* [PATCH v6 1/9] landlock: Remove remaining "inline" modifiers in .c files
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
2023-11-30 9:27 ` Mickaël Salaün
2023-11-24 17:30 ` [PATCH v6 2/9] selftests/landlock: Rename "permitted" to "allowed" in ftruncate tests Günther Noack
` (7 subsequent siblings)
8 siblings, 1 reply; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
Suggested-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Günther Noack <gnoack@google.com>
---
security/landlock/fs.c | 26 +++++++++++++-------------
security/landlock/ruleset.c | 2 +-
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index bc7c126deea2..9ba989ef46a5 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -193,7 +193,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
*
* Returns NULL if no rule is found or if @dentry is negative.
*/
-static inline const struct landlock_rule *
+static const struct landlock_rule *
find_rule(const struct landlock_ruleset *const domain,
const struct dentry *const dentry)
{
@@ -220,7 +220,7 @@ find_rule(const struct landlock_ruleset *const domain,
* sockfs, pipefs), but can still be reachable through
* /proc/<pid>/fd/<file-descriptor>
*/
-static inline bool is_nouser_or_private(const struct dentry *dentry)
+static bool is_nouser_or_private(const struct dentry *dentry)
{
return (dentry->d_sb->s_flags & SB_NOUSER) ||
(d_is_positive(dentry) &&
@@ -264,7 +264,7 @@ static const struct landlock_ruleset *get_current_fs_domain(void)
*
* @layer_masks_child2: Optional child masks.
*/
-static inline bool no_more_access(
+static bool no_more_access(
const layer_mask_t (*const layer_masks_parent1)[LANDLOCK_NUM_ACCESS_FS],
const layer_mask_t (*const layer_masks_child1)[LANDLOCK_NUM_ACCESS_FS],
const bool child1_is_directory,
@@ -316,7 +316,7 @@ static inline bool no_more_access(
*
* Returns true if the request is allowed, false otherwise.
*/
-static inline bool
+static bool
scope_to_request(const access_mask_t access_request,
layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
{
@@ -335,7 +335,7 @@ scope_to_request(const access_mask_t access_request,
* Returns true if there is at least one access right different than
* LANDLOCK_ACCESS_FS_REFER.
*/
-static inline bool
+static bool
is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS],
const access_mask_t access_request)
{
@@ -551,9 +551,9 @@ static bool is_access_to_paths_allowed(
return allowed_parent1 && allowed_parent2;
}
-static inline int check_access_path(const struct landlock_ruleset *const domain,
- const struct path *const path,
- access_mask_t access_request)
+static int check_access_path(const struct landlock_ruleset *const domain,
+ const struct path *const path,
+ access_mask_t access_request)
{
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
@@ -565,8 +565,8 @@ static inline int check_access_path(const struct landlock_ruleset *const domain,
return -EACCES;
}
-static inline int current_check_access_path(const struct path *const path,
- const access_mask_t access_request)
+static int current_check_access_path(const struct path *const path,
+ const access_mask_t access_request)
{
const struct landlock_ruleset *const dom = get_current_fs_domain();
@@ -575,7 +575,7 @@ static inline int current_check_access_path(const struct path *const path,
return check_access_path(dom, path, access_request);
}
-static inline access_mask_t get_mode_access(const umode_t mode)
+static access_mask_t get_mode_access(const umode_t mode)
{
switch (mode & S_IFMT) {
case S_IFLNK:
@@ -600,7 +600,7 @@ static inline access_mask_t get_mode_access(const umode_t mode)
}
}
-static inline access_mask_t maybe_remove(const struct dentry *const dentry)
+static access_mask_t maybe_remove(const struct dentry *const dentry)
{
if (d_is_negative(dentry))
return 0;
@@ -1086,7 +1086,7 @@ static int hook_path_truncate(const struct path *const path)
* Returns the access rights that are required for opening the given file,
* depending on the file type and open mode.
*/
-static inline access_mask_t
+static access_mask_t
get_required_file_open_access(const struct file *const file)
{
access_mask_t access = 0;
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index ffedc99f2b68..789c81b26a50 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -305,7 +305,7 @@ int landlock_insert_rule(struct landlock_ruleset *const ruleset,
return insert_rule(ruleset, id, &layers, ARRAY_SIZE(layers));
}
-static inline void get_hierarchy(struct landlock_hierarchy *const hierarchy)
+static void get_hierarchy(struct landlock_hierarchy *const hierarchy)
{
if (hierarchy)
refcount_inc(&hierarchy->usage);
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH v6 1/9] landlock: Remove remaining "inline" modifiers in .c files
2023-11-24 17:30 ` [PATCH v6 1/9] landlock: Remove remaining "inline" modifiers in .c files Günther Noack
@ 2023-11-30 9:27 ` Mickaël Salaün
2023-12-01 14:05 ` Günther Noack
0 siblings, 1 reply; 17+ messages in thread
From: Mickaël Salaün @ 2023-11-30 9:27 UTC (permalink / raw)
To: Günther Noack
Cc: linux-security-module, Jeff Xu, Jorge Lucangeli Obes, Allen Webb,
Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski,
linux-fsdevel
Thanks for this cleanup. Maybe add a (one-line) explanation?
On Fri, Nov 24, 2023 at 06:30:18PM +0100, Günther Noack wrote:
> Suggested-by: Mickaël Salaün <mic@digikod.net>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
> security/landlock/fs.c | 26 +++++++++++++-------------
> security/landlock/ruleset.c | 2 +-
> 2 files changed, 14 insertions(+), 14 deletions(-)
>
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index bc7c126deea2..9ba989ef46a5 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -193,7 +193,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
> *
> * Returns NULL if no rule is found or if @dentry is negative.
> */
> -static inline const struct landlock_rule *
> +static const struct landlock_rule *
> find_rule(const struct landlock_ruleset *const domain,
> const struct dentry *const dentry)
> {
> @@ -220,7 +220,7 @@ find_rule(const struct landlock_ruleset *const domain,
> * sockfs, pipefs), but can still be reachable through
> * /proc/<pid>/fd/<file-descriptor>
> */
> -static inline bool is_nouser_or_private(const struct dentry *dentry)
> +static bool is_nouser_or_private(const struct dentry *dentry)
> {
> return (dentry->d_sb->s_flags & SB_NOUSER) ||
> (d_is_positive(dentry) &&
> @@ -264,7 +264,7 @@ static const struct landlock_ruleset *get_current_fs_domain(void)
> *
> * @layer_masks_child2: Optional child masks.
> */
> -static inline bool no_more_access(
> +static bool no_more_access(
> const layer_mask_t (*const layer_masks_parent1)[LANDLOCK_NUM_ACCESS_FS],
> const layer_mask_t (*const layer_masks_child1)[LANDLOCK_NUM_ACCESS_FS],
> const bool child1_is_directory,
> @@ -316,7 +316,7 @@ static inline bool no_more_access(
> *
> * Returns true if the request is allowed, false otherwise.
> */
> -static inline bool
> +static bool
> scope_to_request(const access_mask_t access_request,
> layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
> {
> @@ -335,7 +335,7 @@ scope_to_request(const access_mask_t access_request,
> * Returns true if there is at least one access right different than
> * LANDLOCK_ACCESS_FS_REFER.
> */
> -static inline bool
> +static bool
> is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS],
> const access_mask_t access_request)
> {
> @@ -551,9 +551,9 @@ static bool is_access_to_paths_allowed(
> return allowed_parent1 && allowed_parent2;
> }
>
> -static inline int check_access_path(const struct landlock_ruleset *const domain,
> - const struct path *const path,
> - access_mask_t access_request)
> +static int check_access_path(const struct landlock_ruleset *const domain,
> + const struct path *const path,
> + access_mask_t access_request)
> {
> layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
>
> @@ -565,8 +565,8 @@ static inline int check_access_path(const struct landlock_ruleset *const domain,
> return -EACCES;
> }
>
> -static inline int current_check_access_path(const struct path *const path,
> - const access_mask_t access_request)
> +static int current_check_access_path(const struct path *const path,
> + const access_mask_t access_request)
> {
> const struct landlock_ruleset *const dom = get_current_fs_domain();
>
> @@ -575,7 +575,7 @@ static inline int current_check_access_path(const struct path *const path,
> return check_access_path(dom, path, access_request);
> }
>
> -static inline access_mask_t get_mode_access(const umode_t mode)
> +static access_mask_t get_mode_access(const umode_t mode)
> {
> switch (mode & S_IFMT) {
> case S_IFLNK:
> @@ -600,7 +600,7 @@ static inline access_mask_t get_mode_access(const umode_t mode)
> }
> }
>
> -static inline access_mask_t maybe_remove(const struct dentry *const dentry)
> +static access_mask_t maybe_remove(const struct dentry *const dentry)
> {
> if (d_is_negative(dentry))
> return 0;
> @@ -1086,7 +1086,7 @@ static int hook_path_truncate(const struct path *const path)
> * Returns the access rights that are required for opening the given file,
> * depending on the file type and open mode.
> */
> -static inline access_mask_t
> +static access_mask_t
> get_required_file_open_access(const struct file *const file)
> {
> access_mask_t access = 0;
> diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
> index ffedc99f2b68..789c81b26a50 100644
> --- a/security/landlock/ruleset.c
> +++ b/security/landlock/ruleset.c
> @@ -305,7 +305,7 @@ int landlock_insert_rule(struct landlock_ruleset *const ruleset,
> return insert_rule(ruleset, id, &layers, ARRAY_SIZE(layers));
> }
>
> -static inline void get_hierarchy(struct landlock_hierarchy *const hierarchy)
> +static void get_hierarchy(struct landlock_hierarchy *const hierarchy)
> {
> if (hierarchy)
> refcount_inc(&hierarchy->usage);
> --
> 2.43.0.rc1.413.gea7ed67945-goog
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH v6 1/9] landlock: Remove remaining "inline" modifiers in .c files
2023-11-30 9:27 ` Mickaël Salaün
@ 2023-12-01 14:05 ` Günther Noack
0 siblings, 0 replies; 17+ messages in thread
From: Günther Noack @ 2023-12-01 14:05 UTC (permalink / raw)
To: Mickaël Salaün
Cc: linux-security-module, Jeff Xu, Jorge Lucangeli Obes, Allen Webb,
Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski,
linux-fsdevel
On Thu, Nov 30, 2023 at 10:27:18AM +0100, Mickaël Salaün wrote:
>
> Thanks for this cleanup. Maybe add a (one-line) explanation?
Done.
