From nobody Tue Feb 10 23:53:26 2026 Received: from smtp-190e.mail.infomaniak.ch (smtp-190e.mail.infomaniak.ch [185.125.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2C479156F4D for ; Thu, 16 May 2024 18:19:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.14 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715883594; cv=none; b=AOUeQrnf927e2KRqA+NLo5vy37dnufqyNRkS1t15q2v15+buAydN/NeC/W600i/f3QnUyO9PXx4h4V+a7ZH4w2rDgwrueKPTBWaf3aDzQq3CBk6ngfdcqK9SAcDfPinWxaeQotZ3NQcnn/136IApwH5PMvyPyzEMiVwC5DAs34g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715883594; c=relaxed/simple; bh=5KRWtyLsaH6DIVboHThP86V5QZIcRzReg8vtxsJ0D1M=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=C2JQO8WWco3VQFt4tsYGW5tDJyXgfkPh8pZ99AyrilWavZ731tApyoGTgjBhl9zbipAz7hmgt8NoBnEcRcEXxJihDz+KlB7oOMjMtiiH68cUvQYn5NumsoHdvXzLU3Pkl3N2sYiVpIw6jYtvuhlQIpkgzyhstEsHKN6oPMwDRHg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=1+TVKVPP; arc=none smtp.client-ip=185.125.25.14 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="1+TVKVPP" Received: from smtp-4-0001.mail.infomaniak.ch (smtp-4-0001.mail.infomaniak.ch [10.7.10.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4VgJKG6Z0lzC4V; Thu, 16 May 2024 20:19:46 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1715883586; bh=3HPBFcfXIupAj8rBMIh3SYeVvxw0d3/RL490PTDHfy4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1+TVKVPPz2feTbBej8nkBd3KW28RYulRNpHiWy9t/UGYLMlYCv7QjnZZVoO5mqqHM 61vb+X7HZ0ksaxu1M8Tte4U0KvKv53pPHV0EheOGfYx+JV5juMpI8oQKkwSTx2xa0+ SgOF2+JNnrENcTF2daXVpZp7/FyX8/I9wwhcfizg= Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4VgJKG1fLNzhPV; Thu, 16 May 2024 20:19:46 +0200 (CEST) From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: =?UTF-8?q?G=C3=BCnther=20Noack?= , Paul Moore Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , "Serge E . Hallyn" , nathan@kernel.org, ndesaulniers@google.com, syzkaller-bugs@googlegroups.com, trix@redhat.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, stable@vger.kernel.org, syzbot+bf4903dc7e12b18ebc87@syzkaller.appspotmail.com Subject: [PATCH v1 1/2] landlock: Fix d_parent walk Date: Thu, 16 May 2024 20:19:34 +0200 Message-ID: <20240516181935.1645983-2-mic@digikod.net> In-Reply-To: <20240516181935.1645983-1-mic@digikod.net> References: <20240516181935.1645983-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Infomaniak-Routing: alpha The canary in collect_domain_accesses() can be triggered when trying to link a root mount point. This cannot work in practice because this directory is mounted, but the VFS check is done after the call to security_path_link(). Do not use source directory's d_parent when the source directory is the mount point. Add tests to check error codes when renaming or linking a mount root directory. This previously triggered a kernel warning. The linux/mount.h file is not sorted with other headers to ease backport to Linux 6.1 . Cc: G=C3=BCnther Noack Cc: Paul Moore Cc: stable@vger.kernel.org Reported-by: syzbot+bf4903dc7e12b18ebc87@syzkaller.appspotmail.com Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDL= OCK_ACCESS_FS_REFER") Closes: https://lore.kernel.org/r/000000000000553d3f0618198200@google.com Signed-off-by: Micka=C3=ABl Sala=C3=BCn Link: https://lore.kernel.org/r/20240516181935.1645983-2-mic@digikod.net --- security/landlock/fs.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/security/landlock/fs.c b/security/landlock/fs.c index 22d8b7c28074..7877a64cc6b8 100644 --- a/security/landlock/fs.c +++ b/security/landlock/fs.c @@ -1110,6 +1110,7 @@ static int current_check_refer_path(struct dentry *co= nst old_dentry, bool allow_parent1, allow_parent2; access_mask_t access_request_parent1, access_request_parent2; struct path mnt_dir; + struct dentry *old_parent; layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS] =3D {}, layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS] =3D {}; =20 @@ -1157,9 +1158,17 @@ static int current_check_refer_path(struct dentry *c= onst old_dentry, mnt_dir.mnt =3D new_dir->mnt; mnt_dir.dentry =3D new_dir->mnt->mnt_root; =20 + /* + * old_dentry may be the root of the common mount point and + * !IS_ROOT(old_dentry) at the same time (e.g. with open_tree() and + * OPEN_TREE_CLONE). We do not need to call dget(old_parent) because + * we keep a reference to old_dentry. + */ + old_parent =3D (old_dentry =3D=3D mnt_dir.dentry) ? old_dentry : + old_dentry->d_parent; + /* new_dir->dentry is equal to new_dentry->d_parent */ - allow_parent1 =3D collect_domain_accesses(dom, mnt_dir.dentry, - old_dentry->d_parent, + allow_parent1 =3D collect_domain_accesses(dom, mnt_dir.dentry, old_parent, &layer_masks_parent1); allow_parent2 =3D collect_domain_accesses( dom, mnt_dir.dentry, new_dir->dentry, &layer_masks_parent2); --=20 2.45.0 From nobody Tue Feb 10 23:53:26 2026 Received: from smtp-190a.mail.infomaniak.ch (smtp-190a.mail.infomaniak.ch [185.125.25.