[PATCH v2 1/4] landlock: Support file truncation
Mickaël Salaün
mic at digikod.net
Thu Jul 28 16:25:52 UTC 2022
On 12/07/2022 23:14, Günther Noack wrote:
> Introduce the LANDLOCK_ACCESS_FS_TRUNCATE flag for file truncation.
>
> This flag hooks into the path_truncate LSM hook and covers file
> truncation using truncate(2), ftruncate(2), open(2) with O_TRUNC, as
> well as creat().
>
> This change also increments the Landlock ABI version, updates
> corresponding selftests, and includes minor documentation changes to
> document the flag.
>
> Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
> Link: https://lore.kernel.org/all/20220707200612.132705-2-gnoack3000@gmail.com/
Please don't include Link tags pointing to the previous version of the
patch. You could add it after a "---" but you already added a link to
the v1 in your cover letter, which is great. I'll add fresh links
pointing to your emails when I'll merge your changes.
Also, don't add anything after your Signed-off-by, it should be the last
line of your commit message.
> ---
> Documentation/userspace-api/landlock.rst | 5 +++++
> include/uapi/linux/landlock.h | 13 +++++++++----
> security/landlock/fs.c | 9 ++++++++-
> security/landlock/limits.h | 2 +-
> security/landlock/syscalls.c | 2 +-
> tools/testing/selftests/landlock/base_test.c | 2 +-
> tools/testing/selftests/landlock/fs_test.c | 7 ++++---
> 7 files changed, 29 insertions(+), 11 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index b8ea59493964..b86fd94ae797 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -380,6 +380,11 @@ by the Documentation/admin-guide/cgroup-v1/memory.rst.
> Previous limitations
> ====================
>
> +File truncation (ABI 1-2)
I think "ABI < 3" should be easier to understand.
> +-------------------------
> +
> +File truncation was not restrictable in ABI 1-2, so it was always permitted.
What about:
File truncation couldn't be denied before the third Landlock ABI, so it
is always allowed for kernels only supporting the first to the second ABI.
> +
> File renaming and linking (ABI 1)
> ---------------------------------
>
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> index 23df4e0e8ace..9ca7f9d0d862 100644
> --- a/include/uapi/linux/landlock.h
> +++ b/include/uapi/linux/landlock.h
> @@ -96,7 +96,12 @@ struct landlock_path_beneath_attr {
> *
> * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
> * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access.
> + * Note that you might additionally need the LANDLOCK_ACCESS_FS_TRUNCATE
> + * right in order to overwrite files with open(2) using O_TRUNC or creat(2).
> * - %LANDLOCK_ACCESS_FS_READ_FILE: Open a file with read access.
> + * - %LANDLOCK_ACCESS_FS_TRUNCATE: Truncate a file through file truncation
> + * APIs like truncate(2), ftruncate(2), open(2) with O_TRUNC or creat(2).
> + * This access right is available since the third version of the Landlock ABI.
> *
> * A directory can receive access rights related to files or directories. The
> * following access right is applied to the directory itself, and the
> @@ -139,10 +144,9 @@ struct landlock_path_beneath_attr {
> *
> * It is currently not possible to restrict some file-related actions
> * accessible through these syscall families: :manpage:`chdir(2)`,
> - * :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
> - * :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
> - * :manpage:`utime(2)`, :manpage:`ioctl(2)`, :manpage:`fcntl(2)`,
> - * :manpage:`access(2)`.
> + * :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
> + * :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
> + * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`.
> * Future Landlock evolutions will enable to restrict them.