—Günther
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v6 2/9] selftests/landlock: Rename "permitted" to "allowed" in ftruncate tests
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
2023-11-24 17:30 ` [PATCH v6 1/9] landlock: Remove remaining "inline" modifiers in .c files Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
2023-11-24 17:30 ` [PATCH v6 3/9] landlock: Optimize the number of calls to get_access_mask slightly Günther Noack
` (6 subsequent siblings)
8 siblings, 0 replies; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
Suggested-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Günther Noack <gnoack@google.com>
---
tools/testing/selftests/landlock/fs_test.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 18e1f86a6234..971a7bb404d6 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -3627,7 +3627,7 @@ FIXTURE_TEARDOWN(ftruncate)
FIXTURE_VARIANT(ftruncate)
{
const __u64 handled;
- const __u64 permitted;
+ const __u64 allowed;
const int expected_open_result;
const int expected_ftruncate_result;
};
@@ -3636,7 +3636,7 @@ FIXTURE_VARIANT(ftruncate)
FIXTURE_VARIANT_ADD(ftruncate, w_w) {
/* clang-format on */
.handled = LANDLOCK_ACCESS_FS_WRITE_FILE,
- .permitted = LANDLOCK_ACCESS_FS_WRITE_FILE,
+ .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
.expected_open_result = 0,
.expected_ftruncate_result = 0,
};
@@ -3645,7 +3645,7 @@ FIXTURE_VARIANT_ADD(ftruncate, w_w) {
FIXTURE_VARIANT_ADD(ftruncate, t_t) {
/* clang-format on */
.handled = LANDLOCK_ACCESS_FS_TRUNCATE,
- .permitted = LANDLOCK_ACCESS_FS_TRUNCATE,
+ .allowed = LANDLOCK_ACCESS_FS_TRUNCATE,
.expected_open_result = 0,
.expected_ftruncate_result = 0,
};
@@ -3654,7 +3654,7 @@ FIXTURE_VARIANT_ADD(ftruncate, t_t) {
FIXTURE_VARIANT_ADD(ftruncate, wt_w) {
/* clang-format on */
.handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
- .permitted = LANDLOCK_ACCESS_FS_WRITE_FILE,
+ .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
.expected_open_result = 0,
.expected_ftruncate_result = EACCES,
};
@@ -3663,8 +3663,7 @@ FIXTURE_VARIANT_ADD(ftruncate, wt_w) {
FIXTURE_VARIANT_ADD(ftruncate, wt_wt) {
/* clang-format on */
.handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
- .permitted = LANDLOCK_ACCESS_FS_WRITE_FILE |
- LANDLOCK_ACCESS_FS_TRUNCATE,
+ .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
.expected_open_result = 0,
.expected_ftruncate_result = 0,
};
@@ -3673,7 +3672,7 @@ FIXTURE_VARIANT_ADD(ftruncate, wt_wt) {
FIXTURE_VARIANT_ADD(ftruncate, wt_t) {
/* clang-format on */
.handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE,
- .permitted = LANDLOCK_ACCESS_FS_TRUNCATE,
+ .allowed = LANDLOCK_ACCESS_FS_TRUNCATE,
.expected_open_result = EACCES,
};
@@ -3683,7 +3682,7 @@ TEST_F_FORK(ftruncate, open_and_ftruncate)
const struct rule rules[] = {
{
.path = path,
- .access = variant->permitted,
+ .access = variant->allowed,
},
{},
};
@@ -3724,7 +3723,7 @@ TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes)
const struct rule rules[] = {
{
.path = path,
- .access = variant->permitted,
+ .access = variant->allowed,
},
{},
};
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v6 3/9] landlock: Optimize the number of calls to get_access_mask slightly
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
2023-11-24 17:30 ` [PATCH v6 1/9] landlock: Remove remaining "inline" modifiers in .c files Günther Noack
2023-11-24 17:30 ` [PATCH v6 2/9] selftests/landlock: Rename "permitted" to "allowed" in ftruncate tests Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
2023-11-24 17:30 ` [PATCH v6 4/9] landlock: Add IOCTL access right Günther Noack
` (5 subsequent siblings)
8 siblings, 0 replies; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
This call is now going through a function pointer,
and it is not as obvious any more that it will be inlined.
Signed-off-by: Günther Noack <gnoack@google.com>
---
security/landlock/ruleset.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c
index 789c81b26a50..e0a5fbf9201a 100644
--- a/security/landlock/ruleset.c
+++ b/security/landlock/ruleset.c
@@ -723,11 +723,12 @@ landlock_init_layer_masks(const struct landlock_ruleset *const domain,
/* Saves all handled accesses per layer. */
for (layer_level = 0; layer_level < domain->num_layers; layer_level++) {
const unsigned long access_req = access_request;
+ const access_mask_t access_mask =
+ get_access_mask(domain, layer_level);
unsigned long access_bit;
for_each_set_bit(access_bit, &access_req, num_access) {
- if (BIT_ULL(access_bit) &
- get_access_mask(domain, layer_level)) {
+ if (BIT_ULL(access_bit) & access_mask) {
(*layer_masks)[access_bit] |=
BIT_ULL(layer_level);
handled_accesses |= BIT_ULL(access_bit);
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v6 4/9] landlock: Add IOCTL access right
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
` (2 preceding siblings ...)
2023-11-24 17:30 ` [PATCH v6 3/9] landlock: Optimize the number of calls to get_access_mask slightly Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
2023-11-26 7:23 ` kernel test robot
2023-11-30 9:28 ` Mickaël Salaün
2023-11-24 17:30 ` [PATCH v6 5/9] selftests/landlock: Test IOCTL support Günther Noack
` (4 subsequent siblings)
8 siblings, 2 replies; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
Introduces the LANDLOCK_ACCESS_FS_IOCTL access right
and increments the Landlock ABI version to 5.
Like the truncate right, these rights are associated with a file
descriptor at the time of open(2), and get respected even when the
file descriptor is used outside of the thread which it was originally
opened in.
A newly enabled Landlock policy therefore does not apply to file
descriptors which are already open.
If the LANDLOCK_ACCESS_FS_IOCTL right is handled, only a small number
of safe IOCTL commands will be permitted on newly opened files. The
permitted IOCTLs can be configured through the ruleset in limited ways
now. (See documentation for details.)
Noteworthy scenarios which require special attention:
TTY devices support IOCTLs like TIOCSTI and TIOCLINUX, which can be
used to control shell processes on the same terminal which run at
different privilege levels, which may make it possible to escape a
sandbox. Because stdin, stdout and stderr are normally inherited
rather than newly opened, IOCTLs are usually permitted on them even
after the Landlock policy is enforced.
Some legitimate file system features, like setting up fscrypt, are
exposed as IOCTL commands on regular files and directories -- users of
Landlock are advised to double check that the sandboxed process does
not need to invoke these IOCTLs.
Known limitations:
The LANDLOCK_ACCESS_FS_IOCTL access right is a coarse-grained control
over IOCTL commands. Future work will enable a more fine-grained
access control for IOCTLs.
In the meantime, Landlock users may use path-based restrictions in
combination with their knowledge about the file system layout to
control what IOCTLs can be done. Mounting file systems with the nodev
option can help to distinguish regular files and devices, and give
guarantees about the affected files, which Landlock alone can not give
yet.
Signed-off-by: Günther Noack <gnoack@google.com>
---
include/uapi/linux/landlock.h | 58 ++++++-
security/landlock/fs.c | 172 ++++++++++++++++++-
security/landlock/fs.h | 2 +
security/landlock/limits.h | 5 +-
security/landlock/ruleset.h | 2 +-
security/landlock/syscalls.c | 19 +-
tools/testing/selftests/landlock/base_test.c | 2 +-
tools/testing/selftests/landlock/fs_test.c | 5 +-
8 files changed, 243 insertions(+), 22 deletions(-)
diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index 25c8d7677539..578f268b084b 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -128,7 +128,7 @@ struct landlock_net_port_attr {
* files and directories. Files or directories opened before the sandboxing
* are not subject to these restrictions.
*
- * A file can only receive these access rights:
+ * The following access rights apply only to files:
*
* - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
* - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that
@@ -138,12 +138,13 @@ struct landlock_net_port_attr {
* - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
* - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`,
* :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
- * ``O_TRUNC``. Whether an opened file can be truncated with
- * :manpage:`ftruncate(2)` is determined during :manpage:`open(2)`, in the
- * same way as read and write permissions are checked during
- * :manpage:`open(2)` using %LANDLOCK_ACCESS_FS_READ_FILE and
- * %LANDLOCK_ACCESS_FS_WRITE_FILE. This access right is available since the
- * third version of the Landlock ABI.
+ * ``O_TRUNC``. This access right is available since the third version of the
+ * Landlock ABI.
+ *
+ * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used
+ * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as
+ * read and write permissions are checked during :manpage:`open(2)` using
+ * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE.
*
* A directory can receive access rights related to files or directories. The
* following access right is applied to the directory itself, and the
@@ -198,13 +199,53 @@ struct landlock_net_port_attr {
* If multiple requirements are not met, the ``EACCES`` error code takes
* precedence over ``EXDEV``.
*
+ * The following access right applies both to files and directories:
+ *
+ * - %LANDLOCK_ACCESS_FS_IOCTL: Invoke :manpage:`ioctl(2)` commands on an opened
+ * file or directory.
+ *
+ * This access right applies to all :manpage:`ioctl(2)` commands, except of
+ * ``FIOCLEX``, ``FIONCLEX``, ``FIONBIO`` and ``FIOASYNC``. These commands
+ * continue to be invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL
+ * access right.
+ *
+ * When certain other access rights are handled in the ruleset, in addition to
+ * %LANDLOCK_ACCESS_FS_IOCTL, granting these access rights will unlock access
+ * to additional groups of IOCTL commands, on the affected files:
+ *
+ * * %LANDLOCK_ACCESS_FS_READ_FILE unlocks access to ``FIOQSIZE``,
+ * ``FS_IOC_FIEMAP``, ``FIBMAP``, ``FIGETBSZ``, ``FIONREAD``,
+ * ``FIDEDUPRANGE``.
+ *
+ * * %LANDLOCK_ACCESS_FS_WRITE_FILE unlocks access to ``FIOQSIZE``,
+ * ``FS_IOC_FIEMAP``, ``FIBMAP``, ``FIGETBSZ``, ``FICLONE``,
+ * ``FICLONERANGE``, ``FS_IOC_RESVSP``, ``FS_IOC_RESVSP64``,
+ * ``FS_IOC_UNRESVSP``, ``FS_IOC_UNRESVSP64``, ``FS_IOC_ZERO_RANGE``.
+ *
+ * * %LANDLOCK_ACCESS_FS_READ_DIR unlocks access to ``FIOQSIZE``,
+ * ``FS_IOC_FIEMAP``, ``FIBMAP``, ``FIGETBSZ``.
+ *
+ * When these access rights are handled in the ruleset, the availability of
+ * the affected IOCTL commands is not governed by %LANDLOCK_ACCESS_FS_IOCTL
+ * any more, but by the respective access right.
+ *
+ * All other IOCTL commands are not handled specially, and are governed by
+ * %LANDLOCK_ACCESS_FS_IOCTL. This includes %FS_IOC_GETFLAGS and
+ * %FS_IOC_SETFLAGS for manipulating inode flags (:manpage:`ioctl_iflags(2)`),
+ * %FS_IOC_FSFETXATTR and %FS_IOC_FSSETXATTR for manipulating extended
+ * attributes, as well as %FIFREEZE and %FITHAW for freezing and thawing file
+ * systems.
+ *
+ * This access right is available since the fifth version of the Landlock
+ * ABI.
+ *
* .. warning::
*
* It is currently not possible to restrict some file-related actions
* accessible through these syscall families: :manpage:`chdir(2)`,
* :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
* :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
- * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`.
+ * :manpage:`fcntl(2)`, :manpage:`access(2)`.
* Future Landlock evolutions will enable to restrict them.
*/
/* clang-format off */
@@ -223,6 +264,7 @@ struct landlock_net_port_attr {
#define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
+#define LANDLOCK_ACCESS_FS_IOCTL (1ULL << 15)
/* clang-format on */
/**
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index 9ba989ef46a5..098bf4bd7736 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -7,12 +7,14 @@
* Copyright © 2021-2022 Microsoft Corporation
*/
+#include <asm/ioctls.h>
#include <linux/atomic.h>
#include <linux/bitops.h>
#include <linux/bits.h>
#include <linux/compiler_types.h>
#include <linux/dcache.h>
#include <linux/err.h>
+#include <linux/falloc.h>
#include <linux/fs.h>
#include <linux/init.h>
#include <linux/kernel.h>
@@ -28,6 +30,7 @@
#include <linux/types.h>
#include <linux/wait_bit.h>
#include <linux/workqueue.h>
+#include <uapi/linux/fiemap.h>
#include <uapi/linux/landlock.h>
#include "common.h"
@@ -83,6 +86,141 @@ static const struct landlock_object_underops landlock_fs_underops = {
.release = release_inode
};
+/* IOCTL helpers */
+
+/*
+ * These are synthetic access rights, which are only used within the kernel, but
+ * not exposed to callers in userspace. The mapping between these access rights
+ * and IOCTL commands is defined in the required_ioctl_access() helper function.
