Re: [PATCH v9 07/12] landlock: Refactor landlock_add_rule() syscall

[PATCH v9 00/12] Network support for Landlock · Konstantin Meskhidze <hidden> · 2023-01-16
[PATCH v9 02/12] landlock: Allow filesystem layout changes for domains without such rule type · Konstantin Meskhidze <hidden> · 2023-01-16
Re: [PATCH v9 02/12] landlock: Allow filesystem layout changes for domains without such rule type · Mickaël Salaün <mic@digikod.net> · 2023-02-10
Re: [PATCH v9 02/12] landlock: Allow filesystem layout changes for domains without such rule type · Konstantin Meskhidze (A) <hidden> · 2023-02-14
Re: [PATCH v9 02/12] landlock: Allow filesystem layout changes for domains without such rule type · Mickaël Salaün <mic@digikod.net> · 2023-02-14
Re: [PATCH v9 02/12] landlock: Allow filesystem layout changes for domains without such rule type · Konstantin Meskhidze (A) <hidden> · 2023-02-14
[PATCH v9 01/12] landlock: Make ruleset's access masks more generic · Konstantin Meskhidze <hidden> · 2023-01-16
[PATCH v9 04/12] landlock: Refactor merge/inherit_ruleset functions · Konstantin Meskhidze <hidden> · 2023-01-16
[PATCH v9 03/12] landlock: Refactor landlock_find_rule/insert_rule · Konstantin Meskhidze <hidden> · 2023-01-16
Re: [PATCH v9 03/12] landlock: Refactor landlock_find_rule/insert_rule · Mickaël Salaün <mic@digikod.net> · 2023-02-10
Re: [PATCH v9 03/12] landlock: Refactor landlock_find_rule/insert_rule · Konstantin Meskhidze (A) <hidden> · 2023-02-14
Re: [PATCH v9 03/12] landlock: Refactor landlock_find_rule/insert_rule · Mickaël Salaün <mic@digikod.net> · 2023-02-14
Re: [PATCH v9 03/12] landlock: Refactor landlock_find_rule/insert_rule · Konstantin Meskhidze (A) <hidden> · 2023-02-14
[PATCH v9 07/12] landlock: Refactor landlock_add_rule() syscall · Konstantin Meskhidze <hidden> · 2023-01-16
Re: [PATCH v9 07/12] landlock: Refactor landlock_add_rule() syscall · Mickaël Salaün <mic@digikod.net> · 2023-02-10
Re: [PATCH v9 07/12] landlock: Refactor landlock_add_rule() syscall · Konstantin Meskhidze (A) <hidden> · 2023-02-14
[PATCH v9 06/12] landlock: Refactor _unmask_layers() and _init_layer_masks() · Konstantin Meskhidze <hidden> · 2023-01-16
Re: [PATCH v9 06/12] landlock: Refactor _unmask_layers() and _init_layer_masks() · Mickaël Salaün <mic@digikod.net> · 2023-02-10
Re: [PATCH v9 06/12] landlock: Refactor _unmask_layers() and _init_layer_masks() · Konstantin Meskhidze (A) <hidden> · 2023-02-14
Re: [PATCH v9 06/12] landlock: Refactor _unmask_layers() and _init_layer_masks() · Mickaël Salaün <mic@digikod.net> · 2023-02-21
Re: [PATCH v9 06/12] landlock: Refactor _unmask_layers() and _init_layer_masks() · Konstantin Meskhidze (A) <hidden> · 2023-03-06
[PATCH v9 05/12] landlock: Move and rename umask_layers() and init_layer_masks() · Konstantin Meskhidze <hidden> · 2023-01-16
Re: [PATCH v9 05/12] landlock: Move and rename umask_layers() and init_layer_masks() · Mickaël Salaün <mic@digikod.net> · 2023-02-10
Re: [PATCH v9 05/12] landlock: Move and rename umask_layers() and init_layer_masks() · Konstantin Meskhidze (A) <hidden> · 2023-02-14
[PATCH v9 08/12] landlock: Add network rules and TCP hooks support · Konstantin Meskhidze <hidden> · 2023-01-16
Re: [PATCH v9 08/12] landlock: Add network rules and TCP hooks support · Mickaël Salaün <mic@digikod.net> · 2023-02-10
Re: [PATCH v9 08/12] landlock: Add network rules and TCP hooks support · Konstantin Meskhidze (A) <hidden> · 2023-02-14
Re: [PATCH v9 08/12] landlock: Add network rules and TCP hooks support · Konstantin Meskhidze (A) <hidden> · 2023-03-13
Re: [PATCH v9 08/12] landlock: Add network rules and TCP hooks support · Mickaël Salaün <mic@digikod.net> · 2023-03-14
Re: [PATCH v9 08/12] landlock: Add network rules and TCP hooks support · Konstantin Meskhidze (A) <hidden> · 2023-03-14
Re: [PATCH v9 08/12] landlock: Add network rules and TCP hooks support · Mickaël Salaün <mic@digikod.net> · 2023-02-21
Re: [PATCH v9 08/12] landlock: Add network rules and TCP hooks support · Konstantin Meskhidze (A) <hidden> · 2023-03-06
[PATCH v9 09/12] selftests/landlock: Share enforce_ruleset() · Konstantin Meskhidze <hidden> · 2023-01-16
