Commit 48676ddc authored by Mickaël Salaün, committed by Zhong Jinghua

landlock: Add object management

mainline inclusion
from mainline-v5.13-rc1
commit 90945448
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I6DJU0
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=90945448e9830aa1b39d7acaa4e0724a001e2ff8



--------------------------------

A Landlock object makes it possible to identify a kernel object (e.g. an inode).
A Landlock rule is a set of access rights allowed on an object.  Rules
are grouped in rulesets that may be tied to a set of processes (i.e.
subjects) to enforce a scoped access-control (i.e. a domain).

Because Landlock's goal is to empower any process (especially
unprivileged ones) to sandbox themselves, we cannot rely on a
system-wide object identification such as file extended attributes.
Indeed, we need innocuous, composable and modular access-controls.

The main challenge with these constraints is to identify kernel objects
while this identification is useful (i.e. when a security policy makes
use of this object).  But this identification data should be freed once
no policy is using it.  This ephemeral tagging should not and may not be
written in the filesystem.  We then need to manage the lifetime of a
rule according to the lifetime of its objects.  To avoid a global lock,
this implementation makes use of RCU and counters to safely reference
objects.

A following commit uses this generic object management for inodes.

Cc: James Morris <jmorris@namei.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Reviewed-by: Jann Horn <jannh@google.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210422154123.13086-2-mic@digikod.net


Signed-off-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Yi Yang <yiyang13@huawei.com>
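As an added illustration of the object/rule lifetime the commit message describes (model code written for this page, not the kernel's object.c): a userspace C model in which an object tags a stand-in inode only while at least one rule references it, with plain single-threaded counters standing in for the kernel's RCU and refcount_t. The names struct fake_inode, ll_get_object() and ll_put_object() are assumptions.

```c
/* Added userspace model of the lifetime scheme in the commit message; it is
 * not the kernel's object.c (no RCU, struct fake_inode stands in for an inode). */
#include <stdlib.h>

struct ll_object;
struct fake_inode {
	struct ll_object *tag;	/* ephemeral tag, never written to the filesystem */
};
struct ll_object {
	unsigned int usage;	/* rules currently referencing this object */
	struct fake_inode *underobj;	/* the kernel object this identifies */
};

/* Tag @inode, creating its object on first use; each call hands out one
 * reference that a rule owns until it calls ll_put_object(). */
struct ll_object *ll_get_object(struct fake_inode *inode)
{
	struct ll_object *obj = inode->tag;
	if (!obj) {
		obj = calloc(1, sizeof(*obj));	/* allocation failure not modelled */
		obj->underobj = inode;
		inode->tag = obj;
	}
	obj->usage++;
	return obj;
}

/* Drop one rule's reference; the last drop removes the tag and frees the
 * identification data: once no policy uses it, nothing identifies the inode. */
void ll_put_object(struct ll_object *obj)
{
	if (--obj->usage)
		return;
	obj->underobj->tag = NULL;
	free(obj);
}

/* Two rules share one object; the tag lives exactly as long as at least one
 * rule uses it.  Returns how many of the three checks held (3 = all). */
int ll_lifetime_demo(void)
{
	struct fake_inode ino = { .tag = NULL };
	struct ll_object *r1 = ll_get_object(&ino), *r2 = ll_get_object(&ino);
	int ok = (r1 == r2 && r1->usage == 2);		/* one object, two users */
	ll_put_object(r1);
	ok += (ino.tag == r2 && r2->usage == 1);	/* rule 2 still needs it */
	ll_put_object(r2);
	ok += (ino.tag == NULL);			/* last user gone: untagged */
	return ok;
}
```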
parent 31f254d2
+10 −0
@@ -9945,6 +9945,16 @@ F: net/core/sock_map.c
F:	net/ipv4/tcp_bpf.c
F:	net/ipv4/udp_bpf.c
LANDLOCK SECURITY MODULE
M:	Mickaël Salaün <mic@digikod.net>
L:	linux-security-module@vger.kernel.org
S:	Supported
W:	https://landlock.io
T:	git https://github.com/landlock-lsm/linux.git
F:	security/landlock/
K:	landlock
K:	LANDLOCK
LANTIQ / INTEL Ethernet drivers
M:	Hauke Mehrtens <hauke@hauke-m.de>
L:	netdev@vger.kernel.org
+1 −0
@@ -230,6 +230,7 @@ source "security/loadpin/Kconfig"
source "security/yama/Kconfig"
source "security/safesetid/Kconfig"
source "security/lockdown/Kconfig"
source "security/landlock/Kconfig"

source "security/integrity/Kconfig"

+2 −0
@@ -13,6 +13,7 @@ subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin
subdir-$(CONFIG_SECURITY_SAFESETID)    += safesetid
subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown
subdir-$(CONFIG_BPF_LSM)		+= bpf
subdir-$(CONFIG_SECURITY_LANDLOCK)	+= landlock

# always enable default capabilities
obj-y					+= commoncap.o
@@ -32,6 +33,7 @@ obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/
obj-$(CONFIG_SECURITY_LOCKDOWN_LSM)	+= lockdown/
obj-$(CONFIG_CGROUPS)			+= device_cgroup.o
obj-$(CONFIG_BPF_LSM)			+= bpf/
obj-$(CONFIG_SECURITY_LANDLOCK)		+= landlock/

# Object integrity file lists
subdir-$(CONFIG_INTEGRITY)		+= integrity
+21 −0
# SPDX-License-Identifier: GPL-2.0-only

config SECURITY_LANDLOCK
	bool "Landlock support"
	depends on SECURITY
	select SECURITY_PATH
	help
	  Landlock is a sandboxing mechanism that enables processes to restrict
	  themselves (and their future children) by gradually enforcing
	  tailored access control policies.  A Landlock security policy is a
	  set of access rights (e.g. open a file in read-only, make a
	  directory, etc.) tied to a file hierarchy.  Such policy can be
	  configured and enforced by any processes for themselves using the
	  dedicated system calls: landlock_create_ruleset(),
	  landlock_add_rule(), and landlock_restrict_self().

	  See Documentation/userspace-api/landlock.rst for further information.

	  If you are unsure how to answer this question, answer N.  Otherwise,
	  you should also prepend "landlock," to the content of CONFIG_LSM to
	  enable Landlock at boot time.
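Review bot: the help text refers to Documentation/userspace-api/landlock.rst and to the landlock_create_ruleset(), landlock_add_rule() and landlock_restrict_self() system calls, none of which this patch adds, so at this point in the series the option describes functionality that does not exist yet; that is acceptable for a series that lands as a unit, but make sure the documentation patch is part of it. Two wording nits in the same block: "configured and enforced by any processes for themselves" should read "by any process for itself", and "open a file in read-only" reads better as "open a file read-only".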
+3 −0
obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o

landlock-y := object.o
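Review bot: `landlock-y := object.o` compiles object.c, and neither that file nor its header is among the hunks rendered on this page (the listing stops here), so the substantive part of the change, the RCU and reference-counted object lifetime the commit message describes, cannot be reviewed from what is shown. The build glue itself is consistent with the other LSM directories: security/Makefile gains matching `subdir-` and `obj-` entries above, and security/Kconfig sources the new Kconfig next to the other modules.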