[v26,07/12] landlock: Support filesystem access-control

From: Mickaël Salaün <mic@linux.microsoft.com>

Thanks to the Landlock objects and ruleset, it is possible to identify
inodes according to a process's domain.  To enable an unprivileged
process to express a file hierarchy, it first needs to open a directory
(or a file) and pass this file descriptor to the kernel through
landlock_add_rule(2).  When checking if a file access request is
allowed, we walk from the requested dentry to the real root, following
the different mount layers.  The access to each "tagged" inodes are
collected according to their rule layer level, and ANDed to create
access to the requested file hierarchy.  This makes possible to identify
a lot of files without tagging every inodes nor modifying the
filesystem, while still following the view and understanding the user
has from the filesystem.

Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not
keep the same struct inodes for the same inodes whereas these inodes are
in use.

This commit adds a minimal set of supported filesystem access-control
which doesn't enable to restrict all file-related actions.  This is the
result of multiple discussions to minimize the code of Landlock to ease
review.  Thanks to the Landlock design, extending this access-control
without breaking user space will not be a problem.  Moreover, seccomp
filters can be used to restrict the use of syscall families which may
not be currently handled by Landlock.

Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
Cc: James Morris <jmorris@namei.org>
Cc: Jann Horn <jannh@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Richard Weinberger <richard@nod.at>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
---

Changes since v25:
* Move build_check_layer() to ruleset.c, and add built-time checks for
  the fs_access_mask and access variables according to
  _LANDLOCK_ACCESS_FS_MASK.
* Move limits to a dedicated file and rename them:
  _LANDLOCK_ACCESS_FS_LAST and _LANDLOCK_ACCESS_FS_MASK.
* Set build_check_layer() as non-inline to trigger a warning if it is
  not called.
* Use BITS_PER_TYPE() macro.
* Rename function to landlock_add_fs_hooks().
* Cosmetic variable renames.

Changes since v24:
* Use the new struct landlock_rule and landlock_layer to not mix
  accesses from different layers.  Revert "Enforce deterministic
  interleaved path rules" from v24, and fix the layer check.  This
  enables to follow a sane semantic: an access is granted if, for each
  policy layer, at least one rule encountered on the pathwalk grants the
  access, regardless of their position in the layer stack (suggested by
  Jann Horn).  See layout1.interleaved_masked_accesses tests from
  tools/testing/selftests/landlock/fs_test.c for corner cases.
* Add build-time checks for layers.
* Use the new landlock_insert_rule() API.

Changes since v23:
* Enforce deterministic interleaved path rules.  To have consistent
  layered rules, granting access to a path implies that all accesses
  tied to inodes, from the requested file to the real root, must be
  checked.  Otherwise, stacked rules may result to overzealous
  restrictions.  By excluding the ability to add exceptions in the same
  layer (e.g. /a allowed, /a/b denied, and /a/b/c allowed), we get
  deterministic interleaved path rules.  This removes an optimization
  which could be replaced by a proper cache mechanism.  This also
  further simplifies and explain check_access_path_continue().
* Fix memory allocation error handling in landlock_create_object()
  calls.  This prevent to inadvertently hold an inode.
* In get_inode_object(), improve comments, make code more readable and
  move kfree() call out of the lock window.
* Use the simplified landlock_insert_rule() API.

Changes since v22:
* Simplify check_access_path_continue() (suggested by Jann Horn).
* Remove prefetch() call for now (suggested by Jann Horn).
* Fix spelling and remove superfluous comment (spotted by Jann Horn).
* Cosmetic variable renaming.

Changes since v21:
* Rename ARCH_EPHEMERAL_STATES to ARCH_EPHEMERAL_INODES (suggested by
  James Morris).
* Remove the LANDLOCK_ACCESS_FS_CHROOT right because chroot(2) (which
  requires CAP_SYS_CHROOT) doesn't enable to bypass Landlock (as tests
  demonstrate it), and because it is often used by sandboxes, it would
  be counterproductive to forbid it.  This also reduces the code size.
* Clean up documentation.

Changes since v19:
* Fix spelling (spotted by Randy Dunlap).

Changes since v18:
* Remove useless include.
* Fix spelling.

Changes since v17:
* Replace landlock_release_inodes() with security_sb_delete() (requested
  by James Morris).
* Replace struct super_block->s_landlock_inode_refs with the LSM
  infrastructure management of the superblock (requested by James
  Morris).
* Fix mknod restriction with a zero mode (spotted by Vincent Dagonneau).
* Minimize executed code in path_mknod and file_open hooks when the
  current tasks is not sandboxed.
* Remove useless checks on the file pointer and inode in
  hook_file_open() .
* Constify domain pointers.
* Rename inode_landlock() to landlock_inode().
* Import include/uapi/linux/landlock.h and _LANDLOCK_ACCESS_FS_* from
  the ruleset and domain management patch.
* Explain the rational of this minimal set of access-control.
  https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.net/

Changes since v16:
* Add ARCH_EPHEMERAL_STATES and enable it for UML.

