mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-01 10:42:11 +00:00
Landlock updates for v6.9-rc1
-----BEGIN PGP SIGNATURE----- iIYEABYKAC4WIQSVyBthFV4iTW/VU1/l49DojIL20gUCZfHmqxAcbWljQGRpZ2lr b2QubmV0AAoJEOXj0OiMgvbSvbABAIUF7nujsgnE9AykjhTKzg+by86mvXK0fdLG WVW0cwfgAP49daJb8JyZP9d6PvcgDfH4vV8E7r5PFeaICPdoOwg2Bg== =xJV1 -----END PGP SIGNATURE----- Merge tag 'landlock-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux Pull landlock updates from Mickaël Salaün: "Some miscellaneous improvements, including new KUnit tests, extended documentation and boot help, and some cosmetic cleanups. Additional test changes already went through the net tree" * tag 'landlock-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: samples/landlock: Don't error out if a file path cannot be opened landlock: Use f_cred in security_file_open() hook landlock: Rename "ptrace" files to "task" landlock: Simplify current_check_access_socket() landlock: Warn once if a Landlock action is requested while disabled landlock: Extend documentation for kernel support landlock: Add support for KUnit tests selftests/landlock: Clean up error logs related to capabilities
This commit is contained in:
commit
35e886e88c
@ -19,11 +19,12 @@ unexpected/malicious behaviors in user space applications. Landlock empowers
|
|||||||
any process, including unprivileged ones, to securely restrict themselves.
|
any process, including unprivileged ones, to securely restrict themselves.
|
||||||
|
|
||||||
We can quickly make sure that Landlock is enabled in the running system by
|
We can quickly make sure that Landlock is enabled in the running system by
|
||||||
looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep
|
looking for "landlock: Up and running" in kernel logs (as root):
|
||||||
landlock || journalctl -kg landlock`` . Developers can also easily check for
|
``dmesg | grep landlock || journalctl -kb -g landlock`` .
|
||||||
Landlock support with a :ref:`related system call <landlock_abi_versions>`. If
|
Developers can also easily check for Landlock support with a
|
||||||
Landlock is not currently supported, we need to :ref:`configure the kernel
|
:ref:`related system call <landlock_abi_versions>`.
|
||||||
appropriately <kernel_support>`.
|
If Landlock is not currently supported, we need to
|
||||||
|
:ref:`configure the kernel appropriately <kernel_support>`.
|
||||||
|
|
||||||
Landlock rules
|
Landlock rules
|
||||||
==============
|
==============
|
||||||
@ -499,6 +500,9 @@ access rights.
|
|||||||
Kernel support
|
Kernel support
|
||||||
==============
|
==============
|
||||||
|
|
||||||
|
Build time configuration
|
||||||
|
------------------------
|
||||||
|
|
||||||
Landlock was first introduced in Linux 5.13 but it must be configured at build
|
Landlock was first introduced in Linux 5.13 but it must be configured at build
|
||||||
time with ``CONFIG_SECURITY_LANDLOCK=y``. Landlock must also be enabled at boot
|
time with ``CONFIG_SECURITY_LANDLOCK=y``. Landlock must also be enabled at boot
|
||||||
time as the other security modules. The list of security modules enabled by
|
time as the other security modules. The list of security modules enabled by
|
||||||
@ -507,11 +511,52 @@ contains ``CONFIG_LSM=landlock,[...]`` with ``[...]`` as the list of other
|
|||||||
potentially useful security modules for the running system (see the
|
potentially useful security modules for the running system (see the
|
||||||
``CONFIG_LSM`` help).
|
``CONFIG_LSM`` help).
|
||||||
|
|
||||||
|
Boot time configuration
|
||||||
|
-----------------------
|
||||||
|
|
||||||
If the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
|
If the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
|
||||||
still enable it by adding ``lsm=landlock,[...]`` to
|
enable Landlock by adding ``lsm=landlock,[...]`` to
|
||||||
Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader
|
Documentation/admin-guide/kernel-parameters.rst in the boot loader
|
||||||
configuration.
|
configuration.
|
||||||
|
|
||||||
|
For example, if the current built-in configuration is:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
|
||||||
|
CONFIG_LSM="lockdown,yama,integrity,apparmor"
|
||||||
|
|
||||||
|
...and if the cmdline doesn't contain ``landlock`` either:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
|
||||||
|
lsm=lockdown,yama,integrity,apparmor
|
||||||
|
|
||||||
|
...we should configure the boot loader to set a cmdline extending the ``lsm``
|
||||||
|
list with the ``landlock,`` prefix::
|
||||||
|
|
||||||
|
lsm=landlock,lockdown,yama,integrity,apparmor
|
||||||
|
|
||||||
|
After a reboot, we can check that Landlock is up and running by looking at
|
||||||
|
kernel logs:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
# dmesg | grep landlock || journalctl -kb -g landlock
|
||||||
|
[ 0.000000] Command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
|
||||||
|
[ 0.000000] Kernel command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
|
||||||
|
[ 0.000000] LSM: initializing lsm=lockdown,capability,landlock,yama,integrity,apparmor
|
||||||
|
[ 0.000000] landlock: Up and running.
