Re: [PATCH v9 1/8] landlock: Add IOCTL access right

[PATCH v9 0/8] Landlock: IOCTL support · "Günther Noack" <gnoack@google.com> · 2024-02-09
[PATCH v9 1/8] landlock: Add IOCTL access right · "Günther Noack" <gnoack@google.com> · 2024-02-09
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · "Günther Noack" <gnoack@google.com> · 2024-02-10
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · "Arnd Bergmann" <arnd@arndb.de> · 2024-02-10
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Christian Brauner <brauner@kernel.org> · 2024-02-12
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · "Günther Noack" <gnoack@google.com> · 2024-02-12
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · "Günther Noack" <gnoack@google.com> · 2024-02-10
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Mickaël Salaün <mic@digikod.net> · 2024-02-16
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Mickaël Salaün <mic@digikod.net> · 2024-02-16
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Günther Noack <hidden> · 2024-02-18
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Günther Noack <hidden> · 2024-02-19
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Mickaël Salaün <mic@digikod.net> · 2024-02-16
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Mickaël Salaün <mic@digikod.net> · 2024-02-19
[RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Mickaël Salaün <mic@digikod.net> · 2024-02-19
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Mickaël Salaün <mic@digikod.net> · 2024-03-01
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Arnd Bergmann" <arnd@arndb.de> · 2024-03-01
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Mickaël Salaün <mic@digikod.net> · 2024-03-01
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Günther Noack" <gnoack@google.com> · 2024-03-05
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Mickaël Salaün <mic@digikod.net> · 2024-03-06
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Arnd Bergmann" <arnd@arndb.de> · 2024-03-06
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Christian Brauner <brauner@kernel.org> · 2024-03-07
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Arnd Bergmann" <arnd@arndb.de> · 2024-03-07
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Günther Noack" <gnoack@google.com> · 2024-03-07
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Paul Moore <paul@paul-moore.com> · 2024-03-07
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Dave Chinner <david@fromorbit.com> · 2024-03-07
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Paul Moore <paul@paul-moore.com> · 2024-03-07
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Arnd Bergmann" <arnd@arndb.de> · 2024-03-08
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Mickaël Salaün <mic@digikod.net> · 2024-03-08
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Paul Moore <paul@paul-moore.com> · 2024-03-08
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Mickaël Salaün <mic@digikod.net> · 2024-03-08
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Casey Schaufler <casey@schaufler-ca.com> · 2024-03-08
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Paul Moore <paul@paul-moore.com> · 2024-03-08
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Günther Noack" <gnoack@google.com> · 2024-03-09
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Casey Schaufler <casey@schaufler-ca.com> · 2024-03-09
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Paul Moore <paul@paul-moore.com> · 2024-03-11
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Günther Noack" <gnoack@google.com> · 2024-03-08
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Dave Chinner <david@fromorbit.com> · 2024-03-11
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · "Günther Noack" <gnoack@google.com> · 2024-03-11
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Dave Chinner <david@fromorbit.com> · 2024-03-11
Re: [RFC PATCH] fs: Add vfs_masks_device_ioctl*() helpers · Mickaël Salaün <mic@digikod.net> · 2024-03-12
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · "Günther Noack" <gnoack@google.com> · 2024-02-28
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Mickaël Salaün <mic@digikod.net> · 2024-03-01
Re: [PATCH v9 1/8] landlock: Add IOCTL access right · Mickaël Salaün <mic@digikod.net> · 2024-03-01
[PATCH v9 2/8] selftests/landlock: Test IOCTL support · "Günther Noack" <gnoack@google.com> · 2024-02-09
[PATCH v9 3/8] selftests/landlock: Test IOCTL with memfds · "Günther Noack" <gnoack@google.com> · 2024-02-09
[PATCH v9 4/8] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) · "Günther Noack" <gnoack@google.com> · 2024-02-09
[PATCH v9 5/8] selftests/landlock: Test IOCTLs on named pipes · "Günther Noack" <gnoack@google.com> · 2024-02-09
[PATCH v9 6/8] selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets · "Günther Noack" <gnoack@google.com> · 2024-02-09
[PATCH v9 7/8] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL · "Günther Noack" <gnoack@google.com> · 2024-02-09
[PATCH v9 8/8] landlock: Document IOCTL support · "Günther Noack" <gnoack@google.com> · 2024-02-09

From: "Günther Noack" <gnoack@google.com>
Date: 2024-02-10 11:06:23
Also in: linux-fsdevel

Hello Arnd!

On Fri, Feb 09, 2024 at 06:06:05PM +0100, Günther Noack wrote:

quoted hunk ↗ jump to hunk

Introduces the LANDLOCK_ACCESS_FS_IOCTL access right
and increments the Landlock ABI version to 5.

[...]

diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 73997e63734f..84efea3f7c0f 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
+/**
+ * get_required_ioctl_access(): Determine required IOCTL access rights.
+ *
+ * @cmd: The IOCTL command that is supposed to be run.
+ *
+ * Any new IOCTL commands that are implemented in fs/ioctl.c's do_vfs_ioctl()
+ * should be considered for inclusion here.
+ *
+ * Returns: The access rights that must be granted on an opened file in order to
+ * use the given @cmd.
+ */
+static __attribute_const__ access_mask_t
+get_required_ioctl_access(const unsigned int cmd)
+{
+	switch (cmd) {

  [...]

+	case FIONREAD:

Hello Arnd!  Christian Brauner suggested at FOSDEM that you would be a
good person to reach out to regarding this question -- we would
appreciate if you could have a short look! :)

Context: This patch set lets processes restrict the use of IOCTLs with
the Landlock LSM.  To make the use of this feature more practical, we
are relaxing the rules for some common and harmless IOCTL commands,
which are directly implemented in fs/ioctl.c.

The IOCTL command in question is FIONREAD: fs/ioctl.c implements
FIONREAD directly for S_ISREG files, but it does call the FIONREAD
implementation in the VFS layer for other file types.

The question we are asking ourselves is:

* Can we let processes safely use FIONREAD for all files which get
  opened for the purpose of reading, or do we run the risk of
  accidentally exposing surprising IOCTL implementations which have
  completely different purposes?

  Is it safe to assume that the VFS layer FIONREAD implementations are
  actually implementing FIONREAD semantics?

* I know there have been accidental collisions of IOCTL command
  numbers in the past -- Hypothetically, if this were to happen in one
  of the VFS implementations of FIONREAD, would that be considered a
  bug that would need to get fixed in that implementation?

+	case FIOQSIZE:
+	case FIGETBSZ:
+		/*
+		 * FIONREAD returns the number of bytes available for reading.
+		 * FIONREAD returns the number of immediately readable bytes for
+		 * a file.

(Oops, repetitive doc, probably mis-merged.  Fixing it in next version.)


Thanks!
—Günther

-- 
Sent using Mutt 🐕 Woof Woof

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help