Changes since v15:
* Replace layer_levels and layer_depth with a bitfield of layers: this
  enables to properly manage superset and subset of access rights,
  whatever their order in the stack of layers.
  Cf. https://lore.kernel.org/lkml/e07fe473-1801-01cc-12ae-b3167f95250e@digikod.net/
* Allow to open pipes and similar special files through /proc/self/fd/.
* Properly handle internal filesystems such as nsfs: always allow these
  kind of roots because disconnected path cannot be evaluated.
* Remove the LANDLOCK_ACCESS_FS_LINK_TO and
  LANDLOCK_ACCESS_FS_RENAME_{TO,FROM}, but use the
  LANDLOCK_ACCESS_FS_REMOVE_{FILE,DIR} and LANDLOCK_ACCESS_FS_MAKE_*
  instead.  Indeed, it is not possible for now (and not really useful)
  to express the semantic of a source and a destination.
* Check access rights to remove a directory or a file with rename(2).
* Forbid reparenting when linking or renaming.  This is needed to easily
  protect against possible privilege escalation by changing the place of
  a file or directory in relation to an enforced access policy (from the
  set of layers).  This will be relaxed in the future.
* Update hooks to take into account replacement of the object's self and
  beneath access bitfields with one.  Simplify the code.
* Check file related access rights.
* Check d_is_negative() instead of !d_backing_inode() in
  check_access_path_continue(), and continue the path walk while there
  is no mapped inode e.g., with rename(2).
* Check private inode in check_access_path().
* Optimize get_file_access() when dealing with a directory.
* Add missing atomic.h .

Changes since v14:
* Simplify the object, rule and ruleset management at the expense of a
  less aggressive memory freeing (contributed by Jann Horn, with
  additional modifications):
  - Rewrite release_inode() to use inode->sb->s_landlock_inode_refs.
  - Remove useless checks in landlock_release_inodes(), clean object
    pointer according to the new struct landlock_object and wait for all
    iput() to complete.
  - Rewrite get_inode_object() according to the new struct
    landlock_object.  If there is a race-condition when cleaning up an
    object, we retry until the concurrent thread finished the object
    cleaning.
  Cf. https://lore.kernel.org/lkml/CAG48ez21bEn0wL1bbmTiiu8j9jP5iEWtHOwz4tURUJ+ki0ydYw@mail.gmail.com/
* Fix nested domains by implementing a notion of layer level and depth:
  - Check for matching level ranges when walking through a file path.
  - Only allow access if every layer granted the access request.
* Handles files without mount points (e.g. pipes).
* Hardens path walk by checking inode pointer values.
* Prefetches d_parent when walking to the root directory.
* Remove useless inode_alloc_security hook() (suggested by Jann Horn):
  already initialized by lsm_inode_alloc().
* Remove the inode_free_security hook.
* Remove access checks that may be required for FD-only requests:
  truncate, getattr, lock, chmod, chown, chgrp, ioctl.  This will be
  handle in a future evolution of Landlock, but right now the goal is to
  lighten the code to ease review.
* Constify variables.
* Move ABI checks into syscall.c .
* Cosmetic variable renames.

Changes since v11:
* Add back, revamp and make a fully working filesystem access-control
  based on paths and inodes.
* Remove the eBPF dependency.

Previous changes:
https://lore.kernel.org/lkml/20190721213116.23476-6-mic@digikod.net/
---
 MAINTAINERS                   |   1 +
 arch/Kconfig                  |   7 +
 arch/um/Kconfig               |   1 +
 include/uapi/linux/landlock.h |  75 ++++
 security/landlock/Kconfig     |   2 +-
 security/landlock/Makefile    |   2 +-
 security/landlock/fs.c        | 622 ++++++++++++++++++++++++++++++++++
 security/landlock/fs.h        |  56 +++
 security/landlock/limits.h    |   4 +
 security/landlock/ruleset.c   |   4 +
 security/landlock/setup.c     |   7 +
 security/landlock/setup.h     |   2 +
 12 files changed, 781 insertions(+), 2 deletions(-)
 create mode 100644 include/uapi/linux/landlock.h
 create mode 100644 security/landlock/fs.c
 create mode 100644 security/landlock/fs.h

On Wed, Dec 9, 2020 at 8:28 PM Mickaël Salaün <mic@digikod.net> wrote:
> Thanks to the Landlock objects and ruleset, it is possible to identify

> inodes according to a process's domain.  To enable an unprivileged

> process to express a file hierarchy, it first needs to open a directory

> (or a file) and pass this file descriptor to the kernel through

> landlock_add_rule(2).  When checking if a file access request is

> allowed, we walk from the requested dentry to the real root, following

> the different mount layers.  The access to each "tagged" inodes are

> collected according to their rule layer level, and ANDed to create

> access to the requested file hierarchy.  This makes possible to identify

> a lot of files without tagging every inodes nor modifying the

> filesystem, while still following the view and understanding the user

> has from the filesystem.