|
||||||
|
|
||||||
|
The kernel may be configured at build time to always load the ``lockdown`` and
|
||||||
|
``capability`` LSMs. In that case, these LSMs will appear at the beginning of
|
||||||
|
the ``LSM: initializing`` log line as well, even if they are not configured in
|
||||||
|
the boot loader.
|
||||||
|
|
||||||
|
Network support
|
||||||
|
---------------
|
||||||
|
|
||||||
To be able to explicitly allow TCP operations (e.g., adding a network rule with
|
To be able to explicitly allow TCP operations (e.g., adding a network rule with
|
||||||
``LANDLOCK_ACCESS_NET_BIND_TCP``), the kernel must support TCP
|
``LANDLOCK_ACCESS_NET_BIND_TCP``), the kernel must support TCP
|
||||||
(``CONFIG_INET=y``). Otherwise, sys_landlock_add_rule() returns an
|
(``CONFIG_INET=y``). Otherwise, sys_landlock_add_rule() returns an
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
// SPDX-License-Identifier: BSD-3-Clause
|
// SPDX-License-Identifier: BSD-3-Clause
|
||||||
/*
|
/*
|
||||||
* Simple Landlock sandbox manager able to launch a process restricted by a
|
* Simple Landlock sandbox manager able to execute a process restricted by
|
||||||
* user-defined filesystem access control policy.
|
* user-defined file system and network access control policies.
|
||||||
*
|
*
|
||||||
* Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
|
* Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
|
||||||
* Copyright © 2020 ANSSI
|
* Copyright © 2020 ANSSI
|
||||||
@ -120,9 +120,11 @@ static int populate_ruleset_fs(const char *const env_var, const int ruleset_fd,
|
|||||||
if (path_beneath.parent_fd < 0) {
|
if (path_beneath.parent_fd < 0) {
|
||||||
fprintf(stderr, "Failed to open \"%s\": %s\n",
|
fprintf(stderr, "Failed to open \"%s\": %s\n",
|
||||||
path_list[i], strerror(errno));
|
path_list[i], strerror(errno));
|
||||||
goto out_free_name;
|
continue;
|
||||||
}
|
}
|
||||||
if (fstat(path_beneath.parent_fd, &statbuf)) {
|
if (fstat(path_beneath.parent_fd, &statbuf)) {
|
||||||
|
fprintf(stderr, "Failed to stat \"%s\": %s\n",
|
||||||
|
path_list[i], strerror(errno));
|
||||||
close(path_beneath.parent_fd);
|
close(path_beneath.parent_fd);
|
||||||
goto out_free_name;
|
goto out_free_name;
|
||||||
}
|
}
|
||||||
@ -227,7 +229,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
|
|||||||
ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
|
ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
|
||||||
ENV_TCP_CONNECT_NAME, argv[0]);
|
ENV_TCP_CONNECT_NAME, argv[0]);
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
"Launch a command in a restricted environment.\n\n");
|
"Execute a command in a restricted environment.\n\n");
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
"Environment variables containing paths and ports "
|
"Environment variables containing paths and ports "
|
||||||
"each separated by a colon:\n");
|
"each separated by a colon:\n");
|
||||||
@ -248,7 +250,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
|
|||||||
ENV_TCP_CONNECT_NAME);
|
ENV_TCP_CONNECT_NAME);
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
"\nexample:\n"
|
"\nexample:\n"
|
||||||
"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
|
"%s=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" "
|
||||||
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
|
"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
|
||||||
"%s=\"9418\" "
|
"%s=\"9418\" "
|
||||||
"%s=\"80:443\" "
|
"%s=\"80:443\" "
|
||||||
@ -383,6 +385,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
|
|||||||
|
|
||||||
cmd_path = argv[1];
|
cmd_path = argv[1];
|
||||||
cmd_argv = argv + 1;
|
cmd_argv = argv + 1;
|
||||||
|
fprintf(stderr, "Executing the sandboxed command...\n");
|
||||||
execvpe(cmd_path, cmd_argv, envp);
|
execvpe(cmd_path, cmd_argv, envp);
|
||||||
fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path,
|
fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path,
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
|
4
security/landlock/.kunitconfig
Normal file
4
security/landlock/.kunitconfig
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
CONFIG_KUNIT=y
|
||||||
|
CONFIG_SECURITY=y
|
||||||
|
CONFIG_SECURITY_LANDLOCK=y
|
||||||
|
CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y
|
@ -20,3 +20,18 @@ config SECURITY_LANDLOCK
|
|||||||
If you are unsure how to answer this question, answer N. Otherwise,
|
If you are unsure how to answer this question, answer N. Otherwise,
|
||||||
you should also prepend "landlock," to the content of CONFIG_LSM to
|
you should also prepend "landlock," to the content of CONFIG_LSM to
|
||||||
enable Landlock at boot time.
