[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7e14e18e-a9dd-b9e6-6d97-124d587599f3@huawei.com>
Date: Fri, 21 Apr 2023 10:54:20 +0300
From: "Konstantin Meskhidze (A)" <konstantin.meskhidze@...wei.com>
To: Mickaël Salaün <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<artem.kuzin@...wei.com>
Subject: Re: [PATCH v10 02/13] landlock: Allow filesystem layout changes for
domains without such rule type
4/20/2023 8:32 PM, Mickaël Salaün пишет:
>
> On 20/04/2023 13:42, Konstantin Meskhidze (A) wrote:
>>
>>
>> 4/16/2023 7:09 PM, Mickaël Salaün пишет:
>>>
>>> On 23/03/2023 09:52, Konstantin Meskhidze wrote:
>>>> From: Mickaël Salaün <mic@...ikod.net>
>>>>
>>>> Allow mount point and root directory changes when there is no filesystem
>>>> rule tied to the current Landlock domain. This doesn't change anything
>>>> for now because a domain must have at least a (filesystem) rule, but
>>>> this will change when other rule types will come. For instance, a
>>>> domain only restricting the network should have no impact on filesystem
>>>> restrictions.
>>>>
>>>> Add a new get_current_fs_domain() helper to quickly check filesystem
>>>> rule existence for all filesystem LSM hooks.
>>>>
>>>> Remove unnecessary inlining.
>>>>
>>>> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
>>>> ---
>>>>
>>>> Changes since v9:
>>>> * Refactors documentaion landlock.rst.
>>>> * Changes ACCESS_FS_INITIALLY_DENIED constant
>>>> to LANDLOCK_ACCESS_FS_INITIALLY_DENIED.
>>>> * Gets rid of unnecessary masking of access_dom in
>>>> get_raw_handled_fs_accesses() function.
>>>>
>>>> Changes since v8:
>>>> * Refactors get_handled_fs_accesses().
>>>> * Adds landlock_get_raw_fs_access_mask() helper.
>>>>
>>>> ---
>>>> Documentation/userspace-api/landlock.rst | 6 +-
>>>> security/landlock/fs.c | 78 ++++++++++++------------
>>>> security/landlock/ruleset.h | 25 +++++++-
>>>> security/landlock/syscalls.c | 6 +-
>>>> 4 files changed, 68 insertions(+), 47 deletions(-)
>>>>
>>>
>>> [...]
>>>
>>>> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
>>>> index 71aca7f990bc..d35cd5d304db 100644
>>>> --- a/security/landlock/syscalls.c
>>>> +++ b/security/landlock/syscalls.c
>>>> @@ -310,6 +310,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
>>>> struct path path;
>>>> struct landlock_ruleset *ruleset;
>>>> int res, err;
>>>> + access_mask_t mask;
>>>>
>>>> if (!landlock_initialized)
>>>> return -EOPNOTSUPP;
>>>> @@ -348,9 +349,8 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
>>>> * Checks that allowed_access matches the @ruleset constraints
>>>> * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
>>>> */
>>>> - if ((path_beneath_attr.allowed_access |
>>>> - landlock_get_fs_access_mask(ruleset, 0)) !=
>>>> - landlock_get_fs_access_mask(ruleset, 0)) {
>>>> + mask = landlock_get_raw_fs_access_mask(ruleset, 0);
>>>> + if ((path_beneath_attr.allowed_access | mask) != mask) {
>>>
>>> This hunk can be moved to the previous patch (i.e. mask = …). This patch
>>> should only contains the new landlock_get_raw_fs_access_mask() call.
>>>
>>
>> Sorry. Did not get this tip. Please can you explain what do you mean here?
>
> You can squash this part in the previous patch:
>
> - if ((path_beneath_attr.allowed_access |
> - landlock_get_fs_access_mask(ruleset, 0)) !=
> - landlock_get_fs_access_mask(ruleset, 0)) {
> + mask = landlock_get_fs_access_mask(ruleset, 0);
> + if ((path_beneath_attr.allowed_access | mask) != mask) {
Ok. Thanks.
>
> And this patch will then only include this part:
>
> - mask = landlock_get_fs_access_mask(ruleset, 0);
> + mask = landlock_get_raw_fs_access_mask(ruleset, 0);
>
Got it.
>
>>>
>>>> err = -EINVAL;
>>>> goto out_put_ruleset;
>>>> }
>>>> --
>>>> 2.25.1
>>>>
>>> .
> .
Powered by blists - more mailing lists