From: "Günther Noack" <firstname.lastname@example.org>
Cc: "Mickaël Salaün" <email@example.com>,
"James Morris" <firstname.lastname@example.org>,
"Paul Moore" <email@example.com>,
"Serge E . Hallyn" <firstname.lastname@example.org>,
"Konstantin Meskhidze" <email@example.com>,
"Günther Noack" <firstname.lastname@example.org>
Subject: [PATCH v6 0/5] landlock: truncate support
Date: Thu, 8 Sep 2022 21:58:00 +0200 [thread overview]
Message-ID: <email@example.com> (raw)
The goal of these patches is to work towards a more complete coverage
of file system operations that are restrictable with Landlock.
The known set of currently unsupported file system operations in
Landlock is described at . Out of the operations listed there,
truncate is the only one that modifies file contents, so these patches
should make it possible to prevent the direct modification of file
contents with Landlock.
The patch introduces the truncation restriction feature as an
additional bit in the access_mask_t bitmap, in line with the existing
The truncation flag covers both the truncate(2) and ftruncate(2)
families of syscalls, as well as open(2) with the O_TRUNC flag.
This includes usages of creat() in the case where existing regular
files are overwritten.
Apart from Landlock, file truncation can also be restricted using
seccomp-bpf, but it is more difficult to use (requires BPF, requires
keeping up-to-date syscall lists) and it is not configurable by file
hierarchy, as Landlock is. The simplicity and flexibility of the
Landlock approach makes it worthwhile adding.
While it's possible to use the "write file" and "truncate" rights
independent of each other, it simplifies the mental model for
userspace callers to always use them together.
Specifically, the following behaviours might be surprising for users
when using these independently:
* The commonly creat() syscall requires the truncate right when
overwriting existing files, as it is equivalent to open(2) with
* The "write file" right is not always required to truncate a file,
even through the open(2) syscall (when using O_RDONLY|O_TRUNC).
Nevertheless, keeping the two flags separate is the correct approach
to guarantee backwards compatibility for existing Landlock users.
Notably, the availability of the truncate right is associated with an
opened file when opening the file and is later checked to authorize
ftruncate(2) operations. This is similar to how the write mode gets
remembered after a open(..., O_WRONLY) to authorize later write()
operations. These opened file descriptors can also be passed between
processes and will continue to enforce their truncation properties
when these processes attempt an ftruncate().
These patches are based on version 6.0-rc4.
* LSM hooks: create file_truncate hook in addition to path_truncate.
Use it in the existing path_truncate call sites where appropriate.
* landlock: check LANDLOCK_ACCESS_FS_TRUNCATE right during open(), and
associate that right with the opened struct file in a security blob.
Introduce get_path_access_rights() helper function.
* selftests: test ftruncate in a separate test, to exercise that
the rights are associated with the file descriptor.
* Documentation: Rework documentation to reflect new ftruncate() semantics.
* Applied small fixes by Mickaël Salaün which he added on top of V5, in
(I hope I found them all.)
* Fix wording in userspace-api headers and in landlock.rst.
* Move the truncation limitation section one to the bottom.
* Move all .rst changes into the documentation commit.
* Remove _metadata argument from helpers where it became unnecessary.
* Open writable file descriptors at the top of both tests, before Landlock
is enabled, to exercise ftruncate() independently from open().
* Simplify test_ftruncate and decouple it from exercising open().
* test_creat(): Return errno on close() failure (it does not conflict).
* Fix /* comment style */
* Reorder blocks of EXPECT_EQ checks to be consistent within a test.
* Add missing |O_TRUNC to a check in one test.
* Put the truncate_unhandled test before the other.
* Clarify wording and syntax as discussed in review.
* Use a less confusing error message in the example.
* Stop using ASSERT_EQ in test helpers, return EBADFD instead.
(This is an intentionally uncommon error code, so that the source
of the error is clear and the test can distinguish test setup
failures from failures in the actual system call under test.)
* Use additional clarifying comments in the kernel backwards
* Explicitly test ftruncate with readonly file descriptors
* Extract test_ftruncate, test_truncate, test_creat helpers,
which simplified the previously mixed usage of EXPECT/ASSERT.
* Test creat() behaviour as part of the big truncation test.
* Stop testing the truncate64(2) and ftruncate64(2) syscalls.
