[PATCH v3 0/4] landlock: truncate support
Günther Noack
gnoack3000 at gmail.com
Thu Aug 4 19:37:42 UTC 2022
The goal of these patches is to work towards a more complete coverage
of file system operations that are restrictable with Landlock.
The known set of currently unsupported file system operations in
Landlock is described at [1]. Out of the operations listed there,
truncate is the only one that modifies file contents, so these patches
should make it possible to prevent the direct modification of file
contents with Landlock.
The patch introduces the truncation restriction feature as an
additional bit in the access_mask_t bitmap, in line with the existing
supported operations.
The truncation flag covers both the truncate(2) and ftruncate(2)
families of syscalls, as well as open(2) with the O_TRUNC flag.
This includes usages of creat() in the case where existing regular
files are overwritten.
Apart from Landlock, file truncation can also be restricted using
seccomp-bpf, but it is more difficult to use (requires BPF, requires
keeping up-to-date syscall lists) and it is not configurable by file
hierarchy, as Landlock is. The simplicity and flexibility of the
Landlock approach makes it worthwhile adding.
While it's possible to use the "write file" and "truncate" rights
independent of each other, it simplifies the mental model for
userspace callers to always use them together.
Specifically, the following behaviours might be surprising for users
when using these independently:
* The commonly creat() syscall requires the truncate right when
overwriting existing files, as it is equivalent to open(2) with
O_TRUNC|O_CREAT|O_WRONLY.
* The "write file" right is not always required to truncate a file,
even through the open(2) syscall (when using O_RDONLY|O_TRUNC).
Nevertheless, keeping the two flags separate is the correct approach
to guarantee backwards compatibility for existing Landlock users.
These patches are based on version 5.19.
Best regards,
Günther
[1] https://docs.kernel.org/userspace-api/landlock.html#filesystem-flags
History:
v3:
* selftests:
* Explicitly test ftruncate with readonly file descriptors
(returns EINVAL).
* Extract test_ftruncate, test_truncate, test_creat helpers,
which simplified the previously mixed usage of EXPECT/ASSERT.
* Test creat() behaviour as part of the big truncation test.
* Stop testing the truncate64(2) and ftruncate64(2) syscalls.
This simplifies the tests a bit. The kernel implementations are the
same as for truncate(2) and ftruncate(2), so there is little benefit
from testing them exhaustively. (We aren't testing all open(2)
variants either.)
* samples/landlock/sandboxer.c:
* Use switch() to implement best effort mode.
* Documentation:
* Give more background on surprising truncation behaviour.
* Use switch() in the example too, to stay in-line with the sample tool.
* Small fixes in header file to address previous comments.
* misc:
* Fix some typos and const usages.
v2:
* Documentation: Mention the truncation flag where needed.
* Documentation: Point out connection between truncation and file writing.
* samples: Add file truncation to the landlock/sandboxer.c sample tool.
* selftests: Exercise open(2) with O_TRUNC and creat(2) exhaustively.
* selftests: Exercise truncation syscalls when the truncate right
is not handled by Landlock.
Previous versions:
v1: https://lore.kernel.org/all/20220707200612.132705-1-gnoack3000@gmail.com/
v2: https://lore.kernel.org/all/20220712211405.14705-1-gnoack3000@gmail.com/
Günther Noack (4):
landlock: Support file truncation
selftests/landlock: Selftests for file truncation support
samples/landlock: Extend sample tool to support
LANDLOCK_ACCESS_FS_TRUNCATE
landlock: Document Landlock's file truncation support
Documentation/userspace-api/landlock.rst | 47 ++++-
include/uapi/linux/landlock.h | 17 +-
samples/landlock/sandboxer.c | 21 +-
security/landlock/fs.c | 9 +-
security/landlock/limits.h | 2 +-
security/landlock/syscalls.c | 2 +-
tools/testing/selftests/landlock/base_test.c | 2 +-
tools/testing/selftests/landlock/fs_test.c | 211 ++++++++++++++++++-
8 files changed, 283 insertions(+), 28 deletions(-)
base-commit: 3d7cb6b04c3f3115719235cc6866b10326de34cd
--
2.37.1
More information about the Linux-security-module-archive
mailing list