Date: Fri, 2 Sep 2022 15:12:47 +0200
From: Mickaël Salaün
Subject: Re: [PATCH v5 0/4] landlock: truncate support
To: xiujianfeng, Günther Noack, linux-security-module@vger.kernel.org
Cc: James Morris, Paul Moore, "Serge E. Hallyn", linux-fsdevel@vger.kernel.org, Konstantin Meskhidze
References: <20220817203006.21769-1-gnoack3000@gmail.com> <0bf1e5f2-3764-d697-d3ab-d3c4064484ef@huawei.com>
In-Reply-To: <0bf1e5f2-3764-d697-d3ab-d3c4064484ef@huawei.com>

On 02/09/2022 14:26, xiujianfeng wrote:
> Hi,
>
> On 2022/9/2 1:10, Mickaël Salaün wrote:
>> Hmm, I think there is an issue with this series. Landlock only enforces
>> restrictions at open time or when dealing with user-supplied file paths
>> (relative or absolute). The use of the path_truncate hook in this series
>> doesn't distinguish between file descriptors from before the current
>> sandbox or from after being sandboxed. For instance, if a file
>> descriptor is received through a unix socket, it is assumed that this is
>> legitimate and no Landlock restriction applies to it, which is not the
>> case with this series anymore. It is the same for files opened before
>> the process sandboxes itself.
>
> So I think this issue also exists in the chown/chmod series, right?
> There is a testcase in that patchset verifying the corresponding rights
> inside the sandbox with a fd opened before sandboxing.

Correct. For LANDLOCK_ACCESS_FS_TRUNCATE, we need to add tests to make
sure that:

* a sandboxed process with the truncate restriction can open a file in
  write mode, forward it to an un-sandboxed process, and make sure this
  receiver cannot truncate the file descriptor, nor its dup.

* an inherited file descriptor can be truncated even if done by a
  sandboxed process, except if it was created by a sandboxed process and
  the truncate restriction applied on it.

However, for the file metadata accesses, I suggest you first focus on
the inode_setattr and inode_setxattr hook modifications. We'll get back
to these FD-based restrictions later.
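The two test cases listed above, written out as an added user-space example that is not part of this thread nor of the Landlock patch series: a small C program that sandboxes a child with a ruleset handling write and truncate but granting only write, then checks (case 1) that a file the sandboxed child opened for writing and forwarded over a unix socket with SCM_RIGHTS cannot be ftruncate()d by the un-sandboxed receiver, and (case 2) that a file descriptor opened before sandboxing can still be truncated by the sandboxed child. This is the semantics the reply asks for, where the truncate right is fixed at open time and travels with the open file description, as implemented upstream in Landlock ABI v3 (LANDLOCK_ACCESS_FS_TRUNCATE). Assumptions, all mine: a kernel with Landlock ABI 3 or later, a writable /tmp, the landlock syscalls being permitted in the environment, the fallback syscall numbers and UAPI bit values for older headers, and the helper names sandbox_no_truncate, send_fd, recv_fd, make_tmpfile, forwarded_fd_stays_untruncatable and inherited_fd_stays_truncatable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Fallbacks for older headers: asm-generic syscall numbers and Landlock UAPI bits. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LL_WRITE_FILE (1ULL << 1)  /* LANDLOCK_ACCESS_FS_WRITE_FILE */
#define LL_TRUNCATE (1ULL << 14)   /* LANDLOCK_ACCESS_FS_TRUNCATE, Landlock ABI v3 */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* Highest Landlock ABI the kernel supports (-1 if unavailable); truncate needs >= 3. */
int landlock_abi(void) {
    return (int)syscall(__NR_landlock_create_ruleset, NULL, 0, 1U /* LANDLOCK_CREATE_RULESET_VERSION */);
}

/* Sandbox the caller: handle write and truncate, but grant only write beneath dir. */
static int sandbox_no_truncate(const char *dir) {
    struct ll_ruleset_attr rs = { .handled_access_fs = LL_WRITE_FILE | LL_TRUNCATE };
    struct ll_path_beneath_attr rule = { .allowed_access = LL_WRITE_FILE };
    int rfd = syscall(__NR_landlock_create_ruleset, &rs, sizeof(rs), 0);
    rule.parent_fd = open(dir, O_PATH | O_CLOEXEC);
    if (rfd < 0 || rule.parent_fd < 0) return -1;
    if (syscall(__NR_landlock_add_rule, rfd, 1 /* LANDLOCK_RULE_PATH_BENEATH */, &rule, 0)) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return syscall(__NR_landlock_restrict_self, rfd, 0) ? -1 : 0;
}

/* Pass a single fd over a unix socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd) {
    char c = 0, buf[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { &c, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}
static int recv_fd(int sock) {
    char c, buf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &c, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = NULL; int fd = -1;
    if (recvmsg(sock, &msg, 0) == 1 && (cm = CMSG_FIRSTHDR(&msg)) && cm->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Private directory with one empty file; the file exists before any sandboxing. */
static int make_tmpfile(char *dir, char *path) {
    strcpy(dir, "/tmp/ll-XXXXXX"); if (!mkdtemp(dir)) return -1;
    strcpy(path, dir); strcat(path, "/f");
    return open(path, O_CREAT | O_WRONLY, 0600);
}

/* Case 1: a truncate-restricted sandbox opens the file for writing and forwards the fd to
 * an unsandboxed receiver. 1 = receiver's ftruncate() refused with EACCES, 0 = it succeeded, -1 = setup error. */
int forwarded_fd_stays_untruncatable(void) {
    char dir[32], path[40]; int sv[2], status = -1, r = -1, fd = make_tmpfile(dir, path);
    if (fd < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv)) return -1;
    close(fd);
    pid_t pid = fork();
    if (pid == 0) {                       /* sandboxed sender */
        if (sandbox_no_truncate(dir)) _exit(1);
        fd = open(path, O_WRONLY);        /* write is allowed, truncate is not */
        _exit(fd < 0 || send_fd(sv[1], fd) ? 1 : 0);
    }
    close(sv[1]);
    fd = recv_fd(sv[0]);                  /* the receiver is not sandboxed */
    waitpid(pid, &status, 0);
    if (fd >= 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0)
        r = ftruncate(fd, 0) == 0 ? 0 : (errno == EACCES ? 1 : -1);
    close(fd); close(sv[0]); unlink(path); rmdir(dir);
    return r;
}
/* Case 2: the fd was opened before sandboxing and is inherited by the sandboxed child.
 * 1 = child can still ftruncate() it, 0 = refused with EACCES, -1 = setup error. */
int inherited_fd_stays_truncatable(void) {
    char dir[32], path[40]; int status = -1, r = -1, fd = make_tmpfile(dir, path);
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (sandbox_no_truncate(dir)) _exit(2);
        _exit(ftruncate(fd, 0) == 0 ? 1 : (errno == EACCES ? 0 : 2));
    }
    waitpid(pid, &status, 0);
    if (WIFEXITED(status) && WEXITSTATUS(status) < 2) r = WEXITSTATUS(status);
    close(fd); unlink(path); rmdir(dir);
    return r;
}
```

On a kernel with Landlock ABI 3 or later both functions return 1; on an older kernel the ruleset creation fails with EINVAL because of the unknown handled bit, and they return -1, which is why a caller should check landlock_abi() first. The "nor its dup" part of case 1 follows from the same check: dup() shares the open file description whose truncate right was decided at open time, so ftruncate() on the duplicate is refused the same way. Calling ftruncate() with the file's current size would also be refused, since the decision depends on the descriptor, not on the requested length.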