From: "Mickaël Salaün" <mic@digikod.net>
To: "Günther Noack" <gnoack3000@gmail.com>
Cc: "Günther Noack" <gnoack@google.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
"Paul Moore" <paul@paul-moore.com>,
"Dave Chinner" <david@fromorbit.com>,
"Kent Overstreet" <kent.overstreet@linux.dev>,
syzbot+34b68f850391452207df@syzkaller.appspotmail.com,
syzbot+360866a59e3c80510a62@syzkaller.appspotmail.com,
"Ubisectech Sirius" <bugreport@ubisectech.com>,
"Brian Foster" <bfoster@redhat.com>,
linux-bcachefs@vger.kernel.org, linux-xfs@vger.kernel.org
Subject: Re: [PATCH v1 1/2] landlock: Handle weird files
Date: Sat, 11 Jan 2025 16:38:56 +0100 [thread overview]
Message-ID: <20250111.PhoHophoh1zi@digikod.net> (raw)
In-Reply-To: <20250110.3421eeaaf069@gnoack.org>
On Fri, Jan 10, 2025 at 05:37:26PM +0100, Günther Noack wrote:
> On Fri, Jan 10, 2025 at 04:39:13PM +0100, Mickaël Salaün wrote:
> > A corrupted filesystem (e.g. bcachefs) might return weird files.
> > Instead of throwing a warning and allowing access to such file, treat
> > them as regular files.
> >
> > Cc: Dave Chinner <david@fromorbit.com>
> > Cc: Günther Noack <gnoack@google.com>
> > Cc: Kent Overstreet <kent.overstreet@linux.dev>
> > Cc: Paul Moore <paul@paul-moore.com>
> > Reported-by: syzbot+34b68f850391452207df@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/r/000000000000a65b35061cffca61@google.com
> > Reported-by: syzbot+360866a59e3c80510a62@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/r/67379b3f.050a0220.85a0.0001.GAE@google.com
> > Reported-by: Ubisectech Sirius <bugreport@ubisectech.com>
> > Closes: https://lore.kernel.org/r/c426821d-8380-46c4-a494-7008bbd7dd13.bugreport@ubisectech.com
> > Fixes: cb2c7d1a1776 ("landlock: Support filesystem access-control")
> > Signed-off-by: Mickaël Salaün <mic@digikod.net>
> > ---
> > security/landlock/fs.c | 11 +++++------
> > 1 file changed, 5 insertions(+), 6 deletions(-)
> >
> > diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> > index e31b97a9f175..7adb25150488 100644
> > --- a/security/landlock/fs.c
> > +++ b/security/landlock/fs.c
> > @@ -937,10 +937,6 @@ static access_mask_t get_mode_access(const umode_t mode)
> > switch (mode & S_IFMT) {
> > case S_IFLNK:
> > return LANDLOCK_ACCESS_FS_MAKE_SYM;
> > - case 0:
> > - /* A zero mode translates to S_IFREG. */
> > - case S_IFREG:
> > - return LANDLOCK_ACCESS_FS_MAKE_REG;
> > case S_IFDIR:
> > return LANDLOCK_ACCESS_FS_MAKE_DIR;
> > case S_IFCHR:
> > @@ -951,9 +947,12 @@ static access_mask_t get_mode_access(const umode_t mode)
> > return LANDLOCK_ACCESS_FS_MAKE_FIFO;
> > case S_IFSOCK:
> > return LANDLOCK_ACCESS_FS_MAKE_SOCK;
> > + case S_IFREG:
> > + case 0:
> > + /* A zero mode translates to S_IFREG. */
> > default:
> > - WARN_ON_ONCE(1);
> > - return 0;
> > + /* Treats weird files as regular files. */
> > + return LANDLOCK_ACCESS_FS_MAKE_REG;
> > }
> > }
> >
> > --
> > 2.47.1
> >
>
> Reviewed-by: Günther Noack <gnoack3000@gmail.com>
>
> Makes sense to me, since this is enforcing a stronger check than before
> and can only happen in the case of corruption.
>
> I do not have a good intuition about what happens afterwards when the
> file system is in such a state. I imagine that this will usually give
> an error shortly afterwards, as the opening of the file continues? Is
> that right?
I guess it depends on the filesystem implementation. For instance, XFS
returns an error if a weird file is detected [1], whereas bcachefs
ignores it (which is considered a bug, but not fixed yet) [2].
[1] https://lore.kernel.org/all/Zpc46HEacI%2Fwd7Rg@dread.disaster.area/
[2] https://lore.kernel.org/all/4hohnthh54adx35lnxzedop3oxpntpmtygxso4iraiexfdlt4d@6m7ssepvjyar/
>
> –Günther
>
next prev parent reply other threads:[~2025-01-11 15:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-10 15:39 [PATCH v1 1/2] landlock: Handle weird files Mickaël Salaün
2025-01-10 15:39 ` [PATCH v1 2/2] landlock: Constify get_mode_access() Mickaël Salaün
2025-01-10 16:39 ` Günther Noack
2025-01-10 16:37 ` [PATCH v1 1/2] landlock: Handle weird files Günther Noack
2025-01-11 15:38 ` Mickaël Salaün [this message]
2025-01-15 7:15 ` Christoph Hellwig
2025-01-15 10:54 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250111.PhoHophoh1zi@digikod.net \
--to=mic@digikod.net \
--cc=bfoster@redhat.com \
--cc=bugreport@ubisectech.com \
--cc=david@fromorbit.com \
--cc=gnoack3000@gmail.com \
--cc=gnoack@google.com \
--cc=kent.overstreet@linux.dev \
--cc=linux-bcachefs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=syzbot+34b68f850391452207df@syzkaller.appspotmail.com \
--cc=syzbot+360866a59e3c80510a62@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).