system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-07-21 18:51:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux/security/landlock
History
Günther Noack b25f7415eb
landlock: Add IOCTL access right for character and block devices 
Introduces the LANDLOCK_ACCESS_FS_IOCTL_DEV right
and increments the Landlock ABI version to 5.

This access right applies to device-custom IOCTL commands
when they are invoked on block or character device files.

Like the truncate right, this right is associated with a file
descriptor at the time of open(2), and gets respected even when the
file descriptor is used outside of the thread which it was originally
opened in.

Therefore, a newly enabled Landlock policy does not apply to file
descriptors which are already open.

If the LANDLOCK_ACCESS_FS_IOCTL_DEV right is handled, only a small
number of safe IOCTL commands will be permitted on newly opened device
files.  These include FIOCLEX, FIONCLEX, FIONBIO and FIOASYNC, as well
as other IOCTL commands for regular files which are implemented in
fs/ioctl.c.

Noteworthy scenarios which require special attention:

TTY devices are often passed into a process from the parent process,
and so a newly enabled Landlock policy does not retroactively apply to
them automatically.  In the past, TTY devices have often supported
IOCTL commands like TIOCSTI and some TIOCLINUX subcommands, which were
letting callers control the TTY input buffer (and simulate
keypresses).  This should be restricted to CAP_SYS_ADMIN programs on
modern kernels though.

Known limitations:

The LANDLOCK_ACCESS_FS_IOCTL_DEV access right is a coarse-grained
control over IOCTL commands.

Landlock users may use path-based restrictions in combination with
their knowledge about the file system layout to control what IOCTLs
can be done.

Cc: Paul Moore <paul@paul-moore.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20240419161122.2023765-2-gnoack@google.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>
2024-05-13 06:58:29 +02:00
..
.kunitconfig landlock: Add support for KUnit tests 2024-02-27 11:21:45 +01:00
common.h landlock: Add support for KUnit tests 2024-02-27 11:21:45 +01:00
cred.c LSM: Identify modules by more than name 2023-11-12 22:54:42 -05:00
cred.h landlock: Format with clang-format 2022-05-09 12:31:10 +02:00
fs.c landlock: Add IOCTL access right for character and block devices 2024-05-13 06:58:29 +02:00
fs.h landlock: Support file truncation 2022-10-19 09:01:44 +02:00
Kconfig landlock: Add support for KUnit tests 2024-02-27 11:21:45 +01:00
limits.h landlock: Add IOCTL access right for character and block devices 2024-05-13 06:58:29 +02:00
Makefile landlock: Rename "ptrace" files to "task" 2024-03-08 18:22:16 +01:00
net.c landlock: Simplify current_check_access_socket() 2024-03-08 18:22:13 +01:00
net.h landlock: Support network rules with TCP bind and connect 2023-10-26 21:07:15 +02:00
object.c landlock: Format with clang-format 2022-05-09 12:31:10 +02:00
object.h landlock: Format with clang-format 2022-05-09 12:31:10 +02:00
ruleset.c landlock: Optimize the number of calls to get_access_mask slightly 2024-01-03 12:43:17 +01:00
ruleset.h landlock: Support network rules with TCP bind and connect 2023-10-26 21:07:15 +02:00
setup.c landlock: Rename "ptrace" files to "task" 2024-03-08 18:22:16 +01:00
setup.h LSM: Identify modules by more than name 2023-11-12 22:54:42 -05:00
syscalls.c landlock: Add IOCTL access right for character and block devices 2024-05-13 06:58:29 +02:00
task.c landlock: Rename "ptrace" files to "task" 2024-03-08 18:22:16 +01:00
task.h landlock: Rename "ptrace" files to "task" 2024-03-08 18:22:16 +01:00