[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <7103eef1-cedc-f9e5-de31-f0702e7a6ade@digikod.net>
Date: Wed, 27 Jan 2021 20:57:05 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: James Morris <jmorris@...ei.org>, Jann Horn <jannh@...gle.com>,
"Serge E . Hallyn" <serge@...lyn.com>
Cc: Al Viro <viro@...iv.linux.org.uk>,
Andy Lutomirski <luto@...capital.net>,
Anton Ivanov <anton.ivanov@...bridgegreys.com>,
Arnd Bergmann <arnd@...db.de>,
Casey Schaufler <casey@...aufler-ca.com>,
Jeff Dike <jdike@...toit.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Michael Kerrisk <mtk.manpages@...il.com>,
Richard Weinberger <richard@....at>,
Shuah Khan <shuah@...nel.org>,
Vincent Dagonneau <vincent.dagonneau@....gouv.fr>,
kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
linux-arch@...r.kernel.org, linux-doc@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org,
linux-security-module@...r.kernel.org, x86@...nel.org,
Mickaël Salaün <mic@...ux.microsoft.com>
Subject: Re: [PATCH v27 07/12] landlock: Support filesystem access-control
I found a corner-case which is not well handled, e.g.
* layer1 only restricts X access and allows X access for /a
-> X is allowed for /a
* layer2 only restricts Y access and allows Y access for /a/b
-> X is not allowed for /a anymore because now the path walk for /a
doesn't encounter a layer 2 rule
I'm working on a fix and I'll send a new patch series soon. Stay tune!
On 21/01/2021 21:51, Mickaël Salaün wrote:
> From: Mickaël Salaün <mic@...ux.microsoft.com>
>
> Thanks to the Landlock objects and ruleset, it is possible to identify
> inodes according to a process's domain. To enable an unprivileged
> process to express a file hierarchy, it first needs to open a directory
> (or a file) and pass this file descriptor to the kernel through
> landlock_add_rule(2). When checking if a file access request is
> allowed, we walk from the requested dentry to the real root, following
> the different mount layers. The access to each "tagged" inodes are
> collected according to their rule layer level, and ANDed to create
> access to the requested file hierarchy. This makes possible to identify
> a lot of files without tagging every inodes nor modifying the
> filesystem, while still following the view and understanding the user
> has from the filesystem.
>
> Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not
> keep the same struct inodes for the same inodes whereas these inodes are
> in use.
>
> This commit adds a minimal set of supported filesystem access-control
> which doesn't enable to restrict all file-related actions. This is the
> result of multiple discussions to minimize the code of Landlock to ease
> review. Thanks to the Landlock design, extending this access-control
> without breaking user space will not be a problem. Moreover, seccomp
> filters can be used to restrict the use of syscall families which may
> not be currently handled by Landlock.
>
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Cc: Anton Ivanov <anton.ivanov@...bridgegreys.com>
> Cc: James Morris <jmorris@...ei.org>
> Cc: Jann Horn <jannh@...gle.com>
> Cc: Jeff Dike <jdike@...toit.com>
> Cc: Kees Cook <keescook@...omium.org>
> Cc: Richard Weinberger <richard@....at>
> Cc: Serge E. Hallyn <serge@...lyn.com>
> Signed-off-by: Mickaël Salaün <mic@...ux.microsoft.com>
> ---
>
> Changes since v26:
> * Check each rule of a path to enable a more permissive and pragmatic
> access control per layer. Suggested by Jann Horn:
> https://lore.kernel.org/lkml/CAG48ez1O0VTwEiRd3KqexoF78WR+cmP5bGk5Kh5Cs7aPepiDVg@mail.gmail.com/
> * Rename check_access_path_continue() to unmask_layers() and make it
> return the new layer mask.
> * Avoid double domain check in hook_file_open().
> * In the documentation, add utime(2) as another example of unhandled
> syscalls. Indeed, using `touch` to test write access may be tempting.
> * Remove outdated comment about OverlayFS.
> * Rename the landlock.h ifdef to align with most similar files.
> * Fix spelling.
>
> Changes since v25:
> * Move build_check_layer() to ruleset.c, and add built-time checks for
> the fs_access_mask and access variables according to
> _LANDLOCK_ACCESS_FS_MASK.
> * Move limits to a dedicated file and rename them:
> _LANDLOCK_ACCESS_FS_LAST and _LANDLOCK_ACCESS_FS_MASK.
> * Set build_check_layer() as non-inline to trigger a warning if it is
> not called.
> * Use BITS_PER_TYPE() macro.
> * Rename function to landlock_add_fs_hooks().
> * Cosmetic variable renames.
>
> Changes since v24:
> * Use the new struct landlock_rule and landlock_layer to not mix
> accesses from different layers. Revert "Enforce deterministic
> interleaved path rules" from v24, and fix the layer check. This
> enables to follow a sane semantic: an access is granted if, for each
> policy layer, at least one rule encountered on the pathwalk grants the
> access, regardless of their position in the layer stack (suggested by
> Jann Horn). See layout1.interleaved_masked_accesses tests from
> tools/testing/selftests/landlock/fs_test.c for corner cases.
> * Add build-time checks for layers.
> * Use the new landlock_insert_rule() API.
>
> Changes since v23:
> * Enforce deterministic interleaved path rules. To have consistent
> layered rules, granting access to a path implies that all accesses
> tied to inodes, from the requested file to the real root, must be
> checked. Otherwise, stacked rules may result to overzealous
> restrictions. By excluding the ability to add exceptions in the same
> layer (e.g. /a allowed, /a/b denied, and /a/b/c allowed), we get
> deterministic interleaved path rules. This removes an optimization
> which could be replaced by a proper cache mechanism. This also
> further simplifies and explain check_access_path_continue().