|
enable Landlock at boot time.
|
||||||
|
|
||||||
|
config SECURITY_LANDLOCK_KUNIT_TEST
|
||||||
|
bool "KUnit tests for Landlock" if !KUNIT_ALL_TESTS
|
||||||
|
depends on KUNIT=y
|
||||||
|
depends on SECURITY_LANDLOCK
|
||||||
|
default KUNIT_ALL_TESTS
|
||||||
|
help
|
||||||
|
Build KUnit tests for Landlock.
|
||||||
|
|
||||||
|
See the KUnit documentation in Documentation/dev-tools/kunit
|
||||||
|
|
||||||
|
Run all KUnit tests for Landlock with:
|
||||||
|
./tools/testing/kunit/kunit.py run --kunitconfig security/landlock
|
||||||
|
|
||||||
|
If you are unsure how to answer this question, answer N.
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
|
obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o
|
||||||
|
|
||||||
landlock-y := setup.o syscalls.o object.o ruleset.o \
|
landlock-y := setup.o syscalls.o object.o ruleset.o \
|
||||||
cred.o ptrace.o fs.o
|
cred.o task.o fs.o
|
||||||
|
|
||||||
landlock-$(CONFIG_INET) += net.o
|
landlock-$(CONFIG_INET) += net.o
|
||||||
|
@ -17,4 +17,6 @@
|
|||||||
|
|
||||||
#define pr_fmt(fmt) LANDLOCK_NAME ": " fmt
|
#define pr_fmt(fmt) LANDLOCK_NAME ": " fmt
|
||||||
|
|
||||||
|
#define BIT_INDEX(bit) HWEIGHT(bit - 1)
|
||||||
|
|
||||||
#endif /* _SECURITY_LANDLOCK_COMMON_H */
|
#endif /* _SECURITY_LANDLOCK_COMMON_H */
|
||||||
|
@ -7,6 +7,7 @@
|
|||||||
* Copyright © 2021-2022 Microsoft Corporation
|
* Copyright © 2021-2022 Microsoft Corporation
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include <kunit/test.h>
|
||||||
#include <linux/atomic.h>
|
#include <linux/atomic.h>
|
||||||
#include <linux/bitops.h>
|
#include <linux/bitops.h>
|
||||||
#include <linux/bits.h>
|
#include <linux/bits.h>
|
||||||
@ -247,15 +248,18 @@ get_handled_fs_accesses(const struct landlock_ruleset *const domain)
|
|||||||
LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
|
LANDLOCK_ACCESS_FS_INITIALLY_DENIED;
|
||||||
}
|
}
|
||||||
|
|
||||||
static const struct landlock_ruleset *get_current_fs_domain(void)
|
static const struct landlock_ruleset *
|
||||||
|
get_fs_domain(const struct landlock_ruleset *const domain)
|
||||||
{
|
{
|
||||||
const struct landlock_ruleset *const dom =
|
if (!domain || !get_raw_handled_fs_accesses(domain))
|
||||||
landlock_get_current_domain();
|
|
||||||
|
|
||||||
if (!dom || !get_raw_handled_fs_accesses(dom))
|
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
return dom;
|
return domain;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const struct landlock_ruleset *get_current_fs_domain(void)
|
||||||
|
{
|
||||||
|
return get_fs_domain(landlock_get_current_domain());
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -311,6 +315,119 @@ static bool no_more_access(
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define NMA_TRUE(...) KUNIT_EXPECT_TRUE(test, no_more_access(__VA_ARGS__))
|
||||||
|
#define NMA_FALSE(...) KUNIT_EXPECT_FALSE(test, no_more_access(__VA_ARGS__))
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
|
||||||
|
|
||||||
|
static void test_no_more_access(struct kunit *const test)
|
||||||
|
{
|
||||||
|
const layer_mask_t rx0[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(0),
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_READ_FILE)] = BIT_ULL(0),
|
||||||
|
};
|
||||||
|
const layer_mask_t mx0[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(0),
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_MAKE_REG)] = BIT_ULL(0),
|
||||||
|
};
|
||||||
|
const layer_mask_t x0[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(0),
|
||||||
|
};
|
||||||
|
const layer_mask_t x1[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(1),
|
||||||
|
};
|
||||||
|
const layer_mask_t x01[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(0) |
|
||||||
|
BIT_ULL(1),
|
||||||
|
};
|
||||||
|
const layer_mask_t allows_all[LANDLOCK_NUM_ACCESS_FS] = {};
|
||||||
|
|
||||||
|
/* Checks without restriction. */
|
||||||
|
NMA_TRUE(&x0, &allows_all, false, &allows_all, NULL, false);
|
||||||
|
NMA_TRUE(&allows_all, &x0, false, &allows_all, NULL, false);
|
||||||
|
NMA_FALSE(&x0, &x0, false, &allows_all, NULL, false);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Checks that we can only refer a file if no more access could be
|
||||||
|
* inherited.
