| Message ID | 20221008111336.74806-2-gnoack3000@gmail.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | None | expand |
Sorry, please ignore this thread -- I messed it up and accidentally sent it with the wrong Reply-To headers. —Günther On Sat, Oct 08, 2022 at 01:13:36PM +0200, Günther Noack wrote: > Use the LANDLOCK_ACCESS_FS_TRUNCATE flag in the tutorial. > > Adapt the backwards compatibility example and discussion to remove the > truncation flag where needed. > > Point out potential surprising behaviour related to truncate. > > Signed-off-by: Günther Noack <gnoack3000@gmail.com> > --- > Documentation/userspace-api/landlock.rst | 67 +++++++++++++++++++++--- > 1 file changed, 60 insertions(+), 7 deletions(-) > > diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst > index cec780c2f497..d8cd8cd9ce25 100644 > --- a/Documentation/userspace-api/landlock.rst > +++ b/Documentation/userspace-api/landlock.rst > @@ -8,7 +8,7 @@ Landlock: unprivileged access control > ===================================== > > :Author: Mickaël Salaün > -:Date: September 2022 > +:Date: October 2022 > > The goal of Landlock is to enable to restrict ambient rights (e.g. global > filesystem access) for a set of processes. Because Landlock is a stackable > @@ -60,7 +60,8 @@ the need to be explicit about the denied-by-default access rights. > LANDLOCK_ACCESS_FS_MAKE_FIFO | > LANDLOCK_ACCESS_FS_MAKE_BLOCK | > LANDLOCK_ACCESS_FS_MAKE_SYM | > - LANDLOCK_ACCESS_FS_REFER, > + LANDLOCK_ACCESS_FS_REFER | > + LANDLOCK_ACCESS_FS_TRUNCATE, > }; > > Because we may not know on which kernel version an application will be > @@ -69,16 +70,28 @@ should try to protect users as much as possible whatever the kernel they are > using. To avoid binary enforcement (i.e. either all security features or > none), we can leverage a dedicated Landlock command to get the current version > of the Landlock ABI and adapt the handled accesses. Let's check if we should > -remove the ``LANDLOCK_ACCESS_FS_REFER`` access right which is only supported > -starting with the second version of the ABI. > +remove the ``LANDLOCK_ACCESS_FS_REFER`` or ``LANDLOCK_ACCESS_FS_TRUNCATE`` > +access rights, which are only supported starting with the second and third > +version of the ABI. > > .. code-block:: c > > int abi; > > abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); > - if (abi < 2) { > + if (abi < 0) { > + /* Degrades gracefully if Landlock is not handled. */ > + perror("The running kernel does not enable to use Landlock"); > + return 0; > + } > + switch (abi) { > + case 1: > + /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */ > ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; > + __attribute__((fallthrough)); > + case 2: > + /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ > + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; > } > > This enables to create an inclusive ruleset that will contain our rules. > @@ -127,8 +140,8 @@ descriptor. > > It may also be required to create rules following the same logic as explained > for the ruleset creation, by filtering access rights according to the Landlock > -ABI version. In this example, this is not required because > -``LANDLOCK_ACCESS_FS_REFER`` is not allowed by any rule. > +ABI version. In this example, this is not required because all of the requested > +``allowed_access`` rights are already available in ABI 1. > > We now have a ruleset with one rule allowing read access to ``/usr`` while > denying all other handled accesses for the filesystem. The next step is to > @@ -252,6 +265,37 @@ To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target > process, a sandboxed process should have a subset of the target process rules, > which means the tracee must be in a sub-domain of the tracer. > > +Truncating files > +---------------- > + > +The operations covered by ``LANDLOCK_ACCESS_FS_WRITE_FILE`` and > +``LANDLOCK_ACCESS_FS_TRUNCATE`` both change the contents of a file and sometimes > +overlap in non-intuitive ways. It is recommended to always specify both of > +these together. > + > +A particularly surprising example is :manpage:`creat(2)`. The name suggests > +that this system call requires the rights to create and write files. However, > +it also requires the truncate right if an existing file under the same name is > +already present. > + > +It should also be noted that truncating files does not require the > +``LANDLOCK_ACCESS_FS_WRITE_FILE`` right. Apart from the :manpage:`truncate(2)` > +system call, this can also be done through :manpage:`open(2)` with the flags > +``O_RDONLY | O_TRUNC``. > + > +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` > +right is associated with the newly created file descriptor and will be used for > +subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is > +similar to opening a file for reading or writing, where permissions are checked > +during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and > +:manpage:`write(2)` calls. > + > +As a consequence, it is possible to have multiple open file descriptors for the > +same file, where one grants the right to truncate the file and the other does > +not. It is also possible to pass such file descriptors between processes, > +keeping their Landlock properties, even when these processes do not have an > +enforced Landlock ruleset. > + > Compatibility > ============= > > @@ -398,6 +442,15 @@ Starting with the Landlock ABI version 2, it is now possible to securely > control renaming and linking thanks to the new ``LANDLOCK_ACCESS_FS_REFER`` > access right. > > +File truncation (ABI < 3) > +------------------------- > + > +File truncation could not be denied before the third Landlock ABI, so it is > +always allowed when using a kernel that only supports the first or second ABI. > + > +Starting with the Landlock ABI version 3, it is now possible to securely control > +truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right. > + > .. _kernel_support: > > Kernel support > -- > 2.38.0 > --
