From faeb9197669c23d983f6485d278b20f0194432f4 Mon Sep 17 00:00:00 2001
From: Günther Noack
Date: Tue, 18 Oct 2022 20:22:15 +0200
Subject: samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update the sandboxer sample to restrict truncate actions. This is automatically enabled by default if the running kernel supports LANDLOCK_ACCESS_FS_TRUNCATE, except for the paths listed in the LL_FS_RW environment variable.

Signed-off-by: Günther Noack
Link: https://lore.kernel.org/r/20221018182216.301684-11-gnoack3000@gmail.com
Signed-off-by: Mickaël Salaün
---
 samples/landlock/sandboxer.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'samples')

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index f29bb3c72230..fd4237c64fb2 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -76,7 +76,8 @@ static int parse_path(char *env_path, const char ***const path_list)
 #define ACCESS_FILE ( \
 LANDLOCK_ACCESS_FS_EXECUTE | \
 LANDLOCK_ACCESS_FS_WRITE_FILE | \
- LANDLOCK_ACCESS_FS_READ_FILE)
+ LANDLOCK_ACCESS_FS_READ_FILE | \
+ LANDLOCK_ACCESS_FS_TRUNCATE)
 
 /* clang-format on */
 
@@ -160,11 +161,12 @@ out_free_name:
 LANDLOCK_ACCESS_FS_MAKE_FIFO | \
 LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
 LANDLOCK_ACCESS_FS_MAKE_SYM | \
- LANDLOCK_ACCESS_FS_REFER)
+ LANDLOCK_ACCESS_FS_REFER | \
+ LANDLOCK_ACCESS_FS_TRUNCATE)
 
 /* clang-format on */
 
-#define LANDLOCK_ABI_LAST 2
+#define LANDLOCK_ABI_LAST 3
 
 int main(const int argc, char *const argv[], char *const *const envp)
 {
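Review bot: `LANDLOCK_ABI_LAST` is raised to 3 in the second hunk, but nothing at the definition records that every bump needs a matching `case` in the best-effort `switch (abi)` in main() that strips the bits a kernel at that ABI does not handle; this commit does add `case 2:` there, yet the coupling is only visible by reading both places. A comment above the define, `/* Keep in sync with the best-effort switch (abi) in main(). */`, would make the next ABI bump less error-prone. The two macro extensions (ACCESS_FILE and ACCESS_FS_ROUGHLY_WRITE) are consistent with each other and with the commit description, so no change is needed there.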
@@ -234,6 +236,10 @@ int main(const int argc, char *const argv[], char *const *const envp)
 case 1:
 /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+ __attribute__((fallthrough));
+ case 2:
+ /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
+ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
 fprintf(stderr, "Hint: You should update the running kernel "
-- cgit v1.2.3
From f6e53fb2d7bd70547ba53232415976cb70ad6d97 Mon Sep 17 00:00:00 2001
From: Günther Noack
Date: Mon, 7 Nov 2022 19:16:51 +0100
Subject: samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a comment to clarify how to handle best-effort backwards compatibility for LANDLOCK_ACCESS_FS_REFER. The "refer" access is special because these operations are always forbidden in ABI 1, unlike most other operations, which are permitted when using Landlock ABI levels where they are not supported yet.

Signed-off-by: Günther Noack
Link: https://lore.kernel.org/r/20221107181651.4555-1-gnoack3000@gmail.com
Signed-off-by: Mickaël Salaün
---
 samples/landlock/sandboxer.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

(limited to 'samples')

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index fd4237c64fb2..e2056c8b902c 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
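Review bot: The new `case 2:` clears `LANDLOCK_ACCESS_FS_TRUNCATE` from `handled_access_fs`, so on an ABI 2 kernel truncation is not restricted at all — also on paths that are not listed in LL_FS_RW — and the only signal the user gets is the generic kernel-update hint that follows. That is the intended best-effort fallback, but the one-line comment says only what is removed, not what it costs; I would extend it to `/* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3: truncation is then left unrestricted (best-effort). */`. `__attribute__((fallthrough));` is GCC/Clang syntax, which is acceptable for an in-tree kernel sample. The switch and main() continue outside the hunk, and this copy of the hunk appears to have lost some context lines (the old-side count is 6 but fewer are visible), so the context around the hint could not be checked.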
@@ -234,7 +234,22 @@ int main(const int argc, char *const argv[], char *const *const envp)
 /* Best-effort security. */
 switch (abi) {
 case 1:
- /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
+ /*
+ * Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2
+ *
+ * Note: The "refer" operations (file renaming and linking
+ * across different directories) are always forbidden when using
+ * Landlock with ABI 1.
+ *
+ * If only ABI 1 is available, this sandboxer knowingly forbids
+ * refer operations.
+ *
+ * If a program *needs* to do refer operations after enabling
+ * Landlock, it can not use Landlock at ABI level 1. To be
+ * compatible with different kernel versions, such programs
+ * should then fall back to not restrict themselves at all if
+ * the running kernel only supports ABI 1.
+ */
 ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
 __attribute__((fallthrough));
 case 2:
-- cgit v1.2.3
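Review bot: Two wording fixes in the new comment block: `it can not use Landlock at ABI level 1` should read `it cannot use Landlock at ABI level 1`, and `fall back to not restrict themselves at all` should read `fall back to not restricting themselves at all`. The new text explains why "refer" is the exception, but the contrast the commit message draws — refer is always forbidden at ABI 1, while most other rights are simply not enforced on an older ABI — is stated for one side only; the `case 2:` body directly below (outside this hunk) keeps its one-line comment, and a sentence there such as `/* Unlike "refer", truncation is simply not enforced on ABI < 3. */` would complete the picture for the reader. The enclosing switch and main() continue past the end of the hunk.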