<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in Kconfig</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2015</copyright>
<generator>Java</generator>
<item>
        <title>b4007fd2 - landlock: Add support for KUnit tests</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Kconfig#b4007fd2</link>
<description>landlock: Add support for KUnit tests

Add the SECURITY_LANDLOCK_KUNIT_TEST option to enable KUnit tests for
Landlock.  The minimal required configuration is listed in the
security/landlock/.kunitconfig file.

Add an initial landlock_fs KUnit test suite with 7 test cases for
filesystem helpers.  These are related to the LANDLOCK_ACCESS_FS_REFER
right.

There is one KUnit test case per:
* mutated state (e.g. test_scope_to_request_*) or,
* shared state between tests (e.g. test_is_eaccess_*).

Add macros to improve readability of tests (i.e. one per line).  Test
cases are collocated with the tested functions to help maintenance and
improve documentation.  This is why SECURITY_LANDLOCK_KUNIT_TEST cannot
be set as module.

This is a nice complement to Landlock&apos;s user space kselftests.  We
expect new Landlock features to come with KUnit tests as well.

Thanks to UML support, we can run all KUnit tests for Landlock with:

./tools/testing/kunit/kunit.py run --kunitconfig security/landlock

[00:00:00] ======================= landlock_fs  =======================
[00:00:00] [PASSED] test_no_more_access
[00:00:00] [PASSED] test_scope_to_request_with_exec_none
[00:00:00] [PASSED] test_scope_to_request_with_exec_some
[00:00:00] [PASSED] test_scope_to_request_without_access
[00:00:00] [PASSED] test_is_eacces_with_none
[00:00:00] [PASSED] test_is_eacces_with_refer
[00:00:00] [PASSED] test_is_eacces_with_write
[00:00:00] =================== [PASSED] landlock_fs ===================
[00:00:00] ============================================================
[00:00:00] Testing complete. Ran 7 tests: passed: 7

Cc: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Reviewed-by: G&#252;nther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20240118113632.1948478-1-mic@digikod.net
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;

            List of files:
            /linux-6.15/security/landlock/Kconfig</description>
        <pubDate>Thu, 18 Jan 2024 11:36:32 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;</dc:creator>
    </item>
<item>
        <title>fff69fb0 - landlock: Support network rules with TCP bind and connect</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Kconfig#fff69fb0</link>
<description>landlock: Support network rules with TCP bind and connect

Add network rules support in the ruleset management helpers and the
landlock_create_ruleset() syscall. Extend user space API to support
network actions:

* Add new network access rights: LANDLOCK_ACCESS_NET_BIND_TCP and
  LANDLOCK_ACCESS_NET_CONNECT_TCP.

* Add a new network rule type: LANDLOCK_RULE_NET_PORT tied to struct
  landlock_net_port_attr. The allowed_access field contains the network
  access rights, and the port field contains the port value according to
  the controlled protocol. This field can take up to a 64-bit value
  but the maximum value depends on the related protocol (e.g. 16-bit
  value for TCP). Network port is in host endianness [1].

* Add a new handled_access_net field to struct landlock_ruleset_attr
  that contains network access rights.

* Increment the Landlock ABI version to 4.

Implement socket_bind() and socket_connect() LSM hooks, which enable
to control TCP socket binding and connection to specific ports.

Expand access_masks_t from u16 to u32 to be able to store network access
rights alongside filesystem access rights for rulesets&apos; handled access
rights.

Access rights are not tied to socket file descriptors but checked at
bind() or connect() call time against the caller&apos;s Landlock domain. For
the filesystem, a file descriptor is a direct access to a file/data.
However, for network sockets, we cannot identify for which data or peer
a newly created socket will give access to. Indeed, we need to wait for
a connect or bind request to identify the use case for this socket.
Likewise a directory file descriptor may enable to open another file
(i.e. a new data item), but this opening is also restricted by the
caller&apos;s domain, not the file descriptor&apos;s access rights [2].

[1] https://lore.kernel.org/r/278ab07f-7583-a4e0-3d37-1bacd091531d@digikod.net
[2] https://lore.kernel.org/r/263c1eb3-602f-57fe-8450-3f138581bee7@digikod.net

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-9-konstantin.meskhidze@huawei.com
[mic: Extend commit message, fix typo in comments, and specify
endianness in the documentation]
Co-developed-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;

            List of files:
            /linux-6.15/security/landlock/Kconfig</description>
        <pubDate>Thu, 26 Oct 2023 01:47:47 +0000</pubDate>
        <dc:creator>Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;</dc:creator>
    </item>
<item>
        <title>74ce793b - hostfs: Fix ephemeral inodes</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Kconfig#74ce793b</link>
<description>hostfs: Fix ephemeral inodes

hostfs creates a new inode for each opened or created file, which
created useless inode allocations and forbade identifying a host file
with a kernel inode.

Fix this uncommon filesystem behavior by tying kernel inodes to host
file&apos;s inode and device IDs.  Even if the host filesystem inodes may be
recycled, this cannot happen while a file referencing it is opened,
which is the case with hostfs.  It should be noted that hostfs inode IDs
may not be unique for the same hostfs superblock because multiple host&apos;s
(backed) superblocks may be used.

