Re: [PATCH v11 1/9] fs: Add and use vfs_get_ioctl_handler()


 



On Fri, Mar 22, 2024, at 16:09, Günther Noack wrote:
> From: Mickaël Salaün <mic@xxxxxxxxxxx>
>
> Add a new vfs_get_ioctl_handler() helper to identify if an IOCTL command
> is handled by the first IOCTL layer.  Each IOCTL command is now handled
> by a dedicated function, and all of them use the same signature.

Sorry I didn't already reply the previous time you sent this.
I don't really like the idea of going through another indirect
pointer for each of the ioctls here, both because of the
complexity at the source level, and the potential cost on
architectures that need heavy barriers around indirect
function calls.
 
> -static int ioctl_fibmap(struct file *filp, int __user *p)
> +static int ioctl_fibmap(struct file *filp, unsigned int fd, unsigned 
> long arg)
>  {
> +	int __user *p = (void __user *)arg;
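
Review bot: in ioctl_fibmap(), the added line "int __user *p = (void __user *)arg;" replaces a typed parameter with a cast from unsigned long, so the compiler can no longer check at the call site that an int __user pointer was passed. If the common signature stays, cast to (int __user *)arg so the intended type is stated at the one place it is recovered, and add a comment above the function saying that fd is there only for the shared handler signature, since none of the visible lines use it.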

The new version doesn't seem like an improvement when you
need the extra type casts here. 

As a completely different approach, would it perhaps be
sufficient to define security_file_ioctl_compat() in a
way that it may return a special error code signifying
"don't call into fops->{unlocked,compat}_ioctl"?

This way landlock could trivially allow ioctls on e.g.
normal file systems, sockets and block devices but prevent
them on character devices it does not trust.

      Arnd
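
The alternative proposed in the message above, as a user-space model. This is an added example, not code from the patch series or from the kernel. Every identifier in it (HOOK_SKIP_FOPS, hook_file_ioctl, vfs_layer_ioctl, model_ioctl, the CMD_* numbers) is hypothetical, and the policy of distrusting an unmarked character device is an assumption chosen to match the last paragraph.

```c
/* User-space model only; every name here is hypothetical, not kernel API. */
#include <errno.h>
#include <stdbool.h>

#define HOOK_SKIP_FOPS 1 /* hypothetical sentinel: allow the VFS layer only */

enum ftype { F_REGULAR, F_SOCKET, F_BLOCKDEV, F_CHARDEV };
enum { CMD_FIOCLEX = 1, CMD_FIBMAP, CMD_DRIVER_PRIVATE }; /* constructed */

struct file_model {
    enum ftype type;
    bool trusted;                        /* policy verdict for this file */
    int (*fops_ioctl)(unsigned int cmd); /* stand-in for the fops handler */
};

static int driver_calls; /* counts how often the driver handler was reached */
static int driver_ioctl(unsigned int cmd) { (void)cmd; driver_calls++; return 0; }

/* Stand-in for the security hook: <0 deny, 0 allow, sentinel = no fops call. */
static int hook_file_ioctl(const struct file_model *f, unsigned int cmd)
{
    (void)cmd;
    if (f->type == F_CHARDEV && !f->trusted)
        return HOOK_SKIP_FOPS;
    return 0;
}

/* Stand-in for the first IOCTL layer; returns true when cmd is handled here. */
static bool vfs_layer_ioctl(unsigned int cmd, int *ret)
{
    if (cmd == CMD_FIOCLEX || cmd == CMD_FIBMAP) {
        *ret = 0;
        return true;
    }
    return false;
}

int model_ioctl(const struct file_model *f, unsigned int cmd)
{
    int ret, verdict = hook_file_ioctl(f, cmd);

    if (verdict < 0)
        return verdict;             /* ordinary denial from the hook */
    if (vfs_layer_ioctl(cmd, &ret))
        return ret;                 /* generic commands stay available */
    if (verdict == HOOK_SKIP_FOPS)
        return -EACCES;             /* never reach the untrusted driver */
    return f->fops_ioctl ? f->fops_ioctl(cmd) : -ENOTTY;
}
```

In this model the first-layer commands need no per-command function pointer: the sentinel only decides whether the final call into the file's own handler happens.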




