<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/security/landlock, branch v6.11.8</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.11.8</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.11.8'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2024-10-04T14:38:51+00:00</updated>
<entry>
<title>lsm: add the inode_free_security_rcu() LSM implementation hook</title>
<updated>2024-10-04T14:38:51+00:00</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2024-07-09T23:43:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=51590af12f00cb03dc1b2f53230f58c85e2d41bc'/>
<id>urn:sha1:51590af12f00cb03dc1b2f53230f58c85e2d41bc</id>
<content type='text'>
commit 63dff3e48871b0583be5032ff8fb7260c349a18c upstream.

The LSM framework has an existing inode_free_security() hook which
is used by LSMs that manage state associated with an inode, but
due to the use of RCU to protect the inode, special care must be
taken to ensure that the LSMs do not fully release the inode state
until it is safe from an RCU perspective.

This patch implements a new inode_free_security_rcu() implementation
hook which is called when it is safe to free the LSM's internal inode
state.  Unfortunately, this new hook does not have access to the inode
itself as it may already be released, so the existing
inode_free_security() hook is retained for those LSMs which require
access to the inode.

Cc: stable@vger.kernel.org
Reported-by: syzbot+5446fbf332b0602ede0b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/00000000000076ba3b0617f65cc8@google.com
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'landlock-6.11-rc1-houdini-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux</title>
<updated>2024-07-27T20:16:53+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2024-07-27T20:16:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=86b405ad8d0d2994a7ffbacb8fcf83be8afb952c'/>
<id>urn:sha1:86b405ad8d0d2994a7ffbacb8fcf83be8afb952c</id>
<content type='text'>
Pull landlock fix from Mickaël Salaün:
 "Jann Horn reported a sandbox bypass for Landlock. This includes the
  fix and new tests. This should be backported"

* tag 'landlock-6.11-rc1-houdini-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  selftests/landlock: Add cred_transfer test
  landlock: Don't lose track of restrictions on cred_transfer
</content>
</entry>
<entry>
<title>landlock: Don't lose track of restrictions on cred_transfer</title>
<updated>2024-07-24T15:34:54+00:00</updated>
<author>
<name>Jann Horn</name>
<email>jannh@google.com</email>
</author>
<published>2024-07-24T12:49:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=39705a6c29f8a2b93cf5b99528a55366c50014d1'/>
<id>urn:sha1:39705a6c29f8a2b93cf5b99528a55366c50014d1</id>
<content type='text'>
When a process' cred struct is replaced, this _almost_ always invokes
the cred_prepare LSM hook; but in one special case (when
KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the
cred_transfer LSM hook is used instead.  Landlock only implements the
cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes
all information on Landlock restrictions to be lost.

This basically means that a process with the ability to use the fork()
and keyctl() syscalls can get rid of all Landlock restrictions on
itself.

Fix it by adding a cred_transfer hook that does the same thing as the
existing cred_prepare hook. (Implemented by having hook_cred_prepare()
call hook_cred_transfer() so that the two functions are less likely to
accidentally diverge in the future.)

Cc: stable@kernel.org
Fixes: 385975dca53e ("landlock: Set up the security framework and manage credentials")
Signed-off-by: Jann Horn &lt;jannh@google.com&gt;
Link: https://lore.kernel.org/r/20240724-landlock-houdini-fix-v1-1-df89a4560ca3@google.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Various documentation improvements</title>
<updated>2024-07-18T06:27:47+00:00</updated>
<author>
<name>Günther Noack</name>
<email>gnoack@google.com</email>
</author>
<published>2024-07-15T16:03:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f4b89d8ce5a835afa51404977ee7e3889c2b9722'/>
<id>urn:sha1:f4b89d8ce5a835afa51404977ee7e3889c2b9722</id>
<content type='text'>
* Fix some typos, incomplete or confusing phrases.
* Split paragraphs where appropriate.
* List the same error code multiple times,
  if it has multiple possible causes.
* Bring wording closer to the man page wording,
  which has undergone more thorough review
  (esp. for LANDLOCK_ACCESS_FS_WRITE_FILE).
* Small semantic clarifications
  * Call the ephemeral port range "ephemeral"
  * Clarify reasons for EFAULT in landlock_add_rule()
  * Clarify @rule_type doc for landlock_add_rule()

This is a collection of small fixes which I collected when preparing the
corresponding man pages [1].

Cc: Alejandro Colomar &lt;alx@kernel.org&gt;
Cc: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20240715155554.2791018-1-gnoack@google.com [1]
Signed-off-by: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20240715160328.2792835-2-gnoack@google.com
[mic: Add label to link, fix formatting spotted by make htmldocs,
synchronize userspace-api documentation's date]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Use bit-fields for storing handled layer access masks</title>
<updated>2024-07-08T08:51:10+00:00</updated>
<author>
<name>Günther Noack</name>
<email>gnoack@google.com</email>
</author>
<published>2024-06-10T08:21:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=395a02d04ed4d9b9ae2d7cadfd9b14a64fe240b5'/>
<id>urn:sha1:395a02d04ed4d9b9ae2d7cadfd9b14a64fe240b5</id>
<content type='text'>
When defined using bit-fields, the compiler takes care of packing the
bits in a memory-efficient way and frees us from defining
LANDLOCK_SHIFT_ACCESS_* by hand.  The exact memory layout does not
matter in our use case.

The manual definition of LANDLOCK_SHIFT_ACCESS_* has resulted in bugs in
at least two recent patch sets [1] [2] where new kinds of handled access
rights were introduced.