|
||||||
|
*/
|
||||||
|
NMA_TRUE(&x0, &x0, false, &rx0, NULL, false);
|
||||||
|
NMA_TRUE(&rx0, &rx0, false, &rx0, NULL, false);
|
||||||
|
NMA_FALSE(&rx0, &rx0, false, &x0, NULL, false);
|
||||||
|
NMA_FALSE(&rx0, &rx0, false, &x1, NULL, false);
|
||||||
|
|
||||||
|
/* Checks allowed referring with different nested domains. */
|
||||||
|
NMA_TRUE(&x0, &x1, false, &x0, NULL, false);
|
||||||
|
NMA_TRUE(&x1, &x0, false, &x0, NULL, false);
|
||||||
|
NMA_TRUE(&x0, &x01, false, &x0, NULL, false);
|
||||||
|
NMA_TRUE(&x0, &x01, false, &rx0, NULL, false);
|
||||||
|
NMA_TRUE(&x01, &x0, false, &x0, NULL, false);
|
||||||
|
NMA_TRUE(&x01, &x0, false, &rx0, NULL, false);
|
||||||
|
NMA_FALSE(&x01, &x01, false, &x0, NULL, false);
|
||||||
|
|
||||||
|
/* Checks that file access rights are also enforced for a directory. */
|
||||||
|
NMA_FALSE(&rx0, &rx0, true, &x0, NULL, false);
|
||||||
|
|
||||||
|
/* Checks that directory access rights don't impact file referring... */
|
||||||
|
NMA_TRUE(&mx0, &mx0, false, &x0, NULL, false);
|
||||||
|
/* ...but only directory referring. */
|
||||||
|
NMA_FALSE(&mx0, &mx0, true, &x0, NULL, false);
|
||||||
|
|
||||||
|
/* Checks directory exchange. */
|
||||||
|
NMA_TRUE(&mx0, &mx0, true, &mx0, &mx0, true);
|
||||||
|
NMA_TRUE(&mx0, &mx0, true, &mx0, &x0, true);
|
||||||
|
NMA_FALSE(&mx0, &mx0, true, &x0, &mx0, true);
|
||||||
|
NMA_FALSE(&mx0, &mx0, true, &x0, &x0, true);
|
||||||
|
NMA_FALSE(&mx0, &mx0, true, &x1, &x1, true);
|
||||||
|
|
||||||
|
/* Checks file exchange with directory access rights... */
|
||||||
|
NMA_TRUE(&mx0, &mx0, false, &mx0, &mx0, false);
|
||||||
|
NMA_TRUE(&mx0, &mx0, false, &mx0, &x0, false);
|
||||||
|
NMA_TRUE(&mx0, &mx0, false, &x0, &mx0, false);
|
||||||
|
NMA_TRUE(&mx0, &mx0, false, &x0, &x0, false);
|
||||||
|
/* ...and with file access rights. */
|
||||||
|
NMA_TRUE(&rx0, &rx0, false, &rx0, &rx0, false);
|
||||||
|
NMA_TRUE(&rx0, &rx0, false, &rx0, &x0, false);
|
||||||
|
NMA_FALSE(&rx0, &rx0, false, &x0, &rx0, false);
|
||||||
|
NMA_FALSE(&rx0, &rx0, false, &x0, &x0, false);
|
||||||
|
NMA_FALSE(&rx0, &rx0, false, &x1, &x1, false);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Allowing the following requests should not be a security risk
|
||||||
|
* because domain 0 denies execute access, and domain 1 is always
|
||||||
|
* nested with domain 0. However, adding an exception for this case
|
||||||
|
* would mean to check all nested domains to make sure none can get
|
||||||
|
* more privileges (e.g. processes only sandboxed by domain 0).
|
||||||
|
* Moreover, this behavior (i.e. composition of N domains) could then
|
||||||
|
* be inconsistent compared to domain 1's ruleset alone (e.g. it might
|
||||||
|
* be denied to link/rename with domain 1's ruleset, whereas it would
|
||||||
|
* be allowed if nested on top of domain 0). Another drawback would be
|
||||||
|
* to create a cover channel that could enable sandboxed processes to
|
||||||
|
* infer most of the filesystem restrictions from their domain. To
|
||||||
|
* make it simple, efficient, safe, and more consistent, this case is
|
||||||
|
* always denied.
|
||||||
|
*/
|
||||||
|
NMA_FALSE(&x1, &x1, false, &x0, NULL, false);
|
||||||
|
NMA_FALSE(&x1, &x1, false, &rx0, NULL, false);
|
||||||
|
NMA_FALSE(&x1, &x1, true, &x0, NULL, false);
|
||||||
|
NMA_FALSE(&x1, &x1, true, &rx0, NULL, false);
|
||||||
|
|
||||||
|
/* Checks the same case of exclusive domains with a file... */
|
||||||
|
NMA_TRUE(&x1, &x1, false, &x01, NULL, false);
|
||||||
|
NMA_FALSE(&x1, &x1, false, &x01, &x0, false);
|
||||||
|
NMA_FALSE(&x1, &x1, false, &x01, &x01, false);
|
||||||
|
NMA_FALSE(&x1, &x1, false, &x0, &x0, false);
|
||||||
|
/* ...and with a directory. */
|
||||||
|
NMA_FALSE(&x1, &x1, false, &x0, &x0, true);
|
||||||
|
NMA_FALSE(&x1, &x1, true, &x0, &x0, false);
|
||||||
|
NMA_FALSE(&x1, &x1, true, &x0, &x0, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
|
||||||
|
|
||||||
|
#undef NMA_TRUE
|
||||||
|
#undef NMA_FALSE
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Removes @layer_masks accesses that are not requested.
|
* Removes @layer_masks accesses that are not requested.
|
||||||
*
|
*
|
||||||
@ -331,6 +448,57 @@ scope_to_request(const access_mask_t access_request,
|
|||||||
return !memchr_inv(layer_masks, 0, sizeof(*layer_masks));
|
return !memchr_inv(layer_masks, 0, sizeof(*layer_masks));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
|
||||||
|
|
||||||
|
static void test_scope_to_request_with_exec_none(struct kunit *const test)
|
||||||
|
{
|
||||||
|
/* Allows everything. */
|
||||||
|
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
|
||||||
|
|
||||||
|
/* Checks and scopes with execute. */
|
||||||
|
KUNIT_EXPECT_TRUE(test, scope_to_request(LANDLOCK_ACCESS_FS_EXECUTE,
|
||||||
|
&layer_masks));
|
||||||
|
KUNIT_EXPECT_EQ(test, 0,
|
||||||
|
layer_masks[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)]);
|
||||||
|
KUNIT_EXPECT_EQ(test, 0,
|
||||||
|
layer_masks[BIT_INDEX(LANDLOCK_ACCESS_FS_WRITE_FILE)]);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_scope_to_request_with_exec_some(struct kunit *const test)
|
||||||
|
{
|
||||||
|
/* Denies execute and write. */
|
||||||
|
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(0),
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_WRITE_FILE)] = BIT_ULL(1),
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Checks and scopes with execute. */
|
||||||
|
KUNIT_EXPECT_FALSE(test, scope_to_request(LANDLOCK_ACCESS_FS_EXECUTE,
|
||||||
|
&layer_masks));
|
||||||
|
KUNIT_EXPECT_EQ(test, BIT_ULL(0),
|
||||||
|
layer_masks[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)]);
|
||||||
|
KUNIT_EXPECT_EQ(test, 0,
|
||||||
|
layer_masks[BIT_INDEX(LANDLOCK_ACCESS_FS_WRITE_FILE)]);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_scope_to_request_without_access(struct kunit *const test)
|
||||||
|
{
|
||||||
|
/* Denies execute and write. */
|
||||||
|
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)] = BIT_ULL(0),
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_WRITE_FILE)] = BIT_ULL(1),
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Checks and scopes without access request. */
|
||||||
|
KUNIT_EXPECT_TRUE(test, scope_to_request(0, &layer_masks));
|
||||||
|
KUNIT_EXPECT_EQ(test, 0,
|
||||||
|
layer_masks[BIT_INDEX(LANDLOCK_ACCESS_FS_EXECUTE)]);
|
||||||
|
KUNIT_EXPECT_EQ(test, 0,
|
||||||
|
layer_masks[BIT_INDEX(LANDLOCK_ACCESS_FS_WRITE_FILE)]);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Returns true if there is at least one access right different than
|
* Returns true if there is at least one access right different than
|
||||||
* LANDLOCK_ACCESS_FS_REFER.
|
* LANDLOCK_ACCESS_FS_REFER.
