Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permissive mode #17

Open
l0kod opened this issue Jan 29, 2024 · 1 comment
Open

Permissive mode #17

l0kod opened this issue Jan 29, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@l0kod
Copy link
Member

l0kod commented Jan 29, 2024
edited
Loading

Before enforcing a sandbox on a fleet with potential different configurations and states, it would be useful to know whether a restriction would have an effect on legitimate use cases. By being able to have a permissive/not-enforcing mode and thanks to #3, telemetry can inform us of all access requests that would have been denied. We can then improve the sandbox configuration and get guarantees that it will not break current workstream.

This should be configurable with a new LANDLOCK_RESTRICT_SELF_PERMISSIVE flag passed to landlock_restrict_self(). Of course, this flag must only apply to the new domain layer, the inherited restrictions and the future nested restrictions will still be enforced.
@l0kod l0kod added the enhancement New feature or request label Jan 29, 2024
@l0kod
Copy link
Member Author

l0kod commented Feb 21, 2024

Related to landlock-lsm/rust-landlock#36, but this would be implemented kernel-side. Both implementation are valuables and complementary for different use cases:

  • user space libraries: debugging, testing and telemetry for (unprivileged) app developers;
  • kernel audit: debugging, testing and telemetry for system administrators.

l0kod pushed a commit that referenced this issue Sep 9, 2024
@superjamie @gregkh
ethtool: check device is present when getting link settings
842a40c 
[ Upstream commit a699781 ]

A sysfs reader can race with a device reset or removal, attempting to
read device state when the device is not actually present. eg:

     [exception RIP: qed_get_current_link+17]
  #8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]
  #9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3
 #10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4
 #11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300
 #12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c
 #13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b
 #14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3
 #15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1
 #16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f
 #17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb

 crash> struct net_device.state ffff9a9d21336000
    state = 5,

state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).
The device is not present, note lack of __LINK_STATE_PRESENT (0b10).

This is the same sort of panic as observed in commit 4224cfd
("net-sysfs: add check for netdevice being present to speed_show").

There are many other callers of __ethtool_get_link_ksettings() which
don't have a device presence check.

Move this check into ethtool to protect all callers.

Fixes: d519e17 ("net: export device speed and duplex via sysfs")
Fixes: 4224cfd ("net-sysfs: add check for netdevice being present to speed_show")
Signed-off-by: Jamie Bainbridge <jamie.bainbridge@gmail.com>
Link: https://patch.msgid.link/8bae218864beaa44ed01628140475b9bf641c5b0.1724393671.git.jamie.bainbridge@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
Landlock
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
1 participant
@l0kod