> * Fix memory allocation error handling in landlock_create_object()
> calls. This prevent to inadvertently hold an inode.
> * In get_inode_object(), improve comments, make code more readable and
> move kfree() call out of the lock window.
> * Use the simplified landlock_insert_rule() API.
>
> Changes since v22:
> * Simplify check_access_path_continue() (suggested by Jann Horn).
> * Remove prefetch() call for now (suggested by Jann Horn).
> * Fix spelling and remove superfluous comment (spotted by Jann Horn).
> * Cosmetic variable renaming.
>
> Changes since v21:
> * Rename ARCH_EPHEMERAL_STATES to ARCH_EPHEMERAL_INODES (suggested by
> James Morris).
> * Remove the LANDLOCK_ACCESS_FS_CHROOT right because chroot(2) (which
> requires CAP_SYS_CHROOT) doesn't enable to bypass Landlock (as tests
> demonstrate it), and because it is often used by sandboxes, it would
> be counterproductive to forbid it. This also reduces the code size.
> * Clean up documentation.
>
> Changes since v19:
> * Fix spelling (spotted by Randy Dunlap).
>
> Changes since v18:
> * Remove useless include.
> * Fix spelling.
>
> Changes since v17:
> * Replace landlock_release_inodes() with security_sb_delete() (requested
> by James Morris).
> * Replace struct super_block->s_landlock_inode_refs with the LSM
> infrastructure management of the superblock (requested by James
> Morris).
> * Fix mknod restriction with a zero mode (spotted by Vincent Dagonneau).
> * Minimize executed code in path_mknod and file_open hooks when the
> current tasks is not sandboxed.
> * Remove useless checks on the file pointer and inode in
> hook_file_open() .
> * Constify domain pointers.
> * Rename inode_landlock() to landlock_inode().
> * Import include/uapi/linux/landlock.h and _LANDLOCK_ACCESS_FS_* from
> the ruleset and domain management patch.
> * Explain the rational of this minimal set of access-control.
> https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.net/
>
> Changes since v16:
> * Add ARCH_EPHEMERAL_STATES and enable it for UML.
>
> Changes since v15:
> * Replace layer_levels and layer_depth with a bitfield of layers: this
> enables to properly manage superset and subset of access rights,
> whatever their order in the stack of layers.
> Cf. https://lore.kernel.org/lkml/e07fe473-1801-01cc-12ae-b3167f95250e@digikod.net/
> * Allow to open pipes and similar special files through /proc/self/fd/.
> * Properly handle internal filesystems such as nsfs: always allow these
> kind of roots because disconnected path cannot be evaluated.
> * Remove the LANDLOCK_ACCESS_FS_LINK_TO and
> LANDLOCK_ACCESS_FS_RENAME_{TO,FROM}, but use the
> LANDLOCK_ACCESS_FS_REMOVE_{FILE,DIR} and LANDLOCK_ACCESS_FS_MAKE_*
> instead. Indeed, it is not possible for now (and not really useful)
> to express the semantic of a source and a destination.
> * Check access rights to remove a directory or a file with rename(2).
> * Forbid reparenting when linking or renaming. This is needed to easily
> protect against possible privilege escalation by changing the place of
> a file or directory in relation to an enforced access policy (from the
> set of layers). This will be relaxed in the future.
> * Update hooks to take into account replacement of the object's self and
> beneath access bitfields with one. Simplify the code.
> * Check file related access rights.
> * Check d_is_negative() instead of !d_backing_inode() in
> check_access_path_continue(), and continue the path walk while there
> is no mapped inode e.g., with rename(2).
> * Check private inode in check_access_path().
> * Optimize get_file_access() when dealing with a directory.
> * Add missing atomic.h .
>
> Changes since v14:
> * Simplify the object, rule and ruleset management at the expense of a
> less aggressive memory freeing (contributed by Jann Horn, with
> additional modifications):
> - Rewrite release_inode() to use inode->sb->s_landlock_inode_refs.
> - Remove useless checks in landlock_release_inodes(), clean object
> pointer according to the new struct landlock_object and wait for all
> iput() to complete.
> - Rewrite get_inode_object() according to the new struct
> landlock_object. If there is a race-condition when cleaning up an
> object, we retry until the concurrent thread finished the object
> cleaning.
> Cf. https://lore.kernel.org/lkml/CAG48ez21bEn0wL1bbmTiiu8j9jP5iEWtHOwz4tURUJ+ki0ydYw@mail.gmail.com/
> * Fix nested domains by implementing a notion of layer level and depth:
> - Check for matching level ranges when walking through a file path.
> - Only allow access if every layer granted the access request.
> * Handles files without mount points (e.g. pipes).
> * Hardens path walk by checking inode pointer values.
> * Prefetches d_parent when walking to the root directory.
> * Remove useless inode_alloc_security hook() (suggested by Jann Horn):
> already initialized by lsm_inode_alloc().
> * Remove the inode_free_security hook.
> * Remove access checks that may be required for FD-only requests:
> truncate, getattr, lock, chmod, chown, chgrp, ioctl. This will be
> handle in a future evolution of Landlock, but right now the goal is to
> lighten the code to ease review.
> * Constify variables.
> * Move ABI checks into syscall.c .
> * Cosmetic variable renames.
>
> Changes since v11:
> * Add back, revamp and make a fully working filesystem access-control
> based on paths and inodes.
> * Remove the eBPF dependency.