[PATCH v9 11/12] samples/landlock: Add network demo · Konstantin Meskhidze <hidden> · 2023-01-16
[PATCH v9 12/12] landlock: Document Landlock's network support · Konstantin Meskhidze <hidden> · 2023-01-16
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Günther Noack <hidden> · 2023-01-21
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Konstantin Meskhidze (A) <hidden> · 2023-01-23
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Mickaël Salaün <mic@digikod.net> · 2023-01-27
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Konstantin Meskhidze (A) <hidden> · 2023-01-30
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Mickaël Salaün <mic@digikod.net> · 2023-02-21
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Konstantin Meskhidze (A) <hidden> · 2023-03-06
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Mickaël Salaün <mic@digikod.net> · 2023-03-06
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Konstantin Meskhidze (A) <hidden> · 2023-03-06
Re: [PATCH v9 12/12] landlock: Document Landlock's network support · Konstantin Meskhidze (A) <hidden> · 2023-01-30
[PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Konstantin Meskhidze <hidden> · 2023-01-16
Re: [PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Mickaël Salaün <mic@digikod.net> · 2023-02-10
Re: [PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Konstantin Meskhidze (A) <hidden> · 2023-02-14
Re: [PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Mickaël Salaün <mic@digikod.net> · 2023-02-14
Re: [PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Konstantin Meskhidze (A) <hidden> · 2023-02-14
Re: [PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Mickaël Salaün <mic@digikod.net> · 2023-02-21
Re: [PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Konstantin Meskhidze (A) <hidden> · 2023-03-06
Re: [PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Mickaël Salaün <mic@digikod.net> · 2023-03-06
Re: [PATCH v9 10/12] selftests/landlock: Add 10 new test suites dedicated to network · Konstantin Meskhidze (A) <hidden> · 2023-03-06
Re: [PATCH v9 00/12] Network support for Landlock · Günther Noack <hidden> · 2023-02-23
Re: [PATCH v9 00/12] Network support for Landlock · Konstantin Meskhidze (A) <hidden> · 2023-03-06
Re: [PATCH v9 00/12] Network support for Landlock · Konstantin Meskhidze (A) <hidden> · 2023-03-13
Re: [PATCH v9 00/12] Network support for Landlock · Mickaël Salaün <mic@digikod.net> · 2023-03-14
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Mickaël Salaün <mic@digikod.net> · 2023-06-26
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Jeff Xu <hidden> · 2023-06-28
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Mickaël Salaün <mic@digikod.net> · 2023-06-28
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Jeff Xu <hidden> · 2023-06-28
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · "Günther Noack" <gnoack@google.com> · 2023-06-28
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Jeff Xu <hidden> · 2023-06-28
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Mickaël Salaün <mic@digikod.net> · 2023-06-28
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Jeff Xu <hidden> · 2023-06-29
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Mickaël Salaün <mic@digikod.net> · 2023-06-29
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Jeff Xu <hidden> · 2023-06-30
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Mickaël Salaün <mic@digikod.net> · 2023-06-30
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Jeff Xu <hidden> · 2023-07-05
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Mickaël Salaün <mic@digikod.net> · 2023-07-12
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Konstantin Meskhidze (A) <hidden> · 2023-07-13
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Mickaël Salaün <mic@digikod.net> · 2023-07-13
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Konstantin Meskhidze (A) <hidden> · 2023-07-13
Re: [PATCH v9 00/12] Network support for Landlock - allowed list of protocols · Mickaël Salaün <mic@digikod.net> · 2023-06-28

