mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-17 05:45:20 +00:00
landlock: Reduce the maximum number of layers to 16
The maximum number of nested Landlock domains is currently 64. Because of the following fix and to help reduce the stack size, let's reduce it to 16. This seems large enough for a lot of use cases (e.g. sandboxed init service, spawning a sandboxed SSH service, in nested sandboxed containers). Reducing the number of nested domains may also help to discover misuse of Landlock (e.g. creating a domain per rule). Add and use a dedicated layer_mask_t typedef to fit with the number of layers. This might be useful when changing it and to keep it consistent with the maximum number of layers. Reviewed-by: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20220506161102.525323-3-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
This commit is contained in:
parent
5f2ff33e10
commit
75c542d6c6
@ -267,8 +267,8 @@ restrict such paths with dedicated ruleset flags.
|
|||||||
Ruleset layers
|
Ruleset layers
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
There is a limit of 64 layers of stacked rulesets. This can be an issue for a
|
There is a limit of 16 layers of stacked rulesets. This can be an issue for a
|
||||||
task willing to enforce a new ruleset in complement to its 64 inherited
|
task willing to enforce a new ruleset in complement to its 16 inherited
|
||||||
rulesets. Once this limit is reached, sys_landlock_restrict_self() returns
|
rulesets. Once this limit is reached, sys_landlock_restrict_self() returns
|
||||||
E2BIG. It is then strongly suggested to carefully build rulesets once in the
|
E2BIG. It is then strongly suggested to carefully build rulesets once in the
|
||||||
life of a thread, especially for applications able to launch other applications
|
life of a thread, especially for applications able to launch other applications
|
||||||
|
@ -183,10 +183,10 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset,
|
|||||||
|
|
||||||
/* Access-control management */
|
/* Access-control management */
|
||||||
|
|
||||||
static inline u64 unmask_layers(const struct landlock_ruleset *const domain,
|
static inline layer_mask_t
|
||||||
const struct path *const path,
|
unmask_layers(const struct landlock_ruleset *const domain,
|
||||||
const access_mask_t access_request,
|
const struct path *const path, const access_mask_t access_request,
|
||||||
u64 layer_mask)
|
layer_mask_t layer_mask)
|
||||||
{
|
{
|
||||||
const struct landlock_rule *rule;
|
const struct landlock_rule *rule;
|
||||||
const struct inode *inode;
|
const struct inode *inode;
|
||||||
@ -212,11 +212,11 @@ static inline u64 unmask_layers(const struct landlock_ruleset *const domain,
|
|||||||
*/
|
*/
|
||||||
for (i = 0; i < rule->num_layers; i++) {
|
for (i = 0; i < rule->num_layers; i++) {
|
||||||
const struct landlock_layer *const layer = &rule->layers[i];
|
const struct landlock_layer *const layer = &rule->layers[i];
|
||||||
const u64 layer_level = BIT_ULL(layer->level - 1);
|
const layer_mask_t layer_bit = BIT_ULL(layer->level - 1);
|
||||||
|
|
||||||
/* Checks that the layer grants access to the full request. */
|
/* Checks that the layer grants access to the full request. */
|
||||||
if ((layer->access & access_request) == access_request) {
|
if ((layer->access & access_request) == access_request) {
|
||||||
layer_mask &= ~layer_level;
|
layer_mask &= ~layer_bit;
|
||||||
|
|
||||||
if (layer_mask == 0)
|
if (layer_mask == 0)
|
||||||
return layer_mask;
|
return layer_mask;
|
||||||
@ -231,12 +231,9 @@ static int check_access_path(const struct landlock_ruleset *const domain,
|
|||||||
{
|
{
|
||||||
bool allowed = false;
|
bool allowed = false;
|
||||||
struct path walker_path;
|
struct path walker_path;
|
||||||
u64 layer_mask;
|
layer_mask_t layer_mask;
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
/* Make sure all layers can be checked. */
|
|
||||||
BUILD_BUG_ON(BITS_PER_TYPE(layer_mask) < LANDLOCK_MAX_NUM_LAYERS);
|
|
||||||
|
|
||||||
if (!access_request)
|
if (!access_request)
|
||||||
return 0;
|
return 0;
|
||||||
if (WARN_ON_ONCE(!domain || !path))
|
if (WARN_ON_ONCE(!domain || !path))
|
||||||
|
@ -15,7 +15,7 @@
|
|||||||
|
|
||||||
/* clang-format off */
|
/* clang-format off */
|
||||||
|
|
||||||
#define LANDLOCK_MAX_NUM_LAYERS 64
|
#define LANDLOCK_MAX_NUM_LAYERS 16
|
||||||
#define LANDLOCK_MAX_NUM_RULES U32_MAX
|
#define LANDLOCK_MAX_NUM_RULES U32_MAX
|
||||||
|
|
||||||
#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_MAKE_SYM
|
#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_MAKE_SYM
|
||||||
|
@ -23,6 +23,10 @@ typedef u16 access_mask_t;
|
|||||||
/* Makes sure all filesystem access rights can be stored. */
|
/* Makes sure all filesystem access rights can be stored. */
|
||||||
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
|
static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
|
||||||
|
|
||||||
|
typedef u16 layer_mask_t;
|
||||||
|
/* Makes sure all layers can be checked. */
|
||||||
|
static_assert(BITS_PER_TYPE(layer_mask_t) >= LANDLOCK_MAX_NUM_LAYERS);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* struct landlock_layer - Access rights for a given layer
|
* struct landlock_layer - Access rights for a given layer
|
||||||
*/
|
*/
|
||||||
|
@ -1159,7 +1159,7 @@ TEST_F_FORK(layout1, max_layers)
|
|||||||
const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
|
const int ruleset_fd = create_ruleset(_metadata, ACCESS_RW, rules);
|
||||||
|
|
||||||
ASSERT_LE(0, ruleset_fd);
|
ASSERT_LE(0, ruleset_fd);
|
||||||
for (i = 0; i < 64; i++)
|
for (i = 0; i < 16; i++)
|
||||||
enforce_ruleset(_metadata, ruleset_fd);
|
enforce_ruleset(_metadata, ruleset_fd);
|
||||||
|
|
||||||
for (i = 0; i < 2; i++) {
|
for (i = 0; i < 2; i++) {
|
||||||
|
Loading…
x
Reference in New Issue
Block a user