[PATCH v5 0/4] landlock: truncate support
Mickaël Salaün
mic at digikod.net
Fri Sep 2 13:12:47 UTC 2022
On 02/09/2022 14:26, xiujianfeng wrote:
> Hi,
>
> 在 2022/9/2 1:10, Mickaël Salaün 写道:
>> Hmm, I think there is an issue with this series. Landlock only enforces
>> restrictions at open time or when dealing with user-supplied file paths
>> (relative or absolute). The use of the path_truncate hook in this series
>> doesn't distinguish between file descriptor from before the current
>> sandbox or from after being sandboxed. For instance, if a file
>> descriptor is received through a unix socket, it is assumed that this is
>> legitimate and no Landlock restriction apply on it, which is not the
>> case with this series anymore. It is the same for files opened before
>> the process sandbox itself.
>
> so I think this issue also exists in the chown/chmod series, right?
> there is a testcase in that patchset verify the corresponding rights
> inside the sanbox with a fd opened before sanboxing.
Correct. For LANDLOCK_ACCESS_FS_TRUNCATE, we need to add tests to make
sure that:
* a sandboxed process with the truncate restriction can open a file in
write mode, forward it to an un-sandboxed process, and make sure this
receiver cannot truncate the file descriptor, nor its dup.
* an inherited file descriptor can be truncated even if done by a
sandboxed process, except if it was created by a sandboxed process and
the truncate restriction applied on it.
However, for the file metadata accesses, I suggest you first focus on
the inode_setattr and inode_setxattr hook modifications. We'll get back
to this FD-based restrictions later.
More information about the Linux-security-module-archive
mailing list