| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Oct 2023 18:34:38 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
Cc: willemdebruijn.kernel@...il.com, gnoack3000@...il.com,
linux-security-module@...r.kernel.org, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
yusongping@...wei.com, artem.kuzin@...wei.com
Subject: Re: [PATCH v13 07/12] landlock: Refactor landlock_add_rule() syscall
On Mon, Oct 16, 2023 at 09:50:25AM +0800, Konstantin Meskhidze wrote:
> Change the landlock_add_rule() syscall to support new rule types
> in future Landlock versions. Add the add_rule_path_beneath() helper
> to support current filesystem rules.
>
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@...wei.com>
> Link: https://lore.kernel.org/r/20230920092641.832134-8-konstantin.meskhidze@huawei.com
> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> ---
>
> Changes since v12:
> * None.
>
> Changes since v11:
> * None.
>
> Changes since v10:
> * None.
>
> Changes since v9:
> * Minor fixes:
> - deletes unnecessary curly braces.
> - deletes unnecessary empty line.
>
> Changes since v8:
> * Refactors commit message.
> * Minor fixes.
>
> Changes since v7:
> * None
>
> Changes since v6:
> * None
>
> Changes since v5:
> * Refactors syscall landlock_add_rule() and add_rule_path_beneath() helper
> to make argument check ordering consistent and get rid of partial revertings
> in following patches.
> * Rolls back refactoring base_test.c seltest.
> * Formats code with clang-format-14.
>
> Changes since v4:
> * Refactors add_rule_path_beneath() and landlock_add_rule() functions
> to optimize code usage.
> * Refactors base_test.c seltest: adds LANDLOCK_RULE_PATH_BENEATH
> rule type in landlock_add_rule() call.
>
> Changes since v3:
> * Split commit.
> * Refactors landlock_add_rule syscall.
>
> ---
> security/landlock/syscalls.c | 92 +++++++++++++++++++-----------------
> 1 file changed, 48 insertions(+), 44 deletions(-)
>
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index d35cd5d304db..8a54e87dbb17 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -274,6 +274,47 @@ static int get_path_from_fd(const s32 fd, struct path *const path)
> return err;
> }
>
> +static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
> + const void __user *const rule_attr)
> +{
> + struct landlock_path_beneath_attr path_beneath_attr;
> + struct path path;
> + int res, err;
> + access_mask_t mask;
> +
> + /* Copies raw user space buffer, only one type for now. */
> + res = copy_from_user(&path_beneath_attr, rule_attr,
> + sizeof(path_beneath_attr));
> + if (res)
> + return -EFAULT;
> +
> + /*
> + * Informs about useless rule: empty allowed_access (i.e. deny rules)
> + * are ignored in path walks.
> + */
> + if (!path_beneath_attr.allowed_access)
> + return -ENOMSG;
> +
> + /*
> + * Checks that allowed_access matches the @ruleset constraints
> + * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
> + */
You now can replace this comment block with that:
+ /* Checks that allowed_access matches the @ruleset constraints. */
> + mask = landlock_get_raw_fs_access_mask(ruleset, 0);
> + if ((path_beneath_attr.allowed_access | mask) != mask)
> + return -EINVAL;
> +
> + /* Gets and checks the new rule. */
> + err = get_path_from_fd(path_beneath_attr.parent_fd, &path);
> + if (err)
> + return err;
> +
> + /* Imports the new rule. */
> + err = landlock_append_fs_rule(ruleset, &path,
> + path_beneath_attr.allowed_access);
> + path_put(&path);
> + return err;
> +}
Powered by blists - more mailing lists