> */
> /* clang-format off */
> @@ -160,6 +164,7 @@ struct landlock_path_beneath_attr {
> #define LANDLOCK_ACCESS_FS_MAKE_BLOCK (1ULL << 11)
> #define LANDLOCK_ACCESS_FS_MAKE_SYM (1ULL << 12)
> #define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
> +#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
> /* clang-format on */
>
> #endif /* _UAPI_LINUX_LANDLOCK_H */
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index ec5a6247cd3e..c57f581a9cd5 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -146,7 +146,8 @@ static struct landlock_object *get_inode_object(struct inode *const inode)
> #define ACCESS_FILE ( \
> LANDLOCK_ACCESS_FS_EXECUTE | \
> LANDLOCK_ACCESS_FS_WRITE_FILE | \
> - LANDLOCK_ACCESS_FS_READ_FILE)
> + LANDLOCK_ACCESS_FS_READ_FILE | \
> + LANDLOCK_ACCESS_FS_TRUNCATE)
> /* clang-format on */
>
> /*
> @@ -1140,6 +1141,11 @@ static int hook_path_rmdir(const struct path *const dir,
> return current_check_access_path(dir, LANDLOCK_ACCESS_FS_REMOVE_DIR);
> }
>
> +static int hook_path_truncate(const struct path *const path)
> +{
> + return current_check_access_path(path, LANDLOCK_ACCESS_FS_TRUNCATE);
> +}
> +
> /* File hooks */
>
> static inline access_mask_t get_file_access(const struct file *const file)
> @@ -1192,6 +1198,7 @@ static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(path_symlink, hook_path_symlink),
> LSM_HOOK_INIT(path_unlink, hook_path_unlink),
> LSM_HOOK_INIT(path_rmdir, hook_path_rmdir),
> + LSM_HOOK_INIT(path_truncate, hook_path_truncate),
>
> LSM_HOOK_INIT(file_open, hook_file_open),
> };
> diff --git a/security/landlock/limits.h b/security/landlock/limits.h
> index b54184ab9439..82288f0e9e5e 100644
> --- a/security/landlock/limits.h
> +++ b/security/landlock/limits.h
> @@ -18,7 +18,7 @@
> #define LANDLOCK_MAX_NUM_LAYERS 16
> #define LANDLOCK_MAX_NUM_RULES U32_MAX
>
> -#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_REFER
> +#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_TRUNCATE
> #define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1)
> #define LANDLOCK_NUM_ACCESS_FS __const_hweight64(LANDLOCK_MASK_ACCESS_FS)
>
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 735a0865ea11..f4d6fc7ed17f 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -129,7 +129,7 @@ static const struct file_operations ruleset_fops = {
> .write = fop_dummy_write,
> };
>
> -#define LANDLOCK_ABI_VERSION 2
> +#define LANDLOCK_ABI_VERSION 3
>
> /**
> * sys_landlock_create_ruleset - Create a new ruleset
> diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
> index da9290817866..72cdae277b02 100644
> --- a/tools/testing/selftests/landlock/base_test.c
> +++ b/tools/testing/selftests/landlock/base_test.c
> @@ -75,7 +75,7 @@ TEST(abi_version)
> const struct landlock_ruleset_attr ruleset_attr = {
> .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
> };
> - ASSERT_EQ(2, landlock_create_ruleset(NULL, 0,
> + ASSERT_EQ(3, landlock_create_ruleset(NULL, 0,
> LANDLOCK_CREATE_RULESET_VERSION));
>
> ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
> diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
> index 21a2ce8fa739..cb77eaa01c91 100644
> --- a/tools/testing/selftests/landlock/fs_test.c
> +++ b/tools/testing/selftests/landlock/fs_test.c
> @@ -399,9 +399,10 @@ TEST_F_FORK(layout1, inval)
> #define ACCESS_FILE ( \
> LANDLOCK_ACCESS_FS_EXECUTE | \
> LANDLOCK_ACCESS_FS_WRITE_FILE | \
> - LANDLOCK_ACCESS_FS_READ_FILE)
> + LANDLOCK_ACCESS_FS_READ_FILE | \
> + LANDLOCK_ACCESS_FS_TRUNCATE)
>
> -#define ACCESS_LAST LANDLOCK_ACCESS_FS_REFER
> +#define ACCESS_LAST LANDLOCK_ACCESS_FS_TRUNCATE
>
> #define ACCESS_ALL ( \
> ACCESS_FILE | \
> @@ -415,7 +416,7 @@ TEST_F_FORK(layout1, inval)
> LANDLOCK_ACCESS_FS_MAKE_FIFO | \
> LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
> LANDLOCK_ACCESS_FS_MAKE_SYM | \
> - ACCESS_LAST)
> + LANDLOCK_ACCESS_FS_REFER)
>
> /* clang-format on */
>
More information about the Linux-security-module-archive
mailing list