>

> Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not

> keep the same struct inodes for the same inodes whereas these inodes are

> in use.

>

> This commit adds a minimal set of supported filesystem access-control

> which doesn't enable to restrict all file-related actions.  This is the

> result of multiple discussions to minimize the code of Landlock to ease

> review.  Thanks to the Landlock design, extending this access-control

> without breaking user space will not be a problem.  Moreover, seccomp

> filters can be used to restrict the use of syscall families which may

> not be currently handled by Landlock.

[...]
> +static bool check_access_path_continue(

> +               const struct landlock_ruleset *const domain,

> +               const struct path *const path, const u32 access_request,

> +               u64 *const layer_mask)

> +{

[...]
> +       /*

> +        * An access is granted if, for each policy layer, at least one rule

> +        * encountered on the pathwalk grants the access, regardless of their

> +        * position in the layer stack.  We must then check not-yet-seen layers

> +        * for each inode, from the last one added to the first one.

> +        */

> +       for (i = 0; i < rule->num_layers; i++) {

> +               const struct landlock_layer *const layer = &rule->layers[i];

> +               const u64 layer_level = BIT_ULL(layer->level - 1);

> +

> +               if (!(layer_level & *layer_mask))

> +                       continue;

> +               if ((layer->access & access_request) != access_request)

> +                       return false;

> +               *layer_mask &= ~layer_level;


Hmm... shouldn't the last 5 lines be replaced by the following?

if ((layer->access & access_request) == access_request)
    *layer_mask &= ~layer_level;

And then, since this function would always return true, you could
change its return type to "void".


As far as I can tell, the current version will still, if a ruleset
looks like this:

/usr read+write
/usr/lib/ read

reject write access to /usr/lib, right?


> +       }

> +       return true;

> +}

On 14/01/2021 04:22, Jann Horn wrote:
> On Wed, Dec 9, 2020 at 8:28 PM Mickaël Salaün <mic@digikod.net> wrote:

>> Thanks to the Landlock objects and ruleset, it is possible to identify

>> inodes according to a process's domain.  To enable an unprivileged

>> process to express a file hierarchy, it first needs to open a directory

>> (or a file) and pass this file descriptor to the kernel through

>> landlock_add_rule(2).  When checking if a file access request is

>> allowed, we walk from the requested dentry to the real root, following

>> the different mount layers.  The access to each "tagged" inodes are

>> collected according to their rule layer level, and ANDed to create

>> access to the requested file hierarchy.  This makes possible to identify

>> a lot of files without tagging every inodes nor modifying the

>> filesystem, while still following the view and understanding the user

>> has from the filesystem.

>>

>> Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not

>> keep the same struct inodes for the same inodes whereas these inodes are

>> in use.

>>

>> This commit adds a minimal set of supported filesystem access-control

>> which doesn't enable to restrict all file-related actions.  This is the

>> result of multiple discussions to minimize the code of Landlock to ease

>> review.  Thanks to the Landlock design, extending this access-control

>> without breaking user space will not be a problem.  Moreover, seccomp

>> filters can be used to restrict the use of syscall families which may

>> not be currently handled by Landlock.

> [...]

>> +static bool check_access_path_continue(

>> +               const struct landlock_ruleset *const domain,

>> +               const struct path *const path, const u32 access_request,

>> +               u64 *const layer_mask)

>> +{

> [...]

>> +       /*

>> +        * An access is granted if, for each policy layer, at least one rule

>> +        * encountered on the pathwalk grants the access, regardless of their

>> +        * position in the layer stack.  We must then check not-yet-seen layers

>> +        * for each inode, from the last one added to the first one.

>> +        */

>> +       for (i = 0; i < rule->num_layers; i++) {

>> +               const struct landlock_layer *const layer = &rule->layers[i];

>> +               const u64 layer_level = BIT_ULL(layer->level - 1);

>> +

>> +               if (!(layer_level & *layer_mask))

>> +                       continue;

>> +               if ((layer->access & access_request) != access_request)

>> +                       return false;

>> +               *layer_mask &= ~layer_level;

> 

> Hmm... shouldn't the last 5 lines be replaced by the following?

> 

> if ((layer->access & access_request) == access_request)

>     *layer_mask &= ~layer_level;

> 

> And then, since this function would always return true, you could

> change its return type to "void".

> 

> 

> As far as I can tell, the current version will still, if a ruleset

> looks like this:

> 

> /usr read+write

> /usr/lib/ read

> 

> reject write access to /usr/lib, right?


If these two rules are from different layers, then yes it would work as
intended. However, if these rules are from the same layer the path walk
will not stop at /usr/lib but go down to /usr, which grants write
access. This is the reason I wrote it like this and the
layout1.inherit_subset test checks that. I'm updating the documentation
to better explain how an access is checked with one or multiple layers.

Doing this way also enables to stop the path walk earlier, which is the
original purpose of this function.


