
From:
Mickaël Salaün <mic@digikod.net>
Subject:
GoT Landlock fixes
To:
gameoftrees@openbsd.org
Cc:
Omar Polo <op@openbsd.org>, Thomas Adam <thomas@xteddy.org>, landlock@lists.linux.dev
Date:
Thu, 10 Feb 2022 18:34:54 +0100


Hi,

I noticed Omar Polo added support for Landlock to the Linux version of 
Game Of Trees [1]. This is great! However, the handled filesystem access 
is only LANDLOCK_ACCESS_FS_READ_FILE, and it will still be allowed to do 
multiple filesystem-related actions (e.g. write to files, remove 
files…). I don't know much about Game Of Trees but, according to the 
commit message, I think you would like to revoke any (currently 
supported) filesystem access. You should then add the 12 remaining 
access rights [2]. There is also a typo in the errno check, it should be 
EOPNOTSUPP (not ENOTSUP). You'll find a small patch attached. Let me 
know if I can help.

In a nutshell, the ruleset's handled_access_fs is required for backward 
and forward compatibility (i.e. the kernel and user space may not know 
each other's supported restrictions), hence the need to be explicit 
about the denied-by-default access rights.

Regards,
  Mickaël


[1] https://git.gameoftrees.org/gitweb/?p=got-portable.git;a=commit;h=97799ccd4b67a81f97039305d4fdd66588da9962
[2] https://docs.kernel.org/userspace-api/landlock.html#filesystem-flags
From f2c1e06c218b997f4c686a59d901b5e1948e8001 Mon Sep 17 00:00:00 2001
From: Mickaël Salaün <mic@digikod.net>
Date: Thu, 10 Feb 2022 18:09:52 +0100
Subject: [PATCH] portable: extend support for Landlock and fix error handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This adds all the remaining currently supported (Linux >= 5.13)
filesystem restrictions: creation, removal, reading, writing and
executing.

Fix the errno check with EOPNOTSUPP in case of a kernel with Landlock
support built in but disabled at boot time.

Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
 compat/landlock.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/compat/landlock.c b/compat/landlock.c
index 47a5209dbfe2..9a637bb0753f 100644
--- a/compat/landlock.c
+++ b/compat/landlock.c
@@ -76,7 +76,19 @@ landlock_no_fs(void)
 		 * rejecting *any* filesystem access, we still have to
 		 * list some "possible actions" here.
 		 */
-		.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
+		.handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE | \
+				     LANDLOCK_ACCESS_FS_READ_FILE | \
+				     LANDLOCK_ACCESS_FS_READ_DIR | \
+				     LANDLOCK_ACCESS_FS_WRITE_FILE | \
+				     LANDLOCK_ACCESS_FS_REMOVE_DIR | \
+				     LANDLOCK_ACCESS_FS_REMOVE_FILE | \
+				     LANDLOCK_ACCESS_FS_MAKE_CHAR | \
+				     LANDLOCK_ACCESS_FS_MAKE_DIR | \
+				     LANDLOCK_ACCESS_FS_MAKE_REG | \
+				     LANDLOCK_ACCESS_FS_MAKE_SOCK | \
+				     LANDLOCK_ACCESS_FS_MAKE_FIFO | \
+				     LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
+				     LANDLOCK_ACCESS_FS_MAKE_SYM,
 	};
 	int fd, saved_errno;
 
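Review bot: the comment kept above the initializer ("we still have to list some 'possible actions' here") now describes the bug this hunk fixes rather than the new code: with Landlock, any access right missing from handled_access_fs stays allowed, so the full set has to be named, and the comment should say so. Two smaller points on the same lines: the trailing backslashes on each `LANDLOCK_ACCESS_FS_... | \` line are only needed inside macro definitions and can go, and because the mask is pinned to what Linux 5.13 supports, a later kernel that adds access rights will leave them unhandled; deriving the mask from the ABI version returned by landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) would keep the process fully restricted there too.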
@@ -86,7 +98,7 @@ landlock_no_fs(void)
 	fd = landlock_create_ruleset(&rattr, sizeof(rattr), 0);
 	if (fd == -1) {
 		/* this kernel doesn't have landlock built in */
-		if (errno == ENOSYS || errno == ENOTSUP)
+		if (errno == ENOSYS || errno == EOPNOTSUPP)
 			return 0;
 		return -1;
 	}
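Review bot: the unchanged comment `/* this kernel doesn't have landlock built in */` on the line above the changed check no longer matches the condition. ENOSYS means the syscall is absent, while EOPNOTSUPP, as the commit message says, means Landlock is built in but disabled at boot. Suggest rewording the comment to cover both cases, so the next reader does not "fix" EOPNOTSUPP back to ENOTSUP.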
-- 
2.34.1
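The cover letter's point, that handled_access_fs must name every access right the kernel knows or the unnamed ones stay allowed, generalises to kernels newer than 5.13. The following is an added example, not got-portable's code: it derives the mask from the ABI version the kernel reports (REFER and TRUNCATE, added in later ABIs, are assumed from the Landlock UAPI and are not on the page), and applies the same ENOSYS/EOPNOTSUPP handling as the patch.

```c
/* Added example (not got-portable code): deny every filesystem access right
 * the running kernel supports, chosen by Landlock ABI version. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444   /* same number on every architecture */
#define __NR_landlock_restrict_self  446
#endif
#endif

/* Access-right bits from the Landlock UAPI: bits 0..12 are the 13 rights the
 * patch lists (ABI 1, Linux 5.13); REFER and TRUNCATE came with later ABIs. */
#define FS_ABI1_ALL          ((1ULL << 13) - 1)
#define FS_REFER             (1ULL << 13)   /* ABI 2 */
#define FS_TRUNCATE          (1ULL << 14)   /* ABI 3 */
#define RULESET_VERSION_FLAG (1U << 0)      /* LANDLOCK_CREATE_RULESET_VERSION */

struct ruleset_attr { uint64_t handled_access_fs; }; /* ABI-1 prefix of landlock_ruleset_attr */

/* Rights to handle for a kernel reporting ABI `abi`: naming a right the kernel
 * does not know fails with EINVAL, leaving one out silently keeps it allowed. */
uint64_t handled_fs_for_abi(int abi)
{
	uint64_t mask = FS_ABI1_ALL;
	if (abi >= 2) mask |= FS_REFER;
	if (abi >= 3) mask |= FS_TRUNCATE;
	return mask;
}

/* Same distinction as the patch: no syscall, or built in but disabled at boot. */
int landlock_unavailable(int err)
{
	return err == ENOSYS || err == EOPNOTSUPP;
}

/* Returns 0 when restricted or when Landlock is unavailable, -1 on error. */
int deny_all_fs(void)
{
#ifdef __linux__
	int abi = syscall(__NR_landlock_create_ruleset, NULL, 0, RULESET_VERSION_FLAG);
	if (abi < 0)
		return landlock_unavailable(errno) ? 0 : -1;
	struct ruleset_attr attr = { .handled_access_fs = handled_fs_for_abi(abi) };
	int fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	if (fd < 0)
		return -1;
	/* restrict_self requires no_new_privs; the ruleset fd is no longer needed afterwards */
	int rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, fd, 0);
	close(fd);
	return rc ? -1 : 0;
#else
	return 0;
#endif
}
```

Call deny_all_fs() once at startup after all files the program needs are open; after it returns 0 on a Landlock-enabled kernel, every handled filesystem operation fails with EACCES.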