|
||||||
@ -354,6 +522,51 @@ is_eacces(const layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS],
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define IE_TRUE(...) KUNIT_EXPECT_TRUE(test, is_eacces(__VA_ARGS__))
|
||||||
|
#define IE_FALSE(...) KUNIT_EXPECT_FALSE(test, is_eacces(__VA_ARGS__))
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
|
||||||
|
|
||||||
|
static void test_is_eacces_with_none(struct kunit *const test)
|
||||||
|
{
|
||||||
|
const layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
|
||||||
|
|
||||||
|
IE_FALSE(&layer_masks, 0);
|
||||||
|
IE_FALSE(&layer_masks, LANDLOCK_ACCESS_FS_REFER);
|
||||||
|
IE_FALSE(&layer_masks, LANDLOCK_ACCESS_FS_EXECUTE);
|
||||||
|
IE_FALSE(&layer_masks, LANDLOCK_ACCESS_FS_WRITE_FILE);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_is_eacces_with_refer(struct kunit *const test)
|
||||||
|
{
|
||||||
|
const layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_REFER)] = BIT_ULL(0),
|
||||||
|
};
|
||||||
|
|
||||||
|
IE_FALSE(&layer_masks, 0);
|
||||||
|
IE_FALSE(&layer_masks, LANDLOCK_ACCESS_FS_REFER);
|
||||||
|
IE_FALSE(&layer_masks, LANDLOCK_ACCESS_FS_EXECUTE);
|
||||||
|
IE_FALSE(&layer_masks, LANDLOCK_ACCESS_FS_WRITE_FILE);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void test_is_eacces_with_write(struct kunit *const test)
|
||||||
|
{
|
||||||
|
const layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {
|
||||||
|
[BIT_INDEX(LANDLOCK_ACCESS_FS_WRITE_FILE)] = BIT_ULL(0),
|
||||||
|
};
|
||||||
|
|
||||||
|
IE_FALSE(&layer_masks, 0);
|
||||||
|
IE_FALSE(&layer_masks, LANDLOCK_ACCESS_FS_REFER);
|
||||||
|
IE_FALSE(&layer_masks, LANDLOCK_ACCESS_FS_EXECUTE);
|
||||||
|
|
||||||
|
IE_TRUE(&layer_masks, LANDLOCK_ACCESS_FS_WRITE_FILE);
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
|
||||||
|
|
||||||
|
#undef IE_TRUE
|
||||||
|
#undef IE_FALSE
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* is_access_to_paths_allowed - Check accesses for requests with a common path
|
* is_access_to_paths_allowed - Check accesses for requests with a common path
|
||||||
*
|
*
|
||||||
@ -1124,7 +1337,8 @@ static int hook_file_open(struct file *const file)
|
|||||||
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
|
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
|
||||||
access_mask_t open_access_request, full_access_request, allowed_access;
|
access_mask_t open_access_request, full_access_request, allowed_access;
|
||||||
const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE;
|
const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE;
|
||||||
const struct landlock_ruleset *const dom = get_current_fs_domain();
|
const struct landlock_ruleset *const dom =
|
||||||
|
get_fs_domain(landlock_cred(file->f_cred)->domain);
|
||||||
|
|
||||||
if (!dom)
|
if (!dom)
|
||||||
return 0;
|
return 0;
|
||||||
@ -1225,3 +1439,27 @@ __init void landlock_add_fs_hooks(void)
|
|||||||
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
|
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
|
||||||
&landlock_lsmid);
|
&landlock_lsmid);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
|
||||||
|
|
||||||
|
/* clang-format off */
|
||||||
|
static struct kunit_case test_cases[] = {
|
||||||
|
KUNIT_CASE(test_no_more_access),
|
||||||
|
KUNIT_CASE(test_scope_to_request_with_exec_none),
|
||||||
|
KUNIT_CASE(test_scope_to_request_with_exec_some),
|
||||||
|
KUNIT_CASE(test_scope_to_request_without_access),
|
||||||
|
KUNIT_CASE(test_is_eacces_with_none),
|
||||||
|
KUNIT_CASE(test_is_eacces_with_refer),
|
||||||
|
KUNIT_CASE(test_is_eacces_with_write),
|
||||||
|
{}
|
||||||
|
};
|
||||||
|
/* clang-format on */
|
||||||
|
|
||||||
|
static struct kunit_suite test_suite = {
|
||||||
|
.name = "landlock_fs",
|
||||||
|
.test_cases = test_cases,
|
||||||
|
};
|
||||||
|
|
||||||
|
kunit_test_suite(test_suite);
|
||||||
|
|
||||||
|
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
|
||||||
|
@ -64,12 +64,11 @@ static const struct landlock_ruleset *get_current_net_domain(void)
|
|||||||
static int current_check_access_socket(struct socket *const sock,
|
static int current_check_access_socket(struct socket *const sock,
|
||||||
struct sockaddr *const address,
|
struct sockaddr *const address,
|
||||||
const int addrlen,
|
const int addrlen,
|
||||||
const access_mask_t access_request)
|
access_mask_t access_request)
|
||||||
{
|
{
|
||||||
__be16 port;
|
__be16 port;
|
||||||
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
|
layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_NET] = {};
|
||||||
const struct landlock_rule *rule;
|
const struct landlock_rule *rule;
|
||||||
access_mask_t handled_access;
|
|
||||||
struct landlock_id id = {
|
struct landlock_id id = {
|
||||||
.type = LANDLOCK_KEY_NET_PORT,
|
.type = LANDLOCK_KEY_NET_PORT,
|
||||||
};
|
};
|
||||||
@ -164,9 +163,9 @@ static int current_check_access_socket(struct socket *const sock,
|
|||||||
BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
|
BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
|
||||||
|
|
||||||
rule = landlock_find_rule(dom, id);
|
rule = landlock_find_rule(dom, id);
|
||||||
handled_access = landlock_init_layer_masks(
|
access_request = landlock_init_layer_masks(
|
||||||
dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
|
dom, access_request, &layer_masks, LANDLOCK_KEY_NET_PORT);
|
||||||
if (landlock_unmask_layers(rule, handled_access, &layer_masks,
|
if (landlock_unmask_layers(rule, access_request, &layer_masks,
|
||||||
ARRAY_SIZE(layer_masks)))
|
ARRAY_SIZE(layer_masks)))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
@ -14,8 +14,8 @@
|
|||||||
#include "cred.h"
|
#include "cred.h"
|
||||||
#include "fs.h"
|
#include "fs.h"
|
||||||
#include "net.h"
|
#include "net.h"
|
||||||
#include "ptrace.h"
|
|
||||||
#include "setup.h"
|
#include "setup.h"
|
||||||
|
#include "task.h"
|
||||||
|
|
||||||
bool landlock_initialized __ro_after_init = false;
|
bool landlock_initialized __ro_after_init = false;
|
||||||
|
|
||||||
@ -34,7 +34,7 @@ const struct lsm_id landlock_lsmid = {
|
|||||||
static int __init landlock_init(void)
|
static int __init landlock_init(void)
|
||||||
{
|
{
|
||||||
landlock_add_cred_hooks();
|
landlock_add_cred_hooks();
|
||||||
landlock_add_ptrace_hooks();
|
landlock_add_task_hooks();
|
||||||
landlock_add_fs_hooks();
|
landlock_add_fs_hooks();
|
||||||
landlock_add_net_hooks();
|
landlock_add_net_hooks();
|
||||||
landlock_initialized = true;
|
landlock_initialized = true;
|
||||||
|
@ -33,6 +33,18 @@
|
|||||||
#include "ruleset.h"
|
#include "ruleset.h"
|
||||||
#include "setup.h"
|
#include "setup.h"
|
||||||
|
|
||||||
|
static bool is_initialized(void)
|
||||||
|
{
|
||||||
|
if (likely(landlock_initialized))
|
||||||
|
return true;
|
||||||
|
|
||||||
|
pr_warn_once(
|
||||||
|
"Disabled but requested by user space. "
|
||||||
|
"You should enable Landlock at boot time: "
|
||||||
|
"https://docs.kernel.org/userspace-api/landlock.html#boot-time-configuration\n");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* copy_min_struct_from_user - Safe future-proof argument copying
|
* copy_min_struct_from_user - Safe future-proof argument copying
|
||||||
*
|
*
|
||||||
@ -173,7 +185,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
|
|||||||
/* Build-time checks. */
|
/* Build-time checks. */
|
||||||
build_check_abi();
|
build_check_abi();
|
||||||
|
|
||||||
if (!landlock_initialized)
|
if (!is_initialized())
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
if (flags) {
|
if (flags) {
|
||||||
@ -398,7 +410,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
|
|||||||
struct landlock_ruleset *ruleset;
|
struct landlock_ruleset *ruleset;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
if (!landlock_initialized)
|
if (!is_initialized())
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
/* No flag for now. */
|
/* No flag for now. */
|
||||||
@ -458,7 +470,7 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
|
|||||||
struct landlock_cred_security *new_llcred;
|
struct landlock_cred_security *new_llcred;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
if (!landlock_initialized)
|
if (!is_initialized())
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -16,9 +16,9 @@
|
|||||||
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
#include "cred.h"
|
#include "cred.h"
|
||||||
#include "ptrace.h"
|
|
||||||
#include "ruleset.h"
|
#include "ruleset.h"
|
||||||
#include "setup.h"
|
#include "setup.h"
|
||||||
|
#include "task.h"
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* domain_scope_le - Checks domain ordering for scoped ptrace