> 

> 

>> +       }

>> +       return true;

>> +}

On Thu, Jan 14, 2021 at 7:54 PM Mickaël Salaün <mic@digikod.net> wrote:
> On 14/01/2021 04:22, Jann Horn wrote:

> > On Wed, Dec 9, 2020 at 8:28 PM Mickaël Salaün <mic@digikod.net> wrote:

> >> Thanks to the Landlock objects and ruleset, it is possible to identify

> >> inodes according to a process's domain.  To enable an unprivileged

> >> process to express a file hierarchy, it first needs to open a directory

> >> (or a file) and pass this file descriptor to the kernel through

> >> landlock_add_rule(2).  When checking if a file access request is

> >> allowed, we walk from the requested dentry to the real root, following

> >> the different mount layers.  The access to each "tagged" inodes are

> >> collected according to their rule layer level, and ANDed to create

> >> access to the requested file hierarchy.  This makes possible to identify

> >> a lot of files without tagging every inodes nor modifying the

> >> filesystem, while still following the view and understanding the user

> >> has from the filesystem.

> >>

> >> Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not

> >> keep the same struct inodes for the same inodes whereas these inodes are

> >> in use.

> >>

> >> This commit adds a minimal set of supported filesystem access-control

> >> which doesn't enable to restrict all file-related actions.  This is the

> >> result of multiple discussions to minimize the code of Landlock to ease

> >> review.  Thanks to the Landlock design, extending this access-control

> >> without breaking user space will not be a problem.  Moreover, seccomp

> >> filters can be used to restrict the use of syscall families which may

> >> not be currently handled by Landlock.

> > [...]

> >> +static bool check_access_path_continue(

> >> +               const struct landlock_ruleset *const domain,

> >> +               const struct path *const path, const u32 access_request,

> >> +               u64 *const layer_mask)

> >> +{

> > [...]

> >> +       /*

> >> +        * An access is granted if, for each policy layer, at least one rule

> >> +        * encountered on the pathwalk grants the access, regardless of their

> >> +        * position in the layer stack.  We must then check not-yet-seen layers

> >> +        * for each inode, from the last one added to the first one.

> >> +        */

> >> +       for (i = 0; i < rule->num_layers; i++) {

> >> +               const struct landlock_layer *const layer = &rule->layers[i];

> >> +               const u64 layer_level = BIT_ULL(layer->level - 1);

> >> +

> >> +               if (!(layer_level & *layer_mask))

> >> +                       continue;

> >> +               if ((layer->access & access_request) != access_request)

> >> +                       return false;

> >> +               *layer_mask &= ~layer_level;

> >

> > Hmm... shouldn't the last 5 lines be replaced by the following?

> >

> > if ((layer->access & access_request) == access_request)

> >     *layer_mask &= ~layer_level;

> >

> > And then, since this function would always return true, you could

> > change its return type to "void".

> >

> >

> > As far as I can tell, the current version will still, if a ruleset

> > looks like this:

> >

> > /usr read+write

> > /usr/lib/ read

> >

> > reject write access to /usr/lib, right?

>

> If these two rules are from different layers, then yes it would work as

> intended. However, if these rules are from the same layer the path walk

> will not stop at /usr/lib but go down to /usr, which grants write

> access.


I don't see why the code would do what you're saying it does. And an
experiment seems to confirm what I said; I checked out landlock-v26,
and the behavior I get is:

user@vm:~/landlock$ dd if=/dev/null of=/tmp/aaa
0+0 records in
0+0 records out
0 bytes copied, 0.00106365 s, 0.0 kB/s
user@vm:~/landlock$ LL_FS_RO='/lib' LL_FS_RW='/' ./sandboxer dd
if=/dev/null of=/tmp/aaa
0+0 records in
0+0 records out
0 bytes copied, 0.000491814 s, 0.0 kB/s
user@vm:~/landlock$ LL_FS_RO='/tmp' LL_FS_RW='/' ./sandboxer dd
if=/dev/null of=/tmp/aaa
dd: failed to open '/tmp/aaa': Permission denied
user@vm:~/landlock$

Granting read access to /tmp prevents writing to it, even though write
access was granted to /.

On 14/01/2021 23:43, Jann Horn wrote:
> On Thu, Jan 14, 2021 at 7:54 PM Mickaël Salaün <mic@digikod.net> wrote:

>> On 14/01/2021 04:22, Jann Horn wrote:

>>> On Wed, Dec 9, 2020 at 8:28 PM Mickaël Salaün <mic@digikod.net> wrote:

>>>> Thanks to the Landlock objects and ruleset, it is possible to identify

>>>> inodes according to a process's domain.  To enable an unprivileged

>>>> process to express a file hierarchy, it first needs to open a directory

>>>> (or a file) and pass this file descriptor to the kernel through

>>>> landlock_add_rule(2).  When checking if a file access request is

>>>> allowed, we walk from the requested dentry to the real root, following

>>>> the different mount layers.  The access to each "tagged" inodes are

>>>> collected according to their rule layer level, and ANDed to create

>>>> access to the requested file hierarchy.  This makes possible to identify

>>>> a lot of files without tagging every inodes nor modifying the

>>>> filesystem, while still following the view and understanding the user

>>>> has from the filesystem.

