lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220221212522.320243-1-mic@digikod.net>
Date:   Mon, 21 Feb 2022 22:25:11 +0100
From:   Mickaël Salaün <mic@...ikod.net>
To:     James Morris <jmorris@...ei.org>,
        "Serge E . Hallyn" <serge@...lyn.com>
Cc:     Mickaël Salaün <mic@...ikod.net>,
        Al Viro <viro@...iv.linux.org.uk>,
        Jann Horn <jannh@...gle.com>,
        Kees Cook <keescook@...omium.org>,
        Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
        Paul Moore <paul@...l-moore.com>,
        Shuah Khan <shuah@...nel.org>, linux-doc@...r.kernel.org,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org
Subject: [PATCH v1 00/11] Landlock: file linking and renaming support

Hi,

One of the most annoying limitations of Landlock is that sandboxed
processes can only link and rename files to the same directory (i.e.
file reparenting is always denied).  Indeed, because of the unprivileged
nature of Landlock, file hierarchy are identified thanks to ephemeral
inode tagging, which may cause arbitrary renaming and linking to change
the security policy in an unexpected way.

This patch series brings a new access right, LANDLOCK_ACCESS_FS_REFER,
which enables to allow safe file linking and renaming.  In a nutshell,
Landlock checks that the inherited access rights of a moved or renamed
file cannot increase but only reduce.  Six new test suits cover file
renaming and linking, which brings coverage for security/landlock/ from
93.5% of lines to 94.4%.

The documentation and the tutorial is extended with this new access
right, along with more explanations about backward and forward
compatibility, good practices, and a bit about the current access
rights rational.

While developing this new feature, I also found an issue with the
current implementation of Landlock.  In some (rare) cases, sandboxed
processes may be more restricted than intended.  Indeed, because of the
current way to check file hierarchy access rights, composition of rules
may be incomplete when requesting multiple accesses at the same time.
This is fixed with a dedicated patch involving some refactoring.  A new
test suite checks relevant new edge cases.

As a side effect, and to limit the increased use of the stack, I reduced
the number of Landlock nested domains from 64 to 16.  I think this
should be more than enough for legitimate use cases, but feel free to
challenge this decision with real and legitimate use cases.

Because of the current path_rename security hook, Landlock cannot yet
return consistent error codes with RENAME_EXCHANGE.  I plan to address
this issue with a next series.

This patch series was developed with some complementary new tests sent
in a standalone patch series:
https://lore.kernel.org/r/20220221155311.166278-1-mic@digikod.net

Additionally, a new dedicated syzkaller test has been developed to cover
new paths.

Regards,

Mickaël Salaün (11):
  landlock: Define access_mask_t to enforce a consistent access mask
    size
  landlock: Reduce the maximum number of layers to 16
  landlock: Create find_rule() from unmask_layers()
  landlock: Fix same-layer rule unions
  landlock: Move filesystem helpers and add a new one
  landlock: Add support for file reparenting with
    LANDLOCK_ACCESS_FS_REFER
  selftest/landlock: Add 6 new test suites dedicated to file reparenting
  samples/landlock: Add support for file reparenting
  landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning
  landlock: Document good practices about filesystem policies
  landlock: Add design choices documentation for filesystem access
    rights

 Documentation/security/landlock.rst          |  17 +-
 Documentation/userspace-api/landlock.rst     | 145 +++-
 include/uapi/linux/landlock.h                |  27 +-
 samples/landlock/sandboxer.c                 |  37 +-
 security/landlock/fs.c                       | 721 +++++++++++++++----
 security/landlock/fs.h                       |   2 +-
 security/landlock/limits.h                   |   6 +-
 security/landlock/ruleset.c                  |   6 +-
 security/landlock/ruleset.h                  |  23 +-
 security/landlock/syscalls.c                 |   2 +-
 tools/testing/selftests/landlock/base_test.c |   2 +-
 tools/testing/selftests/landlock/fs_test.c   | 634 +++++++++++++++-
 12 files changed, 1447 insertions(+), 175 deletions(-)


base-commit: cfb92440ee71adcc2105b0890bb01ac3cddb8507
-- 
2.35.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