From: "Günther Noack" <gnoack3000@gmail.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Günther Noack" <gnoack@google.com>,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Paul Moore" <paul@paul-moore.com>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v1 1/3] landlock: Refactor filesystem access mask management
Date: Sat, 5 Oct 2024 18:57:55 +0200 [thread overview]
Message-ID: <20241005.a69458234f74@gnoack.org> (raw)
In-Reply-To: <20241001141234.397649-2-mic@digikod.net>
On Tue, Oct 01, 2024 at 04:12:32PM +0200, Mickaël Salaün wrote:
> Replace get_raw_handled_fs_accesses() with a generic
> landlock_merge_access_masks(), and replace the get_fs_domain()
> implementation with a call to the new landlock_filter_access_masks()
> helper. These helpers will also be useful for other types of access.
>
> Replace struct access_masks with union access_masks that includes a new
> "all" field to simplify mask filtering.
>
> Cc: Günther Noack <gnoack@google.com>
> Cc: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> Link: https://lore.kernel.org/r/20241001141234.397649-2-mic@digikod.net
> ---
> security/landlock/fs.c | 21 ++++-----------
> security/landlock/ruleset.h | 51 +++++++++++++++++++++++++++---------
> security/landlock/syscalls.c | 2 +-
> 3 files changed, 44 insertions(+), 30 deletions(-)
>
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index 7d79fc8abe21..a2ef7d151c81 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -388,33 +388,22 @@ static bool is_nouser_or_private(const struct dentry *dentry)
> unlikely(IS_PRIVATE(d_backing_inode(dentry))));
> }
>
> -static access_mask_t
> -get_raw_handled_fs_accesses(const struct landlock_ruleset *const domain)
> -{
> - access_mask_t access_dom = 0;
> - size_t layer_level;
> -
> - for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
> - access_dom |=
> - landlock_get_raw_fs_access_mask(domain, layer_level);
> - return access_dom;
> -}
> -
> static access_mask_t
> get_handled_fs_accesses(const struct landlock_ruleset *const domain)
> {
> /* Handles all initially denied by default access rights. */
> - return get_raw_handled_fs_accesses(domain) |
> + return landlock_merge_access_masks(domain).fs |
> LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
> }
>
> static const struct landlock_ruleset *
> get_fs_domain(const struct landlock_ruleset *const domain)
> {
> - if (!domain || !get_raw_handled_fs_accesses(domain))
> - return NULL;
> + const union access_masks all_fs = {
> + .fs = ~0,
> + };
>
> - return domain;
> + return landlock_filter_access_masks(domain, all_fs);
> }
>
> static const struct landlock_ruleset *get_current_fs_domain(void)
> diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h
> index 61bdbc550172..a816042ca8f3 100644
> --- a/security/landlock/ruleset.h
> +++ b/security/landlock/ruleset.h
> @@ -41,12 +41,19 @@ static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_SCOPE);
> static_assert(sizeof(unsigned long) >= sizeof(access_mask_t));
>
> /* Ruleset access masks. */
> -struct access_masks {
> - access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
> - access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
> - access_mask_t scope : LANDLOCK_NUM_SCOPE;
> +union access_masks {
> + struct {
> + access_mask_t fs : LANDLOCK_NUM_ACCESS_FS;
> + access_mask_t net : LANDLOCK_NUM_ACCESS_NET;
> + access_mask_t scope : LANDLOCK_NUM_SCOPE;
> + };
> + u32 all;
> };
More of a style remark:
I wonder whether it is worth turning this into a union.
If this is for performance, I do not think is buys you much. With
optimization enabled, it does not make much of a difference whether
you are doing the & on .all or whether you are doing it on the
individual fields. (I tried it out with gcc. The only difference is
that the & on the individual fields will at the end mask only the bits
that belong to these fields.)
At the same time, in most places where struct access_masks is used,
the union is not necessary and might add to the confusion.
>
> +/* Makes sure all fields are covered. */
> +static_assert(sizeof(((union access_masks *)NULL)->all) ==
> + sizeof(union access_masks));
> +
> typedef u16 layer_mask_t;
> /* Makes sure all layers can be checked. */
> static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
> @@ -229,7 +236,7 @@ struct landlock_ruleset {
> * layers are set once and never changed for the
> * lifetime of the ruleset.
