From: "Günther Noack" <gnoack3000@gmail.com>
To: linux-security-module@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>,
"James Morris" <jmorris@namei.org>,
"Paul Moore" <paul@paul-moore.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-fsdevel@vger.kernel.org,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Günther Noack" <gnoack3000@gmail.com>
Subject: [PATCH v8 3/9] landlock: Refactor check_access_path_dual() into is_access_to_paths_allowed()
Date: Sat, 1 Oct 2022 17:49:02 +0200 [thread overview]
Message-ID: <20221001154908.49665-4-gnoack3000@gmail.com> (raw)
In-Reply-To: <20221001154908.49665-1-gnoack3000@gmail.com>
* Rename it to is_access_to_paths_allowed()
* Make it return true iff the access is allowed
* Calculate the EXDEV/EACCES error code in the one place where it's needed
Suggested-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
security/landlock/fs.c | 89 +++++++++++++++++++++---------------------
1 file changed, 44 insertions(+), 45 deletions(-)
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index a9dbd99d9ee7..083dd3d359de 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -430,7 +430,7 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS],
}
/**
- * check_access_path_dual - Check accesses for requests with a common path
+ * is_access_to_paths_allowed - Check accesses for requests with a common path
*
* @domain: Domain to check against.
* @path: File hierarchy to walk through.
@@ -465,14 +465,10 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS],
* allow the request.
*
* Returns:
- * - 0 if the access request is granted;
- * - -EACCES if it is denied because of access right other than
- * LANDLOCK_ACCESS_FS_REFER;
- * - -EXDEV if the renaming or linking would be a privileged escalation
- * (according to each layered policies), or if LANDLOCK_ACCESS_FS_REFER is
- * not allowed by the source or the destination.
+ * - true if the access request is granted;
+ * - false otherwise
*/
-static int check_access_path_dual(
+static bool is_access_to_paths_allowed(
const struct landlock_ruleset *const domain,
const struct path *const path,
const access_mask_t access_request_parent1,
@@ -492,17 +488,17 @@ static int check_access_path_dual(
(*layer_masks_child2)[LANDLOCK_NUM_ACCESS_FS] = NULL;
if (!access_request_parent1 && !access_request_parent2)
- return 0;
+ return true;
if (WARN_ON_ONCE(!domain || !path))
- return 0;
+ return true;
if (is_nouser_or_private(path->dentry))
- return 0;
+ return true;
if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1))
- return -EACCES;
+ return false;
if (unlikely(layer_masks_parent2)) {
if (WARN_ON_ONCE(!dentry_child1))
- return -EACCES;
+ return false;
/*
* For a double request, first check for potential privilege
* escalation by looking at domain handled accesses (which are
@@ -513,7 +509,7 @@ static int check_access_path_dual(
is_dom_check = true;
} else {
if (WARN_ON_ONCE(dentry_child1 || dentry_child2))
- return -EACCES;
+ return false;
/* For a simple request, only check for requested accesses. */
access_masked_parent1 = access_request_parent1;
access_masked_parent2 = access_request_parent2;
@@ -622,24 +618,7 @@ static int check_access_path_dual(
}
path_put(&walker_path);
- if (allowed_parent1 && allowed_parent2)
- return 0;
-
- /*
- * This prioritizes EACCES over EXDEV for all actions, including
- * renames with RENAME_EXCHANGE.
- */
- if (likely(is_eacces(layer_masks_parent1, access_request_parent1) ||
- is_eacces(layer_masks_parent2, access_request_parent2)))
- return -EACCES;
-
- /*
- * Gracefully forbids reparenting if the destination directory
- * hierarchy is not a superset of restrictions of the source directory
- * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the
- * source or the destination.
- */
- return -EXDEV;
+ return allowed_parent1 && allowed_parent2;
}
static inline int check_access_path(const struct landlock_ruleset *const domain,
@@ -649,8 +628,10 @@ static inline int check_access_path(const struct landlock_ruleset *const domain,
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
access_request = init_layer_masks(domain, access_request, &layer_masks);
- return check_access_path_dual(domain, path, access_request,
- &layer_masks, NULL, 0, NULL, NULL);
+ if (is_access_to_paths_allowed(domain, path, access_request,
+ &layer_masks, NULL, 0, NULL, NULL))
+ return 0;
+ return -EACCES;
}
static inline int current_check_access_path(const struct path *const path,
@@ -711,8 +692,9 @@ static inline access_mask_t maybe_remove(const struct dentry *const dentry)
* file. While walking from @dir to @mnt_root, we record all the domain's
* allowed accesses in @layer_masks_dom.
