#
41cca054 |
|
05-Mar-2024 |
Mickaël Salaün <mic@digikod.net> |
selftests/harness: Fix TEST_F()'s vfork handling Always run fixture setup in the grandchild process, and by default also run the teardown in the same process. However, this change makes it possible to run the teardown in a parent process when _metadata->teardown_parent is set to true (e.g. in fixture setup). Fix TEST_SIGNAL() by forwarding grandchild's signal to its parent. Fix seccomp tests by running the test setup in the parent of the test thread, as expected by the related test code. Fix Landlock tests by waiting for the grandchild before processing _metadata. Use of exit(3) in tests should be OK because the environment in which the vfork(2) call happen is already dedicated to the running test (with flushed stdio, setpgrp() call), see __run_test() and the call to fork(2) just before running the setup/test/teardown. Even if the test configures its own exit handlers, they will not be run by the parent because it never calls exit(3), and the test function either ends with a call to _exit(2) or a signal. Cc: Günther Noack <gnoack@google.com> Cc: Shuah Khan <shuah@kernel.org> Cc: Will Drewry <wad@chromium.org> Fixes: 0710a1a73fb4 ("selftests/harness: Merge TEST_F_FORK() into TEST_F()") Reviewed-by: Kees Cook <keescook@chromium.org> Tested-by: Kees Cook <keescook@chromium.org> Signed-off-by: Mickaël Salaün <mic@digikod.net> Reported-by: Mark Brown <broonie@kernel.org> Tested-by: Mark Brown <broonie@kernel.org> Link: https://lore.kernel.org/r/20240305201029.1331333-1-mic@digikod.net Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
#
69fe8ec4 |
|
28-Feb-2024 |
Jakub Kicinski <kuba@kernel.org> |
selftests: kselftest_harness: save full exit code in metadata Instead of tracking passed = 0/1 rename the field to exit_code and invert the values so that they match the KSFT_* exit codes. This will allow us to fold SKIP / XFAIL into the same value. Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
40b7835e |
|
23-Jan-2024 |
Hu Yadi <hu.yadi@h3c.com> |
selftests/landlock: Fix fs_test build with old libc One issue comes up while building selftest/landlock/fs_test on my side (gcc 7.3/glibc-2.28/kernel-4.19). gcc -Wall -O2 -isystem fs_test.c -lcap -o selftests/landlock/fs_test fs_test.c:4575:9: error: initializer element is not constant .mnt = mnt_tmp, ^~~~~~~ Signed-off-by: Hu Yadi <hu.yadi@h3c.com> Suggested-by: Jiao <jiaoxupo@h3c.com> Reviewed-by: Berlin <berlin@h3c.com> Link: https://lore.kernel.org/r/20240124022908.42100-1-hu.yadi@h3c.com Fixes: 04f9070e99a4 ("selftests/landlock: Add tests for pseudo filesystems") [mic: Factor out mount's data string and make mnt_tmp static] Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
b838dd76 |
|
08-Dec-2023 |
Günther Noack <gnoack@google.com> |
selftests/landlock: Rename "permitted" to "allowed" in ftruncate tests Suggested-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20231208155121.1943775-3-gnoack@google.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
e2780a0b |
|
30-Nov-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests to check unhandled rule's access rights Add two tests to make sure that we cannot add a rule to a ruleset if the rule's access rights that are not handled by the ruleset: * fs: layout1.rule_with_unhandled_access * net: mini.rule_with_unhandled_access Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20231130093616.67340-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
6471c9c4 |
|
30-Nov-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests to check unknown rule's access rights Add two tests to make sure that we cannot add a rule with access rights that are unknown: * fs: layout0.rule_with_unknown_access * net: mini.rule_with_unknown_access Rename unknown_access_rights tests to ruleset_with_unknown_access . Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20231130093616.67340-2-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
f12f8f84 |
|
27-Oct-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests for FS topology changes with network rules Add 2 tests to the layout1 fixture: * topology_changes_with_net_only: Checks that FS topology changes are not denied by network-only restrictions. * topology_changes_with_net_and_fs: Make sure that FS topology changes are still denied with FS and network restrictions. This specifically test commit d7220364039f ("landlock: Allow FS topology changes for domains without such rule type"). Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Link: https://lore.kernel.org/r/20231027154615.815134-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
1fa33520 |
|
25-Oct-2023 |
Konstantin Meskhidze <konstantin.meskhidze@huawei.com> |
