• Mickaël Salaün's avatar
    landlock: Support filesystem access-control · cb2c7d1a
    Mickaël Salaün authored
    Using Landlock objects and ruleset, it is possible to tag inodes
    according to a process's domain.  To enable an unprivileged process to
    express a file hierarchy, it first needs to open a directory (or a file)
    and pass this file descriptor to the kernel through
    landlock_add_rule(2).  When checking if a file access request is
    allowed, we walk from the requested dentry to the real root, following
    the different mount layers.  The access to each "tagged" inodes are
    collected according to their rule layer level, and ANDed to create
    access to the requested file hierarchy.  This makes possible to identify
    a lot of files without tagging every inodes nor modifying the
    filesystem, while still following the view and understanding the user
    has from the filesystem.
    
    Add a new ARCH_EPHEMERAL_INODES for UML because it currently does not
    keep the same struct inodes for the same inodes whereas these inodes are
    in use.
    
    This commit adds a minimal set of supported filesystem access-control
    which doesn't enable to restrict all file-related actions.  This is the
    result of multiple discussions to minimize the code of Landlock to ease
    review.  Thanks to the Landlock design, extending this access-control
    without breaking user space will not be a problem.  Moreover, seccomp
    filters can be used to restrict the use of syscall families which may
    not be currently handled by Landlock.
    
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com>
    Cc: James Morris <jmorris@namei.org>
    Cc: Jann Horn <jannh@google.com>
    Cc: Jeff Dike <jdike@addtoit.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Richard Weinberger <richard@nod.at>
    Cc: Serge E. Hallyn <serge@hallyn.com>
    Signed-off-by: default avatarMickaël Salaün <mic@linux.microsoft.com>
    Link: https://lore.kernel.org/r/20210422154123.13086-8-mic@digikod.netSigned-off-by: default avatarJames Morris <jamorris@linux.microsoft.com>
    cb2c7d1a
limits.h 581 Bytes