From: Konstantin Meskhidze (A) <hidden>
Date: 2023-02-14 10:18:51
Also in: netdev, netfilter-devel


2/10/2023 8:38 PM, Mickaël Salaün пишет:

On 16/01/2023 09:58, Konstantin Meskhidze wrote:

quoted

Change the landlock_add_rule() syscall to support new rule types
in future Landlock versions. Add the add_rule_path_beneath() helper
to support current filesystem rules.

Signed-off-by: Konstantin Meskhidze <redacted>
---

Changes since v8:
* Refactors commit message.
* Minor fixes.

Changes since v7:
* None

Changes since v6:
* None

Changes since v5:
* Refactors syscall landlock_add_rule() and add_rule_path_beneath() helper
to make argument check ordering consistent and get rid of partial revertings
in following patches.
* Rolls back refactoring base_test.c seltest.
* Formats code with clang-format-14.

Changes since v4:
* Refactors add_rule_path_beneath() and landlock_add_rule() functions
to optimize code usage.
* Refactors base_test.c seltest: adds LANDLOCK_RULE_PATH_BENEATH
rule type in landlock_add_rule() call.

Changes since v3:
* Split commit.
* Refactors landlock_add_rule syscall.

---
  security/landlock/syscalls.c | 94 +++++++++++++++++++-----------------
  1 file changed, 50 insertions(+), 44 deletions(-)

diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index d35cd5d304db..73c80cd2cdbe 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c

@@ -274,6 +274,49 @@ static int get_path_from_fd(const s32 fd, struct path *const path)
  	return err;
  }
  
+static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
+				 const void __user *const rule_attr)
+{
+	struct landlock_path_beneath_attr path_beneath_attr;
+	struct path path;
+	int res, err;
+	access_mask_t mask;
+
+	/* Copies raw user space buffer, only one type for now. */
+	res = copy_from_user(&path_beneath_attr, rule_attr,
+			     sizeof(path_beneath_attr));
+	if (res)
+		return -EFAULT;
+
+	/*
+	 * Informs about useless rule: empty allowed_access (i.e. deny rules)
+	 * are ignored in path walks.
+	 */
+	if (!path_beneath_attr.allowed_access) {
+		return -ENOMSG;
+	}

Please follows the ./scripts/checkpatch.pl conventions (i.e. no curly
braces). You should add an empty line after this return though.

  Ok. I will fix it.

quoted

+	/*
+	 * Checks that allowed_access matches the @ruleset constraints
+	 * (ruleset->access_masks[0] is automatically upgraded to 64-bits).
+	 */
+	mask = landlock_get_raw_fs_access_mask(ruleset, 0);
+	if ((path_beneath_attr.allowed_access | mask) != mask) {
+		return -EINVAL;
+	}

Same here.

   Got it.

quoted

+
+	/* Gets and checks the new rule. */
+	err = get_path_from_fd(path_beneath_attr.parent_fd, &path);
+	if (err)
+		return err;
+
+	/* Imports the new rule. */
+	err = landlock_append_fs_rule(ruleset, &path,
+				      path_beneath_attr.allowed_access);
+	path_put(&path);
+

No need for this empty line.

   Ok. Thanks for noticing.

quoted

+	return err;
+}
+

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help