linux/security
Mickaël Salaün f4906938bd landlock: Fix asymmetric private inodes referring
commit d9818b3e90 upstream.

When linking or renaming a file, if only one of the source or
destination directory is backed by an S_PRIVATE inode, then the related
set of layer masks would be used as uninitialized by
is_access_to_paths_allowed().  This would result to indeterministic
access for one side instead of always being allowed.

This bug could only be triggered with a mounted filesystem containing
both S_PRIVATE and !S_PRIVATE inodes, which doesn't seem possible.

The collect_domain_accesses() calls return early if
is_nouser_or_private() returns false, which means that the directory's
superblock has SB_NOUSER or its inode has S_PRIVATE.  Because rename or
link actions are only allowed on the same mounted filesystem, the
superblock is always the same for both source and destination
directories.  However, it might be possible in theory to have an
S_PRIVATE parent source inode with an !S_PRIVATE parent destination
inode, or vice versa.

To make sure this case is not an issue, explicitly initialized both set
of layer masks to 0, which means to allow all actions on the related
side.  If at least on side has !S_PRIVATE, then
collect_domain_accesses() and is_access_to_paths_allowed() check for the
required access rights.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Günther Noack <gnoack@google.com>
Cc: Jann Horn <jannh@google.com>
Cc: Shervin Oloumi <enlightened@chromium.org>
Cc: stable@vger.kernel.org
Fixes: b91c3e4ea7 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
Link: https://lore.kernel.org/r/20240219190345.2928627-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-03-06 14:48:39 +00:00
..
apparmor apparmor: avoid crash when parsed profile name is empty 2024-01-25 15:35:54 -08:00
bpf selinux: remove the runtime disable functionality 2023-03-20 12:34:23 -04:00
integrity ima: detect changes to the backing overlay file 2023-11-28 17:20:03 +00:00
keys Revert "KEYS: encrypted: Add check for strsep" 2024-01-25 15:36:01 -08:00
landlock landlock: Fix asymmetric private inodes referring 2024-03-06 14:48:39 +00:00
loadpin LoadPin: Annotate struct dm_verity_loadpin_trusted_root_digest with __counted_by 2023-08-25 16:07:30 -07:00
lockdown selinux: remove the runtime disable functionality 2023-03-20 12:34:23 -04:00
safesetid SafeSetID: fix UID printed instead of GID 2023-06-20 20:26:00 -04:00
selinux lsm: new security_file_ioctl_compat() hook 2024-01-31 16:18:54 -08:00
smack lsm: new security_file_ioctl_compat() hook 2024-01-31 16:18:54 -08:00
tomoyo tomoyo: fix UAF write bug in tomoyo_write_control() 2024-03-06 14:48:39 +00:00
yama sysctl-6.4-rc1 2023-04-27 16:52:33 -07:00
commoncap.c lsm: constify the 'target' parameter in security_capget() 2023-08-08 16:48:47 -04:00
device_cgroup.c device_cgroup: Fix kernel-doc warnings in device_cgroup 2023-06-21 09:30:49 -04:00
inode.c security: convert to ctime accessor functions 2023-07-24 10:30:08 +02:00
Kconfig mm/slab: remove HAVE_HARDENED_USERCOPY_ALLOCATOR 2023-05-24 15:38:17 +02:00
Kconfig.hardening hardening: Move BUG_ON_DATA_CORRUPTION to hardening options 2023-08-15 14:57:25 -07:00
lsm_audit.c lsm: fix a number of misspellings 2023-05-25 17:52:15 -04:00
Makefile security: remove unneeded subdir-$(CONFIG_...) 2021-09-03 08:17:20 +09:00
min_addr.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
security.c lsm: fix the logic in security_inode_getsecctx() 2024-02-23 09:25:02 +01:00