Re: [PATCH v6 00/17] Network support for Landlock
From: Mickaël Salaün <mic@digikod.net>
Date: 2022-08-29 13:11:38
Also in:
netdev, netfilter-devel
On 27/08/2022 15:30, Konstantin Meskhidze (A) wrote:
7/28/2022 4:17 PM, Mickaël Salaün пишет:
[...]
quoted
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 59229be378d6..669de66094ed 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h@@ -19,8 +19,8 @@ #include "limits.h" #include "object.h" -// TODO: get back to u16 thanks to ruleset->net_access_mask -typedef u32 access_mask_t; +/* Rule access mask. */ +typedef u16 access_mask_t; /* Makes sure all filesystem access rights can be stored. */ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS); /* Makes sure all network access rights can be stored. */@@ -28,6 +28,12 @@ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_NET); /* Makes sure for_each_set_bit() and for_each_clear_bit() calls are OK. */ static_assert(sizeof(unsigned long) >= sizeof(access_mask_t)); +/* Ruleset access masks. */ +typedef u16 access_masks_t; +/* Makes sure all ruleset access rights can be stored. */ +static_assert(BITS_PER_TYPE(access_masks_t) >= + LANDLOCK_NUM_ACCESS_FS + LANDLOCK_NUM_ACCESS_NET); + typedef u16 layer_mask_t; /* Makes sure all layers can be checked. */ static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);@@ -47,16 +53,33 @@ struct landlock_layer { access_mask_t access; }; +/** + * union landlock_key - Key of a ruleset's red-black tree + */ union landlock_key { struct landlock_object *object; uintptr_t data; }; +/** + * enum landlock_key_type - Type of &union landlock_key + */ enum landlock_key_type { + /** + * @LANDLOCK_KEY_INODE: Type of &landlock_ruleset.root_inode's node + * keys. + */ LANDLOCK_KEY_INODE = 1, + /** + * @LANDLOCK_KEY_NET_PORT: Type of &landlock_ruleset.root_net_port's + * node keys. + */ LANDLOCK_KEY_NET_PORT = 2, }; +/** + * struct landlock_id - Unique rule identifier for a ruleset + */ struct landlock_id { union landlock_key key; const enum landlock_key_type type;@@ -113,15 +136,17 @@ struct landlock_hierarchy { */ struct landlock_ruleset { /** - * @root: Root of a red-black tree containing &struct landlock_rule - * nodes. Once a ruleset is tied to a process (i.e. as a domain), this - * tree is immutable until @usage reaches zero. + * @root_inode: Root of a red-black tree containing &struct + * landlock_rule nodes with inode object. Once a ruleset is tied to a + * process (i.e. as a domain), this tree is immutable until @usage + * reaches zero. */ struct rb_root root_inode; /** - * @root_net_port: Root of a red-black tree containing object nodes - * for network port. Once a ruleset is tied to a process (i.e. as a domain), - * this tree is immutable until @usage reaches zero. + * @root_net_port: Root of a red-black tree containing &struct + * landlock_rule nodes with network port. Once a ruleset is tied to a + * process (i.e. as a domain), this tree is immutable until @usage + * reaches zero. */ struct rb_root root_net_port; /**@@ -162,32 +187,25 @@ struct landlock_ruleset { */ u32 num_layers; /** - * TODO: net_access_mask: Contains the subset of network - * actions that are restricted by a ruleset. - */ - access_mask_t net_access_mask; - /** - * @access_masks: Contains the subset of filesystem - * actions that are restricted by a ruleset. A domain - * saves all layers of merged rulesets in a stack - * (FAM), starting from the first layer to the last - * one. These layers are used when merging rulesets, - * for user space backward compatibility (i.e. - * future-proof), and to properly handle merged + * @access_masks: Contains the subset of filesystem and + * network actions that are restricted by a ruleset. + * A domain saves all layers of merged rulesets in a + * stack (FAM), starting from the first layer to the + * last one. These layers are used when merging + * rulesets, for user space backward compatibility + * (i.e. future-proof), and to properly handle merged * rulesets