Merge tag 'landlock-6.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux

=====================================

:Author: Mickaël Salaün

:Date: September 2022

:Date: October 2022

The goal of Landlock is to enable to restrict ambient rights (e.g. global

filesystem access) for a set of processes.  Because Landlock is a stackable

            LANDLOCK_ACCESS_FS_MAKE_FIFO |

            LANDLOCK_ACCESS_FS_MAKE_BLOCK |

            LANDLOCK_ACCESS_FS_MAKE_SYM |

            LANDLOCK_ACCESS_FS_REFER,

            LANDLOCK_ACCESS_FS_REFER |

            LANDLOCK_ACCESS_FS_TRUNCATE,

    };

Because we may not know on which kernel version an application will be

using.  To avoid binary enforcement (i.e. either all security features or

none), we can leverage a dedicated Landlock command to get the current version

of the Landlock ABI and adapt the handled accesses.  Let's check if we should

remove the ``LANDLOCK_ACCESS_FS_REFER`` access right which is only supported

starting with the second version of the ABI.

remove the ``LANDLOCK_ACCESS_FS_REFER`` or ``LANDLOCK_ACCESS_FS_TRUNCATE``

access rights, which are only supported starting with the second and third

version of the ABI.

.. code-block:: c

    int abi;

    abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);

    if (abi < 2) {

    if (abi < 0) {

        /* Degrades gracefully if Landlock is not handled. */

        perror("The running kernel does not enable to use Landlock");

        return 0;

    }

    switch (abi) {

    case 1:

        /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */

        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;

        __attribute__((fallthrough));

    case 2:

        /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */

        ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;

    }

This enables to create an inclusive ruleset that will contain our rules.

It may also be required to create rules following the same logic as explained

for the ruleset creation, by filtering access rights according to the Landlock

ABI version.  In this example, this is not required because

``LANDLOCK_ACCESS_FS_REFER`` is not allowed by any rule.

ABI version.  In this example, this is not required because all of the requested

``allowed_access`` rights are already available in ABI 1.

We now have a ruleset with one rule allowing read access to ``/usr`` while

denying all other handled accesses for the filesystem.  The next step is to

process, a sandboxed process should have a subset of the target process rules,

which means the tracee must be in a sub-domain of the tracer.

Truncating files

----------------

The operations covered by ``LANDLOCK_ACCESS_FS_WRITE_FILE`` and

``LANDLOCK_ACCESS_FS_TRUNCATE`` both change the contents of a file and sometimes

overlap in non-intuitive ways.  It is recommended to always specify both of

these together.

A particularly surprising example is :manpage:`creat(2)`.  The name suggests

that this system call requires the rights to create and write files.  However,

it also requires the truncate right if an existing file under the same name is

already present.

It should also be noted that truncating files does not require the

``LANDLOCK_ACCESS_FS_WRITE_FILE`` right.  Apart from the :manpage:`truncate(2)`

system call, this can also be done through :manpage:`open(2)` with the flags

``O_RDONLY | O_TRUNC``.

When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE``

right is associated with the newly created file descriptor and will be used for

subsequent truncation attempts using :manpage:`ftruncate(2)`.  The behavior is

similar to opening a file for reading or writing, where permissions are checked

during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and

:manpage:`write(2)` calls.

As a consequence, it is possible to have multiple open file descriptors for the

same file, where one grants the right to truncate the file and the other does

not.  It is also possible to pass such file descriptors between processes,

keeping their Landlock properties, even when these processes do not have an

enforced Landlock ruleset.

Compatibility

=============

control renaming and linking thanks to the new ``LANDLOCK_ACCESS_FS_REFER``

access right.

File truncation (ABI < 3)

-------------------------

File truncation could not be denied before the third Landlock ABI, so it is

always allowed when using a kernel that only supports the first or second ABI.

Starting with the Landlock ABI version 3, it is now possible to securely control

truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right.

.. _kernel_support:

Kernel support

	if (error)

		return error;

	error = security_path_truncate(path);

	error = security_file_truncate(filp);

	if (!error) {

		error = do_truncate(mnt_userns, path->dentry, 0,

				    ATTR_MTIME|ATTR_CTIME|ATTR_OPEN,

	if (IS_APPEND(file_inode(f.file)))

		goto out_putf;

	sb_start_write(inode->i_sb);

	error = security_path_truncate(&f.file->f_path);

	error = security_file_truncate(f.file);

	if (!error)

		error = do_truncate(file_mnt_user_ns(f.file), dentry, length,

				    ATTR_MTIME | ATTR_CTIME, f.file);

	 struct fown_struct *fown, int sig)

LSM_HOOK(int, 0, file_receive, struct file *file)

LSM_HOOK(int, 0, file_open, struct file *file)

LSM_HOOK(int, 0, file_truncate, struct file *file)

LSM_HOOK(int, 0, task_alloc, struct task_struct *task,

	 unsigned long clone_flags)

LSM_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task)

 *	@attr is the iattr structure containing the new file attributes.

 *	Return 0 if permission is granted.

 * @path_truncate:

 *	Check permission before truncating a file.

 *	Check permission before truncating the file indicated by path.

 *	Note that truncation permissions may also be checked based on

 *	already opened files, using the @file_truncate hook.

 *	@path contains the path structure for the file.

 *	Return 0 if permission is granted.

 * @inode_getattr:

 *	to receive an open file descriptor via socket IPC.

 *	@file contains the file structure being received.

 *	Return 0 if permission is granted.

 * @file_truncate:

 *	Check permission before truncating a file, i.e. using ftruncate.

 *	Note that truncation permission may also be checked based on the path,

 *	using the @path_truncate hook.

 *	@file contains the file structure for the file.

 *	Return 0 if permission is granted.

 * @file_open:

 *	Save open-time permission checking state for later use upon

 *	file_permission, and recheck access if anything has changed