>
> Previous changes:
> https://lore.kernel.org/lkml/20190721213116.23476-6-mic@digikod.net/
> ---
> MAINTAINERS | 1 +
> arch/Kconfig | 7 +
> arch/um/Kconfig | 1 +
> include/uapi/linux/landlock.h | 75 ++++
> security/landlock/Kconfig | 2 +-
> security/landlock/Makefile | 2 +-
> security/landlock/fs.c | 621 ++++++++++++++++++++++++++++++++++
> security/landlock/fs.h | 56 +++
> security/landlock/limits.h | 4 +
> security/landlock/ruleset.c | 4 +
> security/landlock/setup.c | 7 +
> security/landlock/setup.h | 2 +
> 12 files changed, 780 insertions(+), 2 deletions(-)
> create mode 100644 include/uapi/linux/landlock.h
> create mode 100644 security/landlock/fs.c
> create mode 100644 security/landlock/fs.h
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 74406a6bc6ee..572e4288c60f 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -9942,6 +9942,7 @@ L: linux-security-module@...r.kernel.org
> S: Supported
> W: https://landlock.io
> T: git https://github.com/landlock-lsm/linux.git
> +F: include/uapi/linux/landlock.h
> F: security/landlock/
> K: landlock
> K: LANDLOCK
> diff --git a/arch/Kconfig b/arch/Kconfig
> index 24862d15f3a3..54999569c755 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -946,6 +946,13 @@ config COMPAT_32BIT_TIME
> config ARCH_NO_PREEMPT
> bool
>
> +config ARCH_EPHEMERAL_INODES
> + def_bool n
> + help
> + An arch should select this symbol if it doesn't keep track of inode
> + instances on its own, but instead relies on something else (e.g. the host
> + kernel for an UML kernel).
> +
> config ARCH_SUPPORTS_RT
> bool
>
> diff --git a/arch/um/Kconfig b/arch/um/Kconfig
> index 34d302d1a07f..451787332335 100644
> --- a/arch/um/Kconfig
> +++ b/arch/um/Kconfig
> @@ -5,6 +5,7 @@ menu "UML-specific options"
> config UML
> bool
> default y
> + select ARCH_EPHEMERAL_INODES
> select ARCH_HAS_KCOV
> select ARCH_NO_PREEMPT
> select HAVE_ARCH_AUDITSYSCALL
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> new file mode 100644
> index 000000000000..f69877099c8e
> --- /dev/null
> +++ b/include/uapi/linux/landlock.h
> @@ -0,0 +1,75 @@
> +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
> +/*
> + * Landlock - User space API
> + *
> + * Copyright © 2017-2020 Mickaël Salaün <mic@...ikod.net>
> + * Copyright © 2018-2020 ANSSI
> + */
> +
> +#ifndef _UAPI_LINUX_LANDLOCK_H
> +#define _UAPI_LINUX_LANDLOCK_H
> +
> +/**
> + * DOC: fs_access
> + *
> + * A set of actions on kernel objects may be defined by an attribute (e.g.
> + * &struct landlock_path_beneath_attr) including a bitmask of access.
> + *
> + * Filesystem flags
> + * ~~~~~~~~~~~~~~~~
> + *
> + * These flags enable to restrict a sandboxed process to a set of actions on
> + * files and directories. Files or directories opened before the sandboxing
> + * are not subject to these restrictions.
> + *
> + * A file can only receive these access rights:
> + *
> + * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
> + * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access.
> + * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
> + *
> + * A directory can receive access rights related to files or directories. The
> + * following access right is applied to the directory itself, and the
> + * directories beneath it:
> + *
> + * - %LANDLOCK_ACCESS_FS_READ_DIR: Open a directory or list its content.
> + *
> + * However, the following access rights only apply to the content of a
> + * directory, not the directory itself:
> + *
> + * - %LANDLOCK_ACCESS_FS_REMOVE_DIR: Remove an empty directory or rename one.
> + * - %LANDLOCK_ACCESS_FS_REMOVE_FILE: Unlink (or rename) a file.
> + * - %LANDLOCK_ACCESS_FS_MAKE_CHAR: Create (or rename or link) a character
> + * device.
> + * - %LANDLOCK_ACCESS_FS_MAKE_DIR: Create (or rename) a directory.
> + * - %LANDLOCK_ACCESS_FS_MAKE_REG: Create (or rename or link) a regular file.
> + * - %LANDLOCK_ACCESS_FS_MAKE_SOCK: Create (or rename or link) a UNIX domain
> + * socket.
> + * - %LANDLOCK_ACCESS_FS_MAKE_FIFO: Create (or rename or link) a named pipe.
> + * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
> + * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
> + *
> + * .. warning::
> + *
> + * It is currently not possible to restrict some file-related actions
> + * accessible through these syscall families: :manpage:`chdir(2)`,
> + * :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
> + * :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
> + * :manpage:`utime(2)`, :manpage:`ioctl(2)`, :manpage:`fcntl(2)`.
> + * Future Landlock evolutions will enable to restrict them.
