Message-ID: <5fc97b5b-e76f-99c7-7314-6bb16851f66e@huawei.com>
Date: Mon, 24 Apr 2023 16:52:40 +0800
Subject: Re: [PATCH -next v2 0/6] landlock: add chmod and chown support
From: xiujianfeng
To: Mickaël Salaün
CC: Konstantin Meskhidze
References: <20220827111215.131442-1-xiujianfeng@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2023/4/21 1:40, Mickaël Salaün wrote:
>
> On 18/04/2023 12:53, xiujianfeng wrote:
>> Hi Mickael,
>>
>> Sorry about the long silence on this work. As we know, this work depends
>> on another work about changing the argument from struct dentry to struct
>> path for some attr/xattr related lsm hooks. I'm stuck with this thing,
>> because IMA/EVM is a special security module which is not LSM-based
>> currently, and severely coupled with the file system. So I am waiting
>> for Roberto Sassu's work (Move IMA and EVM to the LSM infrastructure) to
>> be ready, I think it can make my work easier. You can find
>> Roberto's work here:
>> https://lwn.net/ml/linux-kernel/20230303181842.1087717-1-roberto.sassu@huaweicloud.com/
>>
>> Any good ideas are welcome, thanks.
>
> Thanks for the update Xiu.
>
> Which part would be needed from Roberto's patch series?
>

As we discussed before, the two access rights that need to be added and
their usage are as below:

LANDLOCK_ACCESS_FS_WRITE_METADATA controls
1. inode_setattr
2. inode_setxattr
3. inode_removexattr
4. inode_set_acl
5. inode_remove_acl

LANDLOCK_ACCESS_FS_READ_METADATA controls
1. inode_getattr
2. inode_get_acl
3. inode_getxattr
4. inode_listxattr

All these APIs should be changed to use struct path instead of dentry,
and then several vfs APIs as follows are involved:
notify_change,
__vfs_setxattr_locked,
__vfs_removexattr_locked,
__vfs_setxattr_noperm
vfs_set_acl
vfs_remove_acl
vfs_getxattr
vfs_listxattr
vfs_get_acl
and also include some LSM hooks such as inode_post_setxattr and
inode_setsecctx.

Since the original places that pass a dentry to security_inode_xxx may not
have any struct path, we have to pass it from the top caller, so this
also touches lots of filesystems (e.g. cachefiles, ecryptfs, ksmbd, nfsd,
overlayfs...).

Other LSMs such as selinux and smack can be easy to refactor because they
are LSM-based, and if VFS passes path to security_inode_xxx, they can
just use path->dentry instead inside their own modules.

As for IMA/EVM, unfortunately they are not LSM-based and are coupled with
the file system. To make things worse, there is a recursive dependency
situation during the update of an extended attribute, which happens as
follows:

__vfs_setxattr_noperm
  => security_inode_post_setxattr
    => evm_inode_post_setxattr
      => evm_update_evmxattr
        => __vfs_setxattr_noperm

To change the argument of __vfs_setxattr_noperm from a dentry to the
path structure, the two EVM functions would have to be altered as well.
However, evm_update_evmxattr is called by 3 other EVM functions which
live in the very heart of the complicated EVM framework. Any change to
them would cause a nasty chain reaction in EVM and, as IMA would trigger
EVM directly, in IMA as well.

There is another callchain as follows:
ima_appraise_measurement
  =>evm_verifyxattr
    =>evm_verifyxattr
      =>evm_verify_hmac
        =>evm_calc_hash
          =>evm_calc_hmac_or_hash
            =>vfs_getxattr
Passing struct path into vfs_getxattr() would also affect this callchain.
Currently ima_appraise_measurement accepts a struct file, and dentry is
generated from file_dentry(file) in order to mitigate a deadlock issue
involving overlayfs (commit e71b9dff0634ed).

Once &file->f_path is passed through this callchain, and someone wants
the dentry, it will be using file->f_path.dentry, which is different
from file_dentry(file). In the overlayfs scenario, may this cause an issue?

The patchset of moving IMA and EVM into the LSM infrastructure would be
helpful but still cannot completely resolve this situation. More
refactoring would be needed in EVM. That's all that's happening right now.

>
>>
>>
>> On 2022/8/27 19:12, Xiu Jianfeng wrote:
>>> v2:
>>>   * abstract walk_to_visible_parent() helper
>>>   * chmod and chown rights only take effect on directory's context
>>>   * add testcase for fchmodat/lchown/fchownat
>>>   * fix other review issues
>>>
>>> Xiu Jianfeng (6):
>>>    landlock: expand access_mask_t to u32 type
>>>    landlock: abstract walk_to_visible_parent() helper
>>>    landlock: add chmod and chown support
>>>    landlock/selftests: add selftests for chmod and chown
>>>    landlock/samples: add chmod and chown support
>>>    landlock: update chmod and chown support in document
>>>
>>>   Documentation/userspace-api/landlock.rst     |   9 +-
>>>   include/uapi/linux/landlock.h                |  10 +-
>>>   samples/landlock/sandboxer.c                 |  13 +-
>>>   security/landlock/fs.c                       | 110 ++++++--
>>>   security/landlock/limits.h                   |   2 +-
>>>   security/landlock/ruleset.h                  |   2 +-
>>>   security/landlock/syscalls.c                 |   2 +-
>>>   tools/testing/selftests/landlock/base_test.c |   2 +-
>>>   tools/testing/selftests/landlock/fs_test.c   | 267 ++++++++++++++++++-
>>>   9 files changed, 386 insertions(+), 31 deletions(-)
>>>
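
A user-space model of the two call chains quoted in this message, added here as an illustration; it is not kernel code and not part of the patch series. It computes which callers would have to supply a struct path if a leaf VFS function switched from dentry to path, and flags the recursive chain. The edge table is transcribed from the message (the repeated evm_verifyxattr entry is collapsed to one node); MAXFN and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Call edges (caller, callee) transcribed from the two chains in the message. */
static const char *edges[][2] = {
    {"__vfs_setxattr_noperm", "security_inode_post_setxattr"},
    {"security_inode_post_setxattr", "evm_inode_post_setxattr"},
    {"evm_inode_post_setxattr", "evm_update_evmxattr"},
    {"evm_update_evmxattr", "__vfs_setxattr_noperm"},
    {"ima_appraise_measurement", "evm_verifyxattr"},
    {"evm_verifyxattr", "evm_verify_hmac"},
    {"evm_verify_hmac", "evm_calc_hash"},
    {"evm_calc_hash", "evm_calc_hmac_or_hash"},
    {"evm_calc_hmac_or_hash", "vfs_getxattr"},
};
#define NEDGES (sizeof(edges) / sizeof(edges[0]))
#define MAXFN 32 /* model-only bound, larger than the number of names above */
static int seen(const char **set, int n, const char *fn) {
    for (int i = 0; i < n; i++)
        if (strcmp(set[i], fn) == 0) return 1;
    return 0;
}

/* Collect every direct or indirect caller of target into out[]; return the count. */
int affected_callers(const char *target, const char **out) {
    const char *work[MAXFN];
    int n = 0, top = 0;
    work[top++] = target;
    while (top > 0) {
        const char *cur = work[--top];
        for (size_t i = 0; i < NEDGES; i++) {
            if (strcmp(edges[i][1], cur) != 0 || seen(out, n, edges[i][0])) continue;
            out[n++] = edges[i][0];   /* this caller must now supply a struct path */
            work[top++] = edges[i][0];
        }
    }
    return n;
}

/* A function found among its own callers sits on a recursive chain. */
int is_recursive(const char *fn) {
    const char *callers[MAXFN];
    return seen(callers, affected_callers(fn, callers), fn);
}

int main(void) {
    const char *c[MAXFN];
    printf("vfs_getxattr callers: %d\n", affected_callers("vfs_getxattr", c));
    printf("__vfs_setxattr_noperm recursive: %d\n", is_recursive("__vfs_setxattr_noperm"));
}
```

The model covers only the edges named in the message; the other callers it mentions (the 3 other EVM functions, the filesystems) are not listed there by name and so are not in the table.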