Received: by 2002:ab2:6816:0:b0:1f9:5764:f03e with SMTP id t22csp476400lqo;
        Thu, 16 May 2024 11:29:11 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCXS9quUe1j7f2W+l/UaJVAO+nrkqxpNjL7h8rEXSEKt57LulFN0Epe8LiP/9Pe0tJcIHN31tYY1Lh1MLob6foFveVQLm76HL+3NFofu8Q==
X-Google-Smtp-Source: AGHT+IHacqHGUrK4ld9BllZNQgaYRlyivhniJrzBtHsS8ogSsC6+35ff3Gf2rS0xdRIW2DYN0Jfy
X-Received: by 2002:a17:906:f59f:b0:a5c:fe8e:cf6f with SMTP id a640c23a62f3a-a5cfe8ed230mr87873466b.56.1715884150933;
        Thu, 16 May 2024 11:29:10 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715884150; cv=pass;
        d=google.com; s=arc-20160816;
        b=NQcNQ6d0n+xpEmx2mTM3KHb+9Of4KFyJWg0VnPIDveXNM6Ck4QNioAAGUy+rfesEWF
         vCvweMO3z+RwyZvCAgssoSCnkXOctPxUseSehNjCJUPsjsKIRORxlTtyQ4hnQH1dqVat
         a1kCwOExZ1n0BcJ233Ghefp1YE8fN54w8f+J/W54jf1JBgcE00P64ucg++MqXWiLg8Ql
         /gufZt0GjfRXnDzBo2J/JljOpXPTkjnzvHHA0Fc9sbodeWGqbUgCKAjEsY3+k0qClWQF
         Hf8eEh6gv1LljkRdlaByAHFim60YQiPq7MYVGaxQadxIJClKTsPwTUI6s3daPvIIeloX
         /cKg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:in-reply-to:message-id
         :date:subject:cc:to:from:dkim-signature;
        bh=3HPBFcfXIupAj8rBMIh3SYeVvxw0d3/RL490PTDHfy4=;
        fh=hFRsBPsmyt5H+/HilVgY4sC0Oz4JPO8VCKZ57LMInRc=;
        b=YIpS63yVZgymb0XBzv+2FXM5uCp+1GO1YP/2D3K2L79JM6d00yke7XPuCNL9386r40
         MVcuMZDJljdyU2qQb42egToDpROZHbAWjO5g8NzFmKbDL880iclHeUiv87uWUkRnvtyC
         cvKIRsIDNPp8OYHot7RrT/7n5b7bTC5+yMjFnyA9GV4BcY3BbP8dHJnAWsFYLOCp0O8D
         4LDsJf3v2/HVnjRKYs/Q1TDze1MW3ZCz8w9R1AVMupBmL70/Bhy16/CF9bBskW+yUjDz
         usShF1qBaon4WAX7HntuJ+3OY3R3iWqCHNpF54EyPLS7a2O5Lr4bFefp+gjR6Z+bfJ1A
         feEw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=1+TVKVPP;
       arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net);
       spf=pass (google.com: domain of linux-kernel+bounces-181469-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181469-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-181469-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id a640c23a62f3a-a5a17c2c9f5si930013366b.1044.2024.05.16.11.29.10
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 16 May 2024 11:29:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-181469-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@digikod.net header.s=20191114 header.b=1+TVKVPP;
       arc=pass (i=1 spf=pass spfdomain=digikod.net dkim=pass dkdomain=digikod.net);
       spf=pass (google.com: domain of linux-kernel+bounces-181469-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-181469-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id A87901F2151D
	for <linux.lists.archive@gmail.com>; Thu, 16 May 2024 18:29:10 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 3BB3516079C;
	Thu, 16 May 2024 18:19:55 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="1+TVKVPP"
Received: from smtp-190e.mail.infomaniak.ch (smtp-190e.mail.infomaniak.ch [185.125.25.14])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2C479156F4D
	for <linux-kernel@vger.kernel.org>; Thu, 16 May 2024 18:19:48 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.14
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715883594; cv=none; b=AOUeQrnf927e2KRqA+NLo5vy37dnufqyNRkS1t15q2v15+buAydN/NeC/W600i/f3QnUyO9PXx4h4V+a7ZH4w2rDgwrueKPTBWaf3aDzQq3CBk6ngfdcqK9SAcDfPinWxaeQotZ3NQcnn/136IApwH5PMvyPyzEMiVwC5DAs34g=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715883594; c=relaxed/simple;
	bh=5KRWtyLsaH6DIVboHThP86V5QZIcRzReg8vtxsJ0D1M=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=C2JQO8WWco3VQFt4tsYGW5tDJyXgfkPh8pZ99AyrilWavZ731tApyoGTgjBhl9zbipAz7hmgt8NoBnEcRcEXxJihDz+KlB7oOMjMtiiH68cUvQYn5NumsoHdvXzLU3Pkl3N2sYiVpIw6jYtvuhlQIpkgzyhstEsHKN6oPMwDRHg=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=1+TVKVPP; arc=none smtp.client-ip=185.125.25.14
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net
Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108])
	by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4VgJKG6Z0lzC4V;
	Thu, 16 May 2024 20:19:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net;
	s=20191114; t=1715883586;
	bh=3HPBFcfXIupAj8rBMIh3SYeVvxw0d3/RL490PTDHfy4=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=1+TVKVPPz2feTbBej8nkBd3KW28RYulRNpHiWy9t/UGYLMlYCv7QjnZZVoO5mqqHM
	 61vb+X7HZ0ksaxu1M8Tte4U0KvKv53pPHV0EheOGfYx+JV5juMpI8oQKkwSTx2xa0+
	 SgOF2+JNnrENcTF2daXVpZp7/FyX8/I9wwhcfizg=
Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4VgJKG1fLNzhPV;
	Thu, 16 May 2024 20:19:46 +0200 (CEST)
From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
To: =?UTF-8?q?G=C3=BCnther=20Noack?= <gnoack@google.com>,
	Paul Moore <paul@paul-moore.com>
Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	nathan@kernel.org,
	ndesaulniers@google.com,
	syzkaller-bugs@googlegroups.com,
	trix@redhat.com,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	stable@vger.kernel.org,
	syzbot+bf4903dc7e12b18ebc87@syzkaller.appspotmail.com
Subject: [PATCH v1 1/2] landlock: Fix d_parent walk
Date: Thu, 16 May 2024 20:19:34 +0200
Message-ID: <20240516181935.1645983-2-mic@digikod.net>
In-Reply-To: <20240516181935.1645983-1-mic@digikod.net>
References: <20240516181935.1645983-1-mic@digikod.net>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Infomaniak-Routing: alpha