+ */
+#define LANDLOCK_ACCESS_FS_IOCTL_GROUP1 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 1)
+#define LANDLOCK_ACCESS_FS_IOCTL_GROUP2 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 2)
+#define LANDLOCK_ACCESS_FS_IOCTL_GROUP3 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 3)
+#define LANDLOCK_ACCESS_FS_IOCTL_GROUP4 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 4)
+
+/* ioctl_groups - all synthetic access rights for IOCTL command groups */
+static const access_mask_t ioctl_groups =
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP1 | LANDLOCK_ACCESS_FS_IOCTL_GROUP2 |
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP3 | LANDLOCK_ACCESS_FS_IOCTL_GROUP4;
+
+/**
+ * required_ioctl_access(): Determine required IOCTL access rights.
+ *
+ * @cmd: The IOCTL command that is supposed to be run.
+ *
+ * Returns: The access rights that must be granted on an opened file in order to
+ * use the given @cmd.
+ */
+static access_mask_t required_ioctl_access(unsigned int cmd)
+{
+ switch (cmd) {
+ case FIOCLEX:
+ case FIONCLEX:
+ case FIONBIO:
+ case FIOASYNC:
+ /*
+ * FIOCLEX, FIONCLEX, FIONBIO and FIOASYNC manipulate the FD's
+ * close-on-exec and the file's buffered-IO and async flags.
+ * These operations are also available through fcntl(2),
+ * and are unconditionally permitted in Landlock.
+ */
+ return 0;
+ case FIOQSIZE:
+ return LANDLOCK_ACCESS_FS_IOCTL_GROUP1;
+ case FS_IOC_FIEMAP:
+ case FIBMAP:
+ case FIGETBSZ:
+ return LANDLOCK_ACCESS_FS_IOCTL_GROUP2;
+ case FIONREAD:
+ case FIDEDUPERANGE:
+ return LANDLOCK_ACCESS_FS_IOCTL_GROUP3;
+ case FICLONE:
+ case FICLONERANGE:
+ case FS_IOC_RESVSP:
+ case FS_IOC_RESVSP64:
+ case FS_IOC_UNRESVSP:
+ case FS_IOC_UNRESVSP64:
+ case FS_IOC_ZERO_RANGE:
+ return LANDLOCK_ACCESS_FS_IOCTL_GROUP4;
+ default:
+ /*
+ * Other commands are guarded by the catch-all access right.
+ */
+ return LANDLOCK_ACCESS_FS_IOCTL;
+ }
+}
+
+/**
+ * expand_ioctl() - Return the dst flags from either the src flag or the
+ * %LANDLOCK_ACCESS_FS_IOCTL flag, depending on whether the
+ * %LANDLOCK_ACCESS_FS_IOCTL and src access rights are handled or not.
+ *
+ * @handled: Handled access rights
+ * @access: The access mask to copy values from
+ * @src: A single access right to copy from in @access.
+ * @dst: One or more access rights to copy to
+ *
+ * Returns: @dst, or 0
+ */
+static access_mask_t expand_ioctl(const access_mask_t handled,
+ const access_mask_t access,
+ const access_mask_t src,
+ const access_mask_t dst)
+{
+ access_mask_t copy_from;
+
+ if (!(handled & LANDLOCK_ACCESS_FS_IOCTL))
+ return 0;
+
+ copy_from = (handled & src) ? src : LANDLOCK_ACCESS_FS_IOCTL;
+ if (access & copy_from)
+ return dst;
+
+ return 0;
+}
+
+/**
+ * landlock_expand_access_fs() - Returns @access with the synthetic IOCTL group
+ * flags enabled if necessary.
+ *
+ * @handled: Handled FS access rights.
+ * @access: FS access rights to expand.
+ *
+ * Returns: @access expanded by the necessary flags for the synthetic IOCTL
+ * access rights.
+ */
+static access_mask_t landlock_expand_access_fs(const access_mask_t handled,
+ const access_mask_t access)
+{
+ static_assert((ioctl_groups & LANDLOCK_MASK_ACCESS_FS) == ioctl_groups);
+
+ return access |
+ expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_WRITE_FILE,
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP1 |
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP2 |
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP4) |
+ expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_READ_FILE,
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP1 |
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP2 |
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP3) |
+ expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_READ_DIR,
+ LANDLOCK_ACCESS_FS_IOCTL_GROUP1);
+}
+
+/**
+ * landlock_expand_handled_access_fs() - add synthetic IOCTL access rights to an
+ * access mask of handled accesses.
+ *
+ * @handled: The handled accesses of a ruleset that is being created
+ *
+ * Returns: @handled, with the bits for the synthetic IOCTL access rights set,
+ * if %LANDLOCK_ACCESS_FS_IOCTL is handled
+ */
+access_mask_t landlock_expand_handled_access_fs(const access_mask_t handled)
+{
+ return landlock_expand_access_fs(handled, handled);
+}
+
/* Ruleset management */
static struct landlock_object *get_inode_object(struct inode *const inode)
@@ -147,7 +285,8 @@ static struct landlock_object *get_inode_object(struct inode *const inode)
LANDLOCK_ACCESS_FS_EXECUTE | \
LANDLOCK_ACCESS_FS_WRITE_FILE | \
LANDLOCK_ACCESS_FS_READ_FILE | \
- LANDLOCK_ACCESS_FS_TRUNCATE)
+ LANDLOCK_ACCESS_FS_TRUNCATE | \
+ LANDLOCK_ACCESS_FS_IOCTL)
/* clang-format on */
/*
@@ -157,6 +296,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
const struct path *const path,
access_mask_t access_rights)
{
+ access_mask_t handled;
int err;
struct landlock_id id = {
.type = LANDLOCK_KEY_INODE,
@@ -169,9 +309,11 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
if (WARN_ON_ONCE(ruleset->num_layers != 1))
return -EINVAL;
+ handled = landlock_get_fs_access_mask(ruleset, 0);
+ /* Expands the synthetic IOCTL groups. */
+ access_rights |= landlock_expand_access_fs(handled, access_rights);
/* Transforms relative access rights to absolute ones. */
- access_rights |= LANDLOCK_MASK_ACCESS_FS &
- ~landlock_get_fs_access_mask(ruleset, 0);
+ access_rights |= LANDLOCK_MASK_ACCESS_FS & ~handled;
id.key.object = get_inode_object(d_backing_inode(path->dentry));
if (IS_ERR(id.key.object))
return PTR_ERR(id.key.object);
@@ -1123,7 +1265,9 @@ static int hook_file_open(struct file *const file)
{
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
access_mask_t open_access_request, full_access_request, allowed_access;
- const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE;
+ const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE |
+ LANDLOCK_ACCESS_FS_IOCTL |
+ ioctl_groups;
const struct landlock_ruleset *const dom = get_current_fs_domain();
if (!dom)
@@ -1196,6 +1340,25 @@ static int hook_file_truncate(struct file *const file)
return -EACCES;
}
+static int hook_file_ioctl(struct file *file, unsigned int cmd,
+ unsigned long arg)
+{
+ const access_mask_t required_access = required_ioctl_access(cmd);
+ const access_mask_t allowed_access =
+ landlock_file(file)->allowed_access;
+
+ /*
+ * It is the access rights at the time of opening the file which
+ * determine whether IOCTL can be used on the opened file later.
+ *
+ * The access right is attached to the opened file in hook_file_open().
+ */
+ if ((allowed_access & required_access) == required_access)
+ return 0;
+
+ return -EACCES;
+}
+
static struct security_hook_list landlock_hooks[] __ro_after_init = {
LSM_HOOK_INIT(inode_free_security, hook_inode_free_security),
@@ -1218,6 +1381,7 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = {
LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security),
LSM_HOOK_INIT(file_open, hook_file_open),
LSM_HOOK_INIT(file_truncate, hook_file_truncate),
+ LSM_HOOK_INIT(file_ioctl, hook_file_ioctl),
};
__init void landlock_add_fs_hooks(void)
diff --git a/security/landlock/fs.h b/security/landlock/fs.h
index 488e4813680a..c88fe7bda37b 100644
--- a/security/landlock/fs.h
+++ b/security/landlock/fs.h
@@ -92,4 +92,6 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
const struct path *const path,
access_mask_t access_hierarchy);
+access_mask_t landlock_expand_handled_access_fs(const access_mask_t handled);
+
#endif /* _SECURITY_LANDLOCK_FS_H */
diff --git a/security/landlock/limits.h b/security/landlock/limits.h
index 93c9c6f91556..63b5aa0bd8fa 100644
--- a/security/landlock/limits.h
+++ b/security/landlock/limits.h
@@ -18,7 +18,10 @@
#define LANDLOCK_MAX_NUM_LAYERS 16
#define LANDLOCK_MAX_NUM_RULES U32_MAX
-#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_TRUNCATE
+#define LANDLOCK_LAST_PUBLIC_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL
+#define LANDLOCK_MASK_PUBLIC_ACCESS_FS ((LANDLOCK_LAST_PUBLIC_ACCESS_FS << 1) - 1)
+
+#define LANDLOCK_LAST_ACCESS_FS (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 4)
#define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1)
#define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS)
#define LANDLOCK_SHIFT_ACCESS_FS 0
diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
index c7f1526784fd..5a28ea8e1c3d 100644
--- a/security/landlock/ruleset.h
+++ b/security/landlock/ruleset.h
@@ -30,7 +30,7 @@
LANDLOCK_ACCESS_FS_REFER)
/* clang-format on */
-typedef u16 access_mask_t;
+typedef u32 access_mask_t;
/* Makes sure all filesystem access rights can be stored. */
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
/* Makes sure all network access rights can be stored. */
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 898358f57fa0..f0bc50003b46 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -137,7 +137,7 @@ static const struct file_operations ruleset_fops = {
.write = fop_dummy_write,
};
-#define LANDLOCK_ABI_VERSION 4
+#define LANDLOCK_ABI_VERSION 5
/**
* sys_landlock_create_ruleset - Create a new ruleset
@@ -192,8 +192,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
return err;
/* Checks content (and 32-bits cast). */
- if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) !=
- LANDLOCK_MASK_ACCESS_FS)
+ if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_PUBLIC_ACCESS_FS) !=
+ LANDLOCK_MASK_PUBLIC_ACCESS_FS)
return -EINVAL;
/* Checks network content (and 32-bits cast). */
@@ -201,6 +201,10 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
LANDLOCK_MASK_ACCESS_NET)
return -EINVAL;
+ /* Expands synthetic IOCTL groups. */
+ ruleset_attr.handled_access_fs = landlock_expand_handled_access_fs(
+ ruleset_attr.handled_access_fs);
+
/* Checks arguments and transforms to kernel struct. */
ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs,
ruleset_attr.handled_access_net);
@@ -309,8 +313,13 @@ static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
if (!path_beneath_attr.allowed_access)
return -ENOMSG;
- /* Checks that allowed_access matches the @ruleset constraints. */
- mask = landlock_get_raw_fs_access_mask(ruleset, 0);
+ /*
+ * Checks that allowed_access matches the @ruleset constraints and only
+ * consists of publicly visible access rights (as opposed to synthetic
+ * ones).