>>>>

>>>> Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not

>>>> keep the same struct inodes for the same inodes whereas these inodes are

>>>> in use.

>>>>

>>>> This commit adds a minimal set of supported filesystem access-control

>>>> which doesn't enable to restrict all file-related actions.  This is the

>>>> result of multiple discussions to minimize the code of Landlock to ease

>>>> review.  Thanks to the Landlock design, extending this access-control

>>>> without breaking user space will not be a problem.  Moreover, seccomp

>>>> filters can be used to restrict the use of syscall families which may

>>>> not be currently handled by Landlock.

>>> [...]

>>>> +static bool check_access_path_continue(

>>>> +               const struct landlock_ruleset *const domain,

>>>> +               const struct path *const path, const u32 access_request,

>>>> +               u64 *const layer_mask)

>>>> +{

>>> [...]

>>>> +       /*

>>>> +        * An access is granted if, for each policy layer, at least one rule

>>>> +        * encountered on the pathwalk grants the access, regardless of their

>>>> +        * position in the layer stack.  We must then check not-yet-seen layers

>>>> +        * for each inode, from the last one added to the first one.

>>>> +        */

>>>> +       for (i = 0; i < rule->num_layers; i++) {

>>>> +               const struct landlock_layer *const layer = &rule->layers[i];

>>>> +               const u64 layer_level = BIT_ULL(layer->level - 1);

>>>> +

>>>> +               if (!(layer_level & *layer_mask))

>>>> +                       continue;

>>>> +               if ((layer->access & access_request) != access_request)

>>>> +                       return false;

>>>> +               *layer_mask &= ~layer_level;

>>>

>>> Hmm... shouldn't the last 5 lines be replaced by the following?

>>>

>>> if ((layer->access & access_request) == access_request)

>>>     *layer_mask &= ~layer_level;

>>>

>>> And then, since this function would always return true, you could

>>> change its return type to "void".

>>>

>>>

>>> As far as I can tell, the current version will still, if a ruleset

>>> looks like this:

>>>

>>> /usr read+write

>>> /usr/lib/ read

>>>

>>> reject write access to /usr/lib, right?

>>

>> If these two rules are from different layers, then yes it would work as

>> intended. However, if these rules are from the same layer the path walk

>> will not stop at /usr/lib but go down to /usr, which grants write

>> access.

> 

> I don't see why the code would do what you're saying it does. And an

> experiment seems to confirm what I said; I checked out landlock-v26,

> and the behavior I get is:


There is a misunderstanding, I was responding to your proposition to
modify check_access_path_continue(), not about the behavior of landlock-v26.

> 

> user@vm:~/landlock$ dd if=/dev/null of=/tmp/aaa

> 0+0 records in

> 0+0 records out

> 0 bytes copied, 0.00106365 s, 0.0 kB/s

> user@vm:~/landlock$ LL_FS_RO='/lib' LL_FS_RW='/' ./sandboxer dd

> if=/dev/null of=/tmp/aaa

> 0+0 records in

> 0+0 records out

> 0 bytes copied, 0.000491814 s, 0.0 kB/s

> user@vm:~/landlock$ LL_FS_RO='/tmp' LL_FS_RW='/' ./sandboxer dd

> if=/dev/null of=/tmp/aaa

> dd: failed to open '/tmp/aaa': Permission denied

> user@vm:~/landlock$

> 

> Granting read access to /tmp prevents writing to it, even though write

> access was granted to /.

> 


It indeed works like this with landlock-v26. However, with your above
proposition, it would work like this:

$ LL_FS_RO='/tmp' LL_FS_RW='/' ./sandboxer dd if=/dev/null of=/tmp/aaa
0+0 records in
0+0 records out
0 bytes copied, 0.000187265 s, 0.0 kB/s

…which is not what users would expect I guess. :)

On Fri, Jan 15, 2021 at 10:10 AM Mickaël Salaün <mic@digikod.net> wrote:
> On 14/01/2021 23:43, Jann Horn wrote:

> > On Thu, Jan 14, 2021 at 7:54 PM Mickaël Salaün <mic@digikod.net> wrote:

> >> On 14/01/2021 04:22, Jann Horn wrote:

> >>> On Wed, Dec 9, 2020 at 8:28 PM Mickaël Salaün <mic@digikod.net> wrote:

> >>>> Thanks to the Landlock objects and ruleset, it is possible to identify

> >>>> inodes according to a process's domain.  To enable an unprivileged

> >>>> process to express a file hierarchy, it first needs to open a directory

> >>>> (or a file) and pass this file descriptor to the kernel through

> >>>> landlock_add_rule(2).  When checking if a file access request is

> >>>> allowed, we walk from the requested dentry to the real root, following

> >>>> the different mount layers.  The access to each "tagged" inodes are

> >>>> collected according to their rule layer level, and ANDed to create

> >>>> access to the requested file hierarchy.  This makes possible to identify

> >>>> a lot of files without tagging every inodes nor modifying the

> >>>> filesystem, while still following the view and understanding the user

> >>>> has from the filesystem.