> + */
> +#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
> +#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
> +#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
> +#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
> +#define LANDLOCK_ACCESS_FS_REMOVE_DIR (1ULL << 4)
> +#define LANDLOCK_ACCESS_FS_REMOVE_FILE (1ULL << 5)
> +#define LANDLOCK_ACCESS_FS_MAKE_CHAR (1ULL << 6)
> +#define LANDLOCK_ACCESS_FS_MAKE_DIR (1ULL << 7)
> +#define LANDLOCK_ACCESS_FS_MAKE_REG (1ULL << 8)
> +#define LANDLOCK_ACCESS_FS_MAKE_SOCK (1ULL << 9)
> +#define LANDLOCK_ACCESS_FS_MAKE_FIFO (1ULL << 10)
> +#define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
> +#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
> +
> +#endif /* _UAPI_LINUX_LANDLOCK_H */
> diff --git a/security/landlock/Kconfig b/security/landlock/Kconfig
> index 42a659e81196..e4b9d453bc70 100644
> --- a/security/landlock/Kconfig
> +++ b/security/landlock/Kconfig
> @@ -2,7 +2,7 @@
>
> config SECURITY_LANDLOCK
> bool "Landlock support"
> - depends on SECURITY
> + depends on SECURITY && !ARCH_EPHEMERAL_INODES
> select SECURITY_PATH
> help
> Landlock is a safe sandboxing mechanism that enables processes to
> diff --git a/security/landlock/Makefile b/security/landlock/Makefile
> index f1d1eb72fa76..92e3d80ab8ed 100644
> --- a/security/landlock/Makefile
> +++ b/security/landlock/Makefile
> @@ -1,4 +1,4 @@
> obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
>
> landlock-y := setup.o object.o ruleset.o \
> - cred.o ptrace.o
> + cred.o ptrace.o fs.o
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> new file mode 100644
> index 000000000000..27f5d40038b1
> --- /dev/null
> +++ b/security/landlock/fs.c
> @@ -0,0 +1,621 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/*
> + * Landlock LSM - Filesystem management and hooks
> + *
> + * Copyright © 2016-2020 Mickaël Salaün <mic@...ikod.net>
> + * Copyright © 2018-2020 ANSSI
> + */
> +
> +#include <linux/atomic.h>
> +#include <linux/bitops.h>
> +#include <linux/bits.h>
> +#include <linux/compiler_types.h>
> +#include <linux/dcache.h>
> +#include <linux/err.h>
> +#include <linux/fs.h>
> +#include <linux/init.h>
> +#include <linux/kernel.h>
> +#include <linux/limits.h>
> +#include <linux/list.h>
> +#include <linux/lsm_hooks.h>
> +#include <linux/mount.h>
> +#include <linux/namei.h>
> +#include <linux/path.h>
> +#include <linux/rcupdate.h>
> +#include <linux/spinlock.h>
> +#include <linux/stat.h>
> +#include <linux/types.h>
> +#include <linux/wait_bit.h>
> +#include <linux/workqueue.h>
> +#include <uapi/linux/landlock.h>
> +
> +#include "common.h"
> +#include "cred.h"
> +#include "fs.h"
> +#include "limits.h"
> +#include "object.h"
> +#include "ruleset.h"
> +#include "setup.h"
> +
> +/* Underlying object management */
> +
> +static void release_inode(struct landlock_object *const object)
> + __releases(object->lock)
> +{
> + struct inode *const inode = object->underobj;
> + struct super_block *sb;
> +
> + if (!inode) {
> + spin_unlock(&object->lock);
> + return;
> + }
> +
> + spin_lock(&inode->i_lock);
> + /*
> + * Make sure that if the filesystem is concurrently unmounted,
> + * hook_sb_delete() will wait for us to finish iput().
> + */
> + sb = inode->i_sb;
> + atomic_long_inc(&landlock_superblock(sb)->inode_refs);
> + rcu_assign_pointer(landlock_inode(inode)->object, NULL);
> + spin_unlock(&inode->i_lock);
> + spin_unlock(&object->lock);
> + /*
> + * Now, new rules can safely be tied to @inode.
> + */
> +
> + iput(inode);
> + if (atomic_long_dec_and_test(&landlock_superblock(sb)->inode_refs))
> + wake_up_var(&landlock_superblock(sb)->inode_refs);
> +}
> +
> +static const struct landlock_object_underops landlock_fs_underops = {
> + .release = release_inode
> +};
> +
> +/* Ruleset management */
> +
> +static struct landlock_object *get_inode_object(struct inode *const inode)
> +{
> + struct landlock_object *object, *new_object;
> + struct landlock_inode_security *inode_sec = landlock_inode(inode);
> +
> + rcu_read_lock();
> +retry:
> + object = rcu_dereference(inode_sec->object);
> + if (object) {
> + if (likely(refcount_inc_not_zero(&object->usage))) {
> + rcu_read_unlock();
> + return object;
> + }
> + /*
> + * We are racing with release_inode(), the object is going
> + * away. Wait for release_inode(), then retry.
> + */
> + spin_lock(&object->lock);
> + spin_unlock(&object->lock);
> + goto retry;
> + }
> + rcu_read_unlock();
> +
> + /*
> + * If there is no object tied to @inode, then create a new one (without
> + * holding any locks).
> + */
> + new_object = landlock_create_object(&landlock_fs_underops, inode);
> + if (IS_ERR(new_object))
> + return new_object;
> +
> + spin_lock(&inode->i_lock);
> + object = rcu_dereference_protected(inode_sec->object,
> + lockdep_is_held(&inode->i_lock));
> + if (unlikely(object)) {
> + /* Someone else just created the object, bail out and retry. */
> + spin_unlock(&inode->i_lock);
> + kfree(new_object);
> +
> + rcu_read_lock();
> + goto retry;
> + }
> +
> + rcu_assign_pointer(inode_sec->object, new_object);
> + /*
> + * @inode will be released by hook_sb_delete() on its superblock
> + * shutdown.
> + */
> + ihold(inode);
> + spin_unlock(&inode->i_lock);
> + return new_object;
> +}
> +
> +/* All access rights that can be tied to files. */
> +#define ACCESS_FILE ( \
> + LANDLOCK_ACCESS_FS_EXECUTE | \
> + LANDLOCK_ACCESS_FS_WRITE_FILE | \
> + LANDLOCK_ACCESS_FS_READ_FILE)
> +
> +/*
> + * @path: Should have been checked by get_path_from_fd().