+ */
+ mask = landlock_get_raw_fs_access_mask(ruleset, 0) &
+ LANDLOCK_MASK_PUBLIC_ACCESS_FS;
if ((path_beneath_attr.allowed_access | mask) != mask)
return -EINVAL;
diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
index 646f778dfb1e..d292b419ccba 100644
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -75,7 +75,7 @@ TEST(abi_version)
const struct landlock_ruleset_attr ruleset_attr = {
.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
};
- ASSERT_EQ(4, landlock_create_ruleset(NULL, 0,
+ ASSERT_EQ(5, landlock_create_ruleset(NULL, 0,
LANDLOCK_CREATE_RULESET_VERSION));
ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 971a7bb404d6..0e86c14e7bb6 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -525,9 +525,10 @@ TEST_F_FORK(layout1, inval)
LANDLOCK_ACCESS_FS_EXECUTE | \
LANDLOCK_ACCESS_FS_WRITE_FILE | \
LANDLOCK_ACCESS_FS_READ_FILE | \
- LANDLOCK_ACCESS_FS_TRUNCATE)
+ LANDLOCK_ACCESS_FS_TRUNCATE | \
+ LANDLOCK_ACCESS_FS_IOCTL)
-#define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE
+#define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL
#define ACCESS_ALL ( \
ACCESS_FILE | \
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH v6 4/9] landlock: Add IOCTL access right
2023-11-24 17:30 ` [PATCH v6 4/9] landlock: Add IOCTL access right Günther Noack
@ 2023-11-26 7:23 ` kernel test robot
2023-11-30 9:28 ` Mickaël Salaün
1 sibling, 0 replies; 17+ messages in thread
From: kernel test robot @ 2023-11-26 7:23 UTC (permalink / raw)
To: Günther Noack; +Cc: oe-kbuild-all
Hi Günther,
kernel test robot noticed the following build errors:
[auto build test ERROR on shuah-kselftest/next]
[also build test ERROR on shuah-kselftest/fixes linus/master v6.7-rc2]
[cannot apply to next-20231124]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/G-nther-Noack/selftests-landlock-Rename-permitted-to-allowed-in-ftruncate-tests/20231125-023121
base: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git next
patch link: https://lore.kernel.org/r/20231124173026.3257122-5-gnoack%40google.com
patch subject: [PATCH v6 4/9] landlock: Add IOCTL access right
config: powerpc64-randconfig-r123-20231126 (https://download.01.org/0day-ci/archive/20231126/202311261403.9hYewImp-lkp@intel.com/config)
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project.git f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce: (https://download.01.org/0day-ci/archive/20231126/202311261403.9hYewImp-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202311261403.9hYewImp-lkp@intel.com/
All errors (new ones prefixed by >>):
>> security/landlock/fs.c:195:16: error: static_assert expression is not an integral constant expression
static_assert((ioctl_groups & LANDLOCK_MASK_ACCESS_FS) == ioctl_groups);
~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/build_bug.h:77:50: note: expanded from macro 'static_assert'
#define static_assert(expr, ...) __static_assert(expr, ##__VA_ARGS__, #expr)
~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/build_bug.h:78:56: note: expanded from macro '__static_assert'
#define __static_assert(expr, msg, ...) _Static_assert(expr, msg)
^~~~
1 error generated.
vim +195 security/landlock/fs.c
181
182 /**
183 * landlock_expand_access_fs() - Returns @access with the synthetic IOCTL group
184 * flags enabled if necessary.
185 *
186 * @handled: Handled FS access rights.
187 * @access: FS access rights to expand.
188 *
189 * Returns: @access expanded by the necessary flags for the synthetic IOCTL
190 * access rights.
191 */
192 static access_mask_t landlock_expand_access_fs(const access_mask_t handled,
193 const access_mask_t access)
194 {
> 195 static_assert((ioctl_groups & LANDLOCK_MASK_ACCESS_FS) == ioctl_groups);
196
197 return access |
198 expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_WRITE_FILE,
199 LANDLOCK_ACCESS_FS_IOCTL_GROUP1 |
200 LANDLOCK_ACCESS_FS_IOCTL_GROUP2 |
201 LANDLOCK_ACCESS_FS_IOCTL_GROUP4) |
202 expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_READ_FILE,
203 LANDLOCK_ACCESS_FS_IOCTL_GROUP1 |
204 LANDLOCK_ACCESS_FS_IOCTL_GROUP2 |
205 LANDLOCK_ACCESS_FS_IOCTL_GROUP3) |
206 expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_READ_DIR,
207 LANDLOCK_ACCESS_FS_IOCTL_GROUP1);
208 }
209
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH v6 4/9] landlock: Add IOCTL access right
2023-11-24 17:30 ` [PATCH v6 4/9] landlock: Add IOCTL access right Günther Noack
2023-11-26 7:23 ` kernel test robot
@ 2023-11-30 9:28 ` Mickaël Salaün
2023-12-01 14:04 ` Günther Noack
1 sibling, 1 reply; 17+ messages in thread
From: Mickaël Salaün @ 2023-11-30 9:28 UTC (permalink / raw)
To: Günther Noack
Cc: linux-security-module, Jeff Xu, Jorge Lucangeli Obes, Allen Webb,
Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski,
linux-fsdevel
On Fri, Nov 24, 2023 at 06:30:21PM +0100, Günther Noack wrote:
> Introduces the LANDLOCK_ACCESS_FS_IOCTL access right
> and increments the Landlock ABI version to 5.
>
> Like the truncate right, these rights are associated with a file
> descriptor at the time of open(2), and get respected even when the
> file descriptor is used outside of the thread which it was originally
> opened in.
>
> A newly enabled Landlock policy therefore does not apply to file
> descriptors which are already open.
>
> If the LANDLOCK_ACCESS_FS_IOCTL right is handled, only a small number
> of safe IOCTL commands will be permitted on newly opened files. The
> permitted IOCTLs can be configured through the ruleset in limited ways
> now. (See documentation for details.)
>
> Noteworthy scenarios which require special attention:
>
> TTY devices support IOCTLs like TIOCSTI and TIOCLINUX, which can be
> used to control shell processes on the same terminal which run at
> different privilege levels, which may make it possible to escape a
> sandbox. Because stdin, stdout and stderr are normally inherited
> rather than newly opened, IOCTLs are usually permitted on them even
> after the Landlock policy is enforced.
>
> Some legitimate file system features, like setting up fscrypt, are
> exposed as IOCTL commands on regular files and directories -- users of
> Landlock are advised to double check that the sandboxed process does
> not need to invoke these IOCTLs.
>
> Known limitations:
>
> The LANDLOCK_ACCESS_FS_IOCTL access right is a coarse-grained control
> over IOCTL commands. Future work will enable a more fine-grained
> access control for IOCTLs.
>
> In the meantime, Landlock users may use path-based restrictions in
> combination with their knowledge about the file system layout to
> control what IOCTLs can be done. Mounting file systems with the nodev
> option can help to distinguish regular files and devices, and give
> guarantees about the affected files, which Landlock alone can not give
> yet.
>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
> include/uapi/linux/landlock.h | 58 ++++++-
> security/landlock/fs.c | 172 ++++++++++++++++++-
> security/landlock/fs.h | 2 +
> security/landlock/limits.h | 5 +-
> security/landlock/ruleset.h | 2 +-
> security/landlock/syscalls.c | 19 +-
> tools/testing/selftests/landlock/base_test.c | 2 +-
> tools/testing/selftests/landlock/fs_test.c | 5 +-
> 8 files changed, 243 insertions(+), 22 deletions(-)
>
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> index 25c8d7677539..578f268b084b 100644
> --- a/include/uapi/linux/landlock.h
> +++ b/include/uapi/linux/landlock.h
> @@ -128,7 +128,7 @@ struct landlock_net_port_attr {
> * files and directories. Files or directories opened before the sandboxing
> * are not subject to these restrictions.
> *
> - * A file can only receive these access rights:
> + * The following access rights apply only to files:
> *
> * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
> * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that
> @@ -138,12 +138,13 @@ struct landlock_net_port_attr {
> * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
> * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file with :manpage:`truncate(2)`,
> * :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
> - * ``O_TRUNC``. Whether an opened file can be truncated with
> - * :manpage:`ftruncate(2)` is determined during :manpage:`open(2)`, in the
> - * same way as read and write permissions are checked during
> - * :manpage:`open(2)` using %LANDLOCK_ACCESS_FS_READ_FILE and
> - * %LANDLOCK_ACCESS_FS_WRITE_FILE. This access right is available since the
> - * third version of the Landlock ABI.
> + * ``O_TRUNC``. This access right is available since the third version of the
> + * Landlock ABI.
> + *
> + * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used
> + * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as
> + * read and write permissions are checked during :manpage:`open(2)` using
> + * %LANDLOCK_ACCESS_FS_READ_FILE and %LANDLOCK_ACCESS_FS_WRITE_FILE.
> *
> * A directory can receive access rights related to files or directories. The
> * following access right is applied to the directory itself, and the
> @@ -198,13 +199,53 @@ struct landlock_net_port_attr {
> * If multiple requirements are not met, the ``EACCES`` error code takes
> * precedence over ``EXDEV``.
> *
> + * The following access right applies both to files and directories:
> + *
> + * - %LANDLOCK_ACCESS_FS_IOCTL: Invoke :manpage:`ioctl(2)` commands on an opened
> + * file or directory.
> + *
> + * This access right applies to all :manpage:`ioctl(2)` commands, except of
> + * ``FIOCLEX``, ``FIONCLEX``, ``FIONBIO`` and ``FIOASYNC``. These commands
> + * continue to be invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL
> + * access right.
> + *
> + * When certain other access rights are handled in the ruleset, in addition to
> + * %LANDLOCK_ACCESS_FS_IOCTL, granting these access rights will unlock access
> + * to additional groups of IOCTL commands, on the affected files:
> + *
> + * * %LANDLOCK_ACCESS_FS_READ_FILE unlocks access to ``FIOQSIZE``,
> + * ``FS_IOC_FIEMAP``, ``FIBMAP``, ``FIGETBSZ``, ``FIONREAD``,
> + * ``FIDEDUPRANGE``.
> + *
> + * * %LANDLOCK_ACCESS_FS_WRITE_FILE unlocks access to ``FIOQSIZE``,
> + * ``FS_IOC_FIEMAP``, ``FIBMAP``, ``FIGETBSZ``, ``FICLONE``,
> + * ``FICLONERANGE``, ``FS_IOC_RESVSP``, ``FS_IOC_RESVSP64``,
> + * ``FS_IOC_UNRESVSP``, ``FS_IOC_UNRESVSP64``, ``FS_IOC_ZERO_RANGE``.
> + *
> + * * %LANDLOCK_ACCESS_FS_READ_DIR unlocks access to ``FIOQSIZE``,
> + * ``FS_IOC_FIEMAP``, ``FIBMAP``, ``FIGETBSZ``.
> + *
> + * When these access rights are handled in the ruleset, the availability of
> + * the affected IOCTL commands is not governed by %LANDLOCK_ACCESS_FS_IOCTL
> + * any more, but by the respective access right.
> + *
> + * All other IOCTL commands are not handled specially, and are governed by
> + * %LANDLOCK_ACCESS_FS_IOCTL. This includes %FS_IOC_GETFLAGS and
> + * %FS_IOC_SETFLAGS for manipulating inode flags (:manpage:`ioctl_iflags(2)`),
> + * %FS_IOC_FSFETXATTR and %FS_IOC_FSSETXATTR for manipulating extended
> + * attributes, as well as %FIFREEZE and %FITHAW for freezing and thawing file
> + * systems.
> + *
> + * This access right is available since the fifth version of the Landlock
> + * ABI.
> + *
> * .. warning::
> *
> * It is currently not possible to restrict some file-related actions
> * accessible through these syscall families: :manpage:`chdir(2)`,
> * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
> * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
> - * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`.
> + * :manpage:`fcntl(2)`, :manpage:`access(2)`.
> * Future Landlock evolutions will enable to restrict them.
> */
> /* clang-format off */
> @@ -223,6 +264,7 @@ struct landlock_net_port_attr {
> #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
> #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
> #define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
> +#define LANDLOCK_ACCESS_FS_IOCTL (1ULL << 15)
> /* clang-format on */
>
> /**
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index 9ba989ef46a5..098bf4bd7736 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -7,12 +7,14 @@
> * Copyright © 2021-2022 Microsoft Corporation
> */
>
> +#include <asm/ioctls.h>
> #include <linux/atomic.h>
> #include <linux/bitops.h>
> #include <linux/bits.h>
> #include <linux/compiler_types.h>
> #include <linux/dcache.h>
> #include <linux/err.h>
> +#include <linux/falloc.h>
> #include <linux/fs.h>
> #include <linux/init.h>
> #include <linux/kernel.h>
> @@ -28,6 +30,7 @@
> #include <linux/types.h>
> #include <linux/wait_bit.h>
> #include <linux/workqueue.h>
> +#include <uapi/linux/fiemap.h>
> #include <uapi/linux/landlock.h>
>
> #include "common.h"
> @@ -83,6 +86,141 @@ static const struct landlock_object_underops landlock_fs_underops = {
> .release = release_inode
> };
>
> +/* IOCTL helpers */
> +
> +/*
> + * These are synthetic access rights, which are only used within the kernel, but
> + * not exposed to callers in userspace. The mapping between these access rights
> + * and IOCTL commands is defined in the required_ioctl_access() helper function.
