On 3/24/23 18:24, Günther Noack wrote: > https://git.kernel.org/torvalds/c/299e2b1967578b1442128ba8b3e86ed3427d3651 > > Signed-off-by: Günther Noack <gnoack3000@xxxxxxxxx> > Reviewed-by: Mickaël Salaün <mic@xxxxxxxxxxx> Patch applied. Thanks! Cheers, Alex > --- > man7/landlock.7 | 83 +++++++++++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 81 insertions(+), 2 deletions(-) > > diff --git a/man7/landlock.7 b/man7/landlock.7 > index d3a7ec0d2..9c305edef 100644 > --- a/man7/landlock.7 > +++ b/man7/landlock.7 > @@ -64,9 +64,39 @@ Execute a file. > .TP > .B LANDLOCK_ACCESS_FS_WRITE_FILE > Open a file with write access. > +.IP > +When opening files for writing, > +you will often additionally need the > +.B LANDLOCK_ACCESS_FS_TRUNCATE > +right. > +In many cases, > +these system calls truncate existing files when overwriting them > +(e.g., > +.BR creat (2)). > .TP > .B LANDLOCK_ACCESS_FS_READ_FILE > Open a file with read access. > +.TP > +.B LANDLOCK_ACCESS_FS_TRUNCATE > +Truncate a file with > +.BR truncate (2), > +.BR ftruncate (2), > +.BR creat (2), > +or > +.BR open (2) > +with > +.BR O_TRUNC . > +Whether an opened file can be truncated with > +.BR ftruncate (2) > +is determined during > +.BR open (2), > +in the same way as read and write permissions are checked during > +.BR open (2) > +using > +.B LANDLOCK_ACCESS_FS_READ_FILE > +and > +.BR LANDLOCK_ACCESS_FS_WRITE_FILE . > +This access right is available since the third version of the Landlock ABI. > .PP > A directory can receive access rights related to files or directories. > The following access right is applied to the directory itself, > @@ -231,6 +261,53 @@ To be allowed to use > and related syscalls on a target process, > a sandboxed process should have a subset of the target process rules, > which means the tracee must be in a sub-domain of the tracer. > +.\" > +.SS Truncating files > +The operations covered by > +.B LANDLOCK_ACCESS_FS_WRITE_FILE > +and > +.B LANDLOCK_ACCESS_FS_TRUNCATE > +both change the contents of a file and sometimes overlap in > +non-intuitive ways. > +It is recommended to always specify both of these together. > +.PP > +A particularly surprising example is > +.BR creat (2). > +The name suggests that this system call requires > +the rights to create and write files. > +However, it also requires the truncate right > +if an existing file under the same name is already present. > +.PP > +It should also be noted that truncating files does not require the > +.B LANDLOCK_ACCESS_FS_WRITE_FILE > +right. > +Apart from the > +.BR truncate (2) > +system call, this can also be done through > +.BR open (2) > +with the flags > +.IR "O_RDONLY\ |\ O_TRUNC" . > +.PP > +When opening a file, the availability of the > +.B LANDLOCK_ACCESS_FS_TRUNCATE > +right is associated with the newly created file descriptor > +and will be used for subsequent truncation attempts using > +.BR ftruncate (2). > +The behavior is similar to opening a file for reading or writing, > +where permissions are checked during > +.BR open (2), > +but not during the subsequent > +.BR read (2) > +and > +.BR write (2) > +calls. > +.PP > +As a consequence, > +it is possible to have multiple open file descriptors for the same file, > +where one grants the right to truncate the file and the other does not. > +It is also possible to pass such file descriptors between processes, > +keeping their Landlock properties, > +even when these processes do not have an enforced Landlock ruleset. > .SH VERSIONS > Landlock was introduced in Linux 5.13. > .PP > @@ -257,6 +334,8 @@ _ _ _ > \^ \^ LANDLOCK_ACCESS_FS_MAKE_SYM > _ _ _ > 2 5.19 LANDLOCK_ACCESS_FS_REFER > +_ _ _ > +3 6.2 LANDLOCK_ACCESS_FS_TRUNCATE > .TE > .sp 1 > .PP > @@ -302,7 +381,6 @@ in kernel logs. > It is currently not possible to restrict some file-related actions > accessible through these system call families: > .BR chdir (2), > -.BR truncate (2), > .BR stat (2), > .BR flock (2), > .BR chmod (2), > @@ -340,7 +418,8 @@ attr.handled_access_fs = > LANDLOCK_ACCESS_FS_MAKE_FIFO | > LANDLOCK_ACCESS_FS_MAKE_BLOCK | > LANDLOCK_ACCESS_FS_MAKE_SYM | > - LANDLOCK_ACCESS_FS_REFER; > + LANDLOCK_ACCESS_FS_REFER | > + LANDLOCK_ACCESS_FS_TRUNCATE; > > ruleset_fd = landlock_create_ruleset(&attr, sizeof(attr), 0); > if (ruleset_fd == \-1) { -- <http://www.alejandro-colomar.es/> GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
