Support Landlock syscalls #2380
Conversation
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with
What to do if you already signed the CLA
Individual signers
Corporate signers
ℹ️ Googlers: Go here for more info.
Hi Mickaël, I am excited to see syzkaller descriptions being developed along with the new kernel subsystems! I reviewed the descriptions themselves and they look good to me, I don't have any significant comments.
When/if we are merging this, it would also be good to update syzbot configs: We can merge and start testing it once it's in linux-next. As far as I understand it's on a trajectory to be merged; I think I've seen an LWN article about it or something. And we will need a signed CLA to do anything with this PR. As far as I know Microsoft has a corp CLA, you may ask me privately for details.
Oh, what's this? Any manual changes will be overwritten on the next regenerate.
Hi Dmitry!
OK, I'll rename it to landlock_add_rule$LANDLOCK_RULE_PATH_BENEATH.
OK
OK, I'll add this with a dedicated commit.
Yes, I think it is on a good trajectory.
I'm dealing with that, it should be OK. Thanks.
I guess it's because I use the (1ULL << 0) notation: https://github.com/landlock-lsm/linux/blob/landlock-v26/include/uapi/linux/landlock.h#L114 I can take a look to fix this in syz-extract. (1ULL << 0) should work... I would expect.
I didn't see your reply as an edit of my comment. Please add new comments to reply, it helps understand who wrote it and enables notifications. I didn't investigate much yet, but there are already 342 matches for "???" in sys/linux/*.const, mostly for some architectures but not always:
Could this issue be caused by an incorrect include path?
Oh, sorry, I pressed a wrong menu item.
Some constants are not present on some architectures, e.g. KVM is not supported on all arches.
This is caused by a missing include file for this const.
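The constant-extraction step discussed above (#define values written as (1ULL << 0), and the "???" placeholder that a constant from a missing include leaves in sys/linux/*.const), shown as an added Go example; this is not syz-extract's code and not part of this PR. The header excerpt is constructed from real landlock.h names, and the guard against shifts of 64 or more goes beyond what the thread describes.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Constructed excerpt in the style of include/uapi/linux/landlock.h. The names are
// real; LANDLOCK_RULE_PATH_BENEATH is left out because the header makes it an enum.
const sampleHeader = `
#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
`

// "#define NAME literal" or "#define NAME (literal << n)", with an optional C suffix.
var defRe = regexp.MustCompile(`^\s*#define\s+([A-Za-z_]\w*)\s+\(?\s*(0[xX][0-9a-fA-F]+|\d+)(?:ULL|UL|U|LL|L)?(?:\s*<<\s*(\d+))?\s*\)?\s*$`)

// parseDefine resolves one line; a shift of 64 or more would wrap and is rejected.
func parseDefine(line string) (name string, val uint64, ok bool) {
	m := defRe.FindStringSubmatch(line)
	if m == nil {
		return "", 0, false
	}
	val, err := strconv.ParseUint(m[2], 0, 64)
	shift, _ := strconv.Atoi("0" + m[3]) // an empty group means no shift
	if err != nil || shift >= 64 {
		return "", 0, false
	}
	return m[1], val << uint(shift), true
}

// extractConsts renders each wanted name as a decimal string, or as "???" when the
// header gave no resolvable #define (the placeholder seen in sys/linux/*.const).
func extractConsts(header string, wanted []string) map[string]string {
	defs := map[string]uint64{}
	for _, line := range strings.Split(header, "\n") {
		if name, v, ok := parseDefine(line); ok {
			defs[name] = v
		}
	}
	out := make(map[string]string, len(wanted))
	for _, name := range wanted {
		out[name] = "???"
		if v, ok := defs[name]; ok {
			out[name] = strconv.FormatUint(v, 10)
		}
	}
	return out
}
```

Running extractConsts over a header that lacks a name (or over the wrong include path) yields "???" for that name, which is the symptom the thread is chasing.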
I fixed the I added two tests to help coverage, which is now 68% for security/landlock/ with syzkaller. I'm working on new ones. One question though: do we need
It's only needed if the syscall makes this or subsequent syscalls return random errno values. syzkaller may use returned errno values as some coarse substitute of coverage, returning random garbage from syscalls interferes with this feature.
Because it's an access control system, Landlock may indirectly change the errno value of a subsequent syscall with
If it's only EACCES, then, no, we don't need breaks_returns. It's only for completely random integers. 1 value is not a problem and these can potentially return EACCES on their own.
Does the errno in calls like
I don't understand the question. Please elaborate.
Comments like
They are not cosmetic, they are checked by pkg/runtest:
The addition of fork() is redundant with #2412 but I will remove it from this branch if merged.
I think this should be good now, but still not ready to merge because not in -next.
I reached 72% of coverage for security/landlock/ . The code not (yet) covered deals with race-conditions and internal errors (e.g. ENOMEM).
Is there a way to declare that a syscall changes the state of the calling thread? This could be relevant to force threaded=0 after a call to landlock_restrict_self() as well as seccomp().
How would it be used by the fuzzer? We don't declare properties that we don't use (unnecessary/untested).
I may have misunderstood how syzkaller works, but it seems that it can call each syscall in a dedicated thread, hence the threaded=0 option for tests. In this case, if seccomp() or landlock_restrict_self() are called on a dedicated thread, successive sibling syscalls will not be restricted.
It will call subsequent syscalls on separate threads only if a previous syscall has blocked. If syscalls don't block, it will call syscalls on the same thread.
I set the initial version to 5.13 though: 7dd0716#diff-708f4878ad38e69670500dbc92727f5c063a942ca2a458864a05a35657b7b907R17
We could start testing it now, syzbot has instances on linux-next. You can set the version to
Add config fragments for Landlock LSM.

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

Based on Linux next-20210319: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=f00397ee41c79b6155b9b44abd0055b2c0621349

Co-developed-by: Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr>
Signed-off-by: Vincent Dagonneau <vincent.dagonneau@ssi.gouv.fr>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

This test helps cover security/landlock/fs.c:hook_sb_delete()

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

This test helps cover security/landlock/fs.c:check_access_path()

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

This test helps cover security/landlock/ptrace.c

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

This test helps cover most types of access checks in security/landlock/fs.c

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

This test covers mount namespace manipulation forbidden in security/landlock/fs.c

Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
We also need to regenerate kernel configs with The change looks good to me. Waiting for the CI to finish to merge.
Thanks Dmitry!
I guess something is missing, this instance doesn't have Landlock yet: https://storage.googleapis.com/syzkaller/cover/ci-upstream-linux-next-kasan-gce-root.html
linux-next is boot broken:
Hi,
This is a WIP for Landlock (v26), a new LSM not upstream yet, but hopefully soon: https://lore.kernel.org/lkml/20201209192839.1396820-1-mic@digikod.net/
I'm working on a v27 patch series, but it should not change the kernel part much, mostly tests.
Landlock adds 3 new syscalls which are covered by this commit. I'm using syzkaller with it and it seems to work. :)
See the documentation: https://landlock.io/linux-doc/landlock-v26/userspace-api/landlock.html
and the syscall implementations: https://github.com/landlock-lsm/linux/blob/landlock-v26/security/landlock/syscall.c
Could you please give some feedback and advice to improve this patch?
I'll update this PR once Landlock is merged upstream.
This is team work with @vdagonneau-anssi.