On 27/02/2018 05:17, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 12:41 AM, Mickaël Salaün <mic@xxxxxxxxxxx> wrote: >> A landlocked process has less privileges than a non-landlocked process >> and must then be subject to additional restrictions when manipulating >> processes. To be allowed to use ptrace(2) and related syscalls on a >> target process, a landlocked process must have a subset of the target >> process' rules. >> >> Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx> >> Cc: Alexei Starovoitov <ast@xxxxxxxxxx> >> Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx> >> Cc: Daniel Borkmann <daniel@xxxxxxxxxxxxx> >> Cc: David S. Miller <davem@xxxxxxxxxxxxx> >> Cc: James Morris <james.l.morris@xxxxxxxxxx> >> Cc: Kees Cook <keescook@xxxxxxxxxxxx> >> Cc: Serge E. Hallyn <serge@xxxxxxxxxx> >> --- >> >> Changes since v6: >> * factor out ptrace check >> * constify pointers >> * cleanup headers >> * use the new security_add_hooks() >> --- >> security/landlock/Makefile | 2 +- >> security/landlock/hooks_ptrace.c | 124 +++++++++++++++++++++++++++++++++++++++ >> security/landlock/hooks_ptrace.h | 11 ++++ >> security/landlock/init.c | 2 + >> 4 files changed, 138 insertions(+), 1 deletion(-) >> create mode 100644 security/landlock/hooks_ptrace.c >> create mode 100644 security/landlock/hooks_ptrace.h >> >> diff --git a/security/landlock/Makefile b/security/landlock/Makefile >> index d0f532a93b4e..605504d852d3 100644 >> --- a/security/landlock/Makefile >> +++ b/security/landlock/Makefile >> @@ -3,4 +3,4 @@ obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o >> landlock-y := init.o chain.o task.o \ >> tag.o tag_fs.o \ >> enforce.o enforce_seccomp.o \ >> - hooks.o hooks_cred.o hooks_fs.o >> + hooks.o hooks_cred.o hooks_fs.o hooks_ptrace.o >> diff --git a/security/landlock/hooks_ptrace.c b/security/landlock/hooks_ptrace.c >> new file mode 100644 >> index 000000000000..f1b977b9c808 >> --- /dev/null >> +++ b/security/landlock/hooks_ptrace.c >> @@ -0,0 +1,124 @@ >> +/* >> + * Landlock LSM - ptrace hooks >> + * >> + * Copyright © 2017 Mickaël Salaün <mic@xxxxxxxxxxx> >> + * >> + * This program is free software; you can redistribute it and/or modify >> + * it under the terms of the GNU General Public License version 2, as >> + * published by the Free Software Foundation. >> + */ >> + >> +#include <asm/current.h> >> +#include <linux/errno.h> >> +#include <linux/kernel.h> /* ARRAY_SIZE */ >> +#include <linux/lsm_hooks.h> >> +#include <linux/sched.h> /* struct task_struct */ >> +#include <linux/seccomp.h> >> + >> +#include "common.h" /* struct landlock_prog_set */ >> +#include "hooks.h" /* landlocked() */ >> +#include "hooks_ptrace.h" >> + >> +static bool progs_are_subset(const struct landlock_prog_set *parent, >> + const struct landlock_prog_set *child) >> +{ >> + size_t i; >> + >> + if (!parent || !child) >> + return false; >> + if (parent == child) >> + return true; >> + >> + for (i = 0; i < ARRAY_SIZE(child->programs); i++) { > > ARRAY_SIZE(child->programs) seems misleading. Is there no define > NUM_LANDLOCK_PROG_TYPES or similar? Yes, there is _LANDLOCK_HOOK_LAST, but this code seems more readable exactly because it does not require the developer (or the code checking tools) to know about this static value.
Attachment:
signature.asc
Description: OpenPGP digital signature