> + */
> +#define LANDLOCK_ACCESS_FS_IOCTL_GROUP1 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 1)
> +#define LANDLOCK_ACCESS_FS_IOCTL_GROUP2 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 2)
> +#define LANDLOCK_ACCESS_FS_IOCTL_GROUP3 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 3)
> +#define LANDLOCK_ACCESS_FS_IOCTL_GROUP4 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 4)
> +
> +/* ioctl_groups - all synthetic access rights for IOCTL command groups */
> +static const access_mask_t ioctl_groups =
I find it easier to read and maintain with an ORed right per line, which
requires clang-format on/off marks.
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP1 | LANDLOCK_ACCESS_FS_IOCTL_GROUP2 |
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP3 | LANDLOCK_ACCESS_FS_IOCTL_GROUP4;
> +
> +/**
> + * required_ioctl_access(): Determine required IOCTL access rights.
> + *
> + * @cmd: The IOCTL command that is supposed to be run.
> + *
> + * Returns: The access rights that must be granted on an opened file in order to
> + * use the given @cmd.
> + */
> +static access_mask_t required_ioctl_access(unsigned int cmd)
> +{
> + switch (cmd) {
> + case FIOCLEX:
> + case FIONCLEX:
> + case FIONBIO:
> + case FIOASYNC:
> + /*
> + * FIOCLEX, FIONCLEX, FIONBIO and FIOASYNC manipulate the FD's
> + * close-on-exec and the file's buffered-IO and async flags.
> + * These operations are also available through fcntl(2),
> + * and are unconditionally permitted in Landlock.
> + */
> + return 0;
> + case FIOQSIZE:
> + return LANDLOCK_ACCESS_FS_IOCTL_GROUP1;
> + case FS_IOC_FIEMAP:
> + case FIBMAP:
> + case FIGETBSZ:
> + return LANDLOCK_ACCESS_FS_IOCTL_GROUP2;
> + case FIONREAD:
> + case FIDEDUPERANGE:
> + return LANDLOCK_ACCESS_FS_IOCTL_GROUP3;
> + case FICLONE:
> + case FICLONERANGE:
> + case FS_IOC_RESVSP:
> + case FS_IOC_RESVSP64:
> + case FS_IOC_UNRESVSP:
> + case FS_IOC_UNRESVSP64:
> + case FS_IOC_ZERO_RANGE:
> + return LANDLOCK_ACCESS_FS_IOCTL_GROUP4;
> + default:
> + /*
> + * Other commands are guarded by the catch-all access right.
> + */
> + return LANDLOCK_ACCESS_FS_IOCTL;
> + }
> +}
> +
> +/**
> + * expand_ioctl() - Return the dst flags from either the src flag or the
> + * %LANDLOCK_ACCESS_FS_IOCTL flag, depending on whether the
> + * %LANDLOCK_ACCESS_FS_IOCTL and src access rights are handled or not.
> + *
> + * @handled: Handled access rights
> + * @access: The access mask to copy values from
> + * @src: A single access right to copy from in @access.
> + * @dst: One or more access rights to copy to
> + *
> + * Returns: @dst, or 0
> + */
> +static access_mask_t expand_ioctl(const access_mask_t handled,
> + const access_mask_t access,
> + const access_mask_t src,
> + const access_mask_t dst)
> +{
> + access_mask_t copy_from;
> +
> + if (!(handled & LANDLOCK_ACCESS_FS_IOCTL))
> + return 0;
> +
> + copy_from = (handled & src) ? src : LANDLOCK_ACCESS_FS_IOCTL;
> + if (access & copy_from)
> + return dst;
> +
> + return 0;
> +}
> +
> +/**
> + * landlock_expand_access_fs() - Returns @access with the synthetic IOCTL group
> + * flags enabled if necessary.
> + *
> + * @handled: Handled FS access rights.
> + * @access: FS access rights to expand.
> + *
> + * Returns: @access expanded by the necessary flags for the synthetic IOCTL
> + * access rights.
> + */
> +static access_mask_t landlock_expand_access_fs(const access_mask_t handled,
> + const access_mask_t access)
> +{
> + static_assert((ioctl_groups & LANDLOCK_MASK_ACCESS_FS) == ioctl_groups);
You can move the static_assert() call just after the ioctl_groups
declaration (contrary to BUILD_BUG_ON() calls which must be in a
function).
> +
> + return access |
> + expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_WRITE_FILE,
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP1 |
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP2 |
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP4) |
> + expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_READ_FILE,
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP1 |
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP2 |
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP3) |
> + expand_ioctl(handled, access, LANDLOCK_ACCESS_FS_READ_DIR,
> + LANDLOCK_ACCESS_FS_IOCTL_GROUP1);
> +}
> +
> +/**
> + * landlock_expand_handled_access_fs() - add synthetic IOCTL access rights to an
> + * access mask of handled accesses.
> + *
> + * @handled: The handled accesses of a ruleset that is being created
> + *
> + * Returns: @handled, with the bits for the synthetic IOCTL access rights set,
> + * if %LANDLOCK_ACCESS_FS_IOCTL is handled
Missing final dot.
> + */
> +access_mask_t landlock_expand_handled_access_fs(const access_mask_t handled)
> +{
> + return landlock_expand_access_fs(handled, handled);
> +}
> +
> /* Ruleset management */
>
> static struct landlock_object *get_inode_object(struct inode *const inode)
> @@ -147,7 +285,8 @@ static struct landlock_object *get_inode_object(struct inode *const inode)
> LANDLOCK_ACCESS_FS_EXECUTE | \
> LANDLOCK_ACCESS_FS_WRITE_FILE | \
> LANDLOCK_ACCESS_FS_READ_FILE | \
> - LANDLOCK_ACCESS_FS_TRUNCATE)
> + LANDLOCK_ACCESS_FS_TRUNCATE | \
> + LANDLOCK_ACCESS_FS_IOCTL)
> /* clang-format on */
>
> /*
> @@ -157,6 +296,7 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
> const struct path *const path,
> access_mask_t access_rights)
> {
> + access_mask_t handled;
> int err;
> struct landlock_id id = {
> .type = LANDLOCK_KEY_INODE,
> @@ -169,9 +309,11 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
> if (WARN_ON_ONCE(ruleset->num_layers != 1))
> return -EINVAL;
>
> + handled = landlock_get_fs_access_mask(ruleset, 0);
> + /* Expands the synthetic IOCTL groups. */
> + access_rights |= landlock_expand_access_fs(handled, access_rights);
> /* Transforms relative access rights to absolute ones. */
> - access_rights |= LANDLOCK_MASK_ACCESS_FS &
> - ~landlock_get_fs_access_mask(ruleset, 0);
> + access_rights |= LANDLOCK_MASK_ACCESS_FS & ~handled;
> id.key.object = get_inode_object(d_backing_inode(path->dentry));
> if (IS_ERR(id.key.object))
> return PTR_ERR(id.key.object);
> @@ -1123,7 +1265,9 @@ static int hook_file_open(struct file *const file)
> {
> layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
> access_mask_t open_access_request, full_access_request, allowed_access;
> - const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE;
> + const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE |
> + LANDLOCK_ACCESS_FS_IOCTL |
> + ioctl_groups;
> const struct landlock_ruleset *const dom = get_current_fs_domain();
>
> if (!dom)
> @@ -1196,6 +1340,25 @@ static int hook_file_truncate(struct file *const file)
> return -EACCES;
> }
>
> +static int hook_file_ioctl(struct file *file, unsigned int cmd,
> + unsigned long arg)
> +{
> + const access_mask_t required_access = required_ioctl_access(cmd);
> + const access_mask_t allowed_access =
> + landlock_file(file)->allowed_access;
> +
> + /*
> + * It is the access rights at the time of opening the file which
> + * determine whether IOCTL can be used on the opened file later.
> + *
> + * The access right is attached to the opened file in hook_file_open().
> + */
> + if ((allowed_access & required_access) == required_access)
> + return 0;
> +
> + return -EACCES;
> +}
> +
> static struct security_hook_list landlock_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(inode_free_security, hook_inode_free_security),
>
> @@ -1218,6 +1381,7 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security),
> LSM_HOOK_INIT(file_open, hook_file_open),
> LSM_HOOK_INIT(file_truncate, hook_file_truncate),
> + LSM_HOOK_INIT(file_ioctl, hook_file_ioctl),
> };
>
> __init void landlock_add_fs_hooks(void)
> diff --git a/security/landlock/fs.h b/security/landlock/fs.h
> index 488e4813680a..c88fe7bda37b 100644
> --- a/security/landlock/fs.h
> +++ b/security/landlock/fs.h
> @@ -92,4 +92,6 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
> const struct path *const path,
> access_mask_t access_hierarchy);
>
> +access_mask_t landlock_expand_handled_access_fs(const access_mask_t handled);
> +
> #endif /* _SECURITY_LANDLOCK_FS_H */
> diff --git a/security/landlock/limits.h b/security/landlock/limits.h
> index 93c9c6f91556..63b5aa0bd8fa 100644
> --- a/security/landlock/limits.h
> +++ b/security/landlock/limits.h
> @@ -18,7 +18,10 @@
> #define LANDLOCK_MAX_NUM_LAYERS 16
> #define LANDLOCK_MAX_NUM_RULES U32_MAX
>
> -#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_TRUNCATE
> +#define LANDLOCK_LAST_PUBLIC_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL
> +#define LANDLOCK_MASK_PUBLIC_ACCESS_FS ((LANDLOCK_LAST_PUBLIC_ACCESS_FS << 1) - 1)
> +
A one-line comment explaining the "4" below would be useful.
> +#define LANDLOCK_LAST_ACCESS_FS (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 4)
> #define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1)
> #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS)
> #define LANDLOCK_SHIFT_ACCESS_FS 0
> diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
> index c7f1526784fd..5a28ea8e1c3d 100644
> --- a/security/landlock/ruleset.h
> +++ b/security/landlock/ruleset.h
> @@ -30,7 +30,7 @@
> LANDLOCK_ACCESS_FS_REFER)
> /* clang-format on */
>
> -typedef u16 access_mask_t;
> +typedef u32 access_mask_t;
> /* Makes sure all filesystem access rights can be stored. */
> static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
> /* Makes sure all network access rights can be stored. */
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 898358f57fa0..f0bc50003b46 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -137,7 +137,7 @@ static const struct file_operations ruleset_fops = {
> .write = fop_dummy_write,
> };
>
> -#define LANDLOCK_ABI_VERSION 4
> +#define LANDLOCK_ABI_VERSION 5
>
> /**
> * sys_landlock_create_ruleset - Create a new ruleset
> @@ -192,8 +192,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
> return err;
>
> /* Checks content (and 32-bits cast). */
> - if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) !=
> - LANDLOCK_MASK_ACCESS_FS)
> + if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_PUBLIC_ACCESS_FS) !=
> + LANDLOCK_MASK_PUBLIC_ACCESS_FS)
> return -EINVAL;
>
> /* Checks network content (and 32-bits cast). */
> @@ -201,6 +201,10 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
> LANDLOCK_MASK_ACCESS_NET)
> return -EINVAL;
>
> + /* Expands synthetic IOCTL groups. */
> + ruleset_attr.handled_access_fs = landlock_expand_handled_access_fs(
> + ruleset_attr.handled_access_fs);
> +
> /* Checks arguments and transforms to kernel struct. */
> ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs,
> ruleset_attr.handled_access_net);
> @@ -309,8 +313,13 @@ static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
> if (!path_beneath_attr.allowed_access)
> return -ENOMSG;
>
> - /* Checks that allowed_access matches the @ruleset constraints. */
> - mask = landlock_get_raw_fs_access_mask(ruleset, 0);
> + /*
> + * Checks that allowed_access matches the @ruleset constraints and only
> + * consists of publicly visible access rights (as opposed to synthetic
> + * ones).
