From: Paul Moore <paul@paul-moore.com>
To: "Günther Noack" <gnoack@google.com>
Cc: linux-security-module@vger.kernel.org,
"Mickaël Salaün" <mic@digikod.net>, "Jeff Xu" <jeffxu@google.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Jorge Lucangeli Obes" <jorgelo@chromium.org>,
"Allen Webb" <allenwebb@google.com>,
"Dmitry Torokhov" <dtor@google.com>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Matt Bobrowski" <repnop@google.com>,
linux-fsdevel@vger.kernel.org,
"Christian Brauner" <brauner@kernel.org>,
"Dave Chinner" <david@fromorbit.com>
Subject: Re: [PATCH v10 1/9] security: Create security_file_vfs_ioctl hook
Date: Thu, 14 Mar 2024 13:56:25 -0400 [thread overview]
Message-ID: <CAHC9VhRojXNSU9zi2BrP8z6JmOmT3DAqGNtinvvz=tL1XhVdyg@mail.gmail.com> (raw)
In-Reply-To: <20240309075320.160128-2-gnoack@google.com>
On Sat, Mar 9, 2024 at 2:53 AM Günther Noack <gnoack@google.com> wrote:
>
> This LSM hook gets called just before the fs/ioctl.c logic delegates
> the requested IOCTL command to the file-specific implementation as
> implemented by f_op->unlocked_ioctl (or f_op->ioctl_compat).
>
> It is impractical for LSMs to make security guarantees about these
> f_op operations without having intimate knowledge of how they are
> implemented.
>
> Therefore, depending on the enabled Landlock policy, Landlock aims to
> block the calls to filp->f_op->unlocked_ioctl(), but permit the calls
> to the IOCTL commands which are already implemented in fs/ioctl.c.
>
> The current call graph is:
>
> * ioctl syscall
> * security_file_ioctl() LSM hook
> * do_vfs_ioctl() - standard operations
> * file_ioctl() - standard file operations
> * vfs_ioctl() - delegate to file (if do_vfs_ioctl() is a no-op)
> * filp->f_op->unlocked_ioctl()
>
> Why not use the existing security_file_ioctl() hook?
>
> With the existing security_file_ioctl() hook, it is technically
> feasible to prevent the call to filp->f_op->unlocked_ioctl(), but it
> would be difficult to maintain: security_file_ioctl() gets called
> further up the call stack, so an implementation of it would need to
> predict whether the logic further below will decide to call
> f_op->unlocked_ioctl(). That can only be done by mirroring the logic
> in do_vfs_ioctl() to some extent, and keeping this in sync.
Once again, I don't see this as an impossible task, and I would think
that you would want to inspect each new ioctl command/op added in
do_vfs_ioctl() anyway to ensure it doesn't introduce an unwanted
behavior from a Landlock sandbox perspective. Looking at the git
log/blame, it also doesn't appear that new do_vfs_ioctl() ioctls are
added very frequently, meaning that keeping Landlock sync'd with
fs/ioctl.c shouldn't be a terrible task.
I'm also not excited about the overlap between the existing
security_file_ioctl() hook and the proposed security_file_vfs_ioctl()
hook. There are some cases where we have no choice and we have to
tolerate the overlap, but this doesn't look like one of those cases to
me.
I'm sorry, but I don't agree with this new hook.
--
paul-moore.com
next prev parent reply other threads:[~2024-03-14 17:56 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-09 7:53 [PATCH v10 0/9] Landlock: IOCTL support Günther Noack
2024-03-09 7:53 ` [PATCH v10 1/9] security: Create security_file_vfs_ioctl hook Günther Noack
2024-03-14 17:56 ` Paul Moore [this message]
2024-03-15 14:58 ` [RFC PATCH] fs: Add an use vfs_get_ioctl_handler() Mickaël Salaün
2024-03-15 18:30 ` [PATCH v10 1/9] security: Create security_file_vfs_ioctl hook Mickaël Salaün
2024-03-09 7:53 ` [PATCH v10 2/9] landlock: Add IOCTL access right for character and block devices Günther Noack
2024-03-11 14:46 ` Mickaël Salaün
2024-03-11 16:55 ` Alejandro Colomar
2024-03-09 7:53 ` [PATCH v10 3/9] selftests/landlock: Test IOCTL support Günther Noack
2024-03-09 7:53 ` [PATCH v10 4/9] selftests/landlock: Test IOCTL with memfds Günther Noack
2024-03-09 7:53 ` [PATCH v10 5/9] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) Günther Noack
2024-03-09 7:53 ` [PATCH v10 6/9] selftests/landlock: Test IOCTLs on named pipes Günther Noack
2024-03-22 7:48 ` Mickaël Salaün
2024-03-22 8:45 ` Mickaël Salaün
2024-03-22 14:39 ` Günther Noack
2024-03-22 15:04 ` Mickaël Salaün
2024-03-09 7:53 ` [PATCH v10 7/9] selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets Günther Noack
2024-03-22 7:57 ` Mickaël Salaün
2024-03-22 14:43 ` Günther Noack
2024-03-09 7:53 ` [PATCH v10 8/9] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL_DEV Günther Noack
2024-03-09 7:53 ` [PATCH v10 9/9] landlock: Document IOCTL support Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhRojXNSU9zi2BrP8z6JmOmT3DAqGNtinvvz=tL1XhVdyg@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=allenwebb@google.com \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=david@fromorbit.com \
--cc=dtor@google.com \
--cc=gnoack@google.com \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=repnop@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).