Thread: 17 messages, 2 authors, 2022-08-04

Re: [PATCH v2 4/4] landlock: Document Landlock's file truncation support

From: Mickaël Salaün <mic@digikod.net>
Date: 2022-07-29 10:57:12
Also in: linux-doc

On 12/07/2022 23:14, Günther Noack wrote:
Use the LANDLOCK_ACCESS_FS_TRUNCATE flag in the tutorial.

Adapt the backwards compatibility example and discussion to remove the
truncation flag if needed.

Signed-off-by: Günther Noack <redacted>
Link: https://lore.kernel.org/all/20220707200612.132705-1-gnoack3000@gmail.com/
---
  Documentation/userspace-api/landlock.rst | 19 ++++++++++++++-----
  1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index b86fd94ae797..41fa464cc8b8 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -60,7 +60,8 @@ the need to be explicit about the denied-by-default access rights.
              LANDLOCK_ACCESS_FS_MAKE_FIFO |
              LANDLOCK_ACCESS_FS_MAKE_BLOCK |
              LANDLOCK_ACCESS_FS_MAKE_SYM |
-            LANDLOCK_ACCESS_FS_REFER,
+            LANDLOCK_ACCESS_FS_REFER |
+            LANDLOCK_ACCESS_FS_TRUNCATE,
      };
  
  Because we may not know on which kernel version an application will be
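Review bot: with LANDLOCK_ACCESS_FS_TRUNCATE now part of the default handled_access_fs, this block alone only works on kernels that support the third ABI version; landlock_create_ruleset() will otherwise reject the unknown flag. Since the compatibility filtering that masks it out only appears later in the document, consider a short remark right here (for instance a comment after `LANDLOCK_ACCESS_FS_TRUNCATE,` noting it requires ABI 3) so a reader who copies just this snippet is not surprised by a creation failure.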
@@ -69,14 +70,22 @@ should try to protect users as much as possible whatever the kernel they are
  using.  To avoid binary enforcement (i.e. either all security features or
  none), we can leverage a dedicated Landlock command to get the current version
  of the Landlock ABI and adapt the handled accesses.  Let's check if we should
-remove the `LANDLOCK_ACCESS_FS_REFER` access right which is only supported
-starting with the second version of the ABI.
+remove the `LANDLOCK_ACCESS_FS_REFER` and `LANDLOCK_ACCESS_FS_TRUNCATE` access
+rights, which are only supported starting with the second and third version of
+the ABI.
  
  .. code-block:: c
  
      int abi;
  
      abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
+    if (abi == -1) {
+        perror("Landlock is unsupported on this kernel");
"Landlock is not supported with the running kernel"?

+        return 1;
+    }
+    if (abi < 3) {
+        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
+    }
I guess we could use the same switch/case code as for the sample. I'm not sure which would be the less confusing for users though.

      if (abi < 2) {
          ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
      }
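Review bot: the added sentence "which are only supported starting with the second and third version of the ABI" should read "versions ... respectively", otherwise it can be parsed as both rights needing ABI 2 and 3; "starting with the second and third versions of the ABI, respectively" pairs REFER with 2 and TRUNCATE with 3 as the two `if (abi < N)` checks below do. The new `abi == -1` branch is otherwise fine: since perror() appends the errno text, the string passed to it works as a prefix, whichever wording is chosen for it.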
@@ -127,8 +136,8 @@ descriptor.
  
  It may also be required to create rules following the same logic as explained
  for the ruleset creation, by filtering access rights according to the Landlock
-ABI version.  In this example, this is not required because
-`LANDLOCK_ACCESS_FS_REFER` is not allowed by any rule.
+ABI version.  In this example, this is not required because all of the requested
+``allowed_access`` rights are already available in ABI 1.
Good!
  
  We now have a ruleset with one rule allowing read access to ``/usr`` while
  denying all other handled accesses for the filesystem.  The next step is to
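Review bot: the new sentence "all of the requested ``allowed_access`` rights are already available in ABI 1" is correct for this example, but it leaves implicit what the truncation change means for the resulting policy: the ruleset now handles LANDLOCK_ACCESS_FS_TRUNCATE while no rule grants it, so on an ABI 3 kernel truncation is denied everywhere, including under ``/usr``. Stating that explicitly next to "denying all other handled accesses" would make the effect of the new flag clear to a reader following the tutorial. Minor style point: this line uses ``allowed_access`` with double backticks while the earlier added line keeps single backticks for `LANDLOCK_ACCESS_FS_REFER`; double backticks are the reST literal form and would be consistent for both identifiers.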