From: Jann Horn <jannh@google.com>
To: Tahera Fahimi <fahimitahera@gmail.com>
Cc: outreachy@lists.linux.dev, mic@digikod.net, gnoack@google.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, bjorn3_gh@protonmail.com,
netdev@vger.kernel.org
Subject: Re: [PATCH v3 2/6] Landlock: Adding file_send_sigiotask signal scoping support
Date: Thu, 15 Aug 2024 22:25:15 +0200 [thread overview]
Message-ID: <CAG48ez2Sw0Cy3RYrgrsEDKyWoxMmMbzX6yY-OEfZqeyGDQhy9w@mail.gmail.com> (raw)
In-Reply-To: <d04bc943e8d275e8d00bb7742bcdbabc7913abbe.1723680305.git.fahimitahera@gmail.com>
On Thu, Aug 15, 2024 at 8:29 PM Tahera Fahimi <fahimitahera@gmail.com> wrote:
> This patch adds two new hooks "hook_file_set_fowner" and
> "hook_file_free_security" to set and release a pointer to the
> domain of the file owner. This pointer "fown_domain" in
> "landlock_file_security" will be used in "file_send_sigiotask"
> to check if the process can send a signal.
>
> Signed-off-by: Tahera Fahimi <fahimitahera@gmail.com>
> ---
> security/landlock/fs.c | 18 ++++++++++++++++++
> security/landlock/fs.h | 6 ++++++
> security/landlock/task.c | 27 +++++++++++++++++++++++++++
> 3 files changed, 51 insertions(+)
>
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index 7877a64cc6b8..d05f0e9c5e54 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -1636,6 +1636,21 @@ static int hook_file_ioctl_compat(struct file *file, unsigned int cmd,
> return -EACCES;
> }
>
> +static void hook_file_set_fowner(struct file *file)
> +{
> + write_lock_irq(&file->f_owner.lock);
Before updating landlock_file(file)->fown_domain, this hook must also
drop a reference on the old domain - maybe by just calling
landlock_put_ruleset_deferred(landlock_file(file)->fown_domain) here.
> + landlock_file(file)->fown_domain = landlock_get_current_domain();
> + landlock_get_ruleset(landlock_file(file)->fown_domain);
> + write_unlock_irq(&file->f_owner.lock);
> +}
> +
> +static void hook_file_free_security(struct file *file)
> +{
> + write_lock_irq(&file->f_owner.lock);
> + landlock_put_ruleset(landlock_file(file)->fown_domain);
> + write_unlock_irq(&file->f_owner.lock);
> +}
> +
> static struct security_hook_list landlock_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(inode_free_security, hook_inode_free_security),
>
> @@ -1660,6 +1675,9 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(file_truncate, hook_file_truncate),
> LSM_HOOK_INIT(file_ioctl, hook_file_ioctl),
> LSM_HOOK_INIT(file_ioctl_compat, hook_file_ioctl_compat),
> +
> + LSM_HOOK_INIT(file_set_fowner, hook_file_set_fowner),
> + LSM_HOOK_INIT(file_free_security, hook_file_free_security),
> };
>
> __init void landlock_add_fs_hooks(void)
> diff --git a/security/landlock/fs.h b/security/landlock/fs.h
> index 488e4813680a..6054563295d8 100644
> --- a/security/landlock/fs.h
> +++ b/security/landlock/fs.h
> @@ -52,6 +52,12 @@ struct landlock_file_security {
> * needed to authorize later operations on the open file.
> */
> access_mask_t allowed_access;
> + /**
> + * @fown_domain: A pointer to a &landlock_ruleset of the process own
> + * the file. This ruleset is protected by fowner_struct.lock same as
> + * pid, uid, euid fields in fown_struct.
