Proxmox-Port/linux-loongson
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson synced 2025-08-28 09:22:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

landlock: Align partial refer access checks with final ones

Browse Source 
Fix a logical issue that could have been visible if the source or the
destination of a rename/link action was allowed for either the source or
the destination but not both.  However, this logical bug is unreachable
because either:
- the rename/link action is allowed by the access rights tied to the
  same mount point (without relying on access rights in a parent mount
  point) and the access request is allowed (i.e. allow_parent1 and
  allow_parent2 are true in current_check_refer_path),
- or a common rule in a parent mount point updates the access check for
  the source and the destination (cf. is_access_to_paths_allowed).

See the following layout1.refer_part_mount_tree_is_allowed test that
work with and without this fix.

This fix does not impact current code but it is required for the audit
support.

Cc: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20250108154338.1129069-12-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
This commit is contained in:
Mickaël Salaün 2025-01-08 16:43:19 +01:00
parent d6c7cf84a2
commit 058518c209
No known key found for this signature in database
GPG Key ID: E5E3D0E88C82F6D2
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
security/landlock/fs.c
View File

@ -565,6 +565,12 @@ static void test_no_more_access(struct kunit *const test)
#undef NMA_TRUE #undef NMA_TRUE
#undef NMA_FALSE #undef NMA_FALSE
static bool is_layer_masks_allowed(
layer_mask_t (*const layer_masks)[LANDLOCK_NUM_ACCESS_FS])
{
return !memchr_inv(layer_masks, 0, sizeof(*layer_masks));
}
/* /*
* Removes @layer_masks accesses that are not requested. * Removes @layer_masks accesses that are not requested.
* *
@ -582,7 +588,8 @@ scope_to_request(const access_mask_t access_request,
for_each_clear_bit(access_bit, &access_req, ARRAY_SIZE(*layer_masks)) for_each_clear_bit(access_bit, &access_req, ARRAY_SIZE(*layer_masks))
(*layer_masks)[access_bit] = 0; (*layer_masks)[access_bit] = 0;
return !memchr_inv(layer_masks, 0, sizeof(*layer_masks));
return is_layer_masks_allowed(layer_masks);
} }
#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
@ -771,9 +778,14 @@ static bool is_access_to_paths_allowed(
if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1)) if (WARN_ON_ONCE(domain->num_layers < 1 || !layer_masks_parent1))
return false; return false;
allowed_parent1 = is_layer_masks_allowed(layer_masks_parent1);
if (unlikely(layer_masks_parent2)) { if (unlikely(layer_masks_parent2)) {
if (WARN_ON_ONCE(!dentry_child1)) if (WARN_ON_ONCE(!dentry_child1))
return false; return false;
allowed_parent2 = is_layer_masks_allowed(layer_masks_parent2);
/* /*
* For a double request, first check for potential privilege * For a double request, first check for potential privilege
* escalation by looking at domain handled accesses (which are * escalation by looking at domain handled accesses (which are