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index cec780c2f497..d8cd8cd9ce25 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -8,7 +8,7 @@ Landlock: unprivileged access control ===================================== :Author: Mickaël Salaün -:Date: September 2022 +:Date: October 2022 The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. Because Landlock is a stackable @@ -60,7 +60,8 @@ the need to be explicit about the denied-by-default access rights. LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM | - LANDLOCK_ACCESS_FS_REFER, + LANDLOCK_ACCESS_FS_REFER | + LANDLOCK_ACCESS_FS_TRUNCATE, }; Because we may not know on which kernel version an application will be @@ -69,16 +70,28 @@ should try to protect users as much as possible whatever the kernel they are using. To avoid binary enforcement (i.e. either all security features or none), we can leverage a dedicated Landlock command to get the current version of the Landlock ABI and adapt the handled accesses. Let's check if we should -remove the ``LANDLOCK_ACCESS_FS_REFER`` access right which is only supported -starting with the second version of the ABI. +remove the ``LANDLOCK_ACCESS_FS_REFER`` or ``LANDLOCK_ACCESS_FS_TRUNCATE`` +access rights, which are only supported starting with the second and third +version of the ABI. .. code-block:: c int abi; abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION); - if (abi < 2) { + if (abi < 0) { + /* Degrades gracefully if Landlock is not handled. */ + perror("The running kernel does not enable to use Landlock"); + return 0; + } + switch (abi) { + case 1: + /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */ ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; + __attribute__((fallthrough)); + case 2: + /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; } This enables to create an inclusive ruleset that will contain our rules. @@ -127,8 +140,8 @@ descriptor. It may also be required to create rules following the same logic as explained for the ruleset creation, by filtering access rights according to the Landlock -ABI version. In this example, this is not required because -``LANDLOCK_ACCESS_FS_REFER`` is not allowed by any rule. +ABI version. In this example, this is not required because all of the requested +``allowed_access`` rights are already available in ABI 1. We now have a ruleset with one rule allowing read access to ``/usr`` while denying all other handled accesses for the filesystem. The next step is to @@ -252,6 +265,37 @@ To be allowed to use :manpage:`ptrace(2)` and related syscalls on a target process, a sandboxed process should have a subset of the target process rules, which means the tracee must be in a sub-domain of the tracer. +Truncating files +---------------- + +The operations covered by ``LANDLOCK_ACCESS_FS_WRITE_FILE`` and +``LANDLOCK_ACCESS_FS_TRUNCATE`` both change the contents of a file and sometimes +overlap in non-intuitive ways. It is recommended to always specify both of +these together. + +A particularly surprising example is :manpage:`creat(2)`. The name suggests +that this system call requires the rights to create and write files. However, +it also requires the truncate right if an existing file under the same name is +already present. + +It should also be noted that truncating files does not require the +``LANDLOCK_ACCESS_FS_WRITE_FILE`` right. Apart from the :manpage:`truncate(2)` +system call, this can also be done through :manpage:`open(2)` with the flags +``O_RDONLY | O_TRUNC``. + +When opening a file, the availability of the ``LANDLOCK_ACCESS_FS_TRUNCATE`` +right is associated with the newly created file descriptor and will be used for +subsequent truncation attempts using :manpage:`ftruncate(2)`. The behavior is +similar to opening a file for reading or writing, where permissions are checked +during :manpage:`open(2)`, but not during the subsequent :manpage:`read(2)` and +:manpage:`write(2)` calls. + +As a consequence, it is possible to have multiple open file descriptors for the +same file, where one grants the right to truncate the file and the other does +not. It is also possible to pass such file descriptors between processes, +keeping their Landlock properties, even when these processes do not have an +enforced Landlock ruleset. + Compatibility ============= @@ -398,6 +442,15 @@ Starting with the Landlock ABI version 2, it is now possible to securely control renaming and linking thanks to the new ``LANDLOCK_ACCESS_FS_REFER`` access right. +File truncation (ABI < 3) +------------------------- + +File truncation could not be denied before the third Landlock ABI, so it is +always allowed when using a kernel that only supports the first or second ABI. + +Starting with the Landlock ABI version 3, it is now possible to securely control +truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right. + .. _kernel_support: Kernel support
Use the LANDLOCK_ACCESS_FS_TRUNCATE flag in the tutorial. Adapt the backwards compatibility example and discussion to remove the truncation flag where needed. Point out potential surprising behaviour related to truncate. Signed-off-by: Günther Noack <gnoack3000@gmail.com> --- Documentation/userspace-api/landlock.rst | 67 +++++++++++++++++++++--- 1 file changed, 60 insertions(+), 7 deletions(-)