• Mickaël Salaün's avatar
    landlock: Add object management · 90945448
    Mickaël Salaün authored
    A Landlock object enables to identify a kernel object (e.g. an inode).
    A Landlock rule is a set of access rights allowed on an object.  Rules
    are grouped in rulesets that may be tied to a set of processes (i.e.
    subjects) to enforce a scoped access-control (i.e. a domain).
    
    Because Landlock's goal is to empower any process (especially
    unprivileged ones) to sandbox themselves, we cannot rely on a
    system-wide object identification such as file extended attributes.
    Indeed, we need innocuous, composable and modular access-controls.
    
    The main challenge with these constraints is to identify kernel objects
    while this identification is useful (i.e. when a security policy makes
    use of this object).  But this identification data should be freed once
    no policy is using it.  This ephemeral tagging should not and may not be
    written in the filesystem.  We then need to manage the lifetime of a
    rule according to the lifetime of its objects.  To avoid a global lock,
    this implementation make use of RCU and counters to safely reference
    objects.
    
    A following commit uses this generic object management for inodes.
    
    Cc: James Morris <jmorris@namei.org>
    Signed-off-by: default avatarMickaël Salaün <mic@linux.microsoft.com>
    Reviewed-by: default avatarJann Horn <jannh@google.com>
    Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
    Reviewed-by: default avatarKees Cook <keescook@chromium.org>
    Link: https://lore.kernel.org/r/20210422154123.13086-2-mic@digikod.netSigned-off-by: default avatarJames Morris <jamorris@linux.microsoft.com>
    90945448
object.c 1.73 KB