[PATCH v3] samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER
Mickaël Salaün
mic at digikod.net
Mon Nov 7 20:52:38 UTC 2022
Thanks! Pushed to my -next branch.
On 07/11/2022 19:16, Günther Noack wrote:
> Add a comment to clarify how to handle best-effort backwards
> compatibility for LANDLOCK_ACCESS_FS_REFER.
>
> The "refer" access is special because these operations are always
> forbidden in ABI 1, unlike most other operations, which are permitted
> when using Landlock ABI levels where they are not supported yet.
>
> Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
> ---
> samples/landlock/sandboxer.c | 17 ++++++++++++++++-
> 1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> index fd4237c64fb2..e2056c8b902c 100644
> --- a/samples/landlock/sandboxer.c
> +++ b/samples/landlock/sandboxer.c
> @@ -234,7 +234,22 @@ int main(const int argc, char *const argv[], char *const *const envp)
> /* Best-effort security. */
> switch (abi) {
> case 1:
> - /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
> + /*
> + * Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2
> + *
> + * Note: The "refer" operations (file renaming and linking
> + * across different directories) are always forbidden when using
> + * Landlock with ABI 1.
> + *
> + * If only ABI 1 is available, this sandboxer knowingly forbids
> + * refer operations.
> + *
> + * If a program *needs* to do refer operations after enabling
> + * Landlock, it can not use Landlock at ABI level 1. To be
> + * compatible with different kernel versions, such programs
> + * should then fall back to not restrict themselves at all if
> + * the running kernel only supports ABI 1.
> + */
> ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
> __attribute__((fallthrough));
> case 2:
>
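Review bot: two wording fixes in the new comment block before this lands: "it can not use Landlock at ABI level 1" should read "it cannot use Landlock at ABI level 1", and "fall back to not restrict themselves at all" should read "fall back to not restricting themselves at all". Since the comment now states that the sandboxer knowingly forbids refer operations on ABI 1, consider also printing a short notice to stderr in this `case 1:` branch, so a user of the sample learns why cross-directory renames and links fail instead of discovering it only when such an operation is refused.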
> base-commit: 4bc90a766ea5af69c12ca1ea00b7fc5fe1d68831
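The best-effort decision that the patch comment describes, as an added example that is not part of the patch or of samples/landlock/sandboxer.c: it probes the kernel's Landlock ABI and then either drops LANDLOCK_ACCESS_FS_REFER (ABI 1, refer not required), keeps it (ABI 2 or later), or declines to restrict the process at all (ABI 1 but refer required, or no Landlock). The constant values are copied from the Landlock UAPI header; `landlock_abi()` and `landlock_best_effort()` are names chosen for this example.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values mirror include/uapi/linux/landlock.h (only those used here). */
#define LANDLOCK_ACCESS_FS_READ_FILE    (1ULL << 2)
#define LANDLOCK_ACCESS_FS_REFER        (1ULL << 13) /* ABI 2 and later */
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
/* Query the running kernel's Landlock ABI; <= 0 means not available. */
static int landlock_abi(void)
{
#ifdef __NR_landlock_create_ruleset
	return (int)syscall(__NR_landlock_create_ruleset, NULL, 0,
			    LANDLOCK_CREATE_RULESET_VERSION);
#else
	return -1; /* these headers carry no Landlock syscall number */
#endif
}
/* The best-effort decision from the sandboxer comment: returns true when a
 * ruleset should be created with *handled, false when the program must not
 * restrict itself (no Landlock, or ABI 1 while refer operations are needed). */
static bool landlock_best_effort(int abi, uint64_t wanted, bool needs_refer,
				 uint64_t *handled)
{
	if (abi < 1)
		return false;
	*handled = wanted;
	if (abi < 2) {
		/* ABI 1 always forbids refer, so a program that needs it
		 * cannot use Landlock at all on this kernel. */
		if (needs_refer)
			return false;
		*handled &= ~LANDLOCK_ACCESS_FS_REFER; /* knowingly forbid refer */
	}
	return true;
}

int main(void)
{
	uint64_t handled, wanted = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_REFER;
	int abi = landlock_abi();
	if (landlock_best_effort(abi, wanted, false, &handled))
		printf("ABI %d: handled access mask 0x%llx\n", abi, (unsigned long long)handled);
	else
		printf("ABI %d: not restricting this process\n", abi);
	return 0;
}
```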