• M
    landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER · b91c3e4e
    Mickaël Salaün 提交于
    Add a new LANDLOCK_ACCESS_FS_REFER access right to enable policy writers
    to allow sandboxed processes to link and rename files from and to a
    specific set of file hierarchies.  This access right should be composed
    with LANDLOCK_ACCESS_FS_MAKE_* for the destination of a link or rename,
    and with LANDLOCK_ACCESS_FS_REMOVE_* for a source of a rename.  This
    lift a Landlock limitation that always denied changing the parent of an
    inode.
    
    Renaming or linking to the same directory is still always allowed,
    whatever LANDLOCK_ACCESS_FS_REFER is used or not, because it is not
    considered a threat to user data.
    
    However, creating multiple links or renaming to a different parent
    directory may lead to privilege escalations if not handled properly.
    Indeed, we must be sure that the source doesn't gain more privileges by
    being accessible from the destination.  This is handled by making sure
    that the source hierarchy (including the referenced file or directory
    itself) restricts at least as much the destination hierarchy.  If it is
    not the case, an EXDEV error is returned, making it potentially possible
    for user space to copy the file hierarchy instead of moving or linking
    it.
    
    Instead of creating different access rights for the source and the
    destination, we choose to make it simple and consistent for users.
    Indeed, considering the previous constraint, it would be weird to
    require such destination access right to be also granted to the source
    (to make it a superset).  Moreover, RENAME_EXCHANGE would also add to
    the confusion because of paths being both a source and a destination.
    
    See the provided documentation for additional details.
    
    New tests are provided with a following commit.
    Reviewed-by: NPaul Moore <paul@paul-moore.com>
    Signed-off-by: NMickaël Salaün <mic@digikod.net>
    Link: https://lore.kernel.org/r/20220506161102.525323-8-mic@digikod.net
    b91c3e4e
syscalls.c 12.8 KB