Message ID | 20221001154908.49665-9-gnoack3000@gmail.com (mailing list archive) |
State | Handled Elsewhere |
Series | landlock: truncate support | expand |
On 01/10/2022 17:49, Günther Noack wrote: > Update the sandboxer sample to restrict truncate actions. This is > automatically enabled by default if the running kernel supports > LANDLOCK_ACCESS_FS_TRUNCATE, except for the paths listed in the > LL_FS_RW environment variable. > > Signed-off-by: Günther Noack <gnoack3000@gmail.com> > --- > samples/landlock/sandboxer.c | 23 ++++++++++++++--------- > 1 file changed, 14 insertions(+), 9 deletions(-) > > diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c > index 3e404e51ec64..771b6b10d519 100644 > --- a/samples/landlock/sandboxer.c > +++ b/samples/landlock/sandboxer.c > @@ -76,7 +76,8 @@ static int parse_path(char *env_path, const char ***const path_list) > #define ACCESS_FILE ( \ > LANDLOCK_ACCESS_FS_EXECUTE | \ > LANDLOCK_ACCESS_FS_WRITE_FILE | \ > - LANDLOCK_ACCESS_FS_READ_FILE) > + LANDLOCK_ACCESS_FS_READ_FILE | \ > + LANDLOCK_ACCESS_FS_TRUNCATE) > > /* clang-format on */ > > @@ -160,10 +161,8 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd, > LANDLOCK_ACCESS_FS_MAKE_FIFO | \ > LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ > LANDLOCK_ACCESS_FS_MAKE_SYM | \ > - LANDLOCK_ACCESS_FS_REFER) > - > -#define ACCESS_ABI_2 ( \ > - LANDLOCK_ACCESS_FS_REFER) > + LANDLOCK_ACCESS_FS_REFER | \ > + LANDLOCK_ACCESS_FS_TRUNCATE) > > /* clang-format on */ 
> > @@ -226,11 +225,17 @@ int main(const int argc, char *const argv[], char *const *const envp) > return 1; > } > /* Best-effort security. */ > - if (abi < 2) { > - ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2; > - access_fs_ro &= ~ACCESS_ABI_2; > - access_fs_rw &= ~ACCESS_ABI_2; You can now base your patches on the current Linus' master branch, these three commits are now merged: https://git.kernel.org/mic/c/2fff00c81d4c37a037cf704d2d219fbcb45aea3c The (inlined) documentation also needs to be updated according to this commit to align with the double backtick convention. > + switch (abi) { > + case 1: > + /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */ > + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; > + __attribute__((fallthrough)); > + case 2: > + /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ > + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; > } > + access_fs_ro &= ruleset_attr.handled_access_fs; > + access_fs_rw &= ruleset_attr.handled_access_fs; > > ruleset_fd = > landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
On Wed, Oct 05, 2022 at 08:57:23PM +0200, Mickaël Salaün wrote: > > On 01/10/2022 17:49, Günther Noack wrote: > > Update the sandboxer sample to restrict truncate actions. This is > > automatically enabled by default if the running kernel supports > > LANDLOCK_ACCESS_FS_TRUNCATE, except for the paths listed in the > > LL_FS_RW environment variable. > > > > Signed-off-by: Günther Noack <gnoack3000@gmail.com> > > --- > > samples/landlock/sandboxer.c | 23 ++++++++++++++--------- > > 1 file changed, 14 insertions(+), 9 deletions(-) > > > > diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c > > index 3e404e51ec64..771b6b10d519 100644 > > --- a/samples/landlock/sandboxer.c > > +++ b/samples/landlock/sandboxer.c > > @@ -76,7 +76,8 @@ static int parse_path(char *env_path, const char ***const path_list) > > #define ACCESS_FILE ( \ > > LANDLOCK_ACCESS_FS_EXECUTE | \ > > LANDLOCK_ACCESS_FS_WRITE_FILE | \ > > - LANDLOCK_ACCESS_FS_READ_FILE) > > + LANDLOCK_ACCESS_FS_READ_FILE | \ > > + LANDLOCK_ACCESS_FS_TRUNCATE) > > /* clang-format on */ > > @@ -160,10 +161,8 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd, > > LANDLOCK_ACCESS_FS_MAKE_FIFO | \ > > LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ > > LANDLOCK_ACCESS_FS_MAKE_SYM | \ > > - LANDLOCK_ACCESS_FS_REFER) > > - > > -#define ACCESS_ABI_2 ( \ > > - LANDLOCK_ACCESS_FS_REFER) > > + LANDLOCK_ACCESS_FS_REFER | \ > > + LANDLOCK_ACCESS_FS_TRUNCATE) > > /* clang-format on */ 
> > @@ -226,11 +225,17 @@ int main(const int argc, char *const argv[], char *const *const envp) > > return 1; > > } > > /* Best-effort security. */ > > - if (abi < 2) { > > - ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2; > > - access_fs_ro &= ~ACCESS_ABI_2; > > - access_fs_rw &= ~ACCESS_ABI_2; > > You can now base your patches on the current Linus' master branch, these > three commits are now merged: > https://git.kernel.org/mic/c/2fff00c81d4c37a037cf704d2d219fbcb45aea3c Thanks, rebased. > The (inlined) documentation also needs to be updated according to this > commit to align with the double backtick convention. There were no occurrences of the double backtick in the sample tool, I assume this is OK? > > + switch (abi) { > > + case 1: > > + /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */ > > + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; > > + __attribute__((fallthrough)); > > + case 2: > > + /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ > > + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; > > } > > + access_fs_ro &= ruleset_attr.handled_access_fs; > > + access_fs_rw &= ruleset_attr.handled_access_fs; > > ruleset_fd = > > landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); --
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 3e404e51ec64..771b6b10d519 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -76,7 +76,8 @@ static int parse_path(char *env_path, const char ***const path_list) #define ACCESS_FILE ( \ LANDLOCK_ACCESS_FS_EXECUTE | \ LANDLOCK_ACCESS_FS_WRITE_FILE | \ - LANDLOCK_ACCESS_FS_READ_FILE) + LANDLOCK_ACCESS_FS_READ_FILE | \ + LANDLOCK_ACCESS_FS_TRUNCATE) /* clang-format on */ @@ -160,10 +161,8 @@ static int populate_ruleset(const char *const env_var, const int ruleset_fd, LANDLOCK_ACCESS_FS_MAKE_FIFO | \ LANDLOCK_ACCESS_FS_MAKE_BLOCK | \ LANDLOCK_ACCESS_FS_MAKE_SYM | \ - LANDLOCK_ACCESS_FS_REFER) - -#define ACCESS_ABI_2 ( \ - LANDLOCK_ACCESS_FS_REFER) + LANDLOCK_ACCESS_FS_REFER | \ + LANDLOCK_ACCESS_FS_TRUNCATE) /* clang-format on */ @@ -226,11 +225,17 @@ int main(const int argc, char *const argv[], char *const *const envp) return 1; } /* Best-effort security. */ - if (abi < 2) { - ruleset_attr.handled_access_fs &= ~ACCESS_ABI_2; - access_fs_ro &= ~ACCESS_ABI_2; - access_fs_rw &= ~ACCESS_ABI_2; + switch (abi) { + case 1: + /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER; + __attribute__((fallthrough)); + case 2: + /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */ + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE; } + access_fs_ro &= ruleset_attr.handled_access_fs; + access_fs_rw &= ruleset_attr.handled_access_fs; ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
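Review bot: The new `switch (abi)` in main() has no `default:` and gives the user no signal when it drops access rights, so on a kernel with Landlock ABI 1 or 2 the sample silently stops handling LANDLOCK_ACCESS_FS_TRUNCATE (and REFER), and a path listed in LL_FS_RO can still be truncated even though the sandbox appears to be read-only. Best-effort degradation is a reasonable policy for a sample, but a practitioner copying this pattern should at least see a hint on stderr naming the ABI the kernel provides, and the switch should end in an explicit `default:` so the "ABI >= 3, everything handled" case is documented rather than implied by the missing label. The masking of `access_fs_ro`/`access_fs_rw` by `handled_access_fs` right after the switch is correct and can stay as is. This assumes `fprintf`/`stderr` are already in scope in the sample, which I cannot confirm from the hunk; main() starts and ends outside it.
```c
	case 2:
		/* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
		fprintf(stderr,
			"Hint: The running kernel only supports Landlock ABI %d; "
			"some file access rights will not be restricted.\n",
			abi);
		break;
	default:
		/* ABI >= 3: every access right in handled_access_fs is enforced. */
		break;
	}
	/* … unchanged: access_fs_ro/access_fs_rw masking, ruleset creation … */
```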
Update the sandboxer sample to restrict truncate actions. Truncation is restricted automatically when the running kernel supports LANDLOCK_ACCESS_FS_TRUNCATE (Landlock ABI 3 or newer), except for the paths listed in the LL_FS_RW environment variable. Signed-off-by: Günther Noack <gnoack3000@gmail.com> --- samples/landlock/sandboxer.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-)