> >>>>

> >>>> Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not

> >>>> keep the same struct inodes for the same inodes whereas these inodes are

> >>>> in use.

> >>>>

> >>>> This commit adds a minimal set of supported filesystem access-control

> >>>> which doesn't enable to restrict all file-related actions.  This is the

> >>>> result of multiple discussions to minimize the code of Landlock to ease

> >>>> review.  Thanks to the Landlock design, extending this access-control

> >>>> without breaking user space will not be a problem.  Moreover, seccomp

> >>>> filters can be used to restrict the use of syscall families which may

> >>>> not be currently handled by Landlock.

> >>> [...]

> >>>> +static bool check_access_path_continue(

> >>>> +               const struct landlock_ruleset *const domain,

> >>>> +               const struct path *const path, const u32 access_request,

> >>>> +               u64 *const layer_mask)

> >>>> +{

> >>> [...]

> >>>> +       /*

> >>>> +        * An access is granted if, for each policy layer, at least one rule

> >>>> +        * encountered on the pathwalk grants the access, regardless of their

> >>>> +        * position in the layer stack.  We must then check not-yet-seen layers

> >>>> +        * for each inode, from the last one added to the first one.

> >>>> +        */

> >>>> +       for (i = 0; i < rule->num_layers; i++) {

> >>>> +               const struct landlock_layer *const layer = &rule->layers[i];

> >>>> +               const u64 layer_level = BIT_ULL(layer->level - 1);

> >>>> +

> >>>> +               if (!(layer_level & *layer_mask))

> >>>> +                       continue;

> >>>> +               if ((layer->access & access_request) != access_request)

> >>>> +                       return false;

> >>>> +               *layer_mask &= ~layer_level;

> >>>

> >>> Hmm... shouldn't the last 5 lines be replaced by the following?

> >>>

> >>> if ((layer->access & access_request) == access_request)

> >>>     *layer_mask &= ~layer_level;

> >>>

> >>> And then, since this function would always return true, you could

> >>> change its return type to "void".

> >>>

> >>>

> >>> As far as I can tell, the current version will still, if a ruleset

> >>> looks like this:

> >>>

> >>> /usr read+write

> >>> /usr/lib/ read

> >>>

> >>> reject write access to /usr/lib, right?

> >>

> >> If these two rules are from different layers, then yes it would work as

> >> intended. However, if these rules are from the same layer the path walk

> >> will not stop at /usr/lib but go down to /usr, which grants write

> >> access.

> >

> > I don't see why the code would do what you're saying it does. And an

> > experiment seems to confirm what I said; I checked out landlock-v26,

> > and the behavior I get is:

>

> There is a misunderstanding, I was responding to your proposition to

> modify check_access_path_continue(), not about the behavior of landlock-v26.

>

> >

> > user@vm:~/landlock$ dd if=/dev/null of=/tmp/aaa

> > 0+0 records in

> > 0+0 records out

> > 0 bytes copied, 0.00106365 s, 0.0 kB/s

> > user@vm:~/landlock$ LL_FS_RO='/lib' LL_FS_RW='/' ./sandboxer dd

> > if=/dev/null of=/tmp/aaa

> > 0+0 records in

> > 0+0 records out

> > 0 bytes copied, 0.000491814 s, 0.0 kB/s

> > user@vm:~/landlock$ LL_FS_RO='/tmp' LL_FS_RW='/' ./sandboxer dd

> > if=/dev/null of=/tmp/aaa

> > dd: failed to open '/tmp/aaa': Permission denied

> > user@vm:~/landlock$

> >

> > Granting read access to /tmp prevents writing to it, even though write

> > access was granted to /.

> >

>

> It indeed works like this with landlock-v26. However, with your above

> proposition, it would work like this:

>

> $ LL_FS_RO='/tmp' LL_FS_RW='/' ./sandboxer dd if=/dev/null of=/tmp/aaa

> 0+0 records in

> 0+0 records out

> 0 bytes copied, 0.000187265 s, 0.0 kB/s

>

> …which is not what users would expect I guess. :)


Ah, so we are disagreeing about what the right semantics are. ^^ To
me, that is exactly the behavior I would expect.