|
* domain_scope_le - Checks domain ordering for scoped ptrace
|
||||||
@ -113,7 +113,7 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = {
|
|||||||
LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
|
LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
|
||||||
};
|
};
|
||||||
|
|
||||||
__init void landlock_add_ptrace_hooks(void)
|
__init void landlock_add_task_hooks(void)
|
||||||
{
|
{
|
||||||
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
|
security_add_hooks(landlock_hooks, ARRAY_SIZE(landlock_hooks),
|
||||||
&landlock_lsmid);
|
&landlock_lsmid);
|
@ -6,9 +6,9 @@
|
|||||||
* Copyright © 2019 ANSSI
|
* Copyright © 2019 ANSSI
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef _SECURITY_LANDLOCK_PTRACE_H
|
#ifndef _SECURITY_LANDLOCK_TASK_H
|
||||||
#define _SECURITY_LANDLOCK_PTRACE_H
|
#define _SECURITY_LANDLOCK_TASK_H
|
||||||
|
|
||||||
__init void landlock_add_ptrace_hooks(void);
|
__init void landlock_add_task_hooks(void);
|
||||||
|
|
||||||
#endif /* _SECURITY_LANDLOCK_PTRACE_H */
|
#endif /* _SECURITY_LANDLOCK_TASK_H */
|
@ -43,6 +43,7 @@ CONFIG_REGMAP_BUILD=y
|
|||||||
|
|
||||||
CONFIG_SECURITY=y
|
CONFIG_SECURITY=y
|
||||||
CONFIG_SECURITY_APPARMOR=y
|
CONFIG_SECURITY_APPARMOR=y
|
||||||
|
CONFIG_SECURITY_LANDLOCK=y
|
||||||
|
|
||||||
CONFIG_SOUND=y
|
CONFIG_SOUND=y
|
||||||
CONFIG_SND=y
|
CONFIG_SND=y
|
||||||
|
@ -74,31 +74,19 @@ static void _init_caps(struct __test_metadata *const _metadata, bool drop_all)
|
|||||||
EXPECT_EQ(0, cap_set_secbits(noroot));
|
EXPECT_EQ(0, cap_set_secbits(noroot));
|
||||||
|
|
||||||
cap_p = cap_get_proc();
|
cap_p = cap_get_proc();
|
||||||
EXPECT_NE(NULL, cap_p)
|
EXPECT_NE(NULL, cap_p);
|
||||||
{
|
EXPECT_NE(-1, cap_clear(cap_p));
|
||||||
TH_LOG("Failed to cap_get_proc: %s", strerror(errno));
|
|
||||||
}
|
|
||||||
EXPECT_NE(-1, cap_clear(cap_p))
|
|
||||||
{
|
|
||||||
TH_LOG("Failed to cap_clear: %s", strerror(errno));
|
|
||||||
}
|
|
||||||
if (!drop_all) {
|
if (!drop_all) {
|
||||||
EXPECT_NE(-1, cap_set_flag(cap_p, CAP_PERMITTED,
|
EXPECT_NE(-1, cap_set_flag(cap_p, CAP_PERMITTED,
|
||||||
ARRAY_SIZE(caps), caps, CAP_SET))
|
ARRAY_SIZE(caps), caps, CAP_SET));
|
||||||
{
|
|
||||||
TH_LOG("Failed to cap_set_flag: %s", strerror(errno));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Automatically resets ambient capabilities. */
|
/* Automatically resets ambient capabilities. */
|
||||||
EXPECT_NE(-1, cap_set_proc(cap_p))
|
EXPECT_NE(-1, cap_set_proc(cap_p))
|
||||||
{
|
{
|
||||||
TH_LOG("Failed to cap_set_proc: %s", strerror(errno));
|
TH_LOG("Failed to set capabilities: %s", strerror(errno));
|
||||||
}
|
|
||||||
EXPECT_NE(-1, cap_free(cap_p))
|
|
||||||
{
|
|
||||||
TH_LOG("Failed to cap_free: %s", strerror(errno));
|
|
||||||
}
|
}
|
||||||
|
EXPECT_NE(-1, cap_free(cap_p));
|
||||||
|
|
||||||
/* Quickly checks that ambient capabilities are cleared. */
|
/* Quickly checks that ambient capabilities are cleared. */
|
||||||
EXPECT_NE(-1, cap_get_ambient(caps[0]));
|
EXPECT_NE(-1, cap_get_ambient(caps[0]));
|
||||||
@ -122,22 +110,13 @@ static void _change_cap(struct __test_metadata *const _metadata,
|
|||||||
cap_t cap_p;
|
cap_t cap_p;
|
||||||
|
|
||||||
cap_p = cap_get_proc();
|
cap_p = cap_get_proc();
|
||||||
EXPECT_NE(NULL, cap_p)
|
EXPECT_NE(NULL, cap_p);
|
||||||
{
|
EXPECT_NE(-1, cap_set_flag(cap_p, flag, 1, &cap, value));
|
||||||
TH_LOG("Failed to cap_get_proc: %s", strerror(errno));
|
|
||||||
}
|
|
||||||
EXPECT_NE(-1, cap_set_flag(cap_p, flag, 1, &cap, value))
|
|
||||||
{
|
|
||||||
TH_LOG("Failed to cap_set_flag: %s", strerror(errno));
|
|
||||||
}
|
|
||||||
EXPECT_NE(-1, cap_set_proc(cap_p))
|
EXPECT_NE(-1, cap_set_proc(cap_p))
|
||||||
{
|
{
|
||||||
TH_LOG("Failed to cap_set_proc: %s", strerror(errno));
|
TH_LOG("Failed to set capability %d: %s", cap, strerror(errno));
|
||||||
}
|
|
||||||
EXPECT_NE(-1, cap_free(cap_p))
|
|
||||||
{
|
|
||||||
TH_LOG("Failed to cap_free: %s", strerror(errno));
|
|
||||||
}
|
}
|
||||||
|
EXPECT_NE(-1, cap_free(cap_p));
|
||||||
}
|
}
|
||||||
|
|
||||||
static void __maybe_unused set_cap(struct __test_metadata *const _metadata,
|
static void __maybe_unused set_cap(struct __test_metadata *const _metadata,
|
||||||
|
Loading…
Reference in New Issue
Block a user