linux/tools/testing/selftests/landlock, branch master

Merge tag 'landlock-6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux

2022-12-13T17:14:50Z

Pull landlock updates from Mickaël Salaün: "This adds file truncation support to Landlock, contributed by Günther Noack. As described by Günther [1], the goal of these patches is to work towards a more complete coverage of file system operations that are restrictable with Landlock. The known set of currently unsupported file system operations in Landlock is described at [2]. Out of the operations listed there, truncate is the only one that modifies file contents, so these patches should make it possible to prevent the direct modification of file contents with Landlock. The new LANDLOCK_ACCESS_FS_TRUNCATE access right covers both the truncate(2) and ftruncate(2) families of syscalls, as well as open(2) with the O_TRUNC flag. This includes usages of creat() in the case where existing regular files are overwritten. Additionally, this introduces a new Landlock security blob associated with opened files, to track the available Landlock access rights at the time of opening the file. This is in line with Unix's general approach of checking the read and write permissions during open(), and associating this previously checked authorization with the opened file. An ongoing patch documents this use case [3]. In order to treat truncate(2) and ftruncate(2) calls differently in an LSM hook, we split apart the existing security_path_truncate hook into security_path_truncate (for truncation by path) and security_file_truncate (for truncation of previously opened files)" Link: https://lore.kernel.org/r/20221018182216.301684-1-gnoack3000@gmail.com [1] Link: https://www.kernel.org/doc/html/v6.1/userspace-api/landlock.html#filesystem-flags [2] Link: https://lore.kernel.org/r/20221209193813.972012-1-mic@digikod.net [3] * tag 'landlock-6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER landlock: Document Landlock's file truncation support samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE selftests/landlock: Test ftruncate on FDs created by memfd_create(2) selftests/landlock: Test FD passing from restricted to unrestricted processes selftests/landlock: Locally define __maybe_unused selftests/landlock: Test open() and ftruncate() in multiple scenarios selftests/landlock: Test file truncation support landlock: Support file truncation landlock: Document init_layer_masks() helper landlock: Refactor check_access_path_dual() into is_access_to_paths_allowed() security: Create file_truncate hook from path_truncate hook

selftests/landlock: Build without static libraries

2022-10-19T20:10:56Z

The only (forced) static test binary doesn't depend on libcap. Because using -lcap on systems that don't have such static library would fail (e.g. on Arch Linux), let's be more specific and require only dynamic libcap linking. Fixes: a52540522c95 ("selftests/landlock: Fix out-of-tree builds") Cc: Anders Roxell Cc: Guillaume Tucker Cc: Mark Brown Cc: Shuah Khan Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20221019200536.2771316-1-mic@digikod.net

selftests/landlock: Test ftruncate on FDs created by memfd_create(2)

2022-10-19T07:01:47Z

All file descriptors that are truncatable need to have the Landlock access rights set correctly on the file's Landlock security blob. This is also the case for files that are opened by other means than open(2). Test coverage for security/landlock is 94.7% of 838 lines according to gcc/gcov-11. Signed-off-by: Günther Noack Link: https://lore.kernel.org/r/20221018182216.301684-10-gnoack3000@gmail.com [mic: Add test coverage in commit message] Signed-off-by: Mickaël Salaün

selftests/landlock: Test FD passing from restricted to unrestricted processes

2022-10-19T07:01:46Z

A file descriptor created in a restricted process carries Landlock restrictions with it which will apply even if the same opened file is used from an unrestricted process. This change extracts suitable FD-passing helpers from base_test.c and moves them to common.h. We use the fixture variants from the ftruncate fixture to exercise the same scenarios as in the open_and_ftruncate test, but doing the Landlock restriction and open() in a different process than the ftruncate() call. Signed-off-by: Günther Noack Link: https://lore.kernel.org/r/20221018182216.301684-9-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün

selftests/landlock: Locally define __maybe_unused

2022-10-19T07:01:46Z

The checkpatch tool started to flag __attribute__(__unused__), which we previously used. The header where this is normally defined is not currently compatible with selftests. This is the same approach as used in selftests/net/psock_lib.h. Signed-off-by: Günther Noack Link: https://lore.kernel.org/r/20221018182216.301684-8-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün

selftests/landlock: Test open() and ftruncate() in multiple scenarios

2022-10-19T07:01:44Z

This test uses multiple fixture variants to exercise a broader set of scnenarios. Signed-off-by: Günther Noack Link: https://lore.kernel.org/r/20221018182216.301684-7-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün

selftests/landlock: Test file truncation support

2022-10-19T07:01:44Z

These tests exercise the following truncation operations: * truncate() (truncate by path) * ftruncate() (truncate by file descriptor) * open with the O_TRUNC flag * special case: creat(), which is open with O_CREAT|O_WRONLY|O_TRUNC. in the following scenarios: * Files with read, write and truncate rights. * Files with read and truncate rights. * Files with the truncate right. * Files without the truncate right. In particular, the following scenarios are enforced with the test: * open() with O_TRUNC requires the truncate right, if it truncates a file. open() already checks security_path_truncate() in this case, and it required no additional check in the Landlock LSM's file_open hook. * creat() requires the truncate right when called with an existing filename. * creat() does *not* require the truncate right when it's creating a new file. * ftruncate() requires that the file was opened by a thread that had the truncate right for the file at the time of open(). (The rights are carried along with the opened file.) Signed-off-by: Günther Noack Link: https://lore.kernel.org/r/20221018182216.301684-6-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün

landlock: Support file truncation

2022-10-19T07:01:44Z

Introduce the LANDLOCK_ACCESS_FS_TRUNCATE flag for file truncation. This flag hooks into the path_truncate, file_truncate and file_alloc_security LSM hooks and covers file truncation using truncate(2), ftruncate(2), open(2) with O_TRUNC, as well as creat(). This change also increments the Landlock ABI version, updates corresponding selftests, and updates code documentation to document the flag. In security/security.c, allocate security blobs at pointer-aligned offsets. This fixes the problem where one LSM's security blob can shift another LSM's security blob to an unaligned address (reported by Nathan Chancellor). The following operations are restricted: open(2): requires the LANDLOCK_ACCESS_FS_TRUNCATE right if a file gets implicitly truncated as part of the open() (e.g. using O_TRUNC). Notable special cases: * open(..., O_RDONLY|O_TRUNC) can truncate files as well in Linux * open() with O_TRUNC does *not* need the TRUNCATE right when it creates a new file. truncate(2) (on a path): requires the LANDLOCK_ACCESS_FS_TRUNCATE right. ftruncate(2) (on a file): requires that the file had the TRUNCATE right when it was previously opened. File descriptors acquired by other means than open(2) (e.g. memfd_create(2)) continue to support truncation with ftruncate(2). Cc: Nathan Chancellor Signed-off-by: Günther Noack Acked-by: Paul Moore (LSM) Link: https://lore.kernel.org/r/20221018182216.301684-5-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün

selftests/landlock: Fix out-of-tree builds

2022-09-14T14:37:38Z

These changes simplify the Makefile and handle these 5 ways to build Landlock tests: - make -C tools/testing/selftests/landlock - make -C tools/testing/selftests TARGETS=landlock gen_tar - make TARGETS=landlock kselftest-gen_tar - make TARGETS=landlock O=build kselftest-gen_tar - make -C /tmp/linux TARGETS=landlock O=/tmp/build kselftest-gen_tar This also makes $(KHDR_INCLUDES) available to other test collections when building in their directory. Fixes: f1227dc7d041 ("selftests/landlock: fix broken include of linux/landlock.h") Fixes: 3bb267a36185 ("selftests: drop khdr make target") Cc: Anders Roxell Cc: Guillaume Tucker Cc: Mark Brown Cc: Shuah Khan Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20220909103402.1501802-1-mic@digikod.net

Merge tag 'landlock-6.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux

2022-09-02T22:24:08Z

Pull landlock fix from Mickaël Salaün: "This fixes a mis-handling of the LANDLOCK_ACCESS_FS_REFER right when multiple rulesets/domains are stacked. The expected behaviour was that an additional ruleset can only restrict the set of permitted operations, but in this particular case, it was potentially possible to re-gain the LANDLOCK_ACCESS_FS_REFER right" * tag 'landlock-6.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER