From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 01/10] landlock: Fix landlock_add_rule(2) documentation
Date: Fri, 6 May 2022 18:08:11 +0200
Message-Id: <20220506160820.524344-2-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

It is not mandatory to pass a file descriptor obtained with the O_PATH flag. Also, replace rule's accesses with ruleset's accesses.

Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-2-mic@digikod.net
--- include/uapi/linux/landlock.h | 5 +++-- security/landlock/syscalls.c | 7 +++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 15c31abb0d76..21c8d58283c9 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -62,8 +62,9 @@ struct landlock_path_beneath_attr { */ __u64 allowed_access; /** - * @parent_fd: File descriptor, open with ``O_PATH``, which identifies - * the parent directory of a file hierarchy, or just a file. + * @parent_fd: File descriptor, preferably opened with ``O_PATH``, + * which identifies the parent directory of a file hierarchy, or just a + * file. */ __s32 parent_fd; /* diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 2fde978bf8ca..7edc1d50e2bf 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c
@@ -292,14 +292,13 @@ static int get_path_from_fd(const s32 fd, struct path= *const path) * * - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot = time; * - EINVAL: @flags is not 0, or inconsistent access in the rule (i.e. - * &landlock_path_beneath_attr.allowed_access is not a subset of the rul= e's - * accesses); + * &landlock_path_beneath_attr.allowed_access is not a subset of the + * ruleset handled accesses); * - ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_acce= ss); * - EBADF: @ruleset_fd is not a file descriptor for the current thread, o= r a * member of @rule_attr is not a file descriptor as expected; * - EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of - * @rule_attr is not the expected file descriptor type (e.g. file open - * without O_PATH); + * @rule_attr is not the expected file descriptor type; * - EPERM: @ruleset_fd has no write access to the underlying ruleset; * - EFAULT: @rule_attr inconsistency. */ --=20 2.35.1
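Review bot: In the include/uapi/linux/landlock.h hunk, the new @parent_fd text says "preferably opened with ``O_PATH``" without saying why it is preferred or what other kind of descriptor is accepted. Since the commit message states that O_PATH is not mandatory, one more clause in the kernel-doc giving the reason for the preference would save API users from having to guess.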
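Review bot: In the security/landlock/syscalls.c hunk, the EBADFD entry now ends at "not the expected file descriptor type" and the removed example is not replaced, so the comment no longer tells the caller which descriptor types are expected for a member of @rule_attr. Suggest naming the accepted type instead of only dropping "(e.g. file open without O_PATH)". In the EINVAL entry, "the ruleset handled accesses" reads better as "the ruleset's handled accesses", which also matches the wording of the commit message.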
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 02/10] selftests/landlock: Make tests build with old libc
Date: Fri, 6 May 2022 18:08:12 +0200
Message-Id: <20220506160820.524344-3-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Replace SYS_ with __NR_. Using the __NR_ notation, provided by UAPI, is useful to build tests on systems without the SYS_ definitions. Replace SYS_pivot_root with __NR_pivot_root, and SYS_move_mount with __NR_move_mount. Define renameat2() and RENAME_EXCHANGE if they are unknown to old build systems.

Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-3-mic@digikod.net
---
Changes since v1:
* Format with clang-format and rebase.
--- tools/testing/selftests/landlock/fs_test.c | 23 +++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/sel= ftests/landlock/fs_test.c index 28b01cb30c78..cc7fa7b17578 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -22,6 +22,19 @@ =20 #include "common.h" =20 +#ifndef renameat2 +int renameat2(int olddirfd, const char *oldpath, int newdirfd, + const char *newpath, unsigned int flags) +{ + return syscall(__NR_renameat2, olddirfd, oldpath, newdirfd, newpath, + flags); +} +#endif + +#ifndef RENAME_EXCHANGE +#define RENAME_EXCHANGE (1 << 1) +#endif + #define TMP_DIR "tmp" #define BINARY_PATH "./true" =20 @@ -1279,7 +1292,7 @@ TEST_F_FORK(layout1, rule_inside_mount_ns) int ruleset_fd; =20 set_cap(_metadata, CAP_SYS_ADMIN); - ASSERT_EQ(0, syscall(SYS_pivot_root, dir_s3d2, dir_s3d3)) + ASSERT_EQ(0, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)) { TH_LOG("Failed to pivot root: %s", strerror(errno)); }; @@ -1313,7 +1326,7 @@ TEST_F_FORK(layout1, mount_and_pivot) set_cap(_metadata, CAP_SYS_ADMIN); ASSERT_EQ(-1, mount(NULL, dir_s3d2, NULL, MS_RDONLY, NULL)); ASSERT_EQ(EPERM, errno); - ASSERT_EQ(-1, syscall(SYS_pivot_root, dir_s3d2, dir_s3d3)); + ASSERT_EQ(-1, syscall(__NR_pivot_root, dir_s3d2, dir_s3d3)); ASSERT_EQ(EPERM, errno); clear_cap(_metadata, CAP_SYS_ADMIN); }
@@ -1332,13 +1345,13 @@ TEST_F_FORK(layout1, move_mount) ASSERT_LE(0, ruleset_fd); =20 set_cap(_metadata, CAP_SYS_ADMIN); - ASSERT_EQ(0, syscall(SYS_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, + ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, dir_s1d2, 0)) { TH_LOG("Failed to move mount: %s", strerror(errno)); } =20 - ASSERT_EQ(0, syscall(SYS_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD, + ASSERT_EQ(0, syscall(__NR_move_mount, AT_FDCWD, dir_s1d2, AT_FDCWD, dir_s3d2, 0)); clear_cap(_metadata, CAP_SYS_ADMIN); =20 
@@ -1346,7 +1359,7 @@ TEST_F_FORK(layout1, move_mount) ASSERT_EQ(0, close(ruleset_fd)); =20 set_cap(_metadata, CAP_SYS_ADMIN); - ASSERT_EQ(-1, syscall(SYS_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, + ASSERT_EQ(-1, syscall(__NR_move_mount, AT_FDCWD, dir_s3d2, AT_FDCWD, dir_s1d2, 0)); ASSERT_EQ(EPERM, errno); clear_cap(_metadata, CAP_SYS_ADMIN); --=20 2.35.1
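Review bot: In the first fs_test.c hunk (@@ -22,6 +22,19 @@), "#ifndef renameat2" only tests whether a preprocessor macro with that name exists, so it cannot detect a libc that already provides renameat2() as an ordinary function, and the fallback definition is compiled there as well. Giving the wrapper a test-local name and calling that from the tests would avoid redefining or silently replacing the libc symbol. The "#ifndef RENAME_EXCHANGE" guard does not have this problem because that name is a macro.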
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 03/10] selftests/landlock: Extend tests for minimal valid attribute size
Date: Fri, 6 May 2022 18:08:13 +0200
Message-Id: <20220506160820.524344-4-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

This might be useful when the struct landlock_ruleset_attr will get more fields.

Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-4-mic@digikod.net
---
Changes since v1:
* Format with clang-format and rebase.
--- tools/testing/selftests/landlock/base_test.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/s= elftests/landlock/base_test.c index 3faeae4233a4..be9b937256ac 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -35,6 +35,8 @@ TEST(inconsistent_attr) ASSERT_EQ(EINVAL, errno); ASSERT_EQ(-1, landlock_create_ruleset(ruleset_attr, 1, 0)); ASSERT_EQ(EINVAL, errno); + ASSERT_EQ(-1, landlock_create_ruleset(ruleset_attr, 7, 0)); + ASSERT_EQ(EINVAL, errno); =20 ASSERT_EQ(-1, landlock_create_ruleset(NULL, 1, 0)); /* The size if less than sizeof(struct landlock_attr_enforce). */
@@ -47,6 +49,9 @@ TEST(inconsistent_attr) ASSERT_EQ(-1, landlock_create_ruleset(ruleset_attr, page_size + 1, 0)); ASSERT_EQ(E2BIG, errno); =20 + /* Checks minimal valid attribute size. */ + ASSERT_EQ(-1, landlock_create_ruleset(ruleset_attr, 8, 0)); + ASSERT_EQ(ENOMSG, errno); ASSERT_EQ(-1, landlock_create_ruleset( ruleset_attr, sizeof(struct landlock_ruleset_attr), 0)); --=20 2.35.1
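Review bot: In the @@ -35,6 +35,8 @@ hunk of base_test.c, the literal 7 (and the 8 added in the following hunk) hard-codes the boundary of the smallest accepted attribute size. Since the commit message anticipates struct landlock_ruleset_attr getting more fields, expressing both values through a named constant or a sizeof expression would keep the boundary visible when the struct changes.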
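Review bot: In the @@ -47,6 +49,9 @@ hunk, the comment "Checks minimal valid attribute size" sits above an assertion that still expects -1, which is confusing on first read. Suggest saying in the comment that ENOMSG, as opposed to the EINVAL asserted for size 7, is what shows that the size itself was accepted.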
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 04/10] selftests/landlock: Add tests for unknown access rights
Date: Fri, 6 May 2022 18:08:14 +0200
Message-Id: <20220506160820.524344-5-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Make sure that trying to use unknown access rights returns an error.

Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-5-mic@digikod.net
---
Changes since v1:
* Format with clang-format and rebase.
--- tools/testing/selftests/landlock/fs_test.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/sel= ftests/landlock/fs_test.c index cc7fa7b17578..f293b7e2a1a7 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c
@@ -448,6 +448,22 @@ TEST_F_FORK(layout1, file_access_rights) ASSERT_EQ(0, close(path_beneath.parent_fd)); } =20 +TEST_F_FORK(layout1, unknown_access_rights) +{ + __u64 access_mask; + + for (access_mask =3D 1ULL << 63; access_mask !=3D ACCESS_LAST; + access_mask >>=3D 1) { + struct landlock_ruleset_attr ruleset_attr =3D { + .handled_access_fs =3D access_mask, + }; + + ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, + sizeof(ruleset_attr), 0)); + ASSERT_EQ(EINVAL, errno); + } +} + static void add_path_beneath(struct __test_metadata *const _metadata, const int ruleset_fd, const __u64 allowed_access, const char *const path) --=20 2.35.1
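Review bot: In unknown_access_rights, the loop condition "access_mask != ACCESS_LAST" relies on ACCESS_LAST being a single bit that the shifting mask lands on exactly. A relational bound such as "access_mask > ACCESS_LAST" states the intent directly and does not depend on hitting that exact value. The test also submits only one unknown bit at a time; a case that mixes an unknown bit with known ones would cover the more likely caller mistake.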
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 05/10] selftests/landlock: Extend access right tests to directories
Date: Fri, 6 May 2022 18:08:15 +0200
Message-Id: <20220506160820.524344-6-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Make sure that all filesystem access rights can be tied to directories. Rename layout1.file_access_rights to layout1.file_and_dir_access_rights to reflect this change.

Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-6-mic@digikod.net
---
Changes since v1:
* Format with clang-format and rebase.
--- tools/testing/selftests/landlock/fs_test.c | 30 ++++++++++++++++------ 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/sel= ftests/landlock/fs_test.c index f293b7e2a1a7..75f9358512df 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c
@@ -418,11 +418,12 @@ TEST_F_FORK(layout1, inval) =20 /* clang-format on */ =20 -TEST_F_FORK(layout1, file_access_rights) +TEST_F_FORK(layout1, file_and_dir_access_rights) { __u64 access; int err; - struct landlock_path_beneath_attr path_beneath =3D {}; + struct landlock_path_beneath_attr path_beneath_file =3D {}, + path_beneath_dir =3D {}; struct landlock_ruleset_attr ruleset_attr =3D { .handled_access_fs =3D ACCESS_ALL, }; 
@@ -432,20 +433,33 @@ TEST_F_FORK(layout1, file_access_rights) ASSERT_LE(0, ruleset_fd); =20 /* Tests access rights for files. */ - path_beneath.parent_fd =3D open(file1_s1d2, O_PATH | O_CLOEXEC); - ASSERT_LE(0, path_beneath.parent_fd); + path_beneath_file.parent_fd =3D open(file1_s1d2, O_PATH | O_CLOEXEC); + ASSERT_LE(0, path_beneath_file.parent_fd); + + /* Tests access rights for directories. */ + path_beneath_dir.parent_fd =3D + open(dir_s1d2, O_PATH | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, path_beneath_dir.parent_fd); + for (access =3D 1; access <=3D ACCESS_LAST; access <<=3D 1) { - path_beneath.allowed_access =3D access; + path_beneath_dir.allowed_access =3D access; + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, + LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_dir, 0)); + + path_beneath_file.allowed_access =3D access; err =3D landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, - &path_beneath, 0); - if ((access | ACCESS_FILE) =3D=3D ACCESS_FILE) { + &path_beneath_file, 0); + if (access & ACCESS_FILE) { ASSERT_EQ(0, err); } else { ASSERT_EQ(-1, err); ASSERT_EQ(EINVAL, errno); } } - ASSERT_EQ(0, close(path_beneath.parent_fd)); + ASSERT_EQ(0, close(path_beneath_file.parent_fd)); + ASSERT_EQ(0, close(path_beneath_dir.parent_fd)); + ASSERT_EQ(0, close(ruleset_fd)); } =20 TEST_F_FORK(layout1, unknown_access_rights) --=20 2.35.1
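Review bot: In the @@ -432,20 +433,33 @@ hunk, the file check changes from "(access | ACCESS_FILE) == ACCESS_FILE" to "access & ACCESS_FILE", which the commit message does not mention. The two are equivalent only because access holds a single bit in this loop; the old subset form stays correct if the loop is ever changed to test combined masks, so either keep it or add a short comment stating the single-bit assumption. The added close(ruleset_fd) is a separate cleanup and deserves a line in the commit message too.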
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 06/10] selftests/landlock: Fully test file rename with "remove" access
Date: Fri, 6 May 2022 18:08:16 +0200
Message-Id: <20220506160820.524344-7-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

These tests were missing to check the check_access_path() call with all combinations of maybe_remove(old_dentry) and maybe_remove(new_dentry). Extend layout1.link with a new complementary test and check that REMOVE_FILE is not required to link a file.

Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-7-mic@digikod.net
---
Changes since v1:
* Extend layout1.link with a second rule layer to check that REMOVE_FILE is not required to link a file.
* Format with clang-format and rebase.
--- tools/testing/selftests/landlock/fs_test.c | 41 +++++++++++++++++++--- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/sel= ftests/landlock/fs_test.c index 75f9358512df..9165f6adf7b9 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c
@@ -1659,15 +1659,21 @@ TEST_F_FORK(layout1, execute) =20 TEST_F_FORK(layout1, link) { - const struct rule rules[] =3D { + const struct rule layer1[] =3D { { .path =3D dir_s1d2, .access =3D LANDLOCK_ACCESS_FS_MAKE_REG, }, {}, }; - const int ruleset_fd =3D - create_ruleset(_metadata, rules[0].access, rules); + const struct rule layer2[] =3D { + { + .path =3D dir_s1d3, + .access =3D LANDLOCK_ACCESS_FS_REMOVE_FILE, + }, + {}, + }; + int ruleset_fd =3D create_ruleset(_metadata, layer1[0].access, layer1); =20 ASSERT_LE(0, ruleset_fd); =20 @@ -1680,14 +1686,30 @@ TEST_F_FORK(layout1, link) =20 ASSERT_EQ(-1, link(file2_s1d1, file1_s1d1)); ASSERT_EQ(EACCES, errno); + /* Denies linking because of reparenting. */ ASSERT_EQ(-1, link(file1_s2d1, file1_s1d2)); ASSERT_EQ(EXDEV, errno); ASSERT_EQ(-1, link(file2_s1d2, file1_s1d3)); ASSERT_EQ(EXDEV, errno); + ASSERT_EQ(-1, link(file2_s1d3, file1_s1d2)); + ASSERT_EQ(EXDEV, errno); =20 ASSERT_EQ(0, link(file2_s1d2, file1_s1d2)); ASSERT_EQ(0, link(file2_s1d3, file1_s1d3)); + + /* Prepares for next unlinks. */ + ASSERT_EQ(0, unlink(file2_s1d2)); + ASSERT_EQ(0, unlink(file2_s1d3)); + + ruleset_fd =3D create_ruleset(_metadata, layer2[0].access, layer2); + ASSERT_LE(0, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); + + /* Checks that linkind doesn't require the ability to delete a file. */ + ASSERT_EQ(0, link(file1_s1d2, file2_s1d2)); + ASSERT_EQ(0, link(file1_s1d3, file2_s1d3)); } =20 TEST_F_FORK(layout1, rename_file) @@ -1708,7 +1730,6 @@ TEST_F_FORK(layout1, rename_file) =20 ASSERT_LE(0, ruleset_fd); =20 - ASSERT_EQ(0, unlink(file1_s1d1)); ASSERT_EQ(0, unlink(file1_s1d2)); =20 enforce_ruleset(_metadata, ruleset_fd); 
@@ -1744,9 +1765,15 @@ TEST_F_FORK(layout1, rename_file) ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s2d1, RENAME_EXCHANGE)); ASSERT_EQ(EACCES, errno); + /* Checks that file1_s2d1 cannot be removed (instead of ENOTDIR). */ + ASSERT_EQ(-1, rename(dir_s2d2, file1_s2d1)); + ASSERT_EQ(EACCES, errno); ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, dir_s2d2, RENAME_EXCHANGE)); ASSERT_EQ(EACCES, errno); + /* Checks that file1_s1d1 cannot be removed (instead of EISDIR). */ + ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2)); + ASSERT_EQ(EACCES, errno); =20 /* Renames files with different parents. */ ASSERT_EQ(-1, rename(file1_s2d2, file1_s1d2)); 
@@ -1809,9 +1836,15 @@ TEST_F_FORK(layout1, rename_dir) ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s1d1, AT_FDCWD, dir_s2d1, RENAME_EXCHANGE)); ASSERT_EQ(EACCES, errno); + /* Checks that dir_s1d2 cannot be removed (instead of ENOTDIR). */ + ASSERT_EQ(-1, rename(dir_s1d2, file1_s1d1)); + ASSERT_EQ(EACCES, errno); ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s1d1, AT_FDCWD, dir_s1d2, RENAME_EXCHANGE)); ASSERT_EQ(EACCES, errno); + /* Checks that dir_s1d2 cannot be removed (instead of EISDIR). */ + ASSERT_EQ(-1, rename(file1_s1d1, dir_s1d2)); + ASSERT_EQ(EACCES, errno); =20 /* * Exchanges and renames directory to the same parent, which allows --=20 2.35.1
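Review bot: In the layout1.link hunk, the added comment has a typo: "linkind" should be "linking". Also, layer2 allows LANDLOCK_ACCESS_FS_REMOVE_FILE beneath dir_s1d3, so going by the path names only the link(file1_s1d2, file2_s1d2) call runs where removal is denied; a comment saying which of the two link() calls is the actual check and which is the control would make the intent clear.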
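Review bot: In rename_file (@@ -1708,7 +1730,6 @@), the removal of "ASSERT_EQ(0, unlink(file1_s1d1));" is not explained anywhere. It looks required by the new "rename(file1_s1d1, dir_s1d2)" check added further down in the same test, which needs the file to exist; a sentence in the commit message or a comment at the new assertion would record that dependency.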
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 07/10] selftests/landlock: Add tests for O_PATH
Date: Fri, 6 May 2022 18:08:17 +0200
Message-Id: <20220506160820.524344-8-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

The O_PATH flag is currently not handled by Landlock. Let's make sure this behavior will remain consistent with the same ruleset over time.

Cc: Shuah Khan
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-8-mic@digikod.net
---
Changes since v1:
* New patch.
--- tools/testing/selftests/landlock/fs_test.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/sel= ftests/landlock/fs_test.c index 9165f6adf7b9..a8f54c4462eb 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c
@@ -654,17 +654,23 @@ TEST_F_FORK(layout1, effective_access) enforce_ruleset(_metadata, ruleset_fd); ASSERT_EQ(0, close(ruleset_fd)); =20 - /* Tests on a directory. */ + /* Tests on a directory (with or without O_PATH). */ ASSERT_EQ(EACCES, test_open("/", O_RDONLY)); + ASSERT_EQ(0, test_open("/", O_RDONLY | O_PATH)); ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); + ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY | O_PATH)); ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); + ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY | O_PATH)); + ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY)); ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY)); ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY)); ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY)); =20 - /* Tests on a file. */ + /* Tests on a file (with or without O_PATH). */ ASSERT_EQ(EACCES, test_open(dir_s2d2, O_RDONLY)); + ASSERT_EQ(0, test_open(dir_s2d2, O_RDONLY | O_PATH)); + ASSERT_EQ(0, test_open(file1_s2d2, O_RDONLY)); =20 /* Checks effective read and write actions. 
*/ --=20 2.35.1
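Review bot: the added O_PATH assertions in TEST_F_FORK(layout1, effective_access) expect 0 on exactly the paths where the plain O_RDONLY open expects EACCES ("/", dir_s1d1, file1_s1d1, dir_s2d2), and the updated comments ("with or without O_PATH") do not say why that is the intended result. A short comment in the test stating that O_PATH opens are not handled by Landlock, as the commit message puts it, would keep a later reader from treating these as accidental passes and would show which assertions have to change if O_PATH ever becomes mediated. Minor style point: `O_RDONLY | O_PATH` can be written as `O_PATH` alone, since O_RDONLY contributes no bits.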
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 08/10] landlock: Change landlock_add_rule(2) argument check ordering
Date: Fri, 6 May 2022 18:08:18 +0200
Message-Id: <20220506160820.524344-9-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

It makes more sense to first check the ruleset FD and then the rule attribute. It will be useful to factor out code for other rule types.

Add inval_add_rule_arguments tests, extension of empty_path_beneath_attr tests, to also check error ordering for landlock_add_rule(2).

Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-9-mic@digikod.net
---
Changes since v1:
* New patch.
---
 security/landlock/syscalls.c | 22 +++++++------
 tools/testing/selftests/landlock/base_test.c | 34 ++++++++++++++++++--
 2 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 7edc1d50e2bf..a7396220c9d4 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c
@@ -318,20 +318,24 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset= _fd, if (flags) return -EINVAL; =20 - if (rule_type !=3D LANDLOCK_RULE_PATH_BENEATH) - return -EINVAL; - - /* Copies raw user space buffer, only one type for now. */ - res =3D copy_from_user(&path_beneath_attr, rule_attr, - sizeof(path_beneath_attr)); - if (res) - return -EFAULT; - /* Gets and checks the ruleset. */ ruleset =3D get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE); if (IS_ERR(ruleset)) return PTR_ERR(ruleset); =20 + if (rule_type !=3D LANDLOCK_RULE_PATH_BENEATH) { + err =3D -EINVAL; + goto out_put_ruleset; + } + + /* Copies raw user space buffer, only one type for now. */ + res =3D copy_from_user(&path_beneath_attr, rule_attr, + sizeof(path_beneath_attr)); + if (res) { + err =3D -EFAULT; + goto out_put_ruleset; + } + /* * Informs about useless rule: empty allowed_access (i.e. deny rules) * are ignored in path walks. diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/s= elftests/landlock/base_test.c index be9b937256ac..18b779471dcb 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c 
@@ -121,20 +121,50 @@ TEST(inval_create_ruleset_flags) ASSERT_EQ(EINVAL, errno); } =20 -TEST(empty_path_beneath_attr) +/* Tests ordering of syscall argument checks. */ +TEST(add_rule_checks_ordering) { const struct landlock_ruleset_attr ruleset_attr =3D { .handled_access_fs =3D LANDLOCK_ACCESS_FS_EXECUTE, }; + struct landlock_path_beneath_attr path_beneath_attr =3D { + .allowed_access =3D LANDLOCK_ACCESS_FS_EXECUTE, + .parent_fd =3D -1, + }; const int ruleset_fd =3D landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); =20 ASSERT_LE(0, ruleset_fd); =20 - /* Similar to struct landlock_path_beneath_attr.parent_fd =3D 0 */ + /* Checks invalid flags. */ + ASSERT_EQ(-1, landlock_add_rule(-1, 0, NULL, 1)); + ASSERT_EQ(EINVAL, errno); + + /* Checks invalid ruleset FD. */ + ASSERT_EQ(-1, landlock_add_rule(-1, 0, NULL, 0)); + ASSERT_EQ(EBADF, errno); + + /* Checks invalid rule type. */ + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, 0, NULL, 0)); + ASSERT_EQ(EINVAL, errno); + + /* Checks invalid rule attr. */ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, NULL, 0)); ASSERT_EQ(EFAULT, errno); + + /* Checks invalid path_beneath.parent_fd. */ + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, 0)); + ASSERT_EQ(EBADF, errno); + + /* Checks valid call. 
*/ + path_beneath_attr.parent_fd =3D + open("/tmp", O_PATH | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, path_beneath_attr.parent_fd); + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, 0)); + ASSERT_EQ(0, close(path_beneath_attr.parent_fd)); ASSERT_EQ(0, close(ruleset_fd)); } =20 --=20 2.35.1
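Review bot: moving the `rule_type` check and `copy_from_user()` below `get_ruleset_from_fd()` in security/landlock/syscalls.c changes which errno user space sees when several arguments are bad at once, and neither the commit message nor a comment in the hunk records that. Before this hunk an invalid ruleset FD combined with an invalid rule type returned -EINVAL; after it the error from `get_ruleset_from_fd()` is returned first (EBADF in the new selftest). Since this is user-visible behaviour of landlock_add_rule(2), consider stating the resulting order (flags, ruleset FD, rule type, rule attribute) in the syscall's comment block. Both moved failure paths rightly use `goto out_put_ruleset` rather than `return`, since the ruleset reference is held by then.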
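Review bot: the commit message announces `inval_add_rule_arguments` tests, but the test added in tools/testing/selftests/landlock/base_test.c is `TEST(add_rule_checks_ordering)`; one of the two should be updated so the log can be matched against the code. Separately, the valid-call case opens a hard-coded "/tmp" for `parent_fd`, so in an environment without that directory the test fails on `ASSERT_LE(0, path_beneath_attr.parent_fd)` and not on a Landlock check. A comment noting the dependency, or a path the test creates itself, would make such a failure easier to read.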
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 09/10] landlock: Change landlock_restrict_self(2) check ordering
Date: Fri, 6 May 2022 18:08:19 +0200
Message-Id: <20220506160820.524344-10-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

According to the Landlock goal to be a security feature available to unprivileged processes, it makes more sense to first check for no_new_privs before checking anything else (i.e. syscall arguments).

Merge inval_fd_enforce and unpriv_enforce_without_no_new_privs tests into the new restrict_self_checks_ordering. This is similar to the previous commit checking other syscalls.

Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-10-mic@digikod.net
---
Changes since v1:
* New patch.
---
 security/landlock/syscalls.c | 8 ++--
 tools/testing/selftests/landlock/base_test.c | 47 +++++++++++++++-----
 2 files changed, 41 insertions(+), 14 deletions(-)

diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index a7396220c9d4..507d43827afe 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -405,10 +405,6 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, rul= eset_fd, const __u32, if (!landlock_initialized) return -EOPNOTSUPP; =20 - /* No flag for now. */ - if (flags) - return -EINVAL; - /* * Similar checks as for seccomp(2), except that an -EPERM may be * returned.
@@ -417,6 +413,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, rul= eset_fd, const __u32, !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) return -EPERM; =20 + /* No flag for now. */ + if (flags) + return -EINVAL; + /* Gets and checks the ruleset. */ ruleset =3D get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ); if (IS_ERR(ruleset)) diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/s= elftests/landlock/base_test.c index 18b779471dcb..21fb33581419 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c 
@@ -168,22 +168,49 @@ TEST(add_rule_checks_ordering) ASSERT_EQ(0, close(ruleset_fd)); } =20 -TEST(inval_fd_enforce) +/* Tests ordering of syscall argument and permission checks. */ +TEST(restrict_self_checks_ordering) { + const struct landlock_ruleset_attr ruleset_attr =3D { + .handled_access_fs =3D LANDLOCK_ACCESS_FS_EXECUTE, + }; + struct landlock_path_beneath_attr path_beneath_attr =3D { + .allowed_access =3D LANDLOCK_ACCESS_FS_EXECUTE, + .parent_fd =3D -1, + }; + const int ruleset_fd =3D + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + + ASSERT_LE(0, ruleset_fd); + path_beneath_attr.parent_fd =3D + open("/tmp", O_PATH | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC); + ASSERT_LE(0, path_beneath_attr.parent_fd); + ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, + &path_beneath_attr, 0)); + ASSERT_EQ(0, close(path_beneath_attr.parent_fd)); + + /* Checks unprivileged enforcement without no_new_privs. */ + drop_caps(_metadata); + ASSERT_EQ(-1, landlock_restrict_self(-1, -1)); + ASSERT_EQ(EPERM, errno); + ASSERT_EQ(-1, landlock_restrict_self(-1, 0)); + ASSERT_EQ(EPERM, errno); + ASSERT_EQ(-1, landlock_restrict_self(ruleset_fd, 0)); + ASSERT_EQ(EPERM, errno); + ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); =20 + /* Checks invalid flags. */ + ASSERT_EQ(-1, landlock_restrict_self(-1, -1)); + ASSERT_EQ(EINVAL, errno); + + /* Checks invalid ruleset FD. */ ASSERT_EQ(-1, landlock_restrict_self(-1, 0)); ASSERT_EQ(EBADF, errno); -} - -TEST(unpriv_enforce_without_no_new_privs) -{ - int err; =20 - drop_caps(_metadata); - err =3D landlock_restrict_self(-1, 0); - ASSERT_EQ(EPERM, errno); - ASSERT_EQ(err, -1); + /* Checks valid call. 
*/ + ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0)); + ASSERT_EQ(0, close(ruleset_fd)); } =20 TEST(ruleset_fd_io) --=20 2.35.1
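Review bot: with the `flags` check moved below the permission check in landlock_restrict_self(2), the existing comment ("Similar checks as for seccomp(2), except that an -EPERM may be returned.") does not explain why this block now precedes argument validation. A caller that fails the `ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)` condition and also passes non-zero flags used to get -EINVAL and now gets -EPERM; the comment should say that the privilege check deliberately comes before any argument check. The `landlock_initialized` test returning -EOPNOTSUPP still comes first in the visible context, so the commit message's "before checking anything else" holds for syscall arguments only, and the wording could reflect that.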
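Review bot: in `TEST(restrict_self_checks_ordering)` the three EPERM assertions after `drop_caps(_metadata)` share one comment although each proves something different: `landlock_restrict_self(-1, -1)` shows the permission check wins over invalid flags, `(-1, 0)` over an invalid ruleset FD, and `(ruleset_fd, 0)` that an otherwise valid call is still refused. A one-line comment per assertion, as done for the later EINVAL and EBADF cases, would document the ordering the test is meant to pin. The test also reaches the success path only through `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)`; the other branch of the kernel condition, holding CAP_SYS_ADMIN without no_new_privs, has no assertion in this hunk.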
From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Jann Horn, Kees Cook, Konstantin Meskhidze, Nathan Chancellor, Nick Desaulniers, Paul Moore, Shuah Khan, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v2 10/10] selftests/landlock: Test landlock_create_ruleset(2) argument check ordering
Date: Fri, 6 May 2022 18:08:20 +0200
Message-Id: <20220506160820.524344-11-mic@digikod.net>
In-Reply-To: <20220506160820.524344-1-mic@digikod.net>
References: <20220506160820.524344-1-mic@digikod.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

Add inval_create_ruleset_arguments, extension of inval_create_ruleset_flags, to also check error ordering for landlock_create_ruleset(2).

This is similar to the previous commit checking landlock_add_rule(2).

Test coverage for security/landlock is 94.4% of 504 lines according to gcc/gcov-11.

Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506160820.524344-11-mic@digikod.net
---
Changes since v1:
* New patch.
---
 tools/testing/selftests/landlock/base_test.c | 21 +++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/s= elftests/landlock/base_test.c index 21fb33581419..35f64832b869 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c
@@ -97,14 +97,17 @@ TEST(abi_version) ASSERT_EQ(EINVAL, errno); } =20 -TEST(inval_create_ruleset_flags) +/* Tests ordering of syscall argument checks. */ +TEST(create_ruleset_checks_ordering) { const int last_flag =3D LANDLOCK_CREATE_RULESET_VERSION; const int invalid_flag =3D last_flag << 1; + int ruleset_fd; const struct landlock_ruleset_attr ruleset_attr =3D { .handled_access_fs =3D LANDLOCK_ACCESS_FS_READ_FILE, }; =20 + /* Checks priority for invalid flags. */ ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0, invalid_flag)); ASSERT_EQ(EINVAL, errno); =20 @@ -119,6 +122,22 @@ TEST(inval_create_ruleset_flags) landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), invalid_flag)); ASSERT_EQ(EINVAL, errno); + + /* Checks too big ruleset_attr size. */ + ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, -1, 0)); + ASSERT_EQ(E2BIG, errno); + + /* Checks too small ruleset_attr size. */ + ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, 0)); + ASSERT_EQ(EINVAL, errno); + ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 1, 0)); + ASSERT_EQ(EINVAL, errno); + + /* Checks valid call. */ + ruleset_fd =3D + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + ASSERT_EQ(0, close(ruleset_fd)); } =20 /* Tests ordering of syscall argument checks. */ --=20 2.35.1
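Review bot: the commit message names the test `inval_create_ruleset_arguments`, while the first hunk renames `TEST(inval_create_ruleset_flags)` to `TEST(create_ruleset_checks_ordering)`; align the two. Under the new "Checks priority for invalid flags" comment, the first case `landlock_create_ruleset(NULL, 0, invalid_flag)` expects EINVAL, which is also what a size of 0 returns on its own in the second hunk, so that case cannot tell which check ran first. Pairing `invalid_flag` with an argument whose own error differs (for instance the size that yields E2BIG) would make the priority observable.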
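Review bot: in the "Checks too big ruleset_attr size" case of the second hunk the size argument is the bare literal `-1`, which only means "too big" after conversion to an unsigned size; a cast or a named constant would make the intent explicit. The too-small cases cover sizes 0 and 1 but not a size one byte below the accepted minimum, so an off-by-one in the minimum-size check would go unnoticed by this test; adding that boundary value alongside the existing two would close the gap.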