Imagine that someone wants to write a program that needs to be able to
load libraries from /usr/lib (including subdirectories) and needs to
be able to write output to some user-specified output directory. So
they use something like this to sandbox their program (plus error
handling):

static void add_fs_rule(int ruleset_fd, char *path, u64 allowed_access) {
  int fd = open(path, O_PATH);
  struct landlock_path_beneath_attr path_beneath = {
    .parent_fd = fd,
    .allowed_access = allowed_access
  };
  landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
          &path_beneath, 0);
  close(fd);
}
int main(int argc, char **argv) {
  char *output_dir = argv[1];
  int ruleset_fd = landlock_create_ruleset(&ruleset_attr,
sizeof(ruleset_attr, 0);
  add_fs_rule(ruleset_fd, "/usr/lib", ACCESS_FS_ROUGHLY_READ);
  add_fs_rule(ruleset_fd, output_dir,
LANDLOCK_ACCESS_FS_WRITE_FILE|LANDLOCK_ACCESS_FS_MAKE_REG|LANDLOCK_ACCESS_FS_REMOVE_FILE);
  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
  landlock_enforce_ruleset_current(ruleset_fd, 0);
}

This will *almost* always work; but if the output directory is
/usr/lib/x86_64-linux-gnu/ , loading libraries from that directory
won't work anymore, right? So if userspace wanted this to *always*
works correctly, it would have to somehow figure out whether there is
a path upwards from the output directory (under any mount) that will
encounter /usr/lib, and set different permissions if that is the case.
That seems unnecessarily messy to me; and I think that this will make
it harder for generic commandline tools and such to adopt landlock.


If you do want to have the ability to deny access to subtrees of trees
to which access is permitted, I think that that should be made
explicit in the UAPI - e.g. you could (at a later point, after this
series has landed) introduce a new EXCLUDE flag for
landlock_add_rule() that means "I want to deny the access specified by
this rule", or something like that. (And you'd have to very carefully
document under which circumstances such rules are actually effective -
e.g. if someone grants full access to $HOME, but excludes $HOME/.ssh,
an attacker would still be able to rename $HOME/.ssh to $HOME/old_ssh,
and then if the program is later restarted and creates the ruleset
from scratch again, the old SSH folder will be accessible.)

On 15/01/2021 19:31, Jann Horn wrote:
> On Fri, Jan 15, 2021 at 10:10 AM Mickaël Salaün <mic@digikod.net> wrote:

>> On 14/01/2021 23:43, Jann Horn wrote:

>>> On Thu, Jan 14, 2021 at 7:54 PM Mickaël Salaün <mic@digikod.net> wrote:

>>>> On 14/01/2021 04:22, Jann Horn wrote:

>>>>> On Wed, Dec 9, 2020 at 8:28 PM Mickaël Salaün <mic@digikod.net> wrote:

>>>>>> Thanks to the Landlock objects and ruleset, it is possible to identify

>>>>>> inodes according to a process's domain.  To enable an unprivileged

>>>>>> process to express a file hierarchy, it first needs to open a directory

>>>>>> (or a file) and pass this file descriptor to the kernel through

>>>>>> landlock_add_rule(2).  When checking if a file access request is

>>>>>> allowed, we walk from the requested dentry to the real root, following

>>>>>> the different mount layers.  The access to each "tagged" inodes are

>>>>>> collected according to their rule layer level, and ANDed to create

>>>>>> access to the requested file hierarchy.  This makes possible to identify

>>>>>> a lot of files without tagging every inodes nor modifying the

>>>>>> filesystem, while still following the view and understanding the user

>>>>>> has from the filesystem.

>>>>>>

>>>>>> Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not

>>>>>> keep the same struct inodes for the same inodes whereas these inodes are

>>>>>> in use.

>>>>>>

>>>>>> This commit adds a minimal set of supported filesystem access-control

>>>>>> which doesn't enable to restrict all file-related actions.  This is the

>>>>>> result of multiple discussions to minimize the code of Landlock to ease

>>>>>> review.  Thanks to the Landlock design, extending this access-control

>>>>>> without breaking user space will not be a problem.  Moreover, seccomp

>>>>>> filters can be used to restrict the use of syscall families which may

>>>>>> not be currently handled by Landlock.

>>>>> [...]

>>>>>> +static bool check_access_path_continue(

>>>>>> +               const struct landlock_ruleset *const domain,

>>>>>> +               const struct path *const path, const u32 access_request,

>>>>>> +               u64 *const layer_mask)

>>>>>> +{

>>>>> [...]

>>>>>> +       /*

>>>>>> +        * An access is granted if, for each policy layer, at least one rule

>>>>>> +        * encountered on the pathwalk grants the access, regardless of their

>>>>>> +        * position in the layer stack.  We must then check not-yet-seen layers

>>>>>> +        * for each inode, from the last one added to the first one.

>>>>>> +        */

>>>>>> +       for (i = 0; i < rule->num_layers; i++) {

>>>>>> +               const struct landlock_layer *const layer = &rule->layers[i];

>>>>>> +               const u64 layer_level = BIT_ULL(layer->level - 1);

>>>>>> +

>>>>>> +               if (!(layer_level & *layer_mask))

>>>>>> +                       continue;

>>>>>> +               if ((layer->access & access_request) != access_request)

>>>>>> +                       return false;

>>>>>> +               *layer_mask &= ~layer_level;

>>>>>

>>>>> Hmm... shouldn't the last 5 lines be replaced by the following?

