Subject: Re: [RFC PATCH v14 05/10] fs,landlock: Support filesystem access-control
To: Jann Horn
Cc: kernel list, Al Viro, Andy Lutomirski, Arnd Bergmann, Casey Schaufler, Greg Kroah-Hartman, James Morris, Jann Horn, Jonathan Corbet, Kees Cook, Michael Kerrisk, Mickaël Salaün, "Serge E . Hallyn", Shuah Khan, Vincent Dagonneau, Kernel Hardening, Linux API, linux-arch, linux-doc@vger.kernel.org, linux-fsdevel, "open list:KERNEL SELFTEST FRAMEWORK", linux-security-module, the arch/x86 maintainers
References: <20200224160215.4136-1-mic@digikod.net> <20200224160215.4136-6-mic@digikod.net>
From: Mickaël Salaün
Message-ID: <34319b76-44bd-8915-fd7c-5147f901615e@digikod.net>
Date: Thu, 27 Feb 2020 17:50:31 +0100

On 26/02/2020 21:29, Jann Horn wrote:
> On Mon, Feb 24, 2020 at 5:03 PM Mickaël Salaün wrote:
>> +static inline u32 get_mem_access(unsigned long prot, bool private)
>> +{
>> + u32 access = LANDLOCK_ACCESS_FS_MAP;
>> +
>> + /* Private mapping do not write to files. */
>> + if (!private && (prot & PROT_WRITE))
>> + access |= LANDLOCK_ACCESS_FS_WRITE;
>> + if (prot & PROT_READ)
>> + access |= LANDLOCK_ACCESS_FS_READ;
>> + if (prot & PROT_EXEC)
>> + access |= LANDLOCK_ACCESS_FS_EXECUTE;
>> + return access;
>> +}
>
> When I do the following, is landlock going to detect that the mmap()
> is a read access, or is it incorrectly going to think that it's
> neither read nor write?
>
> $ cat write-only.c
> #include <fcntl.h>
> #include <sys/mman.h>
> #include <stdio.h>
> int main(void) {
>   int fd = open("/etc/passwd", O_RDONLY);
>   char *ptr = mmap(NULL, 0x1000, PROT_WRITE, MAP_PRIVATE, fd, 0);
>   printf("'%.*s'\n", 4, ptr);
> }
> $ gcc -o write-only write-only.c -Wall
> $ ./write-only
> 'root'
> $
>

Thanks to the "if (!private && (prot & PROT_WRITE))", Landlock allows this private mmap (as intended) even if there is no write access to this file, but not with a shared mmap (and a file opened with O_RDWR). I just added a test for this to be sure.

However, I'm not sure this hook is useful for now. Indeed, the process still needs to have a file descriptor open with the right accesses.
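
Review bot: in get_mem_access(), a private mapping requested with only PROT_WRITE ends up with just LANDLOCK_ACCESS_FS_MAP, because the `!private` test skips LANDLOCK_ACCESS_FS_WRITE and the PROT_READ test does not fire, yet the write-only.c program quoted above reads file contents through exactly such a mapping. Consider also setting LANDLOCK_ACCESS_FS_READ when PROT_WRITE is requested on a private mapping, for example `if ((prot & PROT_READ) || (private && (prot & PROT_WRITE)))`, and extend the comment to say why the read right is needed there. Minor: the comment should read "Private mappings do not write to files."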