From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp-190f.mail.infomaniak.ch (smtp-190f.mail.infomaniak.ch [185.125.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D2D2E205ABA for ; Fri, 10 Jan 2025 11:24:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.15 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736508284; cv=none; b=tqPSF2jLP8ugHX6OCYJMqDpZsSrH5rfxytuwu/k5T0SlqH75lRwtYADi9eBFqGDYJJWt7lpnwJxTDQDwNj2ipkyKpVo2zw/LLK0hAS3//Xkkpe3erpdpArZf9ZWG6RjiIvs9xmcq1Y4Va6j1M41GSKqLzJpDa67jSeGu1RPZBC0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736508284; c=relaxed/simple; bh=xYu7mv+AKl6RD847kj+30pqzI/UU505MEfuhmi3dCmE=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=Fwtu7fsdvESH+GL/mVUYCR3eqSjLKa18YvGaUHeS6D1udKPox8mJXDhDeE+RMpaVuGajvP0eQUEj21EcGy+/aArvy79l5N4fHDsJdAUR1ezeXleOPCnGOn2RuctvQDzwgIk/wTS3WhHMi81a/yOgXnCKB5mPzgYNopF9rcs4rCg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=wLpNHGQA; arc=none smtp.client-ip=185.125.25.15 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="wLpNHGQA" Received: from smtp-4-0000.mail.infomaniak.ch (smtp-4-0000.mail.infomaniak.ch [10.7.10.107]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4YTzp11x9Vz3n5; Fri, 10 Jan 2025 12:24:41 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1736508281; bh=5lL+heYdB/ShYMoCch+jsXhFcK8Z6nwMDhjvne5414o=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=wLpNHGQAsAoghNZFrQyiGFXOopSjbondI+lwiofDgUx9sbMf3v7aNUrGy/dhxWnGL rXy33R9ngurHZH6ePbQa08UfTM6ogUlBDGRTYtUIDnJppTwa7QMRLhyPquf5jI2nxB ZOuq4awP0mMbwbd+111Et52g50xgHn8YIjJcxxYo= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4YTzp01ckTzZ5X; Fri, 10 Jan 2025 12:24:40 +0100 (CET) Date: Fri, 10 Jan 2025 12:24:39 +0100 From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= To: Eric Paris , Paul Moore , =?utf-8?Q?G=C3=BCnther?= Noack , "Serge E . Hallyn" Cc: Ben Scarlato , Casey Schaufler , Charles Zaffery , Daniel Burgener , Francis Laniel , James Morris , Jann Horn , Jeff Xu , Jorge Lucangeli Obes , Kees Cook , Konstantin Meskhidze , Matt Bobrowski , Mikhail Ivanov , Phil Sutter , Praveen K Paladugu , Robert Salvet , Shervin Oloumi , Song Liu , Tahera Fahimi , Tyler Hicks , audit@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v4 13/30] landlock: Optimize file path walks and prepare for audit support Message-ID: <20250110.ahKa1heipoh9@digikod.net> References: <20250108154338.1129069-1-mic@digikod.net> <20250108154338.1129069-14-mic@digikod.net> Precedence: bulk X-Mailing-List: audit@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20250108154338.1129069-14-mic@digikod.net> X-Infomaniak-Routing: alpha On Wed, Jan 08, 2025 at 04:43:21PM +0100, Mickaël Salaün wrote: > Always synchronize access_masked_parent* with access_request_parent* > according to allowed_parent*. This is required for audit support to be > able to get back to the reason of denial. > > In a rename/link action, instead of always checking a rule two times for > the same parent directory of the source and the destination files, only > check it when an action on a child was not already allowed. This also > enables us to keep consistent allowed_parent* status, which is required > to get back to the reason of denial. > > For internal mount points, only upgrade allowed_parent* to true but do > not wrongfully set both of them to false otherwise. This is also > required to get back to the reason of denial. > > This does not impact the current behavior but slightly optimize code and > prepare for audit support that needs to know the exact reason why an > access was denied. > > Cc: Günther Noack > Signed-off-by: Mickaël Salaün > Link: https://lore.kernel.org/r/20250108154338.1129069-14-mic@digikod.net Pushed in my next tree to simplify next patch series. > --- > > Changes since v2: > - New patch. > --- > security/landlock/fs.c | 44 ++++++++++++++++++++++++++---------------- > 1 file changed, 27 insertions(+), 17 deletions(-) > > diff --git a/security/landlock/fs.c b/security/landlock/fs.c > index ddadc465581e..01f9d5e78218 100644 > --- a/security/landlock/fs.c > +++ b/security/landlock/fs.c > @@ -854,15 +854,6 @@ static bool is_access_to_paths_allowed( > child1_is_directory, layer_masks_parent2, > layer_masks_child2, > child2_is_directory))) { > - allowed_parent1 = scope_to_request( > - access_request_parent1, layer_masks_parent1); > - allowed_parent2 = scope_to_request( > - access_request_parent2, layer_masks_parent2); > - > - /* Stops when all accesses are granted. */ > - if (allowed_parent1 && allowed_parent2) > - break; > - > /* > * Now, downgrades the remaining checks from domain > * handled accesses to requested accesses. > @@ -870,15 +861,32 @@ static bool is_access_to_paths_allowed( > is_dom_check = false; > access_masked_parent1 = access_request_parent1; > access_masked_parent2 = access_request_parent2; > + > + allowed_parent1 = > + allowed_parent1 || > + scope_to_request(access_masked_parent1, > + layer_masks_parent1); > + allowed_parent2 = > + allowed_parent2 || > + scope_to_request(access_masked_parent2, > + layer_masks_parent2); > + > + /* Stops when all accesses are granted. */ > + if (allowed_parent1 && allowed_parent2) > + break; > } > > rule = find_rule(domain, walker_path.dentry); > - allowed_parent1 = landlock_unmask_layers( > - rule, access_masked_parent1, layer_masks_parent1, > - ARRAY_SIZE(*layer_masks_parent1)); > - allowed_parent2 = landlock_unmask_layers( > - rule, access_masked_parent2, layer_masks_parent2, > - ARRAY_SIZE(*layer_masks_parent2)); > + allowed_parent1 = allowed_parent1 || > + landlock_unmask_layers( > + rule, access_masked_parent1, > + layer_masks_parent1, > + ARRAY_SIZE(*layer_masks_parent1)); > + allowed_parent2 = allowed_parent2 || > + landlock_unmask_layers( > + rule, access_masked_parent2, > + layer_masks_parent2, > + ARRAY_SIZE(*layer_masks_parent2)); > > /* Stops when a rule from each layer grants access. */ > if (allowed_parent1 && allowed_parent2) > @@ -902,8 +910,10 @@ static bool is_access_to_paths_allowed( > * access to internal filesystems (e.g. nsfs, which is > * reachable through /proc//ns/). > */ > - allowed_parent1 = allowed_parent2 = > - !!(walker_path.mnt->mnt_flags & MNT_INTERNAL); > + if (walker_path.mnt->mnt_flags & MNT_INTERNAL) { > + allowed_parent1 = true; > + allowed_parent2 = true; > + } > break; > } > parent_dentry = dget_parent(walker_path.dentry); > -- > 2.47.1 > >