The canary in collect_domain_accesses() can be triggered when trying to
link a root mount point.  This cannot work in practice because this
directory is mounted, but the VFS check is done after the call to
security_path_link().

Do not use source directory's d_parent when the source directory is the
mount point.

Add tests to check error codes when renaming or linking a mount root
directory.  This previously triggered a kernel warning.  The
linux/mount.h file is not sorted with other headers to ease backport to
Linux 6.1 .

Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: stable@vger.kernel.org
Reported-by: syzbot+bf4903dc7e12b18ebc87@syzkaller.appspotmail.com
Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
Closes: https://lore.kernel.org/r/000000000000553d3f0618198200@google.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20240516181935.1645983-2-mic@digikod.net
---
 security/landlock/fs.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 22d8b7c28074..7877a64cc6b8 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1110,6 +1110,7 @@ static int current_check_refer_path(struct dentry *const old_dentry,
 	bool allow_parent1, allow_parent2;
 	access_mask_t access_request_parent1, access_request_parent2;
 	struct path mnt_dir;
+	struct dentry *old_parent;
 	layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS] = {},
 		     layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS] = {};
 
@@ -1157,9 +1158,17 @@ static int current_check_refer_path(struct dentry *const old_dentry,
 	mnt_dir.mnt = new_dir->mnt;
 	mnt_dir.dentry = new_dir->mnt->mnt_root;
 
+	/*
+	 * old_dentry may be the root of the common mount point and
+	 * !IS_ROOT(old_dentry) at the same time (e.g. with open_tree() and
+	 * OPEN_TREE_CLONE).  We do not need to call dget(old_parent) because
+	 * we keep a reference to old_dentry.
+	 */
+	old_parent = (old_dentry == mnt_dir.dentry) ? old_dentry :
+						      old_dentry->d_parent;
+
 	/* new_dir->dentry is equal to new_dentry->d_parent */
-	allow_parent1 = collect_domain_accesses(dom, mnt_dir.dentry,
-						old_dentry->d_parent,
+	allow_parent1 = collect_domain_accesses(dom, mnt_dir.dentry, old_parent,
 						&layer_masks_parent1);
 	allow_parent2 = collect_domain_accesses(
 		dom, mnt_dir.dentry, new_dir->dentry, &layer_masks_parent2);
-- 
2.45.0