> + */
> +int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
> + const struct path *const path, u32 access_rights)
> +{
> + int err;
> + struct landlock_object *object;
> +
> + /* Files only get access rights that make sense. */
> + if (!d_is_dir(path->dentry) && (access_rights | ACCESS_FILE) !=
> + ACCESS_FILE)
> + return -EINVAL;
> +
> + /* Transforms relative access rights to absolute ones. */
> + access_rights |= LANDLOCK_MASK_ACCESS_FS & ~ruleset->fs_access_mask;
> + object = get_inode_object(d_backing_inode(path->dentry));
> + if (IS_ERR(object))
> + return PTR_ERR(object);
> + mutex_lock(&ruleset->lock);
> + err = landlock_insert_rule(ruleset, object, access_rights);
> + mutex_unlock(&ruleset->lock);
> + /*
> + * No need to check for an error because landlock_insert_rule()
> + * increments the refcount for the new object if needed.
> + */
> + landlock_put_object(object);
> + return err;
> +}
> +
> +/* Access-control management */
> +
> +static inline u64 unmask_layers(
> + const struct landlock_ruleset *const domain,
> + const struct path *const path, const u32 access_request,
> + u64 layer_mask)
> +{
> + const struct landlock_rule *rule;
> + const struct inode *inode;
> + size_t i;
> +
> + if (d_is_negative(path->dentry))
> + /* Continues to walk while there is no mapped inode. */
> + return layer_mask;
> + inode = d_backing_inode(path->dentry);
> + rcu_read_lock();
> + rule = landlock_find_rule(domain,
> + rcu_dereference(landlock_inode(inode)->object));
> + rcu_read_unlock();
> + if (!rule)
> + return layer_mask;
> +
> + /*
> + * An access is granted if, for each policy layer, at least one rule
> + * encountered on the pathwalk grants the requested accesses,
> + * regardless of their position in the layer stack. We must then check
> + * the remaining layers for each inode, from the last added layer to
> + * the first one.
> + */
> + for (i = 0; i < rule->num_layers; i++) {
> + const struct landlock_layer *const layer = &rule->layers[i];
> + const u64 layer_level = BIT_ULL(layer->level - 1);
> +
> + if ((layer->access & access_request) == access_request) {
> + layer_mask &= ~layer_level;
> +
> + if (layer_mask == 0)
> + return layer_mask;
> + }
> + }
> + return layer_mask;
> +}
> +
> +static int check_access_path(const struct landlock_ruleset *const domain,
> + const struct path *const path, u32 access_request)
> +{
> + bool allowed = false;
> + struct path walker_path;
> + u64 layer_mask;
> +
> + /* Make sure all layers can be checked. */
> + BUILD_BUG_ON(BITS_PER_TYPE(layer_mask) < LANDLOCK_MAX_NUM_LAYERS);
> +
> + if (WARN_ON_ONCE(!domain || !path))
> + return 0;
> + /*
> + * Allows access to pseudo filesystems that will never be mountable
> + * (e.g. sockfs, pipefs), but can still be reachable through
> + * /proc/self/fd .
> + */
> + if ((path->dentry->d_sb->s_flags & SB_NOUSER) ||
> + (d_is_positive(path->dentry) &&
> + unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))))
> + return 0;
> + if (WARN_ON_ONCE(domain->num_layers < 1))
> + return -EACCES;
> +
> + layer_mask = GENMASK_ULL(domain->num_layers - 1, 0);
> + /*
> + * An access request that is not handled by the domain should be
> + * allowed.
> + */
> + access_request &= domain->fs_access_mask;
> + if (access_request == 0)
> + return 0;
> + walker_path = *path;
> + path_get(&walker_path);
> + /*
> + * We need to walk through all the hierarchy to not miss any relevant
> + * restriction.
> + */
> + while (true) {
> + struct dentry *parent_dentry;
> +
> + layer_mask = unmask_layers(domain, &walker_path,
> + access_request, layer_mask);
> + if (layer_mask == 0) {
> + /* Stops when a rule from each layer grants access. */
> + allowed = true;
> + break;
> + }
> +
> +jump_up:
> + if (walker_path.dentry == walker_path.mnt->mnt_root) {
> + if (follow_up(&walker_path)) {
> + /* Ignores hidden mount points. */
> + goto jump_up;
> + } else {
> + /*
> + * Stops at the real root. Denies access
> + * because not all layers have granted access.
> + */
> + allowed = false;
> + break;
> + }
> + }
> + if (unlikely(IS_ROOT(walker_path.dentry))) {
> + /*
> + * Stops at disconnected root directories. Only allows
> + * access to internal filesystems (e.g. nsfs, which is
> + * reachable through /proc/self/ns).
> + */
> + allowed = !!(walker_path.mnt->mnt_flags & MNT_INTERNAL);
> + break;
> + }
> + parent_dentry = dget_parent(walker_path.dentry);
> + dput(walker_path.dentry);
> + walker_path.dentry = parent_dentry;
> + }
> + path_put(&walker_path);
> + return allowed ? 0 : -EACCES;
> +}
> +
> +static inline int current_check_access_path(const struct path *const path,
> + const u32 access_request)
> +{
> + const struct landlock_ruleset *const dom =
> + landlock_get_current_domain();
> +
> + if (!dom)
> + return 0;
> + return check_access_path(dom, path, access_request);
> +}
> +
> +/* Super-block hooks */
> +
> +/*
> + * Release the inodes used in a security policy.
