From: "Mickaël Salaün" <mic@digikod.net>
To: Christian Brauner <brauner@kernel.org>
Cc: "Dan Carpenter" <dan.carpenter@linaro.org>,
"Günther Noack" <gnoack@google.com>,
"Paul Moore" <paul@paul-moore.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Jann Horn" <jannh@google.com>, "Jeff Xu" <jeffxu@google.com>,
"Kees Cook" <kees@kernel.org>,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2 5/8] landlock: Always allow signals between threads of the same process
Date: Thu, 20 Mar 2025 22:06:07 +0100 [thread overview]
Message-ID: <20250320.zahqueisoeT6@digikod.net> (raw)
In-Reply-To: <20250318161443.279194-6-mic@digikod.net>
On Tue, Mar 18, 2025 at 05:14:40PM +0100, Mickaël Salaün wrote:
> Because Linux credentials are managed per thread, user space relies on
> some hack to synchronize credential update across threads from the same
> process. This is required by the Native POSIX Threads Library and
> implemented by set*id(2) wrappers and libcap(3) to use tgkill(2) to
> synchronize threads. See nptl(7) and libpsx(3). Furthermore, some
> runtimes like Go do not enable developers to have control over threads
> [1].
>
> To avoid potential issues, and because threads are not security
> boundaries, let's relax the Landlock (optional) signal scoping to always
> allow signals sent between threads of the same process. This exception
> is similar to the __ptrace_may_access() one.
>
> hook_file_set_fowner() now checks if the target task is part of the same
> process as the caller. If this is the case, then the related signal
> triggered by the socket will always be allowed.
>
> Scoping of abstract UNIX sockets is not changed because kernel objects
> (e.g. sockets) should be tied to their creator's domain at creation
> time.
>
> Note that creating one Landlock domain per thread puts each of these
> threads (and their future children) in their own scope, which is
> probably not what users expect, especially in Go where we do not control
> threads. However, being able to drop permissions on all threads should
> not be restricted by signal scoping. We are working on a way to make it
> possible to atomically restrict all threads of a process with the same
> domain [2].
>
> Add erratum for signal scoping.
>
> Closes: https://github.com/landlock-lsm/go-landlock/issues/36
> Fixes: 54a6e6bbf3be ("landlock: Add signal scoping")
> Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
> Depends-on: 26f204380a3c ("fs: Fix file_set_fowner LSM hook inconsistencies")
> Link: https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/psx [1]
> Link: https://github.com/landlock-lsm/linux/issues/2 [2]
> Cc: Günther Noack <gnoack@google.com>
> Cc: Paul Moore <paul@paul-moore.com>
> Cc: Serge Hallyn <serge@hallyn.com>
> Cc: Tahera Fahimi <fahimitahera@gmail.com>
> Cc: stable@vger.kernel.org
> Acked-by: Christian Brauner <brauner@kernel.org>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> Link: https://lore.kernel.org/r/20250318161443.279194-6-mic@digikod.net
> index 71b9dc331aae..47c862fe14e4 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -27,7 +27,9 @@
> #include <linux/mount.h>
> #include <linux/namei.h>
> #include <linux/path.h>
> +#include <linux/pid.h>
> #include <linux/rcupdate.h>
> +#include <linux/sched/signal.h>
> #include <linux/spinlock.h>
> #include <linux/stat.h>
> #include <linux/types.h>
> @@ -1630,15 +1632,27 @@ static int hook_file_ioctl_compat(struct file *file, unsigned int cmd,
>
> static void hook_file_set_fowner(struct file *file)
> {
> - struct landlock_ruleset *new_dom, *prev_dom;
> + struct fown_struct *fown = file_f_owner(file);
> + struct landlock_ruleset *new_dom = NULL;
> + struct landlock_ruleset *prev_dom;
> + struct task_struct *p;
>
> /*
> * Lock already held by __f_setown(), see commit 26f204380a3c ("fs: Fix
> * file_set_fowner LSM hook inconsistencies").
> */
> - lockdep_assert_held(&file_f_owner(file)->lock);
> - new_dom = landlock_get_current_domain();
> - landlock_get_ruleset(new_dom);
> + lockdep_assert_held(&fown->lock);
> +
> + /*
> + * Always allow sending signals between threads of the same process. This
> + * ensures consistency with hook_task_kill().
> + */
> + p = pid_task(fown->pid, fown->pid_type);
> + if (!same_thread_group(p, current)) {
There is a missing pointer check. I'll apply this:
- if (!same_thread_group(p, current)) {
+ if (!p || !same_thread_group(p, current)) {
> + new_dom = landlock_get_current_domain();
> + landlock_get_ruleset(new_dom);
> + }
> +
> prev_dom = landlock_file(file)->fown_domain;
> landlock_file(file)->fown_domain = new_dom;
>
next prev parent reply other threads:[~2025-03-20 21:06 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-18 16:14 [PATCH v2 0/8] Landlock signal scope fix and errata interface Mickaël Salaün
2025-03-18 16:14 ` [PATCH v2 1/8] landlock: Move code to ease future backports Mickaël Salaün
2025-03-18 16:14 ` [PATCH v2 2/8] landlock: Add the errata interface Mickaël Salaün
2025-03-30 10:13 ` Günther Noack
2025-03-31 10:38 ` Mickaël Salaün
2025-03-18 16:14 ` [PATCH v2 3/8] landlock: Add erratum for TCP fix Mickaël Salaün
2025-03-18 16:14 ` [PATCH v2 4/8] landlock: Prepare to add second errata Mickaël Salaün
2025-03-18 16:14 ` [PATCH v2 5/8] landlock: Always allow signals between threads of the same process Mickaël Salaün
2025-03-20 21:06 ` Mickaël Salaün [this message]
2025-03-26 7:51 ` kernel test robot
2025-03-26 11:51 ` Mickaël Salaün
2025-03-18 16:14 ` [PATCH v2 6/8] selftests/landlock: Split signal_scoping_threads tests Mickaël Salaün
2025-03-18 16:14 ` [PATCH v2 7/8] selftests/landlock: Add a new test for setuid() Mickaël Salaün
2025-03-18 16:14 ` [PATCH v2 8/8] landlock: Document errata Mickaël Salaün
-- strict thread matches above, loose matches on Subject: below --
2025-03-26 8:00 [linux-next:master] [landlock] 9d65581539: WARNING:suspicious_RCU_usage kernel test robot
2025-03-26 14:39 ` Mickaël Salaün
[not found] ` <20250327.ahthiSoh4Nec@digikod.net>
2025-03-28 3:00 ` Oliver Sang
2025-03-28 6:05 ` Oliver Sang
2025-03-28 8:31 ` Mickaël Salaün
2025-03-28 9:26 ` Oliver Sang
2025-03-28 14:11 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250320.zahqueisoeT6@digikod.net \
--to=mic@digikod.net \
--cc=brauner@kernel.org \
--cc=dan.carpenter@linaro.org \
--cc=fahimitahera@gmail.com \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.