From: "Günther Noack" <gnoack@google.com>
To: "Christian Brauner" <brauner@kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Paul Moore" <paul@paul-moore.com>
Cc: linux-security-module@vger.kernel.org
Subject: LSM: Whiteout chardev creation sidesteps mknod hook
Date: Tue, 7 Apr 2026 15:05:13 +0200 [thread overview]
Message-ID: <adUBCQXrt7kmgqJT@google.com> (raw)
Hello Christian, Paul, Mickaël and LSM maintainers!
I discovered the following bug in Landlock, which potentially also
affects other LSMs:
With renameat2(2)'s RENAME_WHITEOUT flag, it is possible to create a
"whiteout object" at the source of the rename. Whiteout objects are
character devices with major/minor (0, 0) -- these devices are not
bound to any driver, so they are harmless, but still, the creation of
these files can sidestep the LANDLOCK_ACCESS_FS_MAKE_CHAR access right
in Landlock.
I am unconvinced which is the right fix here -- do you have an opinion
on this from the VFS/LSM side?
Option 1: Make filesystems call security_path_mknod() during RENAME_WHITEOUT?
Do it in the VFS rename hook.
* Pro: Fixes it for all LSMs
* Con: Call would have to be done in multiple filesystems
Option 2: Handle it in security_{path,inode}_rename()
Make Landlock handle it in security_inode_rename() by looking for the
RENAME_WHITEOUT flag.
* Con: Operation should only be denied if the file system even
implements RENAME_WHITEOUT, and we would have to maintain a list of
affected filesystems for that. (That feels like solving it at the
wrong layer of abstraction.)
* Con: Unclear whether other LSMs need a similar fix
Option 3: Declare that this is working as intended?
* Pro: (0, 0) is not a "real" character device
In cases 1 and 2, we'd likely need to double check that we are not
breaking existing scenarios involving OverlayFS, by suddenly requiring
a more lax policy for creating character devices on these directories.
Please let me know what you think. I'm specifically interested in:
1. Christian: What is the appropriate way to do this VFS wise?
2. LSM maintainers: Is this a bug that affects other LSMs as well?
Thanks,
—Günther
P.S.: For full transparency, I found this bug by pointing Google
Gemini at the Landlock codebase.
next reply other threads:[~2026-04-07 13:05 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-07 13:05 Günther Noack [this message]
2026-04-07 17:15 ` LSM: Whiteout chardev creation sidesteps mknod hook Serge Hallyn
2026-04-09 12:47 ` Christian Brauner
2026-04-11 8:36 ` Günther Noack
2026-04-13 10:18 ` Miklos Szeredi
2026-04-13 12:23 ` Günther Noack
2026-04-13 17:08 ` Stephen Smalley
2026-04-14 13:42 ` Mickaël Salaün
2026-04-14 14:07 ` Miklos Szeredi
2026-04-08 11:01 ` Mickaël Salaün
2026-04-08 12:24 ` Mickaël Salaün
2026-04-11 8:26 ` Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=adUBCQXrt7kmgqJT@google.com \
--to=gnoack@google.com \
--cc=brauner@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.