Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp476326lqo;
        Thu, 16 May 2024 11:29:01 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCWXG/VcNlobMph5wFmCT+zj1PogNIFejRC2PyxCAB15TDaBWbLQJ4UGENFsJUOcn1KS5OsGtI6ue21eZRNjWpxfCc5JHWT+Bwlc51yXqQ==
X-Google-Smtp-Source: AGHT+IHlCWemIcOAoJo4QV9vtLlZNORlIAB4v3riJg1yEs4kn0rztcB6mi3MCct9yF4LGaik9gPh
X-Received: by 2002:a50:ab47:0:b0:572:9984:1921 with SMTP id 4fb4d7f45d1cf-5734d5bec35mr14083097a12.17.1715884141624;
        Thu, 16 May 2024 11:29:01 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715884141; cv=pass;
        d=google.com; s=arc-20160816;
        b=NLwApltr4L5RHvgzT7X3AblYVfyC3xJf8aaoNYUezcGb+YY4m/AJWzz21x7mO+/5g/
         PDaSmctfdyc8UASTbXlb+yaOC4Q1JjzFOCp78y2geMOddF+YD04Zl0Ffa6Lk88LN4SKB
         eisunfbcGXOxZ8ch44kvncTpvGDrUemxxkneu/L/x73QcxsGmVxhUc+j1PQGt10unE1U
         v7iHpWI7qX9zzMSCg6lirjpgG7yANv3T2KjDVrNrYOqITuDimZv6DuYZYuja+pht21yf
         wHaBt2viTT4Xu9FvYxy0PRPU0yQXnvg8mEtADVyCvgDBwxpvXdqjZ0Dd8EFTZFCGYwNw
         lSRQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=CerPzP5dUgudtzxZqGbBjChoGejUpjLgIsX+ii7FKE4=;
        fh=qnWYaS3jPr9B181i0rBVjEXdENt2sOCiucG9tU4jey4=;
        b=Z1jEG4wQDGecbKJqp29XRispS3u4qI200UaWmoCBGwvVcaTNRjcUVM811778XL+unE
         PnItDLy2k15HG5BAa9orpWHgRNLridNfPpx1qVu8mEwpyK9+f3QaiEf7TxwXpftiCoUs
         c9D7CS+nzKdsd27Fxs5dbk3wYB8I87ouHogfDHOVyTym8zou7gFffdS4NqbPQa6IYG4T
         xnGlYwMkyD+gdyf+YhptR70lM7hm7NCxS0bzyHHsHXINDBQ2PAs60Oi26CYRjnYF7+nR
         6abVyS6CA6Ijs1S8X5WaInxDtu9Fry0IK4EWOvZ45dBtj1p79FTowrgMK/v5ChlXIf8K
         6X4g==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=tr43CFx4;
       arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net);
       spf=pass (google.com: domain of linux-kernel+bounces-181467-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181467-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-181467-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id 4fb4d7f45d1cf-5733beacad3si8762807a12.57.2024.05.16.11.29.01
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 May 2024 11:29:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-181467-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=tr43CFx4;
       arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net);
       spf=pass (google.com: domain of linux-kernel+bounces-181467-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181467-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 5B4D01F22EC3
	for <linux.lists.archive@gmail.com>; Thu, 16 May 2024 18:29:01 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id B8B15157461;
	Thu, 16 May 2024 18:19:54 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="tr43CFx4"
Received: from smtp-190c.mail.infomaniak.ch (smtp-190c.mail.infomaniak.ch [185.125.25.12])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 44D4415EFA8
	for <linux-kernel@vger.kernel.org>; Thu, 16 May 2024 18:19:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.12
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715883593; cv=none; b=kGAts0RTr/t27jqOgDlGtOUwghZgS+IKN/qK/UrmQA/WgIyWU3nUwxyRNp3DLF2SJeQY4x+/BnztJzXNO+jPZgzooppBG3BEqWHYJIOUn9FDWSqW3PdgeWTOEy0eIGfK/vDYctnnDCQ0eW3Q5lgM/EcEYbtf1gqmP83/7QOFIwk=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715883593; c=relaxed/simple;
	bh=8i+81HfSMQ4B+34PJVD+1LT4BhQy/TedwCa1JhBidyI=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=N8V7mmpMcbhg22B21dfEvs6n9rtkuntYSx5w+V/X6Gf9W+SlDWhhAiYd+/PG7LLz5lN6roawrL7W6rav/jz5swkQnezz14CqhtWHJmzntP7Ku81MnDf82h2XO0aGrajPd4yPj08IcxNIaAWMhXUSy+fM7Zt6ssrOiS/rQSZoLTI=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=tr43CFx4; arc=none smtp.client-ip=185.125.25.12
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net
Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108])
	by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4VgJKF5ZDYz9xx;
	Thu, 16 May 2024 20:19:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net;
	s=20191114; t=1715883585;
	bh=CerPzP5dUgudtzxZqGbBjChoGejUpjLgIsX+ii7FKE4=;
	h=From:To:Cc:Subject:Date:From;
	b=tr43CFx470rjkCLy632XfxFwcR4DuopkPnCccYyTMlCqEqvRu3D6NAgjmeB0w25YG
	 3HAJ678i3/sRVhh+u0fgksy+B6pseiHVVsdtnSCGaHeD4w+MEtbz5ZUck29ooSbGTu
	 ygFce8B0cvrv4EvaPwk/WHewg3X6vt/QqooQFL4E=
Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4VgJKF1bmxzdsH;
	Thu, 16 May 2024 20:19:45 +0200 (CEST)
From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
To: =?UTF-8?q?G=C3=BCnther=20Noack?= <gnoack@google.com>,
	Paul Moore <paul@paul-moore.com>
Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	nathan@kernel.org,
	ndesaulniers@google.com,
	syzkaller-bugs@googlegroups.com,
	trix@redhat.com,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v1 0/2] Fix warning in collect_domain_accesses()
Date: Thu, 16 May 2024 20:19:33 +0200
Message-ID: <20240516181935.1645983-1-mic@digikod.net>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Infomaniak-Routing: alpha

Hi,

As found by syzbot, there is an issue in the collect_domain_accesses()
function.  A WARN_ON_ONCE() can be triggered by processes sandboxed with
Landlock and trying to do a link with a mount root directory.  This is
then not a security issue.  Moreover, such directory can only be created
with the open_tree(2) syscall by a process with CAP_SYS_ADMIN.

See https://lore.kernel.org/r/000000000000553d3f0618198200@google.com

Regards,

Mickaël Salaün (2):
  landlock: Fix d_parent walk
  selftests/landlock: Add layout1.refer_mount_root

 security/landlock/fs.c                     | 13 ++++++-
 tools/testing/selftests/landlock/fs_test.c | 45 ++++++++++++++++++++++
 2 files changed, 56 insertions(+), 2 deletions(-)


base-commit: 5bf9e57e634bd72a97b4b12c87186fc052a6a116
-- 
2.45.0