| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241007.SheiFoom7Sei@digikod.net>
Date: Mon, 7 Oct 2024 15:00:32 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Günther Noack <gnoack3000@...il.com>
Cc: Günther Noack <gnoack@...gle.com>,
Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>, Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
Paul Moore <paul@...l-moore.com>, Tahera Fahimi <fahimitahera@...il.com>,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v1 1/3] landlock: Refactor filesystem access mask
management
On Sat, Oct 05, 2024 at 06:57:55PM +0200, Günther Noack wrote:
> On Tue, Oct 01, 2024 at 04:12:32PM +0200, Mickaël Salaün wrote:
> > Replace get_raw_handled_fs_accesses() with a generic
> > landlock_merge_access_masks(), and replace the get_fs_domain()
> > implementation with a call to the new landlock_filter_access_masks()
> > helper. These helpers will also be useful for other types of access.
> >
> > Replace struct access_masks with union access_masks that includes a new
> > "all" field to simplify mask filtering.
> >
> > Cc: Günther Noack <gnoack@...gle.com>
> > Cc: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>
> > Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> > Link: https://lore.kernel.org/r/20241001141234.397649-2-mic@digikod.net
> > ---
> > security/landlock/fs.c | 21 ++++-----------
> > security/landlock/ruleset.h | 51 +++++++++++++++++++++++++++---------
> > security/landlock/syscalls.c | 2 +-
> > 3 files changed, 44 insertions(+), 30 deletions(-)
> >
> > diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> > index 7d79fc8abe21..a2ef7d151c81 100644
> > --- a/security/landlock/fs.c
> > +++ b/security/landlock/fs.c
> > @@ -388,33 +388,22 @@ static bool is_nouser_or_private(const struct dentry *dentry)
> > unlikely(IS_PRIVATE(d_backing_inode(dentry))));
> > }
> >
> > -static access_mask_t
> > -get_raw_handled_fs_accesses(const struct landlock_ruleset *const domain)
> > -{
> > - access_mask_t access_dom = 0;
> > - size_t layer_level;
> > -
> > - for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
> > - access_dom |=
> > - landlock_get_raw_fs_access_mask(domain, layer_level);
> > - return access_dom;
> > -}
> > -
> > static access_mask_t
> > get_handled_fs_accesses(const struct landlock_ruleset *const domain)
> > {
> > /* Handles all initially denied by default access rights. */
> > - return get_raw_handled_fs_accesses(domain) |
> > + return landlock_merge_access_masks(domain).fs |
> > LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
> > }
> >
> > static const struct landlock_ruleset *
> > get_fs_domain(const struct landlock_ruleset *const domain)
> > {
> > - if (!domain || !get_raw_handled_fs_accesses(domain))
> > - return NULL;
> > + const union access_masks all_fs = {
> > + .fs = ~0,
> > + };
> >
> > - return domain;
> > + return landlock_filter_access_masks(domain, all_fs);
> > }
> >
> > static const struct landlock_ruleset *get_current_fs_domain(void)
> > diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
> > index 61bdbc550172..a816042ca8f3 100644
> > --- a/security/landlock/ruleset.h
> > +++ b/security/landlock/ruleset.h
> > @@ -41,12 +41,19 @@ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
> > static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
> >
> > /* Ruleset access masks. */
> > -struct access_masks {
> > - access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
> > - access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
> > - access_mask_t scope : LANDLOCK_NUM_SCOPE;
> > +union access_masks {
> > + struct {
> > + access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
> > + access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
> > + access_mask_t scope : LANDLOCK_NUM_SCOPE;
> > + };
> > + u32 all;
> > };
>
> More of a style remark:
>
> I wonder whether it is worth turning this into a union.
>
> If this is for performance, I do not think is buys you much. With
> optimization enabled, it does not make much of a difference whether
> you are doing the & on .all or whether you are doing it on the
> individual fields. (I tried it out with gcc. The only difference is
> that the & on the individual fields will at the end mask only the bits
> that belong to these fields.)
This is not about performance but about maintainability and simplicity
(to avoid future changes/errors). Indeed, with this "all" field we
don't need to update (or forget to update) the
landlock_merge_access_masks() helper. This function can be simple and
generic to be used in the fs.c, net.c, and scope.c files.
>
> At the same time, in most places where struct access_masks is used,
> the union is not necessary and might add to the confusion.
I think it should not be an issue, and it leverages the advantages of
the previous access_masks_t with the ones of struct access_masks.