Cc: Mikhail Ivanov &lt;ivanov.mikhail1@huawei-partners.com&gt;
Cc: Tahera Fahimi &lt;fahimitahera@gmail.com&gt;
Link: https://lore.kernel.org/r/ebd680cc-25d6-ee14-4856-310f5e5e28e4@huawei-partners.com [1]
Link: https://lore.kernel.org/r/ZmLEoBfHyUR3nKAV@google.com [2]
Signed-off-by: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20240610082115.1693267-1-gnoack@google.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Fix d_parent walk</title>
<updated>2024-05-31T14:41:52+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2024-05-16T18:19:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=88da52ccd66e65f2e63a6c35c9dff55d448ef4dc'/>
<id>urn:sha1:88da52ccd66e65f2e63a6c35c9dff55d448ef4dc</id>
<content type='text'>
The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when
trying to link a root mount point.  This cannot work in practice because
this directory is mounted, but the VFS check is done after the call to
security_path_link().

Do not use the source directory's d_parent when the source directory is the
mount point.

Cc: Günther Noack &lt;gnoack@google.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: stable@vger.kernel.org
Reported-by: syzbot+bf4903dc7e12b18ebc87@syzkaller.appspotmail.com
Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
Closes: https://lore.kernel.org/r/000000000000553d3f0618198200@google.com
Link: https://lore.kernel.org/r/20240516181935.1645983-2-mic@digikod.net
[mic: Fix commit message]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Add IOCTL access right for character and block devices</title>
<updated>2024-05-13T04:58:29+00:00</updated>
<author>
<name>Günther Noack</name>
<email>gnoack@google.com</email>
</author>
<published>2024-04-19T16:11:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b25f7415eb4108aa32dd3e74289d7f997090708f'/>
<id>urn:sha1:b25f7415eb4108aa32dd3e74289d7f997090708f</id>
<content type='text'>
Introduces the LANDLOCK_ACCESS_FS_IOCTL_DEV right
and increments the Landlock ABI version to 5.

This access right applies to device-custom IOCTL commands
when they are invoked on block or character device files.

Like the truncate right, this right is associated with a file
descriptor at the time of open(2), and gets respected even when the
file descriptor is used outside of the thread which it was originally
opened in.

Therefore, a newly enabled Landlock policy does not apply to file
descriptors which are already open.

If the LANDLOCK_ACCESS_FS_IOCTL_DEV right is handled, only a small
number of safe IOCTL commands will be permitted on newly opened device
files.  These include FIOCLEX, FIONCLEX, FIONBIO and FIOASYNC, as well
as other IOCTL commands for regular files which are implemented in
fs/ioctl.c.

Noteworthy scenarios which require special attention:

TTY devices are often passed into a process from the parent process,
and so a newly enabled Landlock policy does not retroactively apply to
them automatically.  In the past, TTY devices have often supported
IOCTL commands like TIOCSTI and some TIOCLINUX subcommands, which were
letting callers control the TTY input buffer (and simulate
keypresses).  This should be restricted to CAP_SYS_ADMIN programs on
modern kernels though.

Known limitations:

The LANDLOCK_ACCESS_FS_IOCTL_DEV access right is a coarse-grained
control over IOCTL commands.

Landlock users may use path-based restrictions in combination with
their knowledge about the file system layout to control what IOCTLs
can be done.

Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Cc: Christian Brauner &lt;brauner@kernel.org&gt;
Cc: Arnd Bergmann &lt;arnd@arndb.de&gt;
Signed-off-by: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20240419161122.2023765-2-gnoack@google.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Use f_cred in security_file_open() hook</title>
<updated>2024-03-08T17:22:16+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2024-03-07T09:52:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=63817febd1f3c27f633b2bce0d6db328e59fd019'/>
<id>urn:sha1:63817febd1f3c27f633b2bce0d6db328e59fd019</id>
<content type='text'>
Use landlock_cred(file-&gt;f_cred)-&gt;domain instead of
landlock_get_current_domain() in security_file_open() hook
implementation.

This should not change the current behavior but could avoid potential
race conditions in case of current task's credentials change.

This will also ensure consistency with upcoming audit support relying on
file-&gt;f_cred.

Add and use a new get_fs_domain() helper to mask non-filesystem domains.

file-&gt;f_cred is set by path_openat()/alloc_empty_file()/init_file() just
before calling security_file_alloc().

Cc: Christian Brauner &lt;brauner@kernel.org&gt;
Cc: Günther Noack &lt;gnoack@google.com&gt;
Cc: Jann Horn &lt;jannh@google.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Link: https://lore.kernel.org/r/20240307095203.1467189-1-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Rename "ptrace" files to "task"</title>
<updated>2024-03-08T17:22:16+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2024-03-07T09:39:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e3e37fe022a486d83c71eacb59fb5b6b0ebdbf78'/>
<id>urn:sha1:e3e37fe022a486d83c71eacb59fb5b6b0ebdbf78</id>
<content type='text'>
ptrace.[ch] are currently only used for the ptrace LSM hooks but their
scope will expand with IPCs and audit support.  Rename ptrace.[ch] to
task.[ch], which better reflect their content.  Similarly, rename
landlock_add_ptrace_hooks() to landlock_add_task_hooks().  Keep header
files for now.

Cc: Günther Noack &lt;gnoack@google.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Link: https://lore.kernel.org/r/20240307093923.1466071-2-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Simplify current_check_access_socket()</title>
<updated>2024-03-08T17:22:13+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2024-03-07T09:39:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=088e2efaf3d25be67f5dbcc26cfe08d7797dff39'/>
<id>urn:sha1:088e2efaf3d25be67f5dbcc26cfe08d7797dff39</id>
<content type='text'>
Remove the handled_access variable in current_check_access_socket() and
update access_request instead.  One up-to-date variable avoids picking
the wrong one.

Cc: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20240307093923.1466071-1-mic@digikod.net
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
</feed>
