archive mirror
 help / color / mirror / Atom feed
From: "Mickaël Salaün" <>
To: Linus Torvalds <>
Cc: "Mickaël Salaün" <>,
	"Alejandro Colomar" <>,
	"Günther Noack" <>,,
Subject: [GIT PULL] Landlock updates for v6.2
Date: Mon, 12 Dec 2022 13:19:18 +0100	[thread overview]
Message-ID: <> (raw)

Hi Linus,

This PR adds file truncation support to Landlock, contributed by
Günther Noack:
Please pull this Landlock changes for v6.2-rc1 .  These 12 commits
merged cleanly with your tree, and have been successfully tested in the
latest linux-next releases for more than a month.

As described by Günther, the goal of these patches is to work towards a
more complete coverage of file system operations that are restrictable
with Landlock.  The known set of currently unsupported file system
operations in Landlock is described here:
Out of the operations listed there, truncate is the only one that
modifies file contents, so these patches should make it possible to
prevent the direct modification of file contents with Landlock.

The new LANDLOCK_ACCESS_FS_TRUNCATE access right covers both the
truncate(2) and ftruncate(2) families of syscalls, as well as open(2)
with the O_TRUNC flag.  This includes usages of creat() in the case
where existing regular files are overwritten.

Additionally, this patch set introduces a new Landlock security blob
associated with opened files, to track the available Landlock access
rights at the time of opening the file. This is in line with Unix's
general approach of checking the read and write permissions during
open(), and associating this previously checked authorization with the
opened file.  An ongoing patch documents this use case:

In order to treat truncate(2) and ftruncate(2) calls differently in an
LSM hook, we split apart the existing security_path_truncate hook into
security_path_truncate (for truncation by path) and
security_file_truncate (for truncation of previously opened files).

Test coverage for security/landlock is 94.7% of 835 lines according to
gcc/gcov-12, and it was 94.6% of 809 lines before this series.

syzkaller has been updated accordingly:
Such patched instance (tailored to Landlock) has been running for
months, covering all the new truncate-related code.


The following changes since commit 9abf2313adc1ca1b6180c508c25f22f9395cc780:

  Linux 6.1-rc1 (2022-10-16 15:36:24 -0700)

are available in the Git repository at:

  git:// tags/landlock-6.2-rc1

for you to fetch changes up to f6e53fb2d7bd70547ba53232415976cb70ad6d97:

  samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER (2022-11-07 20:49:50 +0100)

Landlock updates for v6.2-rc1

Günther Noack (12):
      security: Create file_truncate hook from path_truncate hook
      landlock: Refactor check_access_path_dual() into is_access_to_paths_allowed()
      landlock: Document init_layer_masks() helper
      landlock: Support file truncation
      selftests/landlock: Test file truncation support
      selftests/landlock: Test open() and ftruncate() in multiple scenarios
      selftests/landlock: Locally define __maybe_unused
      selftests/landlock: Test FD passing from restricted to unrestricted processes
      selftests/landlock: Test ftruncate on FDs created by memfd_create(2)
      samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE
      landlock: Document Landlock's file truncation support
      samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER

 Documentation/userspace-api/landlock.rst     |  67 +++-
 fs/namei.c                                   |   2 +-
 fs/open.c                                    |   2 +-
 include/linux/lsm_hook_defs.h                |   1 +
 include/linux/lsm_hooks.h                    |  10 +-
 include/linux/security.h                     |   6 +
 include/uapi/linux/landlock.h                |  21 +-
 samples/landlock/sandboxer.c                 |  29 +-
 security/apparmor/lsm.c                      |   6 +
 security/landlock/fs.c                       | 206 +++++++++---
 security/landlock/fs.h                       |  24 ++
 security/landlock/limits.h                   |   2 +-
 security/landlock/setup.c                    |   1 +
 security/landlock/syscalls.c                 |   2 +-
 security/security.c                          |  16 +-
 security/tomoyo/tomoyo.c                     |  13 +
 tools/testing/selftests/landlock/base_test.c |  38 +--
 tools/testing/selftests/landlock/common.h    |  85 ++++-
 tools/testing/selftests/landlock/fs_test.c   | 468 ++++++++++++++++++++++++++-
 19 files changed, 878 insertions(+), 121 deletions(-)

             reply	other threads:[~2022-12-12 12:19 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-12 12:19 Mickaël Salaün [this message]
2022-12-13 18:13 ` [GIT PULL] Landlock updates for v6.2 pr-tracker-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).