lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6d057ab4-8dfe-0977-d13a-323f05af38b8@huawei.com>
Date:   Tue, 14 Feb 2023 15:57:57 +0300
From:   "Konstantin Meskhidze (A)" <konstantin.meskhidze@...wei.com>
To:     Mickaël Salaün <mic@...ikod.net>
CC:     <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>,
        <linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
        <netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
        <artem.kuzin@...wei.com>
Subject: Re: [PATCH v9 02/12] landlock: Allow filesystem layout changes for
 domains without such rule type



2/14/2023 3:07 PM, Mickaël Salaün пишет:
> 
> On 14/02/2023 09:51, Konstantin Meskhidze (A) wrote:
>> 
>> 
>> 2/10/2023 8:34 PM, Mickaël Salaün пишет:
>>> Hi Konstantin,
>>>
>>> I think this patch series is almost ready. Here is a first batch of
>>> review, I'll send more next week.
>>>
>>     Hi Mickaёl.
>>     thnaks for the review.
>> 
>>>
>>> I forgot to update the documentation. Can you please squash the
>>> following patch into this one?
>> 
>>     No problem. I will squash.
>>     Can I download this doc patch from your repo or I can use the diff below?
> 
> You can take the diff below.

   Ok. Will be done.
> 
>>>
>>>
>>> diff --git a/Documentation/userspace-api/landlock.rst
>>> b/Documentation/userspace-api/landlock.rst
>>> index 980558b879d6..fc2be89b423f 100644
>>> --- a/Documentation/userspace-api/landlock.rst
>>> +++ b/Documentation/userspace-api/landlock.rst
>>> @@ -416,9 +416,9 @@ Current limitations
>>>     Filesystem topology modification
>>>     --------------------------------
>>>
>>> -As for file renaming and linking, a sandboxed thread cannot modify its
>>> -filesystem topology, whether via :manpage:`mount(2)` or
>>> -:manpage:`pivot_root(2)`.  However, :manpage:`chroot(2)` calls are not
>>> denied.
>>> +Threads sandboxed with filesystem restrictions cannot modify filesystem
>>> +topology, whether via :manpage:`mount(2)` or :manpage:`pivot_root(2)`.
>>> +However, :manpage:`chroot(2)` calls are not denied.
>>>
>>>     Special filesystems
>>>     -------------------
>>>
>>>
>>> On 16/01/2023 09:58, Konstantin Meskhidze wrote:
>>>> From: Mickaël Salaün <mic@...ikod.net>
>>>>
>>>> Allow mount point and root directory changes when there is no filesystem
>>>> rule tied to the current Landlock domain.  This doesn't change anything
>>>> for now because a domain must have at least a (filesystem) rule, but
>>>> this will change when other rule types will come.  For instance, a
>>>> domain only restricting the network should have no impact on filesystem
>>>> restrictions.
>>>>
>>>> Add a new get_current_fs_domain() helper to quickly check filesystem
>>>> rule existence for all filesystem LSM hooks.
>>>>
>>>> Remove unnecessary inlining.
>>>>
>>>> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
>>>> ---
>>>>
>>>> Changes since v8:
>>>> * Refactors get_handled_fs_accesses().
>>>> * Adds landlock_get_raw_fs_access_mask() helper.
>>>>
>>> .
> .

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