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CEDB916130C for ; Thu, 16 May 2024 18:19:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.125.25.10 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715883599; cv=none; b=YvbhmqVTwwIzoYEHcwQkW8svWFpgP9zFAnhAZAEIsfakqTCODrtaNWw29Mxb3HedVGJsGlOLw4gn3BbGH4M9K1ROGamt+o5aObU/n/N5OgONL/0ytIy6mEmflMele8T7c6Wb7wBamFfFdVYizEiZ9UuwyfjQsvBAcIKc/5zfRQ8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715883599; c=relaxed/simple; bh=PEuSbZLhQKUIRPOEn8RJsEZy8kxbEUrcpbilId0eRIk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=rB9iGHCqixDntTy6MHZ/4RIDso18NbTnOeeu3b4CbqLeEslcu5EoZ9bRYL7KHVCyhXgfu2H+Bw9Zl8q3AxsD+T+zzHQn43OyGRTu+ajq4nLMY75YjOABBl1OtFxq6zI7aw23Ve/juWiwDnZXDevaYM7H7KpPKeSEq5F/eQu1e5g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=fR0LeHvV; arc=none smtp.client-ip=185.125.25.10 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="fR0LeHvV" Received: from smtp-3-0000.mail.infomaniak.ch (smtp-3-0000.mail.infomaniak.ch [10.4.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4VgJKH6GxyzC4W; Thu, 16 May 2024 20:19:47 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1715883587; bh=KYMR4OePvmGxZRLXtqNU+jKooqvr8rCEU9LlTK0H0Rc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fR0LeHvVhl4K8KsQhRfiKMCXN08Rdgq31ZOrg3FnXBHUHr2eKtBaAHw22DBH6/IzJ eVSRlsRUKw6eLatFhjobrpgVMYoBoTfe6Iz/dA0iYE4qgjHrUaXwFBffduqOvm1mhv 8o1AGUGQS1JXhScTzxIkH2QvkdK53RBaaJmB6p6s= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4VgJKH2sc5zrSg; Thu, 16 May 2024 20:19:47 +0200 (CEST) From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: =?UTF-8?q?G=C3=BCnther=20Noack?= , Paul Moore Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , "Serge E . Hallyn" , nathan@kernel.org, ndesaulniers@google.com, syzkaller-bugs@googlegroups.com, trix@redhat.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v1 2/2] selftests/landlock: Add layout1.refer_mount_root Date: Thu, 16 May 2024 20:19:35 +0200 Message-ID: <20240516181935.1645983-3-mic@digikod.net> In-Reply-To: <20240516181935.1645983-1-mic@digikod.net> References: <20240516181935.1645983-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Infomaniak-Routing: alpha Add tests to check error codes when linking or renaming a mount root directory. This previously triggered a kernel warning, but it is fixed with the previous commit. Cc: G=C3=BCnther Noack Cc: Paul Moore Signed-off-by: Micka=C3=ABl Sala=C3=BCn Link: https://lore.kernel.org/r/20240516181935.1645983-3-mic@digikod.net --- tools/testing/selftests/landlock/fs_test.c | 45 ++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/sel= ftests/landlock/fs_test.c index 6b5a9ff88c3d..7d063c652be1 100644 --- a/tools/testing/selftests/landlock/fs_test.c +++ b/tools/testing/selftests/landlock/fs_test.c @@ -35,6 +35,7 @@ * See https://sourceware.org/glibc/wiki/Synchronizing_Headers. */ #include +#include =20 #include "common.h" =20 @@ -47,6 +48,13 @@ int renameat2(int olddirfd, const char *oldpath, int new= dirfd, } #endif =20 +#ifndef open_tree +int open_tree(int dfd, const char *filename, unsigned int flags) +{ + return syscall(__NR_open_tree, dfd, filename, flags); +} +#endif + #ifndef RENAME_EXCHANGE #define RENAME_EXCHANGE (1 << 1) #endif @@ -2400,6 +2408,43 @@ TEST_F_FORK(layout1, refer_denied_by_default4) layer_dir_s1d1_refer); } =20 +/* + * Tests walking through a denied root mount. + */ +TEST_F_FORK(layout1, refer_mount_root_deny) +{ + const struct landlock_ruleset_attr ruleset_attr =3D { + .handled_access_fs =3D LANDLOCK_ACCESS_FS_MAKE_DIR, + }; + int root_fd, ruleset_fd; + + /* Creates a mount object from a non-mount point. */ + set_cap(_metadata, CAP_SYS_ADMIN); + root_fd =3D + open_tree(AT_FDCWD, dir_s1d1, + AT_EMPTY_PATH | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC); + clear_cap(_metadata, CAP_SYS_ADMIN); + ASSERT_LE(0, root_fd); + + ruleset_fd =3D + landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + ASSERT_LE(0, ruleset_fd); + + ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); + ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0)); + EXPECT_EQ(0, close(ruleset_fd)); + + /* Link denied by Landlock: EACCES. */ + EXPECT_EQ(-1, linkat(root_fd, ".", root_fd, "does_not_exist", 0)); + EXPECT_EQ(EACCES, errno); + + /* renameat2() always returns EBUSY. */ + EXPECT_EQ(-1, renameat2(root_fd, ".", root_fd, "does_not_exist", 0)); + EXPECT_EQ(EBUSY, errno); + + EXPECT_EQ(0, close(root_fd)); +} + TEST_F_FORK(layout1, reparent_link) { const struct rule layer1[] =3D { --=20 2.45.0