Re: landlock not works well on FUSE filesystem?

["Mickaël Salaün" <mic@digikod.net>]

Hi,

On Thu, Aug 28, 2025 at 01:49:08AM +0000, 姚平 wrote:
> Hi, all.
> 
> I’m trying to use landlock on android 15 which uses kernel 6.6, but meet some troubles when enable landlock on files in fuse filesystem. Here is what I did:
> 
> I use https://elixir.bootlin.com/linux/v6.6.101/source/samples/landlock/sandboxer.c to build a sandboxer and a very simple program sandboxer-test as the sandboxed target.
> The simple target program just reads first line from a file and writes a line to another file.
> I run tests in /data/local/tmp with SELinux disabled. In each test, I enable Landlock with a ruleset, both including and excluding the filepath being tested.
> 
> Test1: test files on /data, landlock works like a charm
> ===Ruleset includes tested files:
> >LL_FS_RO="/apex/:/linkerconfig:/data/local/tmp/sandbox:" LL_FS_RW="/data/local/tmp/files" /data/local/tmp/sandboxer /data/local/tmp/sandbox/sandboxer-test /data/local/tmp/files/ro/readme.txt /data/local/tmp/files/rw/writeme.txt
> First line from input file '/data/local/tmp/files/ro/readme.txt':
> hello there~~~
> 
> writed to output file '/data/local/tmp/files/rw/writeme.txt':
> hello world
> 
> ===Ruleset excludes test files:
> > LL_FS_RO="/apex/:/linkerconfig:/data/local/tmp/sandbox:" LL_FS_RW="/data/local/tmp/sandbox" /data/local/tmp/sandboxer /data/local/tmp/sandbox/sandboxer-test /data/local/tmp/files/ro/readme.txt /data/local/tmp/files/rw/writeme.txt

This would not change your test but LL_FS_RW should point to something
else than the sandboxer binary.  Well, we should probably allow this
variable to not be set.

> Error opening input file '/data/local/tmp/files/ro/readme.txt': Permission denied
> Error opening output file '/data/local/tmp/files/rw/writeme.txt': Permission denied
> 
> Test2: test files on /tmp, landlock works like a charm
> ===Ruleset includes tested files:
> > LL_FS_RO="/apex/:/linkerconfig:/data/local/tmp/sandbox:"LL_FS_RW="/tmp" /data/local/tmp/sandboxer /data/local/tmp/sandbox/sandboxer-test /tmp/ro.txt /tmp/rw.txt
> First line from input file '/tmp/ro