Re: [PATCH v3 1/3] landlock: Require LANDLOCK_ACCESS_FS_MAKE_WHITEOUT for RENAME_WHITEOUT

["Günther Noack" <gnoack@google.com>]

Thanks for the review!

On Wed, Jun 10, 2026 at 03:38:56PM +0200, Mickaël Salaün wrote:
> Making MAKE_CHAR not covering MAKE_WHITEOUT is not addressed (see
> previous discussion).  MAKE_CHAR should not restrict whiteout creation
> *if* MAKE_WHITEOUT is handled.

(This is option (3) from your reply to V1 [1].)
        
I am skeptical of this approach, because it complicates how userspace
needs to deal with this access right.  Consider the following
scenario: A program wants to install the policy:

 * DENY  MAKE_WHITEOUT, MAKE_CHAR
 * ALLOW MAKE_WHITEOUT             in /foo  (path_beneath rule)

Then, if the kernel ABI predates make-whiteout, with the usual
best-effort fallback (clearing out the unsupported bits), this ruleset
becomes:

 * DENY  MAKE_CHAR
 * (no ALLOW rule)

But this ruleset is incorrect, because it denies mknod("/foo/x",
S_IFCHR | mode, makedev(0, 0)) in /foo, which was explicitly allowed
in the earlier ruleset.

So in order to implement the best-effort fallback, I guess userspace
libraries would now have to take into account whether there are any
rules where MAKE_WHITEOUT is specifically allowed, and if so, they
can't restrict MAKE_CHAR either?  I find this a bit complicated and I
think it's foreseeable that library implementers will predominantly
get this wrong.


Let me circle back to the other options you mentioned in [1], quoting
them here for reference:
> I see four options:
> 
> 1. Consider whiteouts as regular files and make them handled by
>    LANDLOCK_ACCESS_FS_MAKE_REG.  This would require an erratum and would
>    make sense for direct mknod calls, but it would be weird for
>    renameat2 calls than move a file and should only require
>    LANDLOCK_ACCESS_FS_REMOVE_FILE from the user point of view.

It would be weird for renameat2 calls to require MAKE_REG in the
source directory, but the weirdness would only affect
fuse-overlayfs-style programs and could be documented explicitly for
them for the case that they start using Landlock.

Normal programs that just call rename() on an existing FUSE-Overlayfs
filesystem would *not* require the MAKE_REG right, because the FUSE
process would do that on their behalf with the FUSE processes'
credentials.

> 
> 2. Add a new LANDLOCK_ACCESS_FS_MAKE_WHITEOUT right to handle whitout
>    creation (direct and indirect?) and keep LANDLOCK_ACCESS_FS_MAKE_CHAR
>    handle direct whiteout creation (and don't backport anything).  It
>    looks inconsistent from an access control point of view.

MAKE_WHITEOUT to handle rename(RENAME_WHITEOUT) and MAKE_CHAR to
handle mknod(chardev (0, 0)) -- This is a bit inconsistent, but it
does not make a difference for any programs other than the ones
calling rename(RENAME_WHITEOUT) (i.e., overlayfs-fuse), and it could
be documented for that one use case.

I find this a pragmatic balance, and it does not require special logic
for the best-effort fallback either.  Could you be persuaded to go
this route instead?

> 3. Add a new LANDLOCK_ACCESS_FS_MAKE_WHITEOUT right and, when handled,
>    make LANDLOCK_ACCESS_FS_MAKE_CHAR not handle whiteout.  This would be
>    a bit weird from a kernel point of view but it should work well for
>    users while still forbidding direct whiteout creation.

Except for the best-effort fallback, which is IMHO prone to
implementation bugs. (see above)

On the side, the implementation of this is also non-trivial: In order
to check for mknod(..., makedev(0, 0)), we need to check
layer-by-layer whether the layer handles MAKE_WHITEOUT and then either
check for MAKE_CHAR or MAKE_WHITEOUT.


> 4. Add a new LANDLOCK_ACCESS_FS_MAKE_WHITEOUT right and make
>    LANDLOCK_ACCESS_FS_MAKE_CHAR never handle whiteout (and backport
>    MAKE_CHAR fix with an errata).  This would be consistent but backport
>    a way to directly create whiteouts (e.g. with mknod).

It's mostly theoretical, but lifting the mknod(chardev (0,0))
restriction for normal mknod() calls and calling it an erratum seems
surprising as well, because it would relax security guarantees for
existing programs.

I also pondered the alternative of creating an erratum but
intentionally *not* backporting it, but even in that case, that
surprising erratum still affects older programs which are deployed on
newer kernels.


Revisiting this discussion, I'd lean towards option 1 or 2 -- could
you be persuaded towards one of these?

I have a slight preference for option 1 (using MAKE_REG) because it
would be a narrow fix that could be backported to older kernels as
well and would not require a new access right.  Given that the use
case for RENAME_WHITEOUT is really only for FUSE-OverlayFS and given
that FUSE-OverlayFS anyway needs MAKE_REG permissions there, I have
trouble imagining a scenario where a separate access right for
MAKE_WHITEOUT is needed in a policy.  It seems like a pragmatic
choice.


> Specific tests should check that all
> these cases are proprely handled.
>
> There is no documentation update related to the new feature.  A note
> should also explain what exactly is a whiteout and why it is not
> considered a character device (see previous discussions).
> 
> The sandboxer is not updated.
> 
> There is no audit tests.

Acknowledged, these were missing.

(I was initially hoping that this bug report wouldn't expand into a
full-fledged feature with its own access right constant, but it is
correct that this is all required in that case... :-/)

Will add this for the next patch set revision if it is still needed.

—Günther

[1] https://lore.kernel.org/all/20260414.Lae5ida1eeGh@digikod.net/