>>>>>

>>>>> if ((layer->access & access_request) == access_request)

>>>>>     *layer_mask &= ~layer_level;

>>>>>

>>>>> And then, since this function would always return true, you could

>>>>> change its return type to "void".

>>>>>

>>>>>

>>>>> As far as I can tell, the current version will still, if a ruleset

>>>>> looks like this:

>>>>>

>>>>> /usr read+write

>>>>> /usr/lib/ read

>>>>>

>>>>> reject write access to /usr/lib, right?

>>>>

>>>> If these two rules are from different layers, then yes it would work as

>>>> intended. However, if these rules are from the same layer the path walk

>>>> will not stop at /usr/lib but go down to /usr, which grants write

>>>> access.

>>>

>>> I don't see why the code would do what you're saying it does. And an

>>> experiment seems to confirm what I said; I checked out landlock-v26,

>>> and the behavior I get is:

>>

>> There is a misunderstanding, I was responding to your proposition to

>> modify check_access_path_continue(), not about the behavior of landlock-v26.

>>

>>>

>>> user@vm:~/landlock$ dd if=/dev/null of=/tmp/aaa

>>> 0+0 records in

>>> 0+0 records out

>>> 0 bytes copied, 0.00106365 s, 0.0 kB/s

>>> user@vm:~/landlock$ LL_FS_RO='/lib' LL_FS_RW='/' ./sandboxer dd

>>> if=/dev/null of=/tmp/aaa

>>> 0+0 records in

>>> 0+0 records out

>>> 0 bytes copied, 0.000491814 s, 0.0 kB/s

>>> user@vm:~/landlock$ LL_FS_RO='/tmp' LL_FS_RW='/' ./sandboxer dd

>>> if=/dev/null of=/tmp/aaa

>>> dd: failed to open '/tmp/aaa': Permission denied

>>> user@vm:~/landlock$

>>>

>>> Granting read access to /tmp prevents writing to it, even though write

>>> access was granted to /.

>>>

>>

>> It indeed works like this with landlock-v26. However, with your above

>> proposition, it would work like this:

>>

>> $ LL_FS_RO='/tmp' LL_FS_RW='/' ./sandboxer dd if=/dev/null of=/tmp/aaa

>> 0+0 records in

>> 0+0 records out

>> 0 bytes copied, 0.000187265 s, 0.0 kB/s

>>

>> …which is not what users would expect I guess. :)

> 

> Ah, so we are disagreeing about what the right semantics are. ^^ To

> me, that is exactly the behavior I would expect.

> 

> Imagine that someone wants to write a program that needs to be able to

> load libraries from /usr/lib (including subdirectories) and needs to

> be able to write output to some user-specified output directory. So

> they use something like this to sandbox their program (plus error

> handling):

> 

> static void add_fs_rule(int ruleset_fd, char *path, u64 allowed_access) {

>   int fd = open(path, O_PATH);

>   struct landlock_path_beneath_attr path_beneath = {

>     .parent_fd = fd,

>     .allowed_access = allowed_access

>   };

>   landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,

>           &path_beneath, 0);

>   close(fd);

> }

> int main(int argc, char **argv) {

>   char *output_dir = argv[1];

>   int ruleset_fd = landlock_create_ruleset(&ruleset_attr,

> sizeof(ruleset_attr, 0);

>   add_fs_rule(ruleset_fd, "/usr/lib", ACCESS_FS_ROUGHLY_READ);

>   add_fs_rule(ruleset_fd, output_dir,

> LANDLOCK_ACCESS_FS_WRITE_FILE|LANDLOCK_ACCESS_FS_MAKE_REG|LANDLOCK_ACCESS_FS_REMOVE_FILE);

>   prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

>   landlock_enforce_ruleset_current(ruleset_fd, 0);

> }

> 

> This will *almost* always work; but if the output directory is

> /usr/lib/x86_64-linux-gnu/ , loading libraries from that directory

> won't work anymore, right? So if userspace wanted this to *always*

> works correctly, it would have to somehow figure out whether there is

> a path upwards from the output directory (under any mount) that will

> encounter /usr/lib, and set different permissions if that is the case.

> That seems unnecessarily messy to me; and I think that this will make

> it harder for generic commandline tools and such to adopt landlock.

> 

> 

> If you do want to have the ability to deny access to subtrees of trees

> to which access is permitted, I think that that should be made

> explicit in the UAPI - e.g. you could (at a later point, after this

> series has landed) introduce a new EXCLUDE flag for

> landlock_add_rule() that means "I want to deny the access specified by

> this rule", or something like that. (And you'd have to very carefully

> document under which circumstances such rules are actually effective -

> e.g. if someone grants full access to $HOME, but excludes $HOME/.ssh,

> an attacker would still be able to rename $HOME/.ssh to $HOME/old_ssh,

> and then if the program is later restarted and creates the ruleset

> from scratch again, the old SSH folder will be accessible.)

> 


OK, it's indeed a more pragmatic approach. I'll take your change and
merge check_access_path_continue() with check_access_path(). Thanks!