lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20210630224856.1313928-1-mic@digikod.net>
Date:   Thu,  1 Jul 2021 00:48:52 +0200
From:   Mickaël Salaün <mic@...ikod.net>
To:     Al Viro <viro@...iv.linux.org.uk>,
        James Morris <jmorris@...ei.org>,
        Serge Hallyn <serge@...lyn.com>
Cc:     Mickaël Salaün <mic@...ikod.net>,
        Andy Lutomirski <luto@...capital.net>,
        Jann Horn <jannh@...gle.com>,
        Kees Cook <keescook@...omium.org>,
        Shuah Khan <shuah@...nel.org>, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-security-module@...r.kernel.org
Subject: [PATCH v1 0/4] Landlock filesystem caching

Hi,

The goal of this patch series is to reduce the performance impact of
walking through a lot of files while being landlocked.  Indeed, because
of the unprivileged nature of Landlock, each file access implies to
check access granted to each directory of the path, which slows down
open time.

Currently, openat(2) calls spend more than 22% of their time in
hook_file_open().  The performance impact for a common worth case
scenario is significantly reduced thanks to this patch series,
theoretically going from O(n) with n as the depth of a path, to O(1)
(cf. benchmarks in the caching patch).

This series adds a new security hook (resolve_path_at) and uses it to
implement access caching in Landlock.  I'm planning to build on top of
that for other improvements (using task's working directory and task's
root directory) but that will require other hook changes.

This new hook is also a first step to be able to securely restrict file
descriptors used for path resolution (e.g. dirfd in openat2).

Caching may be difficult to get right especially for security checks.  I
extended the current tests and I'm still working on new ones.  If you
have test/attack scenarios, please share them.  I would really
appreciate constructive reviews for these critical changes.  This series
can be applied on top of v5.13 .

Regards,

Mickaël Salaün (4):
  fs,security: Add resolve_path_at() hook
  landlock: Add filesystem rule caching
  selftests/landlock: Work in a temporary directory
  selftests/landlock: Check all possible intermediate directories

 fs/namei.c                                 |   9 +
 include/linux/lsm_hook_defs.h              |   2 +
 include/linux/lsm_hooks.h                  |   8 +
 include/linux/security.h                   |   9 +
 security/landlock/cache.h                  |  77 +++++++
 security/landlock/cred.c                   |  15 +-
 security/landlock/cred.h                   |  20 +-
 security/landlock/fs.c                     | 224 +++++++++++++++++++--
 security/landlock/fs.h                     |  29 +++
 security/landlock/setup.c                  |   2 +
 security/security.c                        |   6 +
 tools/testing/selftests/landlock/fs_test.c | 205 ++++++++++++++-----
 12 files changed, 544 insertions(+), 62 deletions(-)
 create mode 100644 security/landlock/cache.h


base-commit: 62fb9874f5da54fdb243003b386128037319b219
-- 
2.32.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