| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Apr 2023 14:42:17 +0300
From: "Konstantin Meskhidze (A)" <konstantin.meskhidze@...wei.com>
To: Mickaël Salaün <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<artem.kuzin@...wei.com>
Subject: Re: [PATCH v10 02/13] landlock: Allow filesystem layout changes for
domains without such rule type
4/16/2023 7:09 PM, Mickaël Salaün пишет:
>
> On 23/03/2023 09:52, Konstantin Meskhidze wrote:
>> From: Mickaël Salaün <mic@...ikod.net>
>>
>> Allow mount point and root directory changes when there is no filesystem
>> rule tied to the current Landlock domain. This doesn't change anything
>> for now because a domain must have at least a (filesystem) rule, but
>> this will change when other rule types will come. For instance, a
>> domain only restricting the network should have no impact on filesystem
>> restrictions.
>>
>> Add a new get_current_fs_domain() helper to quickly check filesystem
>> rule existence for all filesystem LSM hooks.
>>
>> Remove unnecessary inlining.
>>
>> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
>> ---
>>
>> Changes since v9:
>> * Refactors documentaion landlock.rst.
>> * Changes ACCESS_FS_INITIALLY_DENIED constant
>> to LANDLOCK_ACCESS_FS_INITIALLY_DENIED.
>> * Gets rid of unnecessary masking of access_dom in
>> get_raw_handled_fs_accesses() function.
>>
>> Changes since v8:
>> * Refactors get_handled_fs_accesses().
>> * Adds landlock_get_raw_fs_access_mask() helper.
>>
>> ---
>> Documentation/userspace-api/landlock.rst | 6 +-
>> security/landlock/fs.c | 78 ++++++++++++------------
>> security/landlock/ruleset.h | 25 +++++++-
>> security/landlock/syscalls.c | 6 +-
>> 4 files changed, 68 insertions(+), 47 deletions(-)
>>
>
> [...]
>
>> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
>> index 71aca7f990bc..d35cd5d304db 100644
>> --- a/security/landlock/syscalls.c
>> +++ b/security/landlock/syscalls.c
>> @@ -310,6 +310,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
>> struct path path;
>> struct landlock_ruleset *ruleset;
>> int res, err;
>> + access_mask_t mask;
>>
>> if (!landlock_initialized)
>> return -EOPNOTSUPP;
>> @@ -348,9 +349,8 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
>> * Checks that allowed_access matches the @ruleset constraints
>> * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
>> */
>> - if ((path_beneath_attr.allowed_access |
>> - landlock_get_fs_access_mask(ruleset, 0)) !=
>> - landlock_get_fs_access_mask(ruleset, 0)) {
>> + mask = landlock_get_raw_fs_access_mask(ruleset, 0);
>> + if ((path_beneath_attr.allowed_access | mask) != mask) {
>
> This hunk can be moved to the previous patch (i.e. mask = …). This patch
> should only contains the new landlock_get_raw_fs_access_mask() call.
>
Sorry. Did not get this tip. Please can you explain what do you mean here?
>
>> err = -EINVAL;
>> goto out_put_ruleset;
>> }
>> --
>> 2.25.1
>>
> .
Powered by blists - more mailing lists