selftests/landlock: Share enforce_ruleset() helper Move enforce_ruleset() helper function to common.h so that it can be used both by filesystem tests and network ones. Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Link: https://lore.kernel.org/r/20231026014751.414649-10-konstantin.meskhidze@huawei.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
2a201549 |
|
30-Aug-2023 |
Ding Xiang <dingxiang@cmss.chinamobile.com> |
selftests/landlock: Fix a resource leak The opened file should be closed before return, otherwise resource leak will occur. Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com> Link: https://lore.kernel.org/r/20230830101148.3738-1-dingxiang@cmss.chinamobile.com Fixes: 3de64b656b3c ("selftests/landlock: Add supports_filesystem() helper") Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
35ca4239 |
|
12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add hostfs tests Add tests for the hostfs filesystems to make sure it has a consistent inode management, which is required for Landlock's file hierarchy identification. This adds 5 new tests for layout3_fs with the hostfs variant. Add hostfs to the new (architecture-specific) config.um file. The hostfs filesystem, only available for an User-Mode Linux kernel, is special because we cannot explicitly mount it. The layout3_fs.hostfs variant tests are skipped if the current test directory is not backed by this filesystem. The layout3_fs.hostfs.tag_inode_dir_child and layout3_fs.hostfs.tag_inode_file tests pass thanks to a previous commit fixing hostfs inode management. Without this fix, the deny-by-default policy would apply and all access requests would be denied. Link: https://lore.kernel.org/r/20230612191430.339153-7-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
04f9070e |
|
12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests for pseudo filesystems Add generic and read-only tests for 6 pseudo filesystems to make sure they have a consistent inode management, which is required for Landlock's file hierarchy identification: - tmpfs - ramfs - cgroup2 - proc - sysfs Update related kernel configuration to support these new filesystems, remove useless CONFIG_SECURITY_PATH, and sort all entries. If these filesystems are not supported by the kernel running tests, the related tests are skipped. Expanding variants, this adds 25 new tests for layout3_fs: - tag_inode_dir_parent - tag_inode_dir_mnt - tag_inode_dir_child - tag_inode_dir_file - release_inodes Test coverage for security/landlock with kernel debug code: - 94.7% of 835 lines according to gcc/gcov-12 - 93.0% of 852 lines according to gcc/gcov-13 Test coverage for security/landlock without kernel debug code: - 95.5% of 624 lines according to gcc/gcov-12 - 93.1% of 641 lines according to gcc/gcov-13 Link: https://lore.kernel.org/r/20230612191430.339153-6-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
55ab3fbe |
|
12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Make mounts configurable Add a new struct mnt_opt to define a mount point with the mount_opt() helper. This doesn't change tests but prepare for the next commit. Link: https://lore.kernel.org/r/20230612191430.339153-5-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
3de64b65 |
|
12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add supports_filesystem() helper Replace supports_overlayfs() with supports_filesystem() to be able to check several filesystems. This will be useful in a following commit. Only check for overlay filesystem once in the setup step, and then rely on self->skip_test. Cc: Guenter Roeck <groeck@chromium.org> Cc: Jeff Xu <jeffxu@google.com> Link: https://lore.kernel.org/r/20230612191430.339153-4-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
592efeb4 |
|
12-Jun-2023 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Don't create useless file layouts Add and use a layout0 test fixture to not populate the tmpfs filesystem if it is not required for tests: unknown_access_rights, proc_nsfs, unpriv and max_layers. This doesn't change these tests but it speeds up their setup and makes them less prone to error. This prepare the ground for a next commit. Link: https://lore.kernel.org/r/20230612191430.339153-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
366617a6 |
|
12-Jan-2023 |
Jeff Xu <jeffxu@google.com> |
selftests/landlock: Skip overlayfs tests when not supported overlayfs may be disabled in the kernel configuration, causing related tests to fail. Check that overlayfs is supported at runtime, so we can skip layout2_overlay.* accordingly. Signed-off-by: Jeff Xu <jeffxu@google.com> Reviewed-by: Guenter Roeck <groeck@chromium.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230113053229.1281774-2-jeffxu@google.com [mic: Reword comments and constify variables] Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
0d8c658b |
|
18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