> + */
> + mask = landlock_get_raw_fs_access_mask(ruleset, 0) &
> + LANDLOCK_MASK_PUBLIC_ACCESS_FS;
> if ((path_beneath_attr.allowed_access | mask) != mask)
> return -EINVAL;
>
> diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
> index 646f778dfb1e..d292b419ccba 100644
> --- a/tools/testing/selftests/landlock/base_test.c
> +++ b/tools/testing/selftests/landlock/base_test.c
> @@ -75,7 +75,7 @@ TEST(abi_version)
> const struct landlock_ruleset_attr ruleset_attr = {
> .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
> };
> - ASSERT_EQ(4, landlock_create_ruleset(NULL, 0,
> + ASSERT_EQ(5, landlock_create_ruleset(NULL, 0,
> LANDLOCK_CREATE_RULESET_VERSION));
>
> ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
> diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
> index 971a7bb404d6..0e86c14e7bb6 100644
> --- a/tools/testing/selftests/landlock/fs_test.c
> +++ b/tools/testing/selftests/landlock/fs_test.c
> @@ -525,9 +525,10 @@ TEST_F_FORK(layout1, inval)
> LANDLOCK_ACCESS_FS_EXECUTE | \
> LANDLOCK_ACCESS_FS_WRITE_FILE | \
> LANDLOCK_ACCESS_FS_READ_FILE | \
> - LANDLOCK_ACCESS_FS_TRUNCATE)
> + LANDLOCK_ACCESS_FS_TRUNCATE | \
> + LANDLOCK_ACCESS_FS_IOCTL)
>
> -#define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE
> +#define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL
>
> #define ACCESS_ALL ( \
> ACCESS_FILE | \
> --
> 2.43.0.rc1.413.gea7ed67945-goog
>
>
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: [PATCH v6 4/9] landlock: Add IOCTL access right
2023-11-30 9:28 ` Mickaël Salaün
@ 2023-12-01 14:04 ` Günther Noack
0 siblings, 0 replies; 17+ messages in thread
From: Günther Noack @ 2023-12-01 14:04 UTC (permalink / raw)
To: Mickaël Salaün
Cc: linux-security-module, Jeff Xu, Jorge Lucangeli Obes, Allen Webb,
Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski,
linux-fsdevel
On Thu, Nov 30, 2023 at 10:28:44AM +0100, Mickaël Salaün wrote:
> On Fri, Nov 24, 2023 at 06:30:21PM +0100, Günther Noack wrote:
> > --- a/security/landlock/fs.c
> > +++ b/security/landlock/fs.c
> > @@ -83,6 +86,141 @@ static const struct landlock_object_underops landlock_fs_underops = {
> > .release = release_inode
> > };
> >
> > +/* IOCTL helpers */
> > +
> > +/*
> > + * These are synthetic access rights, which are only used within the kernel, but
> > + * not exposed to callers in userspace. The mapping between these access rights
> > + * and IOCTL commands is defined in the required_ioctl_access() helper function.
> > + */
> > +#define LANDLOCK_ACCESS_FS_IOCTL_GROUP1 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 1)
> > +#define LANDLOCK_ACCESS_FS_IOCTL_GROUP2 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 2)
> > +#define LANDLOCK_ACCESS_FS_IOCTL_GROUP3 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 3)
> > +#define LANDLOCK_ACCESS_FS_IOCTL_GROUP4 (LANDLOCK_LAST_PUBLIC_ACCESS_FS << 4)
> > +
> > +/* ioctl_groups - all synthetic access rights for IOCTL command groups */
> > +static const access_mask_t ioctl_groups =
>
> I find it easier to read and maintain with an ORed right per line, which
> requires clang-format on/off marks.
Done.
I turned this into a #define as well, so that the static_assert() works even in
the GCC9-based PowerPC configuration where the compile previouly failed. (I
have not reproduced this, but it seems obvious that this is the problem; the old
compiler does not realize yet that a "const int" is constant enough.)
> > +/**
> > + * landlock_expand_access_fs() - Returns @access with the synthetic IOCTL group
> > + * flags enabled if necessary.
> > + *
> > + * @handled: Handled FS access rights.
> > + * @access: FS access rights to expand.
> > + *
> > + * Returns: @access expanded by the necessary flags for the synthetic IOCTL
> > + * access rights.
> > + */
> > +static access_mask_t landlock_expand_access_fs(const access_mask_t handled,
> > + const access_mask_t access)
> > +{
> > + static_assert((ioctl_groups & LANDLOCK_MASK_ACCESS_FS) == ioctl_groups);
>
> You can move the static_assert() call just after the ioctl_groups
> declaration (contrary to BUILD_BUG_ON() calls which must be in a
> function).
Done.
> > + * Returns: @handled, with the bits for the synthetic IOCTL access rights set,
> > + * if %LANDLOCK_ACCESS_FS_IOCTL is handled
>
> Missing final dot.
Thanks, added here and also in a few other places where I missed it.
—Günther
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v6 5/9] selftests/landlock: Test IOCTL support
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
` (3 preceding siblings ...)
2023-11-24 17:30 ` [PATCH v6 4/9] landlock: Add IOCTL access right Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
2023-11-30 9:30 ` Mickaël Salaün
2023-11-24 17:30 ` [PATCH v6 6/9] selftests/landlock: Test IOCTL with memfds Günther Noack
` (3 subsequent siblings)
8 siblings, 1 reply; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
Exercises Landlock's IOCTL feature in different combinations of
handling and permitting the rights LANDLOCK_ACCESS_FS_IOCTL,
LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_WRITE_FILE and
LANDLOCK_ACCESS_FS_READ_DIR, and in different combinations of using
files and directories.
Signed-off-by: Günther Noack <gnoack@google.com>
---
tools/testing/selftests/landlock/fs_test.c | 431 ++++++++++++++++++++-
1 file changed, 428 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 0e86c14e7bb6..94f54a61e508 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -9,6 +9,7 @@
#define _GNU_SOURCE
#include <fcntl.h>
+#include <linux/fs.h>
#include <linux/landlock.h>
#include <linux/magic.h>
#include <sched.h>
@@ -672,6 +673,9 @@ static int create_ruleset(struct __test_metadata *const _metadata,
}
for (i = 0; rules[i].path; i++) {
+ if (!rules[i].access)
+ continue;
+
add_path_beneath(_metadata, ruleset_fd, rules[i].access,
rules[i].path);
}
@@ -3380,7 +3384,7 @@ TEST_F_FORK(layout1, truncate_unhandled)
LANDLOCK_ACCESS_FS_WRITE_FILE;
int ruleset_fd;
- /* Enable Landlock. */
+ /* Enables Landlock. */
ruleset_fd = create_ruleset(_metadata, handled, rules);
ASSERT_LE(0, ruleset_fd);
@@ -3463,7 +3467,7 @@ TEST_F_FORK(layout1, truncate)
LANDLOCK_ACCESS_FS_TRUNCATE;
int ruleset_fd;
- /* Enable Landlock. */
+ /* Enables Landlock. */
ruleset_fd = create_ruleset(_metadata, handled, rules);
ASSERT_LE(0, ruleset_fd);
@@ -3689,7 +3693,7 @@ TEST_F_FORK(ftruncate, open_and_ftruncate)
};
int fd, ruleset_fd;
- /* Enable Landlock. */
+ /* Enables Landlock. */
ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
ASSERT_LE(0, ruleset_fd);
enforce_ruleset(_metadata, ruleset_fd);
@@ -3766,6 +3770,16 @@ TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes)
ASSERT_EQ(0, close(socket_fds[1]));
}
+/* Invokes the FS_IOC_GETFLAGS IOCTL and returns its errno or 0. */
+static int test_fs_ioc_getflags_ioctl(int fd)
+{
+ uint32_t flags;
+
+ if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0)
+ return errno;
+ return 0;
+}
+
TEST(memfd_ftruncate)
{
int fd;
@@ -3782,6 +3796,417 @@ TEST(memfd_ftruncate)
ASSERT_EQ(0, close(fd));
}
+/* clang-format off */
+FIXTURE(ioctl) {};
+/* clang-format on */
+
+FIXTURE_SETUP(ioctl)
+{
+ prepare_layout(_metadata);
+ create_file(_metadata, file1_s1d1);
+}
+
+FIXTURE_TEARDOWN(ioctl)
+{
+ EXPECT_EQ(0, remove_path(file1_s1d1));
+ cleanup_layout(_metadata);
+}
+
+FIXTURE_VARIANT(ioctl)
+{
+ const __u64 handled;
+ const __u64 allowed;
+ const mode_t open_mode;
+ /*
+ * These are the expected IOCTL results for a representative IOCTL from
+ * each of the IOCTL groups. We only distinguish the 0 and EACCES
+ * results here, and treat other errors as 0.
+ */
+ const int expected_fioqsize_result; /* G1 */
+ const int expected_fibmap_result; /* G2 */
+ const int expected_fionread_result; /* G3 */
+ const int expected_fs_ioc_zero_range_result; /* G4 */
+ const int expected_fs_ioc_getflags_result; /* other */
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_none) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = 0,
+ .open_mode = O_RDWR,
+ .expected_fioqsize_result = EACCES,
+ .expected_fibmap_result = EACCES,
+ .expected_fionread_result = EACCES,
+ .expected_fs_ioc_zero_range_result = EACCES,
+ .expected_fs_ioc_getflags_result = EACCES,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_i_allowed_i) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_IOCTL,
+ .open_mode = O_RDWR,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = 0,
+ .expected_fs_ioc_zero_range_result = 0,
+ .expected_fs_ioc_getflags_result = 0,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, unhandled) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_EXECUTE,
+ .allowed = LANDLOCK_ACCESS_FS_EXECUTE,
+ .open_mode = O_RDWR,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = 0,
+ .expected_fs_ioc_zero_range_result = 0,
+ .expected_fs_ioc_getflags_result = 0,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_rwd_allowed_r) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
+ .allowed = LANDLOCK_ACCESS_FS_READ_FILE,
+ .open_mode = O_RDONLY,
+ /* If LANDLOCK_ACCESS_FS_IOCTL is not handled, all IOCTLs work. */
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = 0,
+ .expected_fs_ioc_zero_range_result = 0,
+ .expected_fs_ioc_getflags_result = 0,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_rwd_allowed_w) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
+ .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
+ .open_mode = O_WRONLY,
+ /* If LANDLOCK_ACCESS_FS_IOCTL is not handled, all IOCTLs work. */
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = 0,
+ .expected_fs_ioc_zero_range_result = 0,
+ .expected_fs_ioc_getflags_result = 0,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_ri_allowed_r) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_READ_FILE,
+ .open_mode = O_RDONLY,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = 0,
+ .expected_fs_ioc_zero_range_result = EACCES,
+ .expected_fs_ioc_getflags_result = EACCES,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_wi_allowed_w) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
+ .open_mode = O_WRONLY,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = EACCES,
+ .expected_fs_ioc_zero_range_result = 0,
+ .expected_fs_ioc_getflags_result = EACCES,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_di_allowed_d) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_READ_DIR,
+ .open_mode = O_RDWR,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = EACCES,
+ .expected_fionread_result = EACCES,
+ .expected_fs_ioc_zero_range_result = EACCES,
+ .expected_fs_ioc_getflags_result = EACCES,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_rwi_allowed_rw) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE,
+ .open_mode = O_RDWR,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = 0,
+ .expected_fs_ioc_zero_range_result = 0,
+ .expected_fs_ioc_getflags_result = EACCES,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_rwi_allowed_r) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_READ_FILE,
+ .open_mode = O_RDONLY,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = 0,
+ .expected_fs_ioc_zero_range_result = EACCES,
+ .expected_fs_ioc_getflags_result = EACCES,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_rwi_allowed_ri) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .open_mode = O_RDONLY,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = 0,
+ .expected_fs_ioc_zero_range_result = EACCES,
+ .expected_fs_ioc_getflags_result = 0,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_rwi_allowed_w) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE,
+ .open_mode = O_WRONLY,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = EACCES,
+ .expected_fs_ioc_zero_range_result = 0,
+ .expected_fs_ioc_getflags_result = EACCES,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(ioctl, handled_rwi_allowed_wi) {
+ /* clang-format on */
+ .handled = LANDLOCK_ACCESS_FS_READ_FILE |
+ LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .allowed = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_IOCTL,
+ .open_mode = O_WRONLY,
+ .expected_fioqsize_result = 0,
+ .expected_fibmap_result = 0,
+ .expected_fionread_result = EACCES,
+ .expected_fs_ioc_zero_range_result = 0,
+ .expected_fs_ioc_getflags_result = 0,
+};
+
+static int test_fioqsize_ioctl(int fd)
+{
+ size_t sz;
+
+ if (ioctl(fd, FIOQSIZE, &sz) < 0)
+ return errno;
+ return 0;
+}
+
+static int test_fibmap_ioctl(int fd)
+{
+ int blk = 0;
+
+ /*
+ * We only want to distinguish here whether Landlock already caught it,
+ * so we treat anything but EACCESS as success. (It commonly returns
+ * EPERM when missing CAP_SYS_RAWIO.)