>
>
> >
> > +/* Makes sure all fields are covered. */
> > +static_assert(sizeof(((union access_masks *)NULL)->all) ==
> > + sizeof(union access_masks));
> > +
> > typedef u16 layer_mask_t;
> > /* Makes sure all layers can be checked. */
> > static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
> > @@ -229,7 +236,7 @@ struct landlock_ruleset {
> > * layers are set once and never changed for the
> > * lifetime of the ruleset.
> > */
> > - struct access_masks access_masks[];
> > + union access_masks access_masks[];
> > };
> > };
> > };
> > @@ -260,6 +267,31 @@ static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
> > refcount_inc(&ruleset->usage);
> > }
> >
> > +static inline union access_masks
> > +landlock_merge_access_masks(const struct landlock_ruleset *const domain)
> > +{
> > + size_t layer_level;
> > + union access_masks matches = {};
> > +
> > + for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
> > + matches.all |= domain->access_masks[layer_level].all;
> > +
> > + return matches;
> > +}
> > +
> > +static inline const struct landlock_ruleset *
> > +landlock_filter_access_masks(const struct landlock_ruleset *const domain,
> > + const union access_masks masks)
>
> With this function name, the return type of this function is
> unintuitive to me. Judging by the name, I would have expected a
> function that returns a "access_masks" value as well, similar to the
> function one above (the remaining access rights after filtering)?
Fair
>
> In the places where the result of this function is returned directly,
> I find myself jumping back to the function implementation to
> understand what this means.
>
> As a constructive suggestion, how about calling this function
> differently, e.g.
>
> bool landlock_any_access_rights_handled(
> const struct landlock_ruleset *const domain,
> struct access_masks masks);
>
> Then the callers who previously did
>
> return landlock_filter_access_masks(dom, masks);
>
> would now do
>
> if (landlock_any_access_rights_handled(dom, masks))
> return dom;
> return NULL;
I'm not sure if you're suggesting to return an union access_masks or a
landlock_ruleset pointer. Returning a ruleset/domain simplifies the
work of callers so I'd prefer to keep that.
The "_any_access_rights_handled" doesn't have a verb, and it's not clear
to me if it would return the handled access rights or something else.
What about renaming it landlock_mask_ruleset(dom, access_masks) instead?
For now, the variables named "domain" points to struct landlock_ruleset,
but they will eventually point to a future struct landlock_domain. So,
I prefer to keep the name "ruleset" in helpers dealing with struct
landlock_ruleset. We'll need to change these helpers when we'll switch
to landlock_domain anyway.
>
> This is more verbose, but IMHO verbose code is not inherently bad,
> if it is also clearer. And it's only two lines more.
>
> > +{
> > + if (!domain)
> > + return NULL;
> > +
> > + if (landlock_merge_access_masks(domain).all & masks.all)
> > + return domain;
> > +
> > + return NULL;
> > +}
>
> Function documentation for both functions would be good :)
Indeed :)
>
> > +
> > static inline void
> > landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
> > const access_mask_t fs_access_mask,
> > @@ -295,19 +327,12 @@ landlock_add_scope_mask(struct landlock_ruleset *const ruleset,
> > ruleset->access_masks[layer_level].scope |= mask;
> > }
> >
> > -static inline access_mask_t
> > -landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset,
> > - const u16 layer_level)
> > -{
> > - return ruleset->access_masks[layer_level].fs;
> > -}
> > -
> > static inline access_mask_t
> > landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
> > const u16 layer_level)
> > {
> > /* Handles all initially denied by default access rights. */
> > - return landlock_get_raw_fs_access_mask(ruleset, layer_level) |
> > + return ruleset->access_masks[layer_level].fs |
> > LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
> > }
> >
> > diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> > index f5a0e7182ec0..c097d356fa45 100644
> > --- a/security/landlock/syscalls.c
> > +++ b/security/landlock/syscalls.c
> > @@ -329,7 +329,7 @@ static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
> > return -ENOMSG;
> >
> > /* Checks that allowed_access matches the @ruleset constraints. */
> > - mask = landlock_get_raw_fs_access_mask(ruleset, 0);
> > + mask = ruleset->access_masks[0].fs;
> > if ((path_beneath_attr.allowed_access | mask) != mask)
> > return -EINVAL;
> >
> > --
> > 2.46.1
> >
>
> Reviewed-by: Günther Noack <gnoack3000@...il.com>
>
> –Günther
>
Powered by blists - more mailing lists