From: "Günther Noack" <gnoack@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org,
Jeff Xu <jeffxu@google.com>,
Jorge Lucangeli Obes <jorgelo@chromium.org>,
Allen Webb <allenwebb@google.com>,
Dmitry Torokhov <dtor@google.com>,
Paul Moore <paul@paul-moore.com>,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
Matt Bobrowski <repnop@google.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v4 0/7] Landlock: IOCTL support
Date: Fri, 8 Dec 2023 15:39:30 +0100 [thread overview]
Message-ID: <ZXMqordGs31R7oGR@google.com> (raw)
In-Reply-To: <20231130.eipai4uXighe@digikod.net>
On Thu, Nov 30, 2023 at 10:26:47AM +0100, Mickaël Salaün wrote:
> On Fri, Nov 24, 2023 at 02:02:12PM +0100, Günther Noack wrote:
> > On Fri, Nov 17, 2023 at 09:44:31PM +0100, Mickaël Salaün wrote:
> > I don't think it is at odds with the backwards-compatibility concerns which we
> > previously discussed. The synthetic groups still exist, it's just the
> > "permitting LANDLOCK_ACCESS_FS_IOCTL on a file or directory" which affects a
> > different set of IOCTL commands.
>
> It would not be a backward-compatibility issue, but it would make
> LANDLOCK_ACCESS_FS_IOCTL too powerful even if we get safer/better access
> rights. Furthermore, reducing the scope of LANDLOCK_ACCESS_FS_IOCTL with
> new handled access rights should better inform end encourage developers
> to drop LANDLOCK_ACCESS_FS_IOCTL when it is not strictly needed.
> It would be useful to explain this rationale in the commit message.
> See https://lore.kernel.org/all/20231020.moefooYeV9ei@digikod.net/
Done; I added a section to the commit message.
> > > > > If the scope of LANDLOCK_ACCESS_FS_IOCTL is well documented, that should
> > > > > be OK. But maybe we should rename this right to something like
> > > > > LANDLOCK_ACCESS_FS_IOCTL_DEFAULT to make it more obvious that it handles
> > > > > IOCTLs that are not handled by other access rights?
> > > >
> > > > Hmm, I'm not convinced this is a good name. It makes sense in the context of
> > > > allowing "all the other ioctls" for a file or file hierarchy, but when setting
> > > > LANDLOCK_ACCESS_FS_IOCTL in handled_access_fs, that flag turns off *all* ioctls,
> > > > so "default" doesn't seem appropriate to me.
> > >
> > > It should turn off all IOCTLs that are not handled by another access
> > > right. The handled access rights should be expanded the same way as the
> > > allowed access rights.
> >
> > If you handle LANDLOCK_ACCESS_FS_IOCTL, and you don't permit anything on files
> > or directories, all IOCTL commands will be forbidden, independent of what else
> > is handled.
> >
> > The opposite is not true:
> >
> > If you handle LANDLOCK_ACCESS_FS_READ_FILE, and you don't handle
> > LANDLOCK_ACCESS_FS_IOCTL, all IOCTL commands will happily work.
> >
> > So if you see it through that lens, you could say that it is only the
> > LANDLOCK_ACCESS_FS_IOCTL bit in the "handled" mask which forbids any IOCTL
> > commands at all.
>
> Handling LANDLOCK_ACCESS_FS_IOCTL does make all IOCTLs denied by
> default. However, to allow IOCTLs, developers may need to allow
> LANDLOCK_ACCESS_FS_IOCTL or another access right according to the
> underlying semantic.
>
> It would be useful to add an example with your table in the
> documentation, for instance with LANDLOCK_ACCESS_FS_READ_FILE (handled
> or not handled, with LANDLOCK_ACCESS_FS_IOCTL or not, allowed on a file
> or not...).
Added an example to the documentation.
—Günther
prev parent reply other threads:[~2023-12-08 14:39 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-03 15:57 [PATCH v4 0/7] Landlock: IOCTL support Günther Noack
2023-11-03 15:57 ` [PATCH v4 1/7] landlock: Optimize the number of calls to get_access_mask slightly Günther Noack
2023-11-16 21:49 ` Mickaël Salaün
2023-11-17 10:54 ` Günther Noack
2023-11-03 15:57 ` [PATCH v4 2/7] landlock: Add IOCTL access right Günther Noack
2023-11-16 21:50 ` Mickaël Salaün
2023-11-17 10:49 ` Günther Noack
2023-11-03 15:57 ` [PATCH v4 3/7] selftests/landlock: Test IOCTL support Günther Noack
2023-11-03 15:57 ` [PATCH v4 4/7] selftests/landlock: Test IOCTL with memfds Günther Noack
2023-11-03 15:57 ` [PATCH v4 5/7] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) Günther Noack
2023-11-03 15:57 ` [PATCH v4 6/7] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL Günther Noack
2023-11-04 1:50 ` kernel test robot
2023-11-16 21:50 ` Mickaël Salaün
2023-11-17 10:52 ` Günther Noack
2023-11-03 15:57 ` [PATCH v4 7/7] landlock: Document IOCTL support Günther Noack
2023-11-16 21:49 ` [PATCH v4 0/7] Landlock: " Mickaël Salaün
2023-11-17 14:44 ` Günther Noack
2023-11-17 20:44 ` Mickaël Salaün
2023-11-24 13:02 ` Günther Noack
2023-11-30 9:26 ` Mickaël Salaün
2023-12-08 14:39 ` Günther Noack [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZXMqordGs31R7oGR@google.com \
--to=gnoack@google.com \
--cc=allenwebb@google.com \
--cc=dtor@google.com \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=repnop@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.