+ */
+ if (ioctl(fd, FIBMAP, &blk) < 0 && errno == EACCES)
+ return errno;
+ return 0;
+}
+
+static int test_fionread_ioctl(int fd)
+{
+ size_t sz = 0;
+
+ if (ioctl(fd, FIONREAD, &sz) < 0 && errno == EACCES)
+ return errno;
+ return 0;
+}
+
+#define FS_IOC_ZERO_RANGE _IOW('X', 57, struct space_resv)
+
+static int test_fs_ioc_zero_range_ioctl(int fd)
+{
+ struct space_resv {
+ __s16 l_type;
+ __s16 l_whence;
+ __s64 l_start;
+ __s64 l_len; /* len == 0 means until end of file */
+ __s32 l_sysid;
+ __u32 l_pid;
+ __s32 l_pad[4]; /* reserved area */
+ } reservation = {};
+ /*
+ * This can fail for various reasons, but we only want to distinguish
+ * here whether Landlock already caught it, so we treat anything but
+ * EACCES as success.
+ */
+ if (ioctl(fd, FS_IOC_ZERO_RANGE, &reservation) < 0 && errno == EACCES)
+ return errno;
+ return 0;
+}
+
+TEST_F_FORK(ioctl, handle_dir_access_file)
+{
+ const int flag = 0;
+ const struct rule rules[] = {
+ {
+ .path = dir_s1d1,
+ .access = variant->allowed,
+ },
+ {},
+ };
+ int file_fd, ruleset_fd;
+
+ /* Enables Landlock. */
+ ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+
+ file_fd = open(file1_s1d1, variant->open_mode);
+ ASSERT_LE(0, file_fd);
+
+ /*
+ * Checks that IOCTL commands in each IOCTL group return the expected
+ * errors.
+ */
+ EXPECT_EQ(variant->expected_fioqsize_result,
+ test_fioqsize_ioctl(file_fd));
+ EXPECT_EQ(variant->expected_fibmap_result, test_fibmap_ioctl(file_fd));
+ EXPECT_EQ(variant->expected_fionread_result,
+ test_fionread_ioctl(file_fd));
+ EXPECT_EQ(variant->expected_fs_ioc_zero_range_result,
+ test_fs_ioc_zero_range_ioctl(file_fd));
+ EXPECT_EQ(variant->expected_fs_ioc_getflags_result,
+ test_fs_ioc_getflags_ioctl(file_fd));
+
+ /* Checks that unrestrictable commands are unrestricted. */
+ EXPECT_EQ(0, ioctl(file_fd, FIOCLEX));
+ EXPECT_EQ(0, ioctl(file_fd, FIONCLEX));
+ EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag));
+ EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag));
+
+ ASSERT_EQ(0, close(file_fd));
+}
+
+TEST_F_FORK(ioctl, handle_dir_access_dir)
+{
+ const char *const path = dir_s1d1;
+ const int flag = 0;
+ const struct rule rules[] = {
+ {
+ .path = path,
+ .access = variant->allowed,
+ },
+ {},
+ };
+ int dir_fd, ruleset_fd;
+
+ /* Enables Landlock. */
+ ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+
+ /*
+ * Ignore variant->open_mode for this test, as we intend to open a
+ * directory. If the directory can not be opened, the variant is
+ * infeasible to test with an opened directory.
+ */
+ dir_fd = open(path, O_RDONLY);
+ if (dir_fd < 0)
+ return;
+
+ /*
+ * Checks that IOCTL commands in each IOCTL group return the expected
+ * errors.
+ */
+ EXPECT_EQ(variant->expected_fioqsize_result,
+ test_fioqsize_ioctl(dir_fd));
+ EXPECT_EQ(variant->expected_fibmap_result, test_fibmap_ioctl(dir_fd));
+ EXPECT_EQ(variant->expected_fionread_result,
+ test_fionread_ioctl(dir_fd));
+ EXPECT_EQ(variant->expected_fs_ioc_zero_range_result,
+ test_fs_ioc_zero_range_ioctl(dir_fd));
+ EXPECT_EQ(variant->expected_fs_ioc_getflags_result,
+ test_fs_ioc_getflags_ioctl(dir_fd));
+
+ /* Checks that unrestrictable commands are unrestricted. */
+ EXPECT_EQ(0, ioctl(dir_fd, FIOCLEX));
+ EXPECT_EQ(0, ioctl(dir_fd, FIONCLEX));
+ EXPECT_EQ(0, ioctl(dir_fd, FIONBIO, &flag));
+ EXPECT_EQ(0, ioctl(dir_fd, FIOASYNC, &flag));
+
+ ASSERT_EQ(0, close(dir_fd));
+}
+
+TEST_F_FORK(ioctl, handle_file_access_file)
+{
+ const char *const path = file1_s1d1;
+ const int flag = 0;
+ const struct rule rules[] = {
+ {
+ .path = path,
+ .access = variant->allowed,
+ },
+ {},
+ };
+ int file_fd, ruleset_fd;
+
+ if (variant->allowed & LANDLOCK_ACCESS_FS_READ_DIR) {
+ SKIP(return, "LANDLOCK_ACCESS_FS_READ_DIR "
+ "can not be granted on files");
+ }
+
+ /* Enables Landlock. */
+ ruleset_fd = create_ruleset(_metadata, variant->handled, rules);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+
+ file_fd = open(path, variant->open_mode);
+ ASSERT_LE(0, file_fd);
+
+ /*
+ * Checks that IOCTL commands in each IOCTL group return the expected
+ * errors.
+ */
+ EXPECT_EQ(variant->expected_fioqsize_result,
+ test_fioqsize_ioctl(file_fd));
+ EXPECT_EQ(variant->expected_fibmap_result, test_fibmap_ioctl(file_fd));
+ EXPECT_EQ(variant->expected_fionread_result,
+ test_fionread_ioctl(file_fd));
+ EXPECT_EQ(variant->expected_fs_ioc_zero_range_result,
+ test_fs_ioc_zero_range_ioctl(file_fd));
+ EXPECT_EQ(variant->expected_fs_ioc_getflags_result,
+ test_fs_ioc_getflags_ioctl(file_fd));
+
+ /* Checks that unrestrictable commands are unrestricted. */
+ EXPECT_EQ(0, ioctl(file_fd, FIOCLEX));
+ EXPECT_EQ(0, ioctl(file_fd, FIONCLEX));
+ EXPECT_EQ(0, ioctl(file_fd, FIONBIO, &flag));
+ EXPECT_EQ(0, ioctl(file_fd, FIOASYNC, &flag));
+
+ ASSERT_EQ(0, close(file_fd));
+}
+
/* clang-format off */
FIXTURE(layout1_bind) {};
/* clang-format on */
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread* Re: [PATCH v6 5/9] selftests/landlock: Test IOCTL support
2023-11-24 17:30 ` [PATCH v6 5/9] selftests/landlock: Test IOCTL support Günther Noack
@ 2023-11-30 9:30 ` Mickaël Salaün
0 siblings, 0 replies; 17+ messages in thread
From: Mickaël Salaün @ 2023-11-30 9:30 UTC (permalink / raw)
To: Günther Noack
Cc: linux-security-module, Jeff Xu, Jorge Lucangeli Obes, Allen Webb,
Dmitry Torokhov, Paul Moore, Konstantin Meskhidze, Matt Bobrowski,
linux-fsdevel
On Fri, Nov 24, 2023 at 06:30:22PM +0100, Günther Noack wrote:
> Exercises Landlock's IOCTL feature in different combinations of
> handling and permitting the rights LANDLOCK_ACCESS_FS_IOCTL,
> LANDLOCK_ACCESS_FS_READ_FILE, LANDLOCK_ACCESS_FS_WRITE_FILE and
> LANDLOCK_ACCESS_FS_READ_DIR, and in different combinations of using
> files and directories.
>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
> tools/testing/selftests/landlock/fs_test.c | 431 ++++++++++++++++++++-
> 1 file changed, 428 insertions(+), 3 deletions(-)
>
> diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
> index 0e86c14e7bb6..94f54a61e508 100644
> --- a/tools/testing/selftests/landlock/fs_test.c
> +++ b/tools/testing/selftests/landlock/fs_test.c
> @@ -9,6 +9,7 @@
>
> #define _GNU_SOURCE
> #include <fcntl.h>
> +#include <linux/fs.h>
> #include <linux/landlock.h>
> #include <linux/magic.h>
> #include <sched.h>
> @@ -672,6 +673,9 @@ static int create_ruleset(struct __test_metadata *const _metadata,
> }
>
> for (i = 0; rules[i].path; i++) {
> + if (!rules[i].access)
> + continue;
I hope this change will not hide some bugs in future changes. We could
set .path to NULL instead but I think your approach is OK.
> +
> add_path_beneath(_metadata, ruleset_fd, rules[i].access,
> rules[i].path);
> }
^ permalink raw reply [flat|nested] 17+ messages in thread
* [PATCH v6 6/9] selftests/landlock: Test IOCTL with memfds
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
` (4 preceding siblings ...)
2023-11-24 17:30 ` [PATCH v6 5/9] selftests/landlock: Test IOCTL support Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
2023-11-24 17:30 ` [PATCH v6 7/9] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) Günther Noack
` (2 subsequent siblings)
8 siblings, 0 replies; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
Because the LANDLOCK_ACCESS_FS_IOCTL right is associated with the
opened file during open(2), IOCTLs are supposed to work with files
which are opened by means other than open(2).
Signed-off-by: Günther Noack <gnoack@google.com>
---
tools/testing/selftests/landlock/fs_test.c | 36 ++++++++++++++++------
1 file changed, 27 insertions(+), 9 deletions(-)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 94f54a61e508..734647f86564 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -3780,20 +3780,38 @@ static int test_fs_ioc_getflags_ioctl(int fd)
return 0;
}
-TEST(memfd_ftruncate)
+TEST(memfd_ftruncate_and_ioctl)
{
- int fd;
-
- fd = memfd_create("name", MFD_CLOEXEC);
- ASSERT_LE(0, fd);
+ const struct landlock_ruleset_attr attr = {
+ .handled_access_fs = ACCESS_ALL,
+ };
+ int ruleset_fd, fd, i;
/*
- * Checks that ftruncate is permitted on file descriptors that are
- * created in ways other than open(2).
+ * We exercise the same test both with and without Landlock enabled, to
+ * ensure that it behaves the same in both cases.