This simplifies the tests a bit. The kernel implementations are the
same as for truncate(2) and ftruncate(2), so there is little benefit
from testing them exhaustively. (We aren't testing all open(2)
* Use switch() to implement best effort mode.
* Give more background on surprising truncation behaviour.
* Use switch() in the example too, to stay in-line with the sample tool.
* Small fixes in header file to address previous comments.
* Fix some typos and const usages.
* Documentation: Mention the truncation flag where needed.
* Documentation: Point out connection between truncation and file writing.
* samples: Add file truncation to the landlock/sandboxer.c sample tool.
* selftests: Exercise open(2) with O_TRUNC and creat(2) exhaustively.
* selftests: Exercise truncation syscalls when the truncate right
is not handled by Landlock.
Günther Noack (5):
security: create file_truncate hook from path_truncate hook
landlock: Support file truncation
selftests/landlock: Selftests for file truncation support
samples/landlock: Extend sample tool to support
landlock: Document Landlock's file truncation support
Documentation/userspace-api/landlock.rst | 62 +++-
fs/namei.c | 6 +-
fs/open.c | 4 +-
include/linux/lsm_hook_defs.h | 1 +
include/linux/security.h | 6 +
include/uapi/linux/landlock.h | 18 +-
samples/landlock/sandboxer.c | 23 +-
security/apparmor/lsm.c | 6 +
security/landlock/fs.c | 88 +++++-
security/landlock/fs.h | 18 ++
security/landlock/limits.h | 2 +-
security/landlock/setup.c | 1 +
security/landlock/syscalls.c | 2 +-
security/security.c | 5 +
security/tomoyo/tomoyo.c | 13 +
tools/testing/selftests/landlock/base_test.c | 2 +-
tools/testing/selftests/landlock/fs_test.c | 287 ++++++++++++++++++-
17 files changed, 508 insertions(+), 36 deletions(-)
next reply other threads:[~2022-09-08 19:59 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-08 19:58 Günther Noack [this message]
2022-09-08 19:58 ` [PATCH v6 1/5] security: create file_truncate hook from path_truncate hook Günther Noack
2022-09-08 20:09 ` Paul Moore
2022-09-08 20:50 ` Günther Noack
2022-09-08 22:04 ` Tetsuo Handa
2022-09-08 20:28 ` Günther Noack
2022-09-16 17:30 ` Mickaël Salaün
2022-09-26 16:07 ` Günther Noack
2022-09-28 20:04 ` Mickaël Salaün
2022-09-29 2:55 ` Namjae Jeon
2022-09-09 3:37 ` John Johansen
2022-09-09 13:50 ` Mickaël Salaün
2022-09-08 19:58 ` [PATCH v6 2/5] landlock: Support file truncation Günther Noack
2022-09-09 13:51 ` Mickaël Salaün
2022-09-12 15:28 ` Günther Noack
2022-09-12 18:37 ` Mickaël Salaün
2022-09-12 19:04 ` Günther Noack
2022-09-12 19:41 ` Mickaël Salaün
2022-09-23 11:21 ` Günther Noack
2022-09-23 20:53 ` Mickaël Salaün
2022-09-25 18:09 ` Günther Noack
2022-09-28 18:32 ` Mickaël Salaün
2022-09-29 19:22 ` Günther Noack
2022-09-30 15:56 ` Mickaël Salaün
2022-09-08 19:58 ` [PATCH v6 3/5] selftests/landlock: Selftests for file truncation support Günther Noack
2022-09-16 17:05 ` Mickaël Salaün
2022-09-23 17:50 ` Günther Noack
2022-09-23 20:54 ` Mickaël Salaün
2022-09-25 18:10 ` Günther Noack
2022-09-08 19:58 ` [PATCH v6 4/5] samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE Günther Noack
2022-09-12 19:05 ` Mickaël Salaün
2022-09-12 19:07 ` Günther Noack
2022-09-08 19:58 ` [PATCH v6 5/5] landlock: Document Landlock's file truncation support Günther Noack
2022-09-09 13:51 ` Mickaël Salaün
2022-09-12 15:46 ` Günther Noack
2022-09-12 17:47 ` Mickaël Salaün
2022-09-12 19:05 ` Günther Noack
2022-09-12 19:15 ` Mickaël Salaün
2022-09-23 11:30 ` Günther Noack
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.