selftests/landlock: Test ftruncate on FDs created by memfd_create(2) All file descriptors that are truncatable need to have the Landlock access rights set correctly on the file's Landlock security blob. This is also the case for files that are opened by other means than open(2). Test coverage for security/landlock is 94.7% of 838 lines according to gcc/gcov-11. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-10-gnoack3000@gmail.com [mic: Add test coverage in commit message] Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
a1a202a5 |
|
18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
selftests/landlock: Test FD passing from restricted to unrestricted processes A file descriptor created in a restricted process carries Landlock restrictions with it which will apply even if the same opened file is used from an unrestricted process. This change extracts suitable FD-passing helpers from base_test.c and moves them to common.h. We use the fixture variants from the ftruncate fixture to exercise the same scenarios as in the open_and_ftruncate test, but doing the Landlock restriction and open() in a different process than the ftruncate() call. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-9-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
41729af2 |
|
18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
selftests/landlock: Test open() and ftruncate() in multiple scenarios This test uses multiple fixture variants to exercise a broader set of scnenarios. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-7-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
225351ab |
|
18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
selftests/landlock: Test file truncation support These tests exercise the following truncation operations: * truncate() (truncate by path) * ftruncate() (truncate by file descriptor) * open with the O_TRUNC flag * special case: creat(), which is open with O_CREAT|O_WRONLY|O_TRUNC. in the following scenarios: * Files with read, write and truncate rights. * Files with read and truncate rights. * Files with the truncate right. * Files without the truncate right. In particular, the following scenarios are enforced with the test: * open() with O_TRUNC requires the truncate right, if it truncates a file. open() already checks security_path_truncate() in this case, and it required no additional check in the Landlock LSM's file_open hook. * creat() requires the truncate right when called with an existing filename. * creat() does *not* require the truncate right when it's creating a new file. * ftruncate() requires that the file was opened by a thread that had the truncate right for the file at the time of open(). (The rights are carried along with the opened file.) Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-6-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
b9f5ce27 |
|
18-Oct-2022 |
Günther Noack <gnoack3000@gmail.com> |
landlock: Support file truncation Introduce the LANDLOCK_ACCESS_FS_TRUNCATE flag for file truncation. This flag hooks into the path_truncate, file_truncate and file_alloc_security LSM hooks and covers file truncation using truncate(2), ftruncate(2), open(2) with O_TRUNC, as well as creat(). This change also increments the Landlock ABI version, updates corresponding selftests, and updates code documentation to document the flag. In security/security.c, allocate security blobs at pointer-aligned offsets. This fixes the problem where one LSM's security blob can shift another LSM's security blob to an unaligned address (reported by Nathan Chancellor). The following operations are restricted: open(2): requires the LANDLOCK_ACCESS_FS_TRUNCATE right if a file gets implicitly truncated as part of the open() (e.g. using O_TRUNC). Notable special cases: * open(..., O_RDONLY|O_TRUNC) can truncate files as well in Linux * open() with O_TRUNC does *not* need the TRUNCATE right when it creates a new file. truncate(2) (on a path): requires the LANDLOCK_ACCESS_FS_TRUNCATE right. ftruncate(2) (on a file): requires that the file had the TRUNCATE right when it was previously opened. File descriptors acquired by other means than open(2) (e.g. memfd_create(2)) continue to support truncation with ftruncate(2). Cc: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Günther Noack <gnoack3000@gmail.com> Acked-by: Paul Moore <paul@paul-moore.com> (LSM) Link: https://lore.kernel.org/r/20221018182216.301684-5-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
55e55920 |
|
31-Aug-2022 |
Mickaël Salaün <mic@digikod.net> |
landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER This change fixes a mis-handling of the LANDLOCK_ACCESS_FS_REFER right when multiple rulesets/domains are stacked. The expected behaviour was that an additional ruleset can only restrict the set of permitted operations, but in this particular case, it was potentially possible to re-gain the LANDLOCK_ACCESS_FS_REFER right. With the introduction of LANDLOCK_ACCESS_FS_REFER, we added the first globally denied-by-default access right. Indeed, this lifted an initial Landlock limitation to rename and link files, which was initially always denied when the source or the destination were different directories. This led to an inconsistent backward compatibility behavior which was only taken into account if no domain layer were using the new LANDLOCK_ACCESS_FS_REFER right. However, when restricting a thread with a new ruleset handling LANDLOCK_ACCESS_FS_REFER, all inherited parent rulesets/layers not explicitly handling LANDLOCK_ACCESS_FS_REFER would behave as if they were handling this access right and with all their rules allowing it. This means that renaming and linking files could became allowed by these parent layers, but all the other required accesses must also be granted: all layers must allow file removal or creation, and renaming and linking operations cannot lead to privilege escalation according to the Landlock policy. See detailed explanation in commit b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER"). To say it another way, this bug may lift the renaming and linking limitations of the initial Landlock version, and a same ruleset can enforce different restrictions depending on previous or next enforced ruleset (i.e. inconsistent behavior). The LANDLOCK_ACCESS_FS_REFER right cannot give access to data not already allowed, but this doesn't follow the contract of the first Landlock ABI. This fix puts back the limitation for sandboxes that didn't opt-in for this additional right. For instance, if a first ruleset allows LANDLOCK_ACCESS_FS_MAKE_REG on /dst and LANDLOCK_ACCESS_FS_REMOVE_FILE on /src, renaming /src/file to /dst/file is denied. However, without this fix, stacking a new ruleset which allows LANDLOCK_ACCESS_FS_REFER on / would now permit the sandboxed thread to rename /src/file to /dst/file . This change fixes the (absolute) rule access rights, which now always forbid LANDLOCK_ACCESS_FS_REFER except when it is explicitly allowed when creating a rule. Making all domain handle LANDLOCK_ACCESS_FS_REFER was an initial approach but there is two downsides: * it makes the code more complex because we still want to check that a rule allowing LANDLOCK_ACCESS_FS_REFER is legitimate according to the ruleset's handled access rights (i.e. ABI v1 != ABI v2); * it would not allow to identify if the user created a ruleset explicitly handling LANDLOCK_ACCESS_FS_REFER or not, which will be an issue to audit Landlock. Instead, this change adds an ACCESS_INITIALLY_DENIED list of denied-by-default rights, which (only) contains LANDLOCK_ACCESS_FS_REFER. All domains are treated as if they are also handling this list, but without modifying their fs_access_masks field. A side effect is that the errno code returned by rename(2) or link(2) *may* be changed from EXDEV to EACCES according to the enforced restrictions. Indeed, we now have the mechanic to identify if an access is denied because of a required right (e.g. LANDLOCK_ACCESS_FS_MAKE_REG, LANDLOCK_ACCESS_FS_REMOVE_FILE) or if it is denied because of missing LANDLOCK_ACCESS_FS_REFER rights. This may result in different errno codes than for the initial Landlock version, but this approach is more consistent and better for rename/link compatibility reasons, and it wasn't possible before (hence no backport to ABI v1). The layout1.rename_file test reflects this change. Add 4 layout1.refer_denied_by_default* test suites to check that the behavior of a ruleset not handling LANDLOCK_ACCESS_FS_REFER (ABI v1) is unchanged even if another layer handles LANDLOCK_ACCESS_FS_REFER (i.e. ABI v1 precedence). Make sure rule's absolute access rights are correct by testing with and without a matching path. Add test_rename() and test_exchange() helpers. Extend layout1.inval tests to check that a denied-by-default access right is not necessarily part of a domain's handled access rights. Test coverage for security/landlock is 95.3% of 599 lines according to gcc/gcov-11. Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER") Reviewed-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20220831203840.1370732-1-mic@digikod.net Cc: stable@vger.kernel.org [mic: Constify and slightly simplify test helpers] Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
