From: "Günther Noack" <gnoack@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org,
Jeff Xu <jeffxu@google.com>,
Jorge Lucangeli Obes <jorgelo@chromium.org>,
Allen Webb <allenwebb@google.com>,
Dmitry Torokhov <dtor@google.com>,
Paul Moore <paul@paul-moore.com>,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
Matt Bobrowski <repnop@google.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v3 0/5] Landlock: IOCTL support
Date: Fri, 25 Aug 2023 17:03:43 +0200 [thread overview]
Message-ID: <ZOjCz5j4+tgptF53@google.com> (raw)
In-Reply-To: <20230818.iechoCh0eew0@digikod.net>
Hi!
On Fri, Aug 18, 2023 at 03:39:19PM +0200, Mickaël Salaün wrote:
> On Mon, Aug 14, 2023 at 07:28:11PM +0200, Günther Noack wrote:
> > These patches add simple ioctl(2) support to Landlock.
>
> [...]
>
> > How we arrived at the list of always-permitted IOCTL commands
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > To decide which IOCTL commands should be blanket-permitted I went through the
> > list of IOCTL commands mentioned in fs/ioctl.c and looked at them individually
> > to understand what they are about. The following list is my conclusion from
> > that.
> >
> > We should always allow the following IOCTL commands:
> >
> > * FIOCLEX, FIONCLEX - these work on the file descriptor and manipulate the
> > close-on-exec flag
> > * FIONBIO, FIOASYNC - these work on the struct file and enable nonblocking-IO
> > and async flags
> > * FIONREAD - get the number of bytes available for reading (the implementation
> > is defined per file type)
>
> I think we should treat FIOQSIZE like FIONREAD, i.e. check for
> LANDLOCK_ACCESS_FS_READ_FILE as explain in my previous message.
> Tests should then rely on something else.
OK, I rewrote the tests to use FS_IOC_GETFLAGS.
Some thoughts on these two IOCTLs:
FIONREAD gives the number of bytes that are ready to read. This IOCTL seems
only useful when the file is open for reading. However, do you think that we
should correlate this with (a) LANDLOCK_ACCESS_FS_READ_FILE, or with (b)
f->f_mode & FMODE_READ? (The difference is that in case (a), FIONREAD will work
if you open a file O_WRONLY and you also have the LANDLOCK_ACCESS_FS_READ_FILE
right for that file. In case (b), it would only work if you also opened the
file for reading.)
FIOQSIZE seems like it would be useful for both reading *and* writing? -- The
reading case is obvious, but for writers it's also useful if you want to seek
around in the file, and make sure that the position that you seek to already
exists. (I'm not sure whether that use case is relevant in practical
applications though.) -- Why would FIOQSIZE only be useful for readers?
(In fact, it seems to me almost like FIOQSIZE might rather be missing a security
hook check for one of the "getting file attribute" hooks?)
So basically, the implementation that I currently ended up with is:
switch (cmd) {
case FIOCLEX:
case FIONCLEX:
case FIONBIO:
case FIOASYNC:
case FIOQSIZE:
return 0;
case FIONREAD:
if (file->f_mode & FMODE_READ)
return 0;
}
(with some comments in the source code, of course...)
Does that look reasonable to you?
—Günther
--
Sent using Mutt 🐕 Woof Woof
next prev parent reply other threads:[~2023-08-25 15:04 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-14 17:28 [PATCH v3 0/5] Landlock: IOCTL support Günther Noack
2023-08-14 17:28 ` [PATCH v3 1/5] landlock: Add ioctl access right Günther Noack
2023-08-14 17:43 ` Günther Noack
2023-08-14 17:28 ` [PATCH v3 2/5] selftests/landlock: Test ioctl support Günther Noack
2023-08-18 17:06 ` Mickaël Salaün
2023-08-25 15:51 ` Günther Noack
2023-08-25 17:07 ` Mickaël Salaün
2023-09-01 13:35 ` Günther Noack
2023-09-01 20:24 ` Mickaël Salaün
2023-08-14 17:28 ` [PATCH v3 3/5] selftests/landlock: Test ioctl with memfds Günther Noack
2023-08-14 17:28 ` [PATCH v3 4/5] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL Günther Noack
2023-08-14 17:28 ` [PATCH v3 5/5] landlock: Document ioctl support Günther Noack
2023-08-18 16:28 ` Mickaël Salaün
2023-08-25 11:55 ` Günther Noack
2023-08-18 13:26 ` [PATCH v3 0/5] Landlock: IOCTL support Mickaël Salaün
2023-08-18 13:39 ` Mickaël Salaün
2023-08-25 15:03 ` Günther Noack [this message]
2023-08-25 16:50 ` Mickaël Salaün
2023-08-26 18:26 ` Mickaël Salaün
2023-09-02 11:53 ` Günther Noack
2023-09-04 18:08 ` Mickaël Salaün
2023-09-11 10:02 ` Günther Noack
2023-09-11 15:25 ` Mickaël Salaün
2023-09-11 16:34 ` Mickaël Salaün
2023-10-19 22:09 ` Günther Noack
2023-10-20 14:57 ` Mickaël Salaün
2023-10-25 22:07 ` Günther Noack
2023-10-26 14:55 ` Mickaël Salaün
2023-11-03 13:06 ` Günther Noack
2023-11-03 15:12 ` Mickaël Salaün
2023-08-22 14:39 ` [PATCH v3 0/5] Landlock: IOCTL support - TTY restrictions RFC Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZOjCz5j4+tgptF53@google.com \
--to=gnoack@google.com \
--cc=allenwebb@google.com \
--cc=dtor@google.com \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=repnop@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.