*
- * This is similar to check_access_path_dual() but much simpler because it only
- * handles walking on the same mount point and only check one set of accesses.
+ * This is similar to is_access_to_paths_allowed() but much simpler because it
+ * only handles walking on the same mount point and only checks one set of
+ * accesses.
*
* Returns:
* - true if all the domain access rights are allowed for @dir;
@@ -857,10 +839,11 @@ static int current_check_refer_path(struct dentry *const old_dentry,
access_request_parent1 = init_layer_masks(
dom, access_request_parent1 | access_request_parent2,
&layer_masks_parent1);
- return check_access_path_dual(dom, new_dir,
- access_request_parent1,
- &layer_masks_parent1, NULL, 0,
- NULL, NULL);
+ if (is_access_to_paths_allowed(
+ dom, new_dir, access_request_parent1,
+ &layer_masks_parent1, NULL, 0, NULL, NULL))
+ return 0;
+ return -EACCES;
}
access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER;
@@ -886,11 +869,27 @@ static int current_check_refer_path(struct dentry *const old_dentry,
* parent access rights. This will be useful to compare with the
* destination parent access rights.
*/
- return check_access_path_dual(dom, &mnt_dir, access_request_parent1,
- &layer_masks_parent1, old_dentry,
- access_request_parent2,
- &layer_masks_parent2,
- exchange ? new_dentry : NULL);
+ if (is_access_to_paths_allowed(
+ dom, &mnt_dir, access_request_parent1, &layer_masks_parent1,
+ old_dentry, access_request_parent2, &layer_masks_parent2,
+ exchange ? new_dentry : NULL))
+ return 0;
+
+ /*
+ * This prioritizes EACCES over EXDEV for all actions, including
+ * renames with RENAME_EXCHANGE.
+ */
+ if (likely(is_eacces(&layer_masks_parent1, access_request_parent1) ||
+ is_eacces(&layer_masks_parent2, access_request_parent2)))
+ return -EACCES;
+
+ /*
+ * Gracefully forbids reparenting if the destination directory
+ * hierarchy is not a superset of restrictions of the source directory
+ * hierarchy, or if LANDLOCK_ACCESS_FS_REFER is not allowed by the
+ * source or the destination.
+ */
+ return -EXDEV;
}
/* Inode hooks */
--
2.37.3
next prev parent reply other threads:[~2022-10-01 15:49 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-01 15:48 [PATCH v8 0/9] landlock: truncate support Günther Noack
2022-10-01 15:49 ` [PATCH v8 1/9] security: Create file_truncate hook from path_truncate hook Günther Noack
2022-10-05 18:53 ` Mickaël Salaün
2022-10-08 7:45 ` Günther Noack
2022-10-06 1:10 ` Paul Moore
2022-10-01 15:49 ` [PATCH v8 2/9] selftests/landlock: Locally define __maybe_unused Günther Noack
2022-10-05 18:53 ` Mickaël Salaün
2022-10-08 7:47 ` Günther Noack
2022-10-01 15:49 ` Günther Noack [this message]
2022-10-05 18:54 ` [PATCH v8 3/9] landlock: Refactor check_access_path_dual() into is_access_to_paths_allowed() Mickaël Salaün
2022-10-08 7:54 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 4/9] landlock: Support file truncation Günther Noack
2022-10-04 19:56 ` Nathan Chancellor
2022-10-05 18:52 ` Mickaël Salaün
2022-10-06 20:19 ` Günther Noack
2022-10-05 18:55 ` Mickaël Salaün
2022-10-08 8:08 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 5/9] selftests/landlock: Selftests for file truncation support Günther Noack
2022-10-01 15:49 ` [PATCH v8 6/9] selftests/landlock: Test open() and ftruncate() in multiple scenarios Günther Noack
2022-10-05 18:56 ` Mickaël Salaün
2022-10-01 15:49 ` [PATCH v8 7/9] selftests/landlock: Test FD passing from a Landlock-restricted to an unrestricted process Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:25 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 8/9] samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:47 ` Günther Noack
2022-10-01 15:49 ` [PATCH v8 9/9] landlock: Document Landlock's file truncation support Günther Noack
2022-10-05 18:57 ` Mickaël Salaün
2022-10-08 8:49 ` Günther Noack
2022-10-05 19:18 ` [PATCH v8 0/9] landlock: truncate support Mickaël Salaün
2022-10-08 10:20 ` Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221001154908.49665-4-gnoack3000@gmail.com \
--to=gnoack3000@gmail.com \
--cc=jmorris@namei.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.