[PATCH v2 4/4] landlock: Document Landlock's file truncation support
Mickaël Salaün
mic at digikod.net
Fri Jul 29 10:47:46 UTC 2022
On 12/07/2022 23:14, Günther Noack wrote:
> Use the LANDLOCK_ACCESS_FS_TRUNCATE flag in the tutorial.
>
> Adapt the backwards compatibility example and discussion to remove the
> truncation flag if needed.
>
> Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
> Link: https://lore.kernel.org/all/20220707200612.132705-1-gnoack3000@gmail.com/
> ---
> Documentation/userspace-api/landlock.rst | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index b86fd94ae797..41fa464cc8b8 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -60,7 +60,8 @@ the need to be explicit about the denied-by-default access rights.
> LANDLOCK_ACCESS_FS_MAKE_FIFO |
> LANDLOCK_ACCESS_FS_MAKE_BLOCK |
> LANDLOCK_ACCESS_FS_MAKE_SYM |
> - LANDLOCK_ACCESS_FS_REFER,
> + LANDLOCK_ACCESS_FS_REFER |
> + LANDLOCK_ACCESS_FS_TRUNCATE,
> };
>
> Because we may not know on which kernel version an application will be
> @@ -69,14 +70,22 @@ should try to protect users as much as possible whatever the kernel they are
> using. To avoid binary enforcement (i.e. either all security features or
> none), we can leverage a dedicated Landlock command to get the current version
> of the Landlock ABI and adapt the handled accesses. Let's check if we should
> -remove the `LANDLOCK_ACCESS_FS_REFER` access right which is only supported
> -starting with the second version of the ABI.
> +remove the `LANDLOCK_ACCESS_FS_REFER` and `LANDLOCK_ACCESS_FS_TRUNCATE` access
> +rights, which are only supported starting with the second and third version of
> +the ABI.
>
> .. code-block:: c
>
> int abi;
>
> abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
> + if (abi == -1) {
> + perror("Landlock is unsupported on this kernel");
"Landlock is not supported with the running kernel"?
> + return 1;
> + }
> + if (abi < 3) {
> + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
> + }
I guess we could use the same switch/case code as for the sample. I'm
not sure what would be the less confusing for users though.
> if (abi < 2) {
> ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
> }
> @@ -127,8 +136,8 @@ descriptor.
>
> It may also be required to create rules following the same logic as explained
> for the ruleset creation, by filtering access rights according to the Landlock
> -ABI version. In this example, this is not required because
> -`LANDLOCK_ACCESS_FS_REFER` is not allowed by any rule.
> +ABI version. In this example, this is not required because all of the requested
> +``allowed_access`` rights are already available in ABI 1.
Good!
>
> We now have a ruleset with one rule allowing read access to ``/usr`` while
> denying all other handled accesses for the filesystem. The next step is to
More information about the Linux-security-module-archive
mailing list