f4056b92 |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add 11 new test suites dedicated to file reparenting These test suites try to check all edge cases for directory and file renaming or linking involving a new parent directory, with and without LANDLOCK_ACCESS_FS_REFER and other access rights. layout1: * reparent_refer: Tests simple FS_REFER usage. * reparent_link: Tests a mix of FS_MAKE_REG and FS_REFER with links. * reparent_rename: Tests a mix of FS_MAKE_REG and FS_REFER with renames and RENAME_EXCHANGE. * reparent_exdev_layers_rename1/2: Tests renames with two layers. * reparent_exdev_layers_exchange1/2/3: Tests exchanges with two layers. * reparent_remove: Tests file and directory removal with rename. * reparent_dom_superset: Tests access partial ordering. layout1_bind: * reparent_cross_mount: Tests FS_REFER propagation across mount points. Test coverage for security/landlock is 95.4% of 604 lines according to gcc/gcov-11. Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20220506161102.525323-9-mic@digikod.net
|
#
b91c3e4e |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy writers to allow sandboxed processes to link and rename files from and to a specific set of file hierarchies. This access right should be composed with LANDLOCK_ACCESS_FS_MAKE_* for the destination of a link or rename, and with LANDLOCK_ACCESS_FS_REMOVE_* for a source of a rename. This lift a Landlock limitation that always denied changing the parent of an inode. Renaming or linking to the same directory is still always allowed, whatever LANDLOCK_ACCESS_FS_REFER is used or not, because it is not considered a threat to user data. However, creating multiple links or renaming to a different parent directory may lead to privilege escalations if not handled properly. Indeed, we must be sure that the source doesn't gain more privileges by being accessible from the destination. This is handled by making sure that the source hierarchy (including the referenced file or directory itself) restricts at least as much the destination hierarchy. If it is not the case, an EXDEV error is returned, making it potentially possible for user space to copy the file hierarchy instead of moving or linking it. Instead of creating different access rights for the source and the destination, we choose to make it simple and consistent for users. Indeed, considering the previous constraint, it would be weird to require such destination access right to be also granted to the source (to make it a superset). Moreover, RENAME_EXCHANGE would also add to the confusion because of paths being both a source and a destination. See the provided documentation for additional details. New tests are provided with a following commit. Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20220506161102.525323-8-mic@digikod.net
|
#
8ba0005f |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
landlock: Fix same-layer rule unions The original behavior was to check if the full set of requested accesses was allowed by at least a rule of every relevant layer. This didn't take into account requests for multiple accesses and same-layer rules allowing the union of these accesses in a complementary way. As a result, multiple accesses requested on a file hierarchy matching rules that, together, allowed these accesses, but without a unique rule allowing all of them, was illegitimately denied. This case should be rare in practice and it can only be triggered by the path_rename or file_open hook implementations. For instance, if, for the same layer, a rule allows execution beneath /a/b and another rule allows read beneath /a, requesting access to read and execute at the same time for /a/b should be allowed for this layer. This was an inconsistency because the union of same-layer rule accesses was already allowed if requested once at a time anyway. This fix changes the way allowed accesses are gathered over a path walk. To take into account all these rule accesses, we store in a matrix all layer granting the set of requested accesses, according to the handled accesses. To avoid heap allocation, we use an array on the stack which is 2*13 bytes. A following commit bringing the LANDLOCK_ACCESS_FS_REFER access right will increase this size to reach 112 bytes (2*14*4) in case of link or rename actions. Add a new layout1.layer_rule_unions test to check that accesses from different rules pertaining to the same layer are ORed in a file hierarchy. Also test that it is not the case for rules from different layers. Reviewed-by: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20220506161102.525323-5-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
75c542d6 |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
landlock: Reduce the maximum number of layers to 16 The maximum number of nested Landlock domains is currently 64. Because of the following fix and to help reduce the stack size, let's reduce it to 16. This seems large enough for a lot of use cases (e.g. sandboxed init service, spawning a sandboxed SSH service, in nested sandboxed containers). Reducing the number of nested domains may also help to discover misuse of Landlock (e.g. creating a domain per rule). Add and use a dedicated layer_mask_t typedef to fit with the number of layers. This might be useful when changing it and to keep it consistent with the maximum number of layers. Reviewed-by: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20220506161102.525323-3-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
