) return -EOPNOTSUPP; - /* No flag for now. */ - if (flags) - return -EINVAL; - /* * Similar checks as for seccomp(2), except that an -EPERM may be * returned. @@ -417,6 +413,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; + /* No flag for now. */ + if (flags) + return -EINVAL; + /* Gets and checks the ruleset. */ ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ); if (IS_ERR(ruleset)) --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c 
@@ -168,22 +168,49 @@ TEST(add_rule_checks_ordering) ASSERT_EQ(0, close(ruleset_fd)); } -TEST(inval_fd_enforce) +/* Tests ordering of syscall argument and permission checks. */ +TEST(restrict_self_checks_ordering) { + const struct landlock_ruleset_attr ruleset_attr = { + .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE, + }; + struct landlock_path_beneath_attr path_beneath_attr = { + .allowed_access = LANDLOCK_ACCESS_FS_EXECUTE, + .parent_fd = -1, + }; + const int ruleset_fd = + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + + ASSERT_LE(0, ruleset_fd); + path_beneath_attr.parent_fd = + open("/tmp", O_PATH | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, path_beneath_attr.parent_fd); + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, 0)); + ASSERT_EQ(0, close(path_beneath_attr.parent_fd)); + + /* Checks unprivileged enforcement without no_new_privs. */ + drop_caps(_metadata); + ASSERT_EQ(-1, landlock_restrict_self(-1, -1)); + ASSERT_EQ(EPERM, errno); + ASSERT_EQ(-1, landlock_restrict_self(-1, 0)); + ASSERT_EQ(EPERM, errno); + ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0)); + ASSERT_EQ(EPERM, errno); + ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); + /* Checks invalid flags. */ + ASSERT_EQ(-1, landlock_restrict_self(-1, -1)); + ASSERT_EQ(EINVAL, errno); + + /* Checks invalid ruleset FD. */ ASSERT_EQ(-1, landlock_restrict_self(-1, 0)); ASSERT_EQ(EBADF, errno); -} - -TEST(unpriv_enforce_without_no_new_privs) -{ - int err; - drop_caps(_metadata); - err = landlock_restrict_self(-1, 0); - ASSERT_EQ(EPERM, errno); - ASSERT_EQ(err, -1); + /* Checks valid call. */ + ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0)); + ASSERT_EQ(0, close(ruleset_fd)); } TEST(ruleset_fd_io)
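Review bot: in the two security/landlock/syscalls.c hunks, moving `if (flags) return -EINVAL;` below the no_new_privs / `ns_capable_noaudit(..., CAP_SYS_ADMIN)` check is a userspace-visible change: an unprivileged caller that passes non-zero flags without no_new_privs now gets EPERM where it previously got EINVAL. The commit message gives the rationale (a caller that is not allowed to enforce a ruleset should learn nothing about its arguments, including the ruleset FD that is still only validated afterwards by `get_ruleset_from_fd()`), but any documentation of landlock_restrict_self(2) error precedence should be updated alongside it, and since the message says this is "similar to the previous commit checking other syscalls", the stable backport should land together with that preceding commit so the ordering is consistent across all three Landlock syscalls.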
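Review bot: in the tools/testing/selftests/landlock/base_test.c hunk, the new `restrict_self_checks_ordering` test hard-codes `open("/tmp", ...)` for the rule's parent directory, so on a minimal test image without /tmp it fails at `ASSERT_LE(0, path_beneath_attr.parent_fd)` for a reason unrelated to what it tests; a directory created by the test itself would remove that environment dependency. The assertions themselves pin the new kernel ordering well: all three calls before `prctl(PR_SET_NO_NEW_PRIVS, ...)`, including the fully valid `landlock_restrict_self(ruleset_fd, 0)`, must return EPERM, and once no_new_privs is set the invalid-flags call is checked (EINVAL) before the invalid-FD call (EBADF), matching the reordered checks in syscalls.c. Note that PR_SET_NO_NEW_PRIVS is irreversible and the final valid call enforces the ruleset on the calling process, so the test relies on the kselftest harness running each TEST in its own child process and must stay the last thing that process does.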