> */
> - struct access_masks access_masks[];
> + union access_masks access_masks[];
> };
> };
> };
> @@ -260,6 +267,31 @@ static inline void landlock_get_ruleset(struct landlock_ruleset *const ruleset)
> refcount_inc(&ruleset->usage);
> }
>
> +static inline union access_masks
> +landlock_merge_access_masks(const struct landlock_ruleset *const domain)
> +{
> + size_t layer_level;
> + union access_masks matches = {};
> +
> + for (layer_level = 0; layer_level < domain->num_layers; layer_level++)
> + matches.all |= domain->access_masks[layer_level].all;
> +
> + return matches;
> +}
> +
> +static inline const struct landlock_ruleset *
> +landlock_filter_access_masks(const struct landlock_ruleset *const domain,
> + const union access_masks masks)
With this function name, the return type of this function is
unintuitive to me. Judging by the name, I would have expected a
function that returns a "access_masks" value as well, similar to the
function one above (the remaining access rights after filtering)?
In the places where the result of this function is returned directly,
I find myself jumping back to the function implementation to
understand what this means.
As a constructive suggestion, how about calling this function
differently, e.g.
bool landlock_any_access_rights_handled(
const struct landlock_ruleset *const domain,
struct access_masks masks);
Then the callers who previously did
return landlock_filter_access_masks(dom, masks);
would now do
if (landlock_any_access_rights_handled(dom, masks))
return dom;
return NULL;
This is more verbose, but IMHO verbose code is not inherently bad,
if it is also clearer. And it's only two lines more.
> +{
> + if (!domain)
> + return NULL;
> +
> + if (landlock_merge_access_masks(domain).all & masks.all)
> + return domain;
> +
> + return NULL;
> +}
Function documentation for both functions would be good :)
> +
> static inline void
> landlock_add_fs_access_mask(struct landlock_ruleset *const ruleset,
> const access_mask_t fs_access_mask,
> @@ -295,19 +327,12 @@ landlock_add_scope_mask(struct landlock_ruleset *const ruleset,
> ruleset->access_masks[layer_level].scope |= mask;
> }
>
> -static inline access_mask_t
> -landlock_get_raw_fs_access_mask(const struct landlock_ruleset *const ruleset,
> - const u16 layer_level)
> -{
> - return ruleset->access_masks[layer_level].fs;
> -}
> -
> static inline access_mask_t
> landlock_get_fs_access_mask(const struct landlock_ruleset *const ruleset,
> const u16 layer_level)
> {
> /* Handles all initially denied by default access rights. */
> - return landlock_get_raw_fs_access_mask(ruleset, layer_level) |
> + return ruleset->access_masks[layer_level].fs |
> LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
> }
>
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index f5a0e7182ec0..c097d356fa45 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -329,7 +329,7 @@ static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
> return -ENOMSG;
>
> /* Checks that allowed_access matches the @ruleset constraints. */
> - mask = landlock_get_raw_fs_access_mask(ruleset, 0);
> + mask = ruleset->access_masks[0].fs;
> if ((path_beneath_attr.allowed_access | mask) != mask)
> return -EINVAL;
>
> --
> 2.46.1
>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
–Günther
next prev parent reply other threads:[~2024-10-05 16:57 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-01 14:12 [PATCH v1 0/3] Refactor Landlock access mask management Mickaël Salaün
2024-10-01 14:12 ` [PATCH v1 1/3] landlock: Refactor filesystem " Mickaël Salaün
2024-10-05 16:57 ` Günther Noack [this message]
2024-10-07 13:00 ` Mickaël Salaün
2024-10-10 9:10 ` Mickaël Salaün
2024-10-01 14:12 ` [PATCH v1 2/3] landlock: Refactor network " Mickaël Salaün
2024-10-01 14:12 ` [PATCH v1 3/3] landlock: Optimize scope enforcement Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241005.a69458234f74@gnoack.org \
--to=gnoack3000@gmail.com \
--cc=fahimitahera@gmail.com \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).