From: "Günther Noack" <gnoack@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Günther Noack" <gnoack3000@gmail.com>,
"Jeff Xu" <jeffxu@google.com>,
"Jorge Lucangeli Obes" <jorgelo@chromium.org>,
"Allen Webb" <allenwebb@google.com>,
"Jeff Xu" <jeffxu@chromium.org>,
"Dmitry Torokhov" <dtor@google.com>,
linux-security-module@vger.kernel.org,
"Paul Moore" <paul@paul-moore.com>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
Linux-Fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [RFC 0/4] Landlock: ioctl support
Date: Wed, 12 Jul 2023 13:08:20 +0200 [thread overview]
Message-ID: <ZK6JhyiC0Z0vwu0u@google.com> (raw)
In-Reply-To: <d4f1395c-d2d4-1860-3a02-2a0c023dd761@digikod.net>
Hello!
On Sat, Jun 17, 2023 at 11:47:55AM +0200, Mickaël Salaün wrote:
> > > We should also think about batch operations on FD (see the
> > > close_range syscall), for instance to deny all IOCTLs on inherited
> > > or received FDs.
> >
> > Hm, you mean a landlock_fd_rights_limit_range() syscall to limit the
> > rights for an entire range of FDs?
> >
> > I have to admit, I'm not familiar with the real-life use cases of
> > close_range(). In most programs I work with, it's difficult to reason
> > about their ordering once the program has really started to run. So I
> > imagine that close_range() is mostly used to "sanitize" the open file
> > descriptors at the start of main(), and you have a similar use case in
> > mind for this one as well?
> >
> > If it's just about closing the range from 0 to 2, I'm not sure it's
> > worth adding a custom syscall. :)
>
> The advantage of this kind of range is to efficiently manage all potential
> FDs, and the main use case is to close (or change, see the flags) everything
> *except" 0-2 (i.e. 3-~0), and then avoid a lot of (potentially useless)
> syscalls.
>
> The Landlock interface doesn't need to be a syscall. We could just add a new
> rule type which could take a FD range and restrict them when calling
> landlock_restrict_self(). Something like this:
> struct landlock_fd_attr {
> __u64 allowed_access;
> __u32 first;
> __u32 last;
> }
FYI, regarding the idea of dropping rights on already-opened files:
I'm starting to have doubts about how feasible this is in practice.
The "obvious" approach is to just remove the access rights from the security
blob flags on the struct file.
But these opened "struct file"s might be shared with other processes already,
and mutating them in place would have undesired side effects on other processes.
For example, if brltty uses ioctls on the terminal and then one of the programs
running in that terminal drops ioctl rights on that open file, it would affect
brltty as well, because both the Landlocked program and brltty use the same
struct file.
It could be technically stored next to the file descriptor list, where the
close-on-exec flag is also stored, but that seems more cumbersome than I had
hoped. I don't have a good approach for that idea yet, so I'll drop it for now.
Ideas are welcome. :)
—Günther
--
Sent using Mutt 🐕 Woof Woof
next prev parent reply other threads:[~2023-07-12 11:08 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-02 17:17 [RFC 0/4] Landlock: ioctl support Günther Noack
2023-05-02 17:17 ` [RFC 1/4] landlock: Increment Landlock ABI version to 4 Günther Noack
2023-06-19 14:41 ` Mickaël Salaün
2023-05-02 17:17 ` [RFC 2/4] landlock: Add LANDLOCK_ACCESS_FS_IOCTL access right Günther Noack
2023-06-19 14:42 ` Mickaël Salaün
2023-07-14 12:46 ` Günther Noack
2023-07-31 13:42 ` Mickaël Salaün
2023-05-02 17:17 ` [RFC 3/4] selftests/landlock: Test ioctl support Günther Noack
2023-06-19 14:42 ` Mickaël Salaün
2023-08-07 7:39 ` Günther Noack
2023-08-07 9:41 ` Mickaël Salaün
2023-08-07 13:21 ` Günther Noack
2023-05-02 17:17 ` [RFC 4/4] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL Günther Noack
2023-05-04 21:12 ` [RFC 0/4] Landlock: ioctl support Mickaël Salaün
2023-05-10 19:21 ` Günther Noack
2023-05-24 21:43 ` Jeff Xu
2023-06-17 9:48 ` Mickaël Salaün
2023-06-20 23:44 ` Jeff Xu
2023-06-21 9:17 ` Mickaël Salaün
2023-06-17 9:47 ` Mickaël Salaün
2023-06-19 16:21 ` Günther Noack
2023-06-19 18:57 ` Mickaël Salaün
2023-07-12 11:08 ` Günther Noack [this message]
2023-07-12 11:38 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZK6JhyiC0Z0vwu0u@google.com \
--to=gnoack@google.com \
--cc=allenwebb@google.com \
--cc=dtor@google.com \
--cc=gnoack3000@gmail.com \
--cc=jeffxu@chromium.org \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).