Delete inodes when dropping them to force backed host&apos;s file descriptors
closing.

This enables to entirely remove ARCH_EPHEMERAL_INODES, and then makes
Landlock fully supported by UML.  This is very useful for testing
changes.

These changes also factor out and simplify some helpers thanks to the
new hostfs_inode_update() and the hostfs_iget() revamp: read_name(),
hostfs_create(), hostfs_lookup(), hostfs_mknod(), and
hostfs_fill_sb_common().

A following commit with new Landlock tests checks this new hostfs inode
consistency.

Cc: Anton Ivanov &lt;anton.ivanov@cambridgegreys.com&gt;
Cc: Johannes Berg &lt;johannes@sipsolutions.net&gt;
Acked-by: Richard Weinberger &lt;richard@nod.at&gt;
Link: https://lore.kernel.org/r/20230612191430.339153-2-mic@digikod.net
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;

            List of files:
            /linux-6.15/security/landlock/Kconfig</description>
        <pubDate>Mon, 12 Jun 2023 19:14:25 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@digikod.net&gt;</dc:creator>
    </item>
<item>
        <title>cb2c7d1a - landlock: Support filesystem access-control</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Kconfig#cb2c7d1a</link>
<description>landlock: Support filesystem access-control

Using Landlock objects and ruleset, it is possible to tag inodes
according to a process&apos;s domain.  To enable an unprivileged process to
express a file hierarchy, it first needs to open a directory (or a file)
and pass this file descriptor to the kernel through
landlock_add_rule(2).  When checking if a file access request is
allowed, we walk from the requested dentry to the real root, following
the different mount layers.  The access to each &quot;tagged&quot; inodes are
collected according to their rule layer level, and ANDed to create
access to the requested file hierarchy.  This makes possible to identify
a lot of files without tagging every inodes nor modifying the
filesystem, while still following the view and understanding the user
has from the filesystem.

Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not
keep the same struct inodes for the same inodes whereas these inodes are
in use.

This commit adds a minimal set of supported filesystem access-control
which doesn&apos;t enable to restrict all file-related actions.  This is the
result of multiple discussions to minimize the code of Landlock to ease
review.  Thanks to the Landlock design, extending this access-control
without breaking user space will not be a problem.  Moreover, seccomp
filters can be used to restrict the use of syscall families which may
not be currently handled by Landlock.

Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Cc: Anton Ivanov &lt;anton.ivanov@cambridgegreys.com&gt;
Cc: James Morris &lt;jmorris@namei.org&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Jeff Dike &lt;jdike@addtoit.com&gt;
Cc: Kees Cook &lt;keescook@chromium.org&gt;
Cc: Richard Weinberger &lt;richard@nod.at&gt;
Cc: Serge E. Hallyn &lt;serge@hallyn.com&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;
Link: https://lore.kernel.org/r/20210422154123.13086-8-mic@digikod.net
Signed-off-by: James Morris &lt;jamorris@linux.microsoft.com&gt;

            List of files:
            /linux-6.15/security/landlock/Kconfig</description>
        <pubDate>Thu, 22 Apr 2021 15:41:17 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;</dc:creator>
    </item>
<item>
        <title>90945448 - landlock: Add object management</title>
        <link>http://172.16.0.5:8080/history/linux-6.15/security/landlock/Kconfig#90945448</link>
<description>landlock: Add object management

A Landlock object enables to identify a kernel object (e.g. an inode).
A Landlock rule is a set of access rights allowed on an object.  Rules
are grouped in rulesets that may be tied to a set of processes (i.e.
subjects) to enforce a scoped access-control (i.e. a domain).

Because Landlock&apos;s goal is to empower any process (especially
unprivileged ones) to sandbox themselves, we cannot rely on a
system-wide object identification such as file extended attributes.
Indeed, we need innocuous, composable and modular access-controls.

The main challenge with these constraints is to identify kernel objects
while this identification is useful (i.e. when a security policy makes
use of this object).  But this identification data should be freed once
no policy is using it.  This ephemeral tagging should not and may not be
written in the filesystem.  We then need to manage the lifetime of a
rule according to the lifetime of its objects.  To avoid a global lock,
this implementation make use of RCU and counters to safely reference
objects.

A following commit uses this generic object management for inodes.

Cc: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;
Reviewed-by: Jann Horn &lt;jannh@google.com&gt;
Acked-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Link: https://lore.kernel.org/r/20210422154123.13086-2-mic@digikod.net
Signed-off-by: James Morris &lt;jamorris@linux.microsoft.com&gt;

            List of files:
            /linux-6.15/security/landlock/Kconfig</description>
        <pubDate>Thu, 22 Apr 2021 15:41:11 +0000</pubDate>
        <dc:creator>Micka&#235;l Sala&#252;n &lt;mic@linux.microsoft.com&gt;</dc:creator>
    </item>
</channel>
</rss>
