|
Message-ID: <CAOQ4uxibpDTyjCJWLGG9jr-Gv9PwO==o50b9O8HGQeUfVMDFag@mail.gmail.com> Date: Wed, 27 May 2020 06:07:29 +0300 From: Amir Goldstein <amir73il@...il.com> To: Mickaël Salaün <mic@...ikod.net> Cc: linux-kernel <linux-kernel@...r.kernel.org>, Al Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...capital.net>, Anton Ivanov <anton.ivanov@...bridgegreys.com>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, James Morris <jmorris@...ei.org>, Jann Horn <jannh@...gle.com>, Jeff Dike <jdike@...toit.com>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Michael Kerrisk <mtk.manpages@...il.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, Richard Weinberger <richard@....at>, "Serge E . Hallyn" <serge@...lyn.com>, Shuah Khan <shuah@...nel.org>, Vincent Dagonneau <vincent.dagonneau@....gouv.fr>, kernel-hardening@...ts.openwall.com, Linux API <linux-api@...r.kernel.org>, linux-arch@...r.kernel.org, linux-doc@...r.kernel.org, linux-fsdevel <linux-fsdevel@...r.kernel.org>, linux-kselftest@...r.kernel.org, LSM List <linux-security-module@...r.kernel.org>, x86@...nel.org Subject: Re: [PATCH v18 07/12] landlock: Support filesystem access-control On Wed, May 27, 2020 at 3:36 AM Mickaël Salaün <mic@...ikod.net> wrote: > > Thanks to the Landlock objects and ruleset, it is possible to identify > inodes according to a process's domain. To enable an unprivileged > process to express a file hierarchy, it first needs to open a directory > (or a file) and pass this file descriptor to the kernel through > landlock(2). When checking if a file access request is allowed, we walk > from the requested dentry to the real root, following the different > mount layers. The access to each "tagged" inodes are collected > according to their rule layer level, and ANDed to create access to the > requested file hierarchy. This makes possible to identify a lot of > files without tagging every inodes nor modifying the filesystem, while > still following the view and understanding the user has from the > filesystem. > Hi Mickael, Nice work! I am interested in the problem of system wide file access rules based on directory hierarchy [1][2]. Not the same problem, but with obvious overlaps. I sketched this untested POC [2] a while ago - It introduces the concept of "border control" LSM hooks to avoid the need to check which sections in the hierarchy an inode belongs to on every syscall. With this, you could cache a topology with id's per section and cache the section id + topology generation in the inode's security state. When inode crosses border control hooks, it's section id is updated. When directory hierarchy topology changes, some or all of the cached section id's are invalidated and rules <-> sections relations may need to be changed. Do you think something like that could be useful for landlock? Note that the POC is using d_mountpoint() as the only type of "fence" mark. It is sufficient for controlling rename in and out of containers, so I just used an already available dentry flag for "fence". If the border control hook concept is useful, this could be extended to a more generic d_border_passing(), with some internal kernel API to manage it and with all the bike shedding that comes with it... Thanks, Amir. [1] https://lore.kernel.org/linux-fsdevel/CAOQ4uxhBVhyyJv0+xSFQiGQEj60AbD3SADfKK40uAiC4GF2p9Q@mail.gmail.com/ [2] https://lore.kernel.org/linux-fsdevel/CAOQ4uxgn=YNj8cJuccx2KqxEVGZy1z3DBVYXrD=Mc7Dc=Je+-w@mail.gmail.com/ [3] https://github.com/amir73il/linux/commits/rename_xmnt
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.