*/
- EXPECT_EQ(0, test_ftruncate(fd));
+ for (i = 0; i < 2; i++) {
+ /* Creates a new memfd. */
+ fd = memfd_create("name", MFD_CLOEXEC);
+ ASSERT_LE(0, fd);
- ASSERT_EQ(0, close(fd));
+ /*
+ * Checks that operations associated with the opened file
+ * (ftruncate, ioctl) are permitted on file descriptors that are
+ * created in ways other than open(2).
+ */
+ EXPECT_EQ(0, test_ftruncate(fd));
+ EXPECT_EQ(0, test_fs_ioc_getflags_ioctl(fd));
+
+ ASSERT_EQ(0, close(fd));
+
+ /* Enables Landlock. */
+ ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+ }
}
/* clang-format off */
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v6 7/9] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH)
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
` (5 preceding siblings ...)
2023-11-24 17:30 ` [PATCH v6 6/9] selftests/landlock: Test IOCTL with memfds Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
2023-11-24 17:30 ` [PATCH v6 8/9] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL Günther Noack
2023-11-24 17:30 ` [PATCH v6 9/9] landlock: Document IOCTL support Günther Noack
8 siblings, 0 replies; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
ioctl(2) and ftruncate(2) operations on files opened with O_PATH
should always return EBADF, independent of the
LANDLOCK_ACCESS_FS_TRUNCATE and LANDLOCK_ACCESS_FS_IOCTL access rights
in that file hierarchy.
Signed-off-by: Günther Noack <gnoack@google.com>
Suggested-by: Mickaël Salaün <mic@digikod.net>
---
tools/testing/selftests/landlock/fs_test.c | 40 ++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 734647f86564..d7987b631ec4 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -3814,6 +3814,46 @@ TEST(memfd_ftruncate_and_ioctl)
}
}
+TEST_F_FORK(layout1, o_path_ftruncate_and_ioctl)
+{
+ const struct landlock_ruleset_attr attr = {
+ .handled_access_fs = ACCESS_ALL,
+ };
+ int ruleset_fd, fd;
+
+ /*
+ * Checks that for files opened with O_PATH, both ioctl(2) and
+ * ftruncate(2) yield EBADF, as it is documented in open(2) for the
+ * O_PATH flag.
+ */
+ fd = open(dir_s1d1, O_PATH | O_CLOEXEC);
+ ASSERT_LE(0, fd);
+
+ EXPECT_EQ(EBADF, test_ftruncate(fd));
+ EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd));
+
+ ASSERT_EQ(0, close(fd));
+
+ /* Enables Landlock. */
+ ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0);
+ ASSERT_LE(0, ruleset_fd);
+ enforce_ruleset(_metadata, ruleset_fd);
+ ASSERT_EQ(0, close(ruleset_fd));
+
+ /*
+ * Checks that after enabling Landlock,
+ * - the file can still be opened with O_PATH
+ * - both ioctl and truncate still yield EBADF (not EACCES).
+ */
+ fd = open(dir_s1d1, O_PATH | O_CLOEXEC);
+ ASSERT_LE(0, fd);
+
+ EXPECT_EQ(EBADF, test_ftruncate(fd));
+ EXPECT_EQ(EBADF, test_fs_ioc_getflags_ioctl(fd));
+
+ ASSERT_EQ(0, close(fd));
+}
+
/* clang-format off */
FIXTURE(ioctl) {};
/* clang-format on */
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v6 8/9] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
` (6 preceding siblings ...)
2023-11-24 17:30 ` [PATCH v6 7/9] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
2023-11-24 17:30 ` [PATCH v6 9/9] landlock: Document IOCTL support Günther Noack
8 siblings, 0 replies; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
Add ioctl support to the Landlock sample tool.
The ioctl right is grouped with the read-write rights in the sample
tool, as some ioctl requests provide features that mutate state.
Signed-off-by: Günther Noack <gnoack@google.com>
Co-developed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
samples/landlock/sandboxer.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 08596c0ef070..d7323e5526be 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -81,7 +81,8 @@ static int parse_path(char *env_path, const char ***const path_list)
LANDLOCK_ACCESS_FS_EXECUTE | \
LANDLOCK_ACCESS_FS_WRITE_FILE | \
LANDLOCK_ACCESS_FS_READ_FILE | \
- LANDLOCK_ACCESS_FS_TRUNCATE)
+ LANDLOCK_ACCESS_FS_TRUNCATE | \
+ LANDLOCK_ACCESS_FS_IOCTL)
/* clang-format on */
@@ -199,11 +200,12 @@ static int populate_ruleset_net(const char *const env_var, const int ruleset_fd,
LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
LANDLOCK_ACCESS_FS_MAKE_SYM | \
LANDLOCK_ACCESS_FS_REFER | \
- LANDLOCK_ACCESS_FS_TRUNCATE)
+ LANDLOCK_ACCESS_FS_TRUNCATE | \
+ LANDLOCK_ACCESS_FS_IOCTL)
/* clang-format on */
-#define LANDLOCK_ABI_LAST 4
+#define LANDLOCK_ABI_LAST 5
int main(const int argc, char *const argv[], char *const *const envp)
{
@@ -317,6 +319,11 @@ int main(const int argc, char *const argv[], char *const *const envp)
ruleset_attr.handled_access_net &=
~(LANDLOCK_ACCESS_NET_BIND_TCP |
LANDLOCK_ACCESS_NET_CONNECT_TCP);
+ __attribute__((fallthrough));
+ case 4:
+ /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 5 */
+ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL;
+
fprintf(stderr,
"Hint: You should update the running kernel "
"to leverage Landlock features "
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread* [PATCH v6 9/9] landlock: Document IOCTL support
2023-11-24 17:30 [PATCH v6 0/9] Landlock: IOCTL support Günther Noack
` (7 preceding siblings ...)
2023-11-24 17:30 ` [PATCH v6 8/9] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL Günther Noack
@ 2023-11-24 17:30 ` Günther Noack
8 siblings, 0 replies; 17+ messages in thread
From: Günther Noack @ 2023-11-24 17:30 UTC (permalink / raw)
To: linux-security-module, Mickaël Salaün
Cc: Jeff Xu, Jorge Lucangeli Obes, Allen Webb, Dmitry Torokhov,
Paul Moore, Konstantin Meskhidze, Matt Bobrowski, linux-fsdevel,
Günther Noack
In the paragraph above the fallback logic, use the shorter phrasing
from the landlock(7) man page.
Signed-off-by: Günther Noack <gnoack@google.com>
---
Documentation/userspace-api/landlock.rst | 74 +++++++++++++++++++-----
1 file changed, 59 insertions(+), 15 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 2e3822677061..68498ca64dc9 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -75,7 +75,8 @@ to be explicit about the denied-by-default access rights.
LANDLOCK_ACCESS_FS_MAKE_BLOCK |
LANDLOCK_ACCESS_FS_MAKE_SYM |
LANDLOCK_ACCESS_FS_REFER |
- LANDLOCK_ACCESS_FS_TRUNCATE,
+ LANDLOCK_ACCESS_FS_TRUNCATE |
+ LANDLOCK_ACCESS_FS_IOCTL,
.handled_access_net =
LANDLOCK_ACCESS_NET_BIND_TCP |
LANDLOCK_ACCESS_NET_CONNECT_TCP,
@@ -84,10 +85,10 @@ to be explicit about the denied-by-default access rights.
Because we may not know on which kernel version an application will be
executed, it is safer to follow a best-effort security approach. Indeed, we
should try to protect users as much as possible whatever the kernel they are
-using. To avoid binary enforcement (i.e. either all security features or
-none), we can leverage a dedicated Landlock command to get the current version
-of the Landlock ABI and adapt the handled accesses. Let's check if we should
-remove access rights which are only supported in higher versions of the ABI.
+using.
+
+To be compatible with older Linux versions, we detect the available Landlock ABI
+version, and only use the available subset of access rights:
.. code-block:: c
@@ -113,6 +114,10 @@ remove access rights which are only supported in higher versions of the ABI.
ruleset_attr.handled_access_net &=
~(LANDLOCK_ACCESS_NET_BIND_TCP |
LANDLOCK_ACCESS_NET_CONNECT_TCP);
+ __attribute__((fallthrough));
+ case 4:
+ /* Removes LANDLOCK_ACCESS_FS_IOCTL for ABI < 5 */
+ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_IOCTL;
}
This enables to create an inclusive ruleset that will contain our rules.
@@ -224,6 +229,7 @@ access rights per directory enables to change the location of such directory
without relying on the destination directory access rights (except those that
are required for this operation, see ``LANDLOCK_ACCESS_FS_REFER``
documentation).
+
Having self-sufficient hierarchies also helps to tighten the required access
rights to the minimal set of data. This also helps avoid sinkhole directories,
i.e. directories where data can be linked to but not linked from. However,
@@ -317,18 +323,24 @@ It should also be noted that truncating files does not require the
system call, this can also be done through :manpage:`open(2)` with the flags
``O_RDONLY | O_TRUNC``.
-When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE``
-right is associated with the newly created file descriptor and will be used for
-subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is
-similar to opening a file for reading or writing, where permissions are checked
-during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
+The truncate right is associated with the opened file (see below).
+
+Rights associated with file descriptors
+---------------------------------------
+
+When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` and
+``LANDLOCK_ACCESS_FS_IOCTL`` rights is associated with the newly created file
+descriptor and will be used for subsequent truncation and ioctl attempts using
+:manpage:`ftruncate(2)` and :manpage:`ioctl(2)`. The behavior is similar to
+opening a file for reading or writing, where permissions are checked during
+:manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and
:manpage:`write(2)` calls.
-As a consequence, it is possible to have multiple open file descriptors for the
-same file, where one grants the right to truncate the file and the other does
-not. It is also possible to pass such file descriptors between processes,
-keeping their Landlock properties, even when these processes do not have an
-enforced Landlock ruleset.
+As a consequence, it is possible to have multiple open file descriptors
+referring to the same file, where one grants the truncate or ioctl right and the
+other does not. It is also possible to pass such file descriptors between
+processes, keeping their Landlock properties, even when these processes do not
+have an enforced Landlock ruleset.
Compatibility
=============
@@ -457,6 +469,28 @@ Memory usage
Kernel memory allocated to create rulesets is accounted and can be restricted
by the Documentation/admin-guide/cgroup-v1/memory.rst.
+IOCTL support
+-------------
+
+The ``LANDLOCK_ACCESS_FS_IOCTL`` access right restricts the use of
+:manpage:`ioctl(2)`, but it only applies to newly opened files. This means
+specifically that pre-existing file descriptors like stdin, stdout and stderr
+are unaffected.
+
+Users should be aware that TTY devices have traditionally permitted to control
+other processes on the same TTY through the ``TIOCSTI`` and ``TIOCLINUX`` IOCTL
+commands. It is therefore recommended to close inherited TTY file descriptors,
+or to reopen them from ``/proc/self/fd/*`` without the
+``LANDLOCK_ACCESS_FS_IOCTL`` right, if possible. The :manpage:`isatty(3)`
+function checks whether a given file descriptor is a TTY.
+
+Landlock's IOCTL support is coarse-grained at the moment, but may become more
+fine-grained in the future. Until then, users are advised to establish the
+guarantees that they need through the file hierarchy, by only permitting the
+``LANDLOCK_ACCESS_FS_IOCTL`` right on files where it is really harmless. In
+cases where you can control the mounts, the ``nodev`` mount option can help to
+rule out that device files can be accessed.
+
Previous limitations
====================
@@ -494,6 +528,16 @@ bind and connect actions to only a set of allowed ports thanks to the new
``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP``
access rights.
+IOCTL (ABI < 5)
+---------------
+
+IOCTL operations could not be denied before the fifth Landlock ABI, so
+:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an
+earlier ABI.
+
+Starting with the Landlock ABI version 5, it is possible to restrict the use of
+:manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL`` access right.
+
.. _kernel_support:
Kernel support
--
2.43.0.rc1.413.gea7ed67945-goog
^ permalink raw reply related [flat|nested] 17+ messages in thread