d1788ad9 |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests for O_PATH The O_PATH flag is currently not handled by Landlock. Let's make sure this behavior will remain consistent with the same ruleset over time. Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-8-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
6a1bdd4a |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Fully test file rename with "remove" access These tests were missing to check the check_access_path() call with all combinations of maybe_remove(old_dentry) and maybe_remove(new_dentry). Extend layout1.link with a new complementary test and check that REMOVE_FILE is not required to link a file. Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-7-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
d18955d0 |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Extend access right tests to directories Make sure that all filesystem access rights can be tied to directories. Rename layout1.file_access_rights to layout1.file_and_dir_access_rights to reflect this change. Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-6-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
c56b3bf5 |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add tests for unknown access rights Make sure that trying to use unknown access rights returns an error. Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-5-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
87129ef1 |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Make tests build with old libc Replace SYS_<syscall> with __NR_<syscall>. Using the __NR_<syscall> notation, provided by UAPI, is useful to build tests on systems without the SYS_<syscall> definitions. Replace SYS_pivot_root with __NR_pivot_root, and SYS_move_mount with __NR_move_mount. Define renameat2() and RENAME_EXCHANGE if they are unknown to old build systems. Cc: Shuah Khan <shuah@kernel.org> Link: https://lore.kernel.org/r/20220506160820.524344-3-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
371183fa |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Format with clang-format Let's follow a consistent and documented coding style. Everything may not be to our liking but it is better than tacit knowledge. Moreover, this will help maintain style consistency between different developers. This contains only whitespace changes. Automatically formatted with: clang-format-14 -i tools/testing/selftests/landlock/*.[ch] Link: https://lore.kernel.org/r/20220506160513.523257-6-mic@digikod.net Cc: stable@vger.kernel.org [mic: Update style according to https://lore.kernel.org/r/02494cb8-2aa5-1769-f28d-d7206f284e5a@digikod.net] Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
135464f9 |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Normalize array assignment Add a comma after each array value to make clang-format keep the current array formatting. See the following commit. Automatically modified with: sed -i 's/\t\({}\|NULL\)$/\0,/' tools/testing/selftests/landlock/fs_test.c Link: https://lore.kernel.org/r/20220506160513.523257-5-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
4598d9ab |
|
06-May-2022 |
Mickaël Salaün <mic@digikod.net> |
selftests/landlock: Add clang-format exceptions In preparation to a following commit, add clang-format on and clang-format off stanzas around constant definitions and the TEST_F_FORK macro. This enables to keep aligned values, which is much more readable than packed definitions. Add other clang-format exceptions for FIXTURE() and FIXTURE_VARIANT_ADD() declarations to force space before open brace, which is reported by checkpatch.pl . Link: https://lore.kernel.org/r/20220506160513.523257-4-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>
|
#
e1199815 |
|
22-Apr-2021 |
Mickaël Salaün <mic@linux.microsoft.com> |
selftests/landlock: Add user space tests Test all Landlock system calls, ptrace hooks semantic and filesystem access-control with multiple layouts. Test coverage for security/landlock/ is 93.6% of lines. The code not covered only deals with internal kernel errors (e.g. memory allocation) and race conditions. Cc: James Morris <jmorris@namei.org> Cc: Jann Horn <jannh@google.com> Cc: Serge E. Hallyn <serge@hallyn.com> Cc: Shuah Khan <shuah@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210422154123.13086-11-mic@digikod.net Signed-off-by: James Morris <jamorris@linux.microsoft.com>
|