From 2b42bcee6f27bf66521ae201274462db634e2347 Mon Sep 17 00:00:00 2001 From: Robert Hambrock Date: Tue, 5 Nov 2024 04:30:05 +0100 Subject: [PATCH 1/6] log Landlock ABI version --- core/parachain/pvf/kagome_pvf_worker.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/core/parachain/pvf/kagome_pvf_worker.cpp b/core/parachain/pvf/kagome_pvf_worker.cpp index 9ad170c465..ab7b22eabd 100644 --- a/core/parachain/pvf/kagome_pvf_worker.cpp +++ b/core/parachain/pvf/kagome_pvf_worker.cpp @@ -160,6 +160,8 @@ namespace kagome::parachain { auto abi = ::syscall( SYS_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); + auto logger = log::createLogger("Landlock", "parachain"); + SL_INFO(logger, "Landlock ABI version: {} ", abi); if (abi < 0) { return getLastErr("landlock_create_ruleset"); } @@ -173,6 +175,7 @@ namespace kagome::parachain { | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM + #ifdef LANDLOCK_ACCESS_FS_REFER | LANDLOCK_ACCESS_FS_REFER #endif From ee79fe3b66cf5cfa817b5ebf9747ae577c380eab Mon Sep 17 00:00:00 2001 From: Robert Hambrock Date: Tue, 5 Nov 2024 04:36:58 +0100 Subject: [PATCH 2/6] fix "lcr failed: Argument list too long" --- core/parachain/pvf/kagome_pvf_worker.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/parachain/pvf/kagome_pvf_worker.cpp b/core/parachain/pvf/kagome_pvf_worker.cpp index ab7b22eabd..24dc332315 100644 --- a/core/parachain/pvf/kagome_pvf_worker.cpp +++ b/core/parachain/pvf/kagome_pvf_worker.cpp @@ -182,8 +182,8 @@ namespace kagome::parachain { #ifdef LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_TRUNCATE #endif - , #ifdef LANDLOCK_ACCESS_NET_CONNECT_TCP + , .handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, #endif From d2071b4394da286e3431951d411088ab414245fd Mon Sep 17 00:00:00 2001 
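Review bot: The new `SL_INFO(logger, "Landlock ABI version: {} ", abi);` in the `@@ -160,6 +160,8 @@` hunk runs before the `if (abi < 0)` check, so a failed `landlock_create_ruleset` probe is first logged as ABI version -1 at info level. The version line is the only record of what sandbox level the worker negotiated, so it should report only a valid value. I would move the two added lines below the error check and drop the trailing space in the format string: `if (abi < 0) { return getLastErr("landlock_create_ruleset"); }` followed by `SL_INFO(logger, "Landlock ABI version: {}", abi);`. The enclosing function starts and ends outside the hunk.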
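Review bot: Moving the comma inside `#ifdef LANDLOCK_ACCESS_NET_CONNECT_TCP` in the `@@ -182,8 +182,8 @@` hunk of PATCH 2/6 leaves the initializer token-for-token the same whenever the macro is defined. `.handled_access_net` is therefore still set unconditionally on such builds, and the "Argument list too long" failure named in the subject would presumably still occur on a kernel that predates the network field. The runtime `abi` gating that appears to address it only arrives in PATCH 3/6. I would either squash this into that commit or reword the subject so that someone bisecting a sandbox start-up failure is not pointed at a commit that only moves a comma.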
From: Robert Hambrock Date: Tue, 5 Nov 2024 04:45:14 +0100 Subject: [PATCH 3/6] dynamically determine Landlock V of running kernel Prior implementation assumed landlock version from flag declarations in headers on compilation host, which do not necessarily match flags available at runtime, in particular on a different runtime target. To include a Landlock flag, now need both availability of flag on compilation host and runtime target. --- core/parachain/pvf/kagome_pvf_worker.cpp | 42 ++++++++++++++++-------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/core/parachain/pvf/kagome_pvf_worker.cpp b/core/parachain/pvf/kagome_pvf_worker.cpp index 24dc332315..7c195916f2 100644 --- a/core/parachain/pvf/kagome_pvf_worker.cpp +++ b/core/parachain/pvf/kagome_pvf_worker.cpp @@ -15,6 +15,7 @@ #ifdef __linux__ #include +#include #include #include #include 
@@ -166,26 +167,41 @@ namespace kagome::parachain { return getLastErr("landlock_create_ruleset"); } - struct landlock_ruleset_attr ruleset_attr = { - .handled_access_fs = - LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE - | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR - | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE - | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR - | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK - | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK - | LANDLOCK_ACCESS_FS_MAKE_SYM + __u64 access_fs = + LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE + | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR + | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE + | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR + | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK + | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK + | LANDLOCK_ACCESS_FS_MAKE_SYM; #ifdef LANDLOCK_ACCESS_FS_REFER - | LANDLOCK_ACCESS_FS_REFER + if (abi >= 2) { + SL_INFO(logger, "Adding FS REFER", abi); + access_fs |= LANDLOCK_ACCESS_FS_REFER; + } #endif #ifdef LANDLOCK_ACCESS_FS_TRUNCATE - | LANDLOCK_ACCESS_FS_TRUNCATE + if (abi >= 3) { + SL_INFO(logger, "Adding FS TRUNCATE"); + access_fs |= LANDLOCK_ACCESS_FS_TRUNCATE; + } +#endif +#ifdef LANDLOCK_ACCESS_NET_CONNECT_TCP + __u64 access_net = 0; + if (abi >= 4) { + SL_INFO(logger, "Adding NET TCP"); + access_net = + LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP; + } #endif + + struct landlock_ruleset_attr ruleset_attr = { + .handled_access_fs = access_fs #ifdef LANDLOCK_ACCESS_NET_CONNECT_TCP , - .handled_access_net = - LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP, + .handled_access_net = access_net #endif }; From e2f248d1a8d50fec777a77c0e20c4440d99512fd Mon Sep 17 00:00:00 2001 
From: Robert Hambrock Date: Tue, 5 Nov 2024 05:03:42 +0100 Subject: [PATCH 4/6] refactor: mutate final struct directly --- core/parachain/pvf/kagome_pvf_worker.cpp | 33 +++++++++--------------- 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/core/parachain/pvf/kagome_pvf_worker.cpp b/core/parachain/pvf/kagome_pvf_worker.cpp index 7c195916f2..79ea4c9f02 100644 --- a/core/parachain/pvf/kagome_pvf_worker.cpp +++ b/core/parachain/pvf/kagome_pvf_worker.cpp @@ -15,7 +15,6 @@ #ifdef __linux__ #include -#include #include #include #include 
@@ -167,44 +166,36 @@ namespace kagome::parachain { return getLastErr("landlock_create_ruleset"); } - __u64 access_fs = - LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE - | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR - | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE - | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR - | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK - | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK - | LANDLOCK_ACCESS_FS_MAKE_SYM; + struct landlock_ruleset_attr ruleset_attr = { + .handled_access_fs = + LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_WRITE_FILE + | LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR + | LANDLOCK_ACCESS_FS_REMOVE_DIR | LANDLOCK_ACCESS_FS_REMOVE_FILE + | LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR + | LANDLOCK_ACCESS_FS_MAKE_REG | LANDLOCK_ACCESS_FS_MAKE_SOCK + | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK + | LANDLOCK_ACCESS_FS_MAKE_SYM}; #ifdef LANDLOCK_ACCESS_FS_REFER if (abi >= 2) { SL_INFO(logger, "Adding FS REFER", abi); - access_fs |= LANDLOCK_ACCESS_FS_REFER; + ruleset_attr.handled_access_fs |= LANDLOCK_ACCESS_FS_REFER; } #endif #ifdef LANDLOCK_ACCESS_FS_TRUNCATE if (abi >= 3) { SL_INFO(logger, "Adding FS TRUNCATE"); - access_fs |= LANDLOCK_ACCESS_FS_TRUNCATE; + ruleset_attr.handled_access_fs |= LANDLOCK_ACCESS_FS_TRUNCATE; } #endif #ifdef LANDLOCK_ACCESS_NET_CONNECT_TCP - __u64 access_net = 0; if (abi >= 4) { SL_INFO(logger, "Adding NET TCP"); - access_net = + ruleset_attr.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP; } #endif - struct landlock_ruleset_attr ruleset_attr = { - .handled_access_fs = access_fs -#ifdef LANDLOCK_ACCESS_NET_CONNECT_TCP - , - .handled_access_net = access_net -#endif - }; - auto ruleset_fd = ::syscall( SYS_landlock_create_ruleset, &ruleset_attr, sizeof(ruleset_attr), 0); if (ruleset_fd < 0) { 
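Review bot: After this refactor `handled_access_net` is zero on kernels below ABI 4 only because the designated initializer leaves the field unset, and no comment says that this is load-bearing. `sizeof(ruleset_attr)` passed to `landlock_create_ruleset` still covers the field when the build headers define it. As far as I know an older kernel accepts the larger struct only while the bytes it does not know are zero, which matches the E2BIG mentioned in PATCH 2/6. I would add a comment above the initializer such as `// handled_access_net must stay zero unless abi >= 4: older kernels reject non-zero unknown fields with E2BIG`, so a later edit does not move the network flags back into the initializer.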
From 6145b464f0766d1ed43acb0e0f3503425e6b3fcb Mon Sep 17 00:00:00 2001 From: Robert Hambrock Date: Tue, 5 Nov 2024 05:12:54 +0100 Subject: [PATCH 5/6] remove debug logging --- core/parachain/pvf/kagome_pvf_worker.cpp | 3 --- 1 file changed, 3 deletions(-) diff --git a/core/parachain/pvf/kagome_pvf_worker.cpp b/core/parachain/pvf/kagome_pvf_worker.cpp index 79ea4c9f02..fc04d71a8c 100644 --- a/core/parachain/pvf/kagome_pvf_worker.cpp +++ b/core/parachain/pvf/kagome_pvf_worker.cpp @@ -178,19 +178,16 @@ namespace kagome::parachain { #ifdef LANDLOCK_ACCESS_FS_REFER if (abi >= 2) { - SL_INFO(logger, "Adding FS REFER", abi); ruleset_attr.handled_access_fs |= LANDLOCK_ACCESS_FS_REFER; } #endif #ifdef LANDLOCK_ACCESS_FS_TRUNCATE if (abi >= 3) { - SL_INFO(logger, "Adding FS TRUNCATE"); ruleset_attr.handled_access_fs |= LANDLOCK_ACCESS_FS_TRUNCATE; } #endif #ifdef LANDLOCK_ACCESS_NET_CONNECT_TCP if (abi >= 4) { - SL_INFO(logger, "Adding NET TCP"); ruleset_attr.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP | LANDLOCK_ACCESS_NET_CONNECT_TCP; } From fca5dfa1233b2568847d77b370817235ef046781 Mon Sep 17 00:00:00 2001 From: Robert Hambrock Date: Tue, 5 Nov 2024 06:04:52 +0100 Subject: [PATCH 6/6] add brief doc --- core/parachain/pvf/kagome_pvf_worker.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/parachain/pvf/kagome_pvf_worker.cpp b/core/parachain/pvf/kagome_pvf_worker.cpp index fc04d71a8c..bb157b7b77 100644 --- a/core/parachain/pvf/kagome_pvf_worker.cpp +++ b/core/parachain/pvf/kagome_pvf_worker.cpp @@ -176,6 +176,8 @@ namespace kagome::parachain { | LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM}; + // only add Landlock V2+ features if defined and supported by the (runtime) + // kernel #ifdef LANDLOCK_ACCESS_FS_REFER if (abi >= 2) { ruleset_attr.handled_access_fs |= LANDLOCK_ACCESS_FS_REFER;