From: "Günther Noack" <gnoack3000@gmail.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "Günther Noack" <gnoack@google.com>,
	linux-security-module@vger.kernel.org,
	"Justin Suess" <utilityemal77@gmail.com>,
	"Tingmao Wang" <m@maowtm.org>
Subject: Re: [PATCH v1] landlock: Demonstrate best-effort allowed_access filtering
Date: Fri, 15 May 2026 19:53:27 +0200
Message-ID: <20260515.3306db78edb3@gnoack.org>
In-Reply-To: <20260513151856.148423-1-mic@digikod.net>

On Wed, May 13, 2026 at 05:18:53PM +0200, Mickaël Salaün wrote:
> Landlock provides best-effort sandboxing across ABI versions:
> applications request the rights they need, and on older kernels the
> unsupported rights are silently dropped from handled_access_* by the
> documented compatibility switch.  The recommended pattern for
> landlock_add_rule(2) calls is to mirror this filtering at the rule
> level, which wasn't explicitly described in the exemple.
> 
> Show the pattern explicitly in the filesystem and network rule examples
> by masking each rule's allowed_access against the ruleset's
> handled_access_* and adding the rule only when at least one bit remains
> set.  This makes the recommended best-effort pattern self-documenting.
> 
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> ---
>  Documentation/userspace-api/landlock.rst | 48 +++++++++++++-----------
>  1 file changed, 27 insertions(+), 21 deletions(-)
> 
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index fd8b78c31f2f..45861fa75685 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -8,7 +8,7 @@ Landlock: unprivileged access control
>  =====================================
>  
>  :Author: Mickaël Salaün
> -:Date: March 2026
> +:Date: May 2026
>  
>  The goal of Landlock is to enable restriction of ambient rights (e.g. global
>  filesystem or network access) for a set of processes.  Because Landlock
> @@ -155,7 +155,7 @@ this file descriptor.
>  
>  .. code-block:: c
>  
> -    int err;
> +    int err = 0;
>      struct landlock_path_beneath_attr path_beneath = {
>          .allowed_access =
>              LANDLOCK_ACCESS_FS_EXECUTE |
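Review bot: the change from `int err;` to `int err = 0;` is load-bearing rather than cosmetic, and the hunk gives no hint of that. Later in this patch the network rule is only added inside `if (net_port.allowed_access)`, so on a kernel whose ruleset handles no network rights the call is skipped and `err` keeps its previous value; any check that follows the network block reads that value. A one-line comment such as `/* stays 0 when a rule is skipped below */` next to the initializer would stop a future cleanup from dropping it.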
> @@ -163,25 +163,29 @@ this file descriptor.
>              LANDLOCK_ACCESS_FS_READ_DIR,
>      };
>  
> -    path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
> -    if (path_beneath.parent_fd < 0) {
> -        perror("Failed to open file");
> -        close(ruleset_fd);
> -        return 1;
> -    }
> -    err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
> -                            &path_beneath, 0);
> -    close(path_beneath.parent_fd);
> -    if (err) {
> -        perror("Failed to update ruleset");
> -        close(ruleset_fd);
> -        return 1;
> +    path_beneath.allowed_access &= ruleset_attr.handled_access_fs;
> +    if (path_beneath.allowed_access) {
> +        path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
> +        if (path_beneath.parent_fd < 0) {
> +            perror("Failed to open file");
> +            close(ruleset_fd);
> +            return 1;
> +        }
> +        err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
> +                                &path_beneath, 0);
> +        close(path_beneath.parent_fd);
> +        if (err) {
> +            perror("Failed to update ruleset");
> +            close(ruleset_fd);
> +            return 1;
> +        }
>      }
>  
> -It may also be required to create rules following the same logic as explained
> -for the ruleset creation, by filtering access rights according to the Landlock
> -ABI version.  In this example, this is not required because all of the requested
> -``allowed_access`` rights are already available in ABI 1.
> +As shown above, masking the rule's ``allowed_access`` against the ruleset's
> +``handled_access_*`` is the recommended best-effort pattern: rights the running
> +kernel does not support are dropped (the compatibility switch above already
> +cleared them in ``handled_access_*``), and the rule is skipped if no supported
> +right remains.
>  
>  For network access-control, we can add a set of rules that allow to use a port
>  number for a specific action: HTTPS connections.
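Review bot: the new paragraph ("As shown above, masking the rule's ``allowed_access`` ...") explains the mechanism but not why skipping the rule is safe, which is the question a reader of this best-effort pattern will have. One sentence would settle it: a right that is absent from ``handled_access_fs`` is not restricted by this ruleset at all, so a rule whose masked ``allowed_access`` is empty has nothing to allow and can be dropped without widening or narrowing the sandbox. It is also worth stating that the snippet depends on ``ruleset_attr`` from the earlier ruleset-creation example still being in scope, since ``path_beneath.allowed_access &= ruleset_attr.handled_access_fs;`` is the first line in this section that references it after the compatibility switch.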
> @@ -193,8 +197,10 @@ number for a specific action: HTTPS connections.
>          .port = 443,
>      };
>  
> -    err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
> -                            &net_port, 0);
> +    net_port.allowed_access &= ruleset_attr.handled_access_net;
> +    if (net_port.allowed_access)
> +        err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
> +                                &net_port, 0);
>  
>  When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a
>  similar backwards compatibility check is needed for the restrict flags
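Review bot: the network block now diverges in shape from the filesystem block above it: there the whole open/add/close sequence and its error handling sit inside `if (path_beneath.allowed_access) { ... }`, while here `if (net_port.allowed_access)` guards a bare `err = landlock_add_rule(...)` with no handling of `err` visible in the hunk. Readers who copy this example are left to guess whether and where to check the result. Either mirror the filesystem block (braces plus the `perror`/`close(ruleset_fd)`/`return 1` path) or add a sentence after the snippet saying that `err` is checked together with the filesystem rule's result, whichever matches the surrounding text.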
> -- 
> 2.54.0
> 

Reviewed-by: Günther Noack <gnoack3000@gmail.com>

Thanks for the documentation improvement!
–Günther

P.S.: Please don't forget to also transfer this change to the
landlock(7) man page, where we are using the same code example.  I
believe the overlap is mostly in the code there, and the text is
slightly different.
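The best-effort filtering that the patch documents, carried through as a self-contained illustration. This is an added example, not code from the patch, the Landlock documentation or the landlock(7) man page: it reproduces the documented compatibility switch (newest rights first, stripped by fall-through for each older ABI) and the rule-level mask from the patch, but takes the ABI version as a function parameter instead of querying it with `landlock_create_ruleset(2)`, uses a small subset of the filesystem rights, and never issues a syscall, so it can be run and checked on any machine. The constants are spelled out locally with the values from `include/uapi/linux/landlock.h`; `handled_for_abi`, `filter_rule`, `plan_rules` and `struct rule_plan` are names chosen for this example. It also goes a step beyond the patch by showing the same rule on every ABI from 0 (Landlock unavailable) to 5, so the skip path is exercised rather than only described.

```c
#include <stdint.h>
#include <stdio.h>

/* Local copies of the UAPI values so this builds without <linux/landlock.h>. */
#define LANDLOCK_ACCESS_FS_EXECUTE	(1ULL << 0)
#define LANDLOCK_ACCESS_FS_READ_FILE	(1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR	(1ULL << 3)
#define LANDLOCK_ACCESS_FS_REFER	(1ULL << 13)	/* ABI 2 */
#define LANDLOCK_ACCESS_FS_TRUNCATE	(1ULL << 14)	/* ABI 3 */
#define LANDLOCK_ACCESS_FS_IOCTL_DEV	(1ULL << 15)	/* ABI 5 */
#define LANDLOCK_ACCESS_NET_CONNECT_TCP	(1ULL << 1)	/* ABI 4 */

struct handled_access {
	uint64_t fs;
	uint64_t net;
};

/*
 * The documented compatibility switch: start from every right this program
 * wants to handle and strip the ones the running kernel predates.  In a real
 * sandbox, abi comes from landlock_create_ruleset(NULL, 0,
 * LANDLOCK_CREATE_RULESET_VERSION); it is a parameter here (example assumption).
 */
struct handled_access handled_for_abi(int abi)
{
	struct handled_access h = {
		.fs = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE |
		      LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_REFER |
		      LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL_DEV,
		.net = LANDLOCK_ACCESS_NET_CONNECT_TCP,
	};

	if (abi < 1)	/* Landlock unavailable: nothing can be handled */
		return (struct handled_access){ 0 };
	switch (abi) {
	case 1:
		h.fs &= ~LANDLOCK_ACCESS_FS_REFER;
		/* fall through */
	case 2:
		h.fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
		/* fall through */
	case 3:
		h.net = 0;
		/* fall through */
	case 4:
		h.fs &= ~LANDLOCK_ACCESS_FS_IOCTL_DEV;
		break;
	}
	return h;
}

/*
 * The rule-level filter from the patch: keep only the bits the ruleset handles
 * and say whether anything is left.  Returns 1 when the rule should be passed
 * to landlock_add_rule(2), 0 when it should be skipped.  Skipping loses
 * nothing: an unhandled right is not restricted, so there is nothing to allow.
 */
int filter_rule(uint64_t requested, uint64_t handled, uint64_t *allowed)
{
	*allowed = requested & handled;
	return *allowed != 0;
}

/* What the two rules from the documentation example become on a given ABI. */
struct rule_plan {
	int add_fs;		/* 1 if the "/usr" rule would be added */
	uint64_t fs_allowed;	/* its masked allowed_access */
	int add_net;		/* 1 if the TCP port 443 rule would be added */
	uint64_t net_allowed;
};

struct rule_plan plan_rules(int abi)
{
	struct handled_access h = handled_for_abi(abi);
	struct rule_plan p = { 0 };
	/* The example's rights plus TRUNCATE and IOCTL_DEV, so that older ABIs
	 * actually have something to drop (constructed input). */
	uint64_t fs_req = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE |
			  LANDLOCK_ACCESS_FS_READ_DIR | LANDLOCK_ACCESS_FS_TRUNCATE |
			  LANDLOCK_ACCESS_FS_IOCTL_DEV;
	uint64_t net_req = LANDLOCK_ACCESS_NET_CONNECT_TCP;

	p.add_fs = filter_rule(fs_req, h.fs, &p.fs_allowed);
	p.add_net = filter_rule(net_req, h.net, &p.net_allowed);
	return p;
}

int main(void)
{
	for (int abi = 0; abi <= 5; abi++) {
		struct rule_plan p = plan_rules(abi);

		printf("ABI %d: fs rule %s (0x%llx), net rule %s (0x%llx)\n", abi,
		       p.add_fs ? "added" : "skipped", (unsigned long long)p.fs_allowed,
		       p.add_net ? "added" : "skipped", (unsigned long long)p.net_allowed);
	}
	return 0;
}
```

Running it shows the two behaviours the patch text describes: on ABI 1 the filesystem rule survives with only EXECUTE, READ_FILE and READ_DIR while the network rule is skipped outright, and from ABI 4 onwards the port rule is added as well. The only reason `err` in the real example must start at 0 is visible in `plan_rules`: a skipped rule produces no call and therefore no result to check.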