without overlapping access rights. These * layers are set once and never changed for the * lifetime of the ruleset. */ - // TODO: rename (back) to fs_access_mask because layers - // are only useful for file hierarchies. - access_mask_t access_masks[]; + access_masks_t access_masks[]; }; }; }; struct landlock_ruleset * -landlock_create_ruleset(const access_mask_t access_mask_fs, - const access_mask_t access_mask_net); +landlock_create_ruleset(const access_mask_t fs_access_mask, + const access_mask_t net_access_mask); void landlock_put_ruleset(struct landlock_ruleset *const ruleset); void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset);@@ -210,41 +228,7 @@ static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset) refcount_inc(&ruleset->usage); } -// TODO: These helpers should not be required thanks to the new ruleset->net_access_mask. -/* A helper function to set a filesystem mask. */ -static inline void -landlock_set_fs_access_mask(struct landlock_ruleset *ruleset, - const access_mask_t access_mask_fs, u16 mask_level) -{ - ruleset->access_masks[mask_level] = access_mask_fs; -} - -/* A helper function to get a filesystem mask. */ -static inline u32 -landlock_get_fs_access_mask(const struct landlock_ruleset *ruleset, - u16 mask_level) -{ - return (ruleset->access_masks[mask_level] & LANDLOCK_MASK_ACCESS_FS); -} - -/* A helper function to set a network mask. */ -static inline void -landlock_set_net_access_mask(struct landlock_ruleset *ruleset, - const access_mask_t access_mask_net, - u16 mask_level) -{ - ruleset->access_masks[mask_level] |= - (access_mask_net << LANDLOCK_MASK_SHIFT_NET); -} - -/* A helper function to get a network mask. */ -static inline u32 -landlock_get_net_access_mask(const struct landlock_ruleset *ruleset, - u16 mask_level) -{ - return (ruleset->access_masks[mask_level] >> LANDLOCK_MASK_SHIFT_NET); -} - +// TODO: Remove if only relevant for fs.c access_mask_t get_handled_accesses(const struct landlock_ruleset *const domain, const u16 rule_type, const u16 num_access);@@ -258,4 +242,50 @@ access_mask_t init_layer_masks(const struct landlock_ruleset *const domain, layer_mask_t (*const layer_masks)[], const enum landlock_key_type key_type); +static inline void +landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset, + const access_mask_t fs_access_mask, + const u16 layer_level) +{ + access_mask_t fs_mask = fs_access_mask & LANDLOCK_MASK_ACCESS_FS; + + /* Should already be checked in sys_landlock_create_ruleset(). */ + WARN_ON_ONCE(fs_access_mask != fs_mask); + // TODO: Add tests to check "|=" and not "=" > Is it kunit test? If so, do you want to add this kind of tests in futurelandlock versions?
In this sixth patch series, landlock_set_fs_access_mask() was replacing the content of access_masks[] whereas landlock_set_net_access_mask() was ORing it. It didn't lead to a bug because landlock_set_fs_access_mask() was called before landlock_set_net_access_mask(), but it was brittle. Anyway, it was a good reminder to add a test to check that filesystem and network restrictions work well together. This can be added as a basic filesystem test using a ruleset handling network restrictions but no network rule (in fs_test.c), and as a basic network test using a ruleset handling filesystem restrictions but no filestem rule (in net_test.c). This could also be part of a kunit test in the future.
quoted
+ ruleset->access_masks[layer_level] |= + (fs_mask << LANDLOCK_SHIFT_ACCESS_FS); +} + +static inline void +landlock_add_net_access_mask(struct landlock_ruleset *const ruleset, + const access_mask_t net_access_mask, + const u16 layer_level) +{ + access_mask_t net_mask = net_access_mask & LANDLOCK_MASK_ACCESS_NET; + + /* Should already be checked in sys_landlock_create_ruleset(). */ + WARN_ON_ONCE(net_access_mask != net_mask); + // TODO: Add tests to check "|=" and not "="The same above. I'm going add invalid network attribute checking into TEST_F(socket, inval) test in coming patch.
Good