> + *
> + * Cf. fsnotify_unmount_inodes()
> + */
> +static void hook_sb_delete(struct super_block *const sb)
> +{
> + struct inode *inode, *iput_inode = NULL;
> +
> + if (!landlock_initialized)
> + return;
> +
> + spin_lock(&sb->s_inode_list_lock);
> + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
> + struct landlock_inode_security *inode_sec =
> + landlock_inode(inode);
> + struct landlock_object *object;
> + bool do_put = false;
> +
> + rcu_read_lock();
> + object = rcu_dereference(inode_sec->object);
> + if (!object) {
> + rcu_read_unlock();
> + continue;
> + }
> +
> + spin_lock(&object->lock);
> + if (object->underobj) {
> + object->underobj = NULL;
> + do_put = true;
> + spin_lock(&inode->i_lock);
> + rcu_assign_pointer(inode_sec->object, NULL);
> + spin_unlock(&inode->i_lock);
> + }
> + spin_unlock(&object->lock);
> + rcu_read_unlock();
> + if (!do_put)
> + /*
> + * A concurrent iput() in release_inode() is ongoing
> + * and we will just wait for it to finish.
> + */
> + continue;
> +
> + /*
> + * At this point, we own the ihold() reference that was
> + * originally set up by get_inode_object(). Therefore we can
> + * drop the list lock and know that the inode won't disappear
> + * from under us until the next loop walk.
> + */
> + spin_unlock(&sb->s_inode_list_lock);
> + /*
> + * We can now actually put the previous inode, which is not
> + * needed anymore for the loop walk.
> + */
> + if (iput_inode)
> + iput(iput_inode);
> + iput_inode = inode;
> + spin_lock(&sb->s_inode_list_lock);
> + }
> + spin_unlock(&sb->s_inode_list_lock);
> + if (iput_inode)
> + iput(iput_inode);
> +
> + /*
> + * Wait for pending iput() in release_inode().
> + */
> + wait_var_event(&landlock_superblock(sb)->inode_refs, !atomic_long_read(
> + &landlock_superblock(sb)->inode_refs));
> +}
> +
> +/*
> + * Because a Landlock security policy is defined according to the filesystem
> + * layout (i.e. the mount namespace), changing it may grant access to files not
> + * previously allowed.
> + *
> + * To make it simple, deny any filesystem layout modification by landlocked
> + * processes. Non-landlocked processes may still change the namespace of a
> + * landlocked process, but this kind of threat must be handled by a system-wide
> + * access-control security policy.
> + *
> + * This could be lifted in the future if Landlock can safely handle mount
> + * namespace updates requested by a landlocked process. Indeed, we could
> + * update the current domain (which is currently read-only) by taking into
> + * account the accesses of the source and the destination of a new mount point.
> + * However, it would also require to make all the child domains dynamically
> + * inherit these new constraints. Anyway, for backward compatibility reasons,
> + * a dedicated user space option would be required (e.g. as a ruleset command
> + * option).
> + */
> +static int hook_sb_mount(const char *const dev_name,
> + const struct path *const path, const char *const type,
> + const unsigned long flags, void *const data)
> +{
> + if (!landlock_get_current_domain())
> + return 0;
> + return -EPERM;
> +}
> +
> +static int hook_move_mount(const struct path *const from_path,
> + const struct path *const to_path)
> +{
> + if (!landlock_get_current_domain())
> + return 0;
> + return -EPERM;
> +}
> +
> +/*
> + * Removing a mount point may reveal a previously hidden file hierarchy, which
> + * may then grant access to files, which may have previously been forbidden.
> + */
> +static int hook_sb_umount(struct vfsmount *const mnt, const int flags)
> +{
> + if (!landlock_get_current_domain())
> + return 0;
> + return -EPERM;
> +}
> +
> +static int hook_sb_remount(struct super_block *const sb, void *const mnt_opts)
> +{
> + if (!landlock_get_current_domain())
> + return 0;
> + return -EPERM;
> +}
> +
> +/*
> + * pivot_root(2), like mount(2), changes the current mount namespace. It must
> + * then be forbidden for a landlocked process.
> + *
> + * However, chroot(2) may be allowed because it only changes the relative root
> + * directory of the current process. Moreover, it can be used to restrict the
> + * view of the filesystem.
> + */
> +static int hook_sb_pivotroot(const struct path *const old_path,
> + const struct path *const new_path)
> +{
> + if (!landlock_get_current_domain())
> + return 0;
> + return -EPERM;
> +}
> +
> +/* Path hooks */
> +
> +static inline u32 get_mode_access(const umode_t mode)
> +{
> + switch (mode & S_IFMT) {
> + case S_IFLNK:
> + return LANDLOCK_ACCESS_FS_MAKE_SYM;
> + case 0:
> + /* A zero mode translates to S_IFREG. */
> + case S_IFREG:
> + return LANDLOCK_ACCESS_FS_MAKE_REG;
> + case S_IFDIR:
> + return LANDLOCK_ACCESS_FS_MAKE_DIR;
> + case S_IFCHR:
> + return LANDLOCK_ACCESS_FS_MAKE_CHAR;
> + case S_IFBLK:
> + return LANDLOCK_ACCESS_FS_MAKE_BLOCK;
> + case S_IFIFO:
> + return LANDLOCK_ACCESS_FS_MAKE_FIFO;
> + case S_IFSOCK:
> + return LANDLOCK_ACCESS_FS_MAKE_SOCK;
> + default:
> + WARN_ON_ONCE(1);
> + return 0;
> + }
> +}
> +
> +/*
> + * Creating multiple links or renaming may lead to privilege escalations if not
> + * handled properly. Indeed, we must be sure that the source doesn't gain more
> + * privileges by being accessible from the destination. This is getting more
> + * complex when dealing with multiple layers. The whole picture can be seen as
> + * a multilayer partial ordering problem. A future version of Landlock will
> + * deal with that.