> + */
> + struct landlock_ruleset *fown_domain;
> };
>
> /**
> diff --git a/security/landlock/task.c b/security/landlock/task.c
> index 9de96a5005c4..568292dbfe7d 100644
> --- a/security/landlock/task.c
> +++ b/security/landlock/task.c
> @@ -18,6 +18,7 @@
>
> #include "common.h"
> #include "cred.h"
> +#include "fs.h"
> #include "ruleset.h"
> #include "setup.h"
> #include "task.h"
> @@ -261,12 +262,38 @@ static int hook_task_kill(struct task_struct *const p,
> return 0;
> }
>
> +static int hook_file_send_sigiotask(struct task_struct *tsk,
> + struct fown_struct *fown, int signum)
> +{
> + struct file *file;
> + bool is_scoped;
> + const struct landlock_ruleset *dom, *target_dom;
> +
> + /* struct fown_struct is never outside the context of a struct file */
> + file = container_of(fown, struct file, f_owner);
> +
> + read_lock_irq(&file->f_owner.lock);
> + dom = landlock_file(file)->fown_domain;
> + read_unlock_irq(&file->f_owner.lock);
At this point, the ->fown_domain pointer could concurrently change,
and (once you apply my suggestion above) the old ->fown_domain could
therefore be freed concurrently. One way to avoid that would be to use
landlock_get_ruleset() to grab a reference before calling
read_unlock_irq(), and drop that reference with
landlock_put_ruleset_deferred() before exiting from this function.
> + if (!dom)
> + return 0;
> +
> + rcu_read_lock();
> + target_dom = landlock_get_task_domain(tsk);
> + is_scoped = domain_is_scoped(dom, target_dom, LANDLOCK_SCOPED_SIGNAL);
> + rcu_read_unlock();
> + if (is_scoped)
> + return -EPERM;
> + return 0;
> +}
> +
> static struct security_hook_list landlock_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check),
> LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
> LSM_HOOK_INIT(unix_stream_connect, hook_unix_stream_connect),
> LSM_HOOK_INIT(unix_may_send, hook_unix_may_send),
> LSM_HOOK_INIT(task_kill, hook_task_kill),
> + LSM_HOOK_INIT(file_send_sigiotask, hook_file_send_sigiotask),
> };
>
> __init void landlock_add_task_hooks(void)
> --
> 2.34.1
>
next prev parent reply other threads:[~2024-08-15 20:25 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-15 18:29 [PATCH v3 0/6] Landlock: Signal Scoping Support Tahera Fahimi
2024-08-15 18:29 ` [PATCH v3 1/6] Landlock: Add signal control Tahera Fahimi
2024-08-15 18:29 ` [PATCH v3 2/6] Landlock: Adding file_send_sigiotask signal scoping support Tahera Fahimi
2024-08-15 20:25 ` Jann Horn [this message]
2024-08-15 21:28 ` Tahera Fahimi
2024-08-15 22:10 ` Jann Horn
2024-08-15 23:06 ` Tahera Fahimi
2024-08-19 17:57 ` Mickaël Salaün
2024-08-21 10:13 ` Mickaël Salaün
2024-08-15 18:29 ` [PATCH v3 3/6] selftest/Landlock: Signal restriction tests Tahera Fahimi
2024-08-20 15:57 ` Mickaël Salaün
2024-08-26 12:40 ` Mickaël Salaün
2024-08-15 18:29 ` [PATCH v3 4/6] selftest/Landlock: pthread_kill(3) tests Tahera Fahimi
2024-08-20 15:57 ` Mickaël Salaün
2024-08-26 12:40 ` Mickaël Salaün
2024-08-15 18:29 ` [PATCH v3 5/6] sample/Landlock: Support signal scoping restriction Tahera Fahimi
2024-08-15 18:29 ` [PATCH v3 6/6] Landlock: Document LANDLOCK_SCOPED_SIGNAL Tahera Fahimi
2024-08-15 21:07 ` Tahera Fahimi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez2Sw0Cy3RYrgrsEDKyWoxMmMbzX6yY-OEfZqeyGDQhy9w@mail.gmail.com \
--to=jannh@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=fahimitahera@gmail.com \
--cc=gnoack@google.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=outreachy@lists.linux.dev \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).