[PATCH v3 1/4] landlock: Support file truncation
Mickaël Salaün
mic at digikod.net
Thu Aug 11 16:59:28 UTC 2022
On 04/08/2022 21:37, Günther Noack wrote:
> Introduce the LANDLOCK_ACCESS_FS_TRUNCATE flag for file truncation.
>
> This flag hooks into the path_truncate LSM hook and covers file
> truncation using truncate(2), ftruncate(2), open(2) with O_TRUNC, as
> well as creat().
>
> This change also increments the Landlock ABI version, updates
> corresponding selftests, and includes minor documentation changes to
> document the flag.
>
> Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
> ---
> Documentation/userspace-api/landlock.rst | 6 ++++++
> include/uapi/linux/landlock.h | 17 ++++++++++++-----
> security/landlock/fs.c | 9 ++++++++-
> security/landlock/limits.h | 2 +-
> security/landlock/syscalls.c | 2 +-
> tools/testing/selftests/landlock/base_test.c | 2 +-
> tools/testing/selftests/landlock/fs_test.c | 7 ++++---
> 7 files changed, 33 insertions(+), 12 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index b8ea59493964..d92e335380d4 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -380,6 +380,12 @@ by the Documentation/admin-guide/cgroup-v1/memory.rst.
> Previous limitations
> ====================
>
> +File truncation (ABI < 3)
> +-------------------------
> +
> +File truncation could not be denied before the third Landlock ABI, so it is
> +always allowed when using a kernel that only supports the first or second ABI.
I think this addition could make the documentation more consistent and
helpful:
Starting with the Landlock ABI version 3, it is now possible to securely
control truncation thanks to the new `LANDLOCK_ACCESS_FS_TRUNCATE`
access right.
> +
> File renaming and linking (ABI 1)
> ---------------------------------
>
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> index 23df4e0e8ace..1beb8289708d 100644
> --- a/include/uapi/linux/landlock.h
> +++ b/include/uapi/linux/landlock.h
> @@ -95,8 +95,15 @@ struct landlock_path_beneath_attr {
> * A file can only receive these access rights:
> *
> * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
> - * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access.
> + * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. Note that
> + * you might additionally need the LANDLOCK_ACCESS_FS_TRUNCATE right in order
Please use backquotes for code such as `LANDLOCK_ACCESS_FS_TRUNCATE`,
`O_TRUNC`…
> + * to overwrite files with :manpage:`open(2)` using O_TRUNC or
> + * :manpage:`creat(2)`.
> * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
> + * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file through file truncation APIs
> + * like :manpage:`truncate(2)`, :manpage:`ftruncate(2)`, or
> + * :manpage:`open(2)` with O_TRUNC or :manpage:`creat(2)`. This access right
> + * is available since the third version of the Landlock ABI.
> *
> * A directory can receive access rights related to files or directories. The
> * following access right is applied to the directory itself, and the
> @@ -139,10 +146,9 @@ struct landlock_path_beneath_attr {
> *
> * It is currently not possible to restrict some file-related actions
> * accessible through these syscall families: :manpage:`chdir(2)`,
> - * :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
> - * :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
> - * :manpage:`utime(2)`, :manpage:`ioctl(2)`, :manpage:`fcntl(2)`,
> - * :manpage:`access(2)`.
> + * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
> + * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
> + * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`.
> * Future Landlock evolutions will enable to restrict them.
> */
> /* clang-format off */
More information about the Linux-security-module-archive
mailing list