> + */
> +static int hook_path_link(struct dentry *const old_dentry,
> + const struct path *const new_dir,
> + struct dentry *const new_dentry)
> +{
> + const struct landlock_ruleset *const dom =
> + landlock_get_current_domain();
> +
> + if (!dom)
> + return 0;
> + /* The mount points are the same for old and new paths, cf. EXDEV. */
> + if (old_dentry->d_parent != new_dir->dentry)
> + /* For now, forbid reparenting. */
> + return -EACCES;
> + if (unlikely(d_is_negative(old_dentry)))
> + return -EACCES;
> + return check_access_path(dom, new_dir,
> + get_mode_access(d_backing_inode(old_dentry)->i_mode));
> +}
> +
> +static inline u32 maybe_remove(const struct dentry *const dentry)
> +{
> + if (d_is_negative(dentry))
> + return 0;
> + return d_is_dir(dentry) ? LANDLOCK_ACCESS_FS_REMOVE_DIR :
> + LANDLOCK_ACCESS_FS_REMOVE_FILE;
> +}
> +
> +static int hook_path_rename(const struct path *const old_dir,
> + struct dentry *const old_dentry,
> + const struct path *const new_dir,
> + struct dentry *const new_dentry)
> +{
> + const struct landlock_ruleset *const dom =
> + landlock_get_current_domain();
> +
> + if (!dom)
> + return 0;
> + /* The mount points are the same for old and new paths, cf. EXDEV. */
> + if (old_dir->dentry != new_dir->dentry)
> + /* For now, forbid reparenting. */
> + return -EACCES;
> + if (WARN_ON_ONCE(d_is_negative(old_dentry)))
> + return -EACCES;
> + /* RENAME_EXCHANGE is handled because directories are the same. */
> + return check_access_path(dom, old_dir, maybe_remove(old_dentry) |
> + maybe_remove(new_dentry) |
> + get_mode_access(d_backing_inode(old_dentry)->i_mode));
> +}
> +
> +static int hook_path_mkdir(const struct path *const dir,
> + struct dentry *const dentry, const umode_t mode)
> +{
> + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_MAKE_DIR);
> +}
> +
> +static int hook_path_mknod(const struct path *const dir,
> + struct dentry *const dentry, const umode_t mode,
> + const unsigned int dev)
> +{
> + const struct landlock_ruleset *const dom =
> + landlock_get_current_domain();
> +
> + if (!dom)
> + return 0;
> + return check_access_path(dom, dir, get_mode_access(mode));
> +}
> +
> +static int hook_path_symlink(const struct path *const dir,
> + struct dentry *const dentry, const char *const old_name)
> +{
> + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_MAKE_SYM);
> +}
> +
> +static int hook_path_unlink(const struct path *const dir,
> + struct dentry *const dentry)
> +{
> + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_FILE);
> +}
> +
> +static int hook_path_rmdir(const struct path *const dir,
> + struct dentry *const dentry)
> +{
> + return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_DIR);
> +}
> +
> +/* File hooks */
> +
> +static inline u32 get_file_access(const struct file *const file)
> +{
> + u32 access = 0;
> +
> + if (file->f_mode & FMODE_READ) {
> + /* A directory can only be opened in read mode. */
> + if (S_ISDIR(file_inode(file)->i_mode))
> + return LANDLOCK_ACCESS_FS_READ_DIR;
> + access = LANDLOCK_ACCESS_FS_READ_FILE;
> + }
> + if (file->f_mode & FMODE_WRITE)
> + access |= LANDLOCK_ACCESS_FS_WRITE_FILE;
> + /* __FMODE_EXEC is indeed part of f_flags, not f_mode. */
> + if (file->f_flags & __FMODE_EXEC)
> + access |= LANDLOCK_ACCESS_FS_EXECUTE;
> + return access;
> +}
> +
> +static int hook_file_open(struct file *const file)
> +{
> + const struct landlock_ruleset *const dom =
> + landlock_get_current_domain();
> +
> + if (!dom)
> + return 0;
> + /*
> + * Because a file may be opened with O_PATH, get_file_access() may
> + * return 0. This case will be handled with a future Landlock
> + * evolution.
> + */
> + return check_access_path(dom, &file->f_path, get_file_access(file));
> +}
> +
> +static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
> + LSM_HOOK_INIT(sb_delete, hook_sb_delete),
> + LSM_HOOK_INIT(sb_mount, hook_sb_mount),
> + LSM_HOOK_INIT(move_mount, hook_move_mount),
> + LSM_HOOK_INIT(sb_umount, hook_sb_umount),
> + LSM_HOOK_INIT(sb_remount, hook_sb_remount),
> + LSM_HOOK_INIT(sb_pivotroot, hook_sb_pivotroot),
> +
> + LSM_HOOK_INIT(path_link, hook_path_link),
> + LSM_HOOK_INIT(path_rename, hook_path_rename),
> + LSM_HOOK_INIT(path_mkdir, hook_path_mkdir),
> + LSM_HOOK_INIT(path_mknod, hook_path_mknod),
> + LSM_HOOK_INIT(path_symlink, hook_path_symlink),
> + LSM_HOOK_INIT(path_unlink, hook_path_unlink),
> + LSM_HOOK_INIT(path_rmdir, hook_path_rmdir),
> +
> + LSM_HOOK_INIT(file_open, hook_file_open),
> +};
> +
> +__init void landlock_add_fs_hooks(void)
> +{
> + security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
> + LANDLOCK_NAME);
> +}
> diff --git a/security/landlock/fs.h b/security/landlock/fs.h
> new file mode 100644
> index 000000000000..9f14ec4d8d48
> --- /dev/null
> +++ b/security/landlock/fs.h
> @@ -0,0 +1,56 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
> +/*
> + * Landlock LSM - Filesystem management and hooks
> + *
> + * Copyright © 2017-2020 Mickaël Salaün <mic@...ikod.net>
> + * Copyright © 2018-2020 ANSSI
> + */
> +
> +#ifndef _SECURITY_LANDLOCK_FS_H
> +#define _SECURITY_LANDLOCK_FS_H
> +
> +#include <linux/fs.h>
> +#include <linux/init.h>
> +#include <linux/rcupdate.h>
> +
> +#include "ruleset.h"
> +#include "setup.h"
> +
> +struct landlock_inode_security {
> + /*
> + * @object: Weak pointer to an allocated object. All writes (i.e.
> + * creating a new object or removing one) are protected by the
> + * underlying inode->i_lock. Disassociating @object from the inode is
> + * additionally protected by @object->lock, from the time @object's
> + * usage refcount drops to zero to the time this pointer is nulled out.
> + * Cf. release_inode().
> + */
> + struct landlock_object __rcu *object;
> +};
> +
> +struct landlock_superblock_security {
> + /*
> + * @inode_refs: References to Landlock underlying objects.
> + * Cf. struct super_block->s_fsnotify_inode_refs .
> + */
> + atomic_long_t inode_refs;
> +};
> +
> +static inline struct landlock_inode_security *landlock_inode(
> + const struct inode *const inode)
> +{
> + return inode->i_security + landlock_blob_sizes.lbs_inode;
> +}
> +
> +static inline struct landlock_superblock_security *landlock_superblock(
> + const struct super_block *const superblock)
> +{
> + return superblock->s_security + landlock_blob_sizes.lbs_superblock;
> +}
> +
> +__init void landlock_add_fs_hooks(void);
> +
> +int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
> + const struct path *const path, u32 access_hierarchy);
> +
> +#endif /* _SECURITY_LANDLOCK_FS_H */
> diff --git a/security/landlock/limits.h b/security/landlock/limits.h
> index b734f597bb0e..2a0a1095ee27 100644
> --- a/security/landlock/limits.h
> +++ b/security/landlock/limits.h
> @@ -10,8 +10,12 @@
> #define _SECURITY_LANDLOCK_LIMITS_H
>
> #include <linux/limits.h>
> +#include <uapi/linux/landlock.h>
>
> #define LANDLOCK_MAX_NUM_LAYERS 64
> #define LANDLOCK_MAX_NUM_RULES U32_MAX
>
> +#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_MAKE_SYM
> +#define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1)
> +
> #endif /* _SECURITY_LANDLOCK_LIMITS_H */
> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
> index bf7ff66c1b12..548636a68b48 100644
> --- a/security/landlock/ruleset.c
> +++ b/security/landlock/ruleset.c
> @@ -112,10 +112,12 @@ static void build_check_ruleset(void)
> const struct landlock_ruleset ruleset = {
> .num_rules = ~0,
> .num_layers = ~0,
> + .fs_access_mask = ~0,
> };
>
> BUILD_BUG_ON(ruleset.num_rules < LANDLOCK_MAX_NUM_RULES);
> BUILD_BUG_ON(ruleset.num_layers < LANDLOCK_MAX_NUM_LAYERS);
> + BUILD_BUG_ON(ruleset.fs_access_mask < LANDLOCK_MASK_ACCESS_FS);
> }
>
> /**
> @@ -214,9 +216,11 @@ static void build_check_layer(void)
> {
> const struct landlock_layer layer = {
> .level = ~0,
> + .access = ~0,
> };
>
> BUILD_BUG_ON(layer.level < LANDLOCK_MAX_NUM_LAYERS);
> + BUILD_BUG_ON(layer.access < LANDLOCK_MASK_ACCESS_FS);
> }
>
> int landlock_insert_rule(struct landlock_ruleset *const ruleset,
> diff --git a/security/landlock/setup.c b/security/landlock/setup.c
> index a5d6ef334991..f8e8e980454c 100644
> --- a/security/landlock/setup.c
> +++ b/security/landlock/setup.c
> @@ -11,17 +11,24 @@
>
> #include "common.h"
> #include "cred.h"
> +#include "fs.h"
> #include "ptrace.h"
> #include "setup.h"
>
> +bool landlock_initialized __lsm_ro_after_init = false;
> +
> struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
> .lbs_cred = sizeof(struct landlock_cred_security),
> + .lbs_inode = sizeof(struct landlock_inode_security),
> + .lbs_superblock = sizeof(struct landlock_superblock_security),
> };
>
> static int __init landlock_init(void)
> {
> landlock_add_cred_hooks();
> landlock_add_ptrace_hooks();
> + landlock_add_fs_hooks();
> + landlock_initialized = true;
> pr_info("Up and running.\n");
> return 0;
> }
> diff --git a/security/landlock/setup.h b/security/landlock/setup.h
> index 9fdbf33fcc33..1daffab1ab4b 100644
> --- a/security/landlock/setup.h
> +++ b/security/landlock/setup.h
> @@ -11,6 +11,8 @@
>
> #include <linux/lsm_hooks.h>
>
> +extern bool landlock_initialized;
> +
> extern struct lsm_blob_sizes landlock_blob_sizes;
>
> #endif /* _SECURITY_LANDLOCK_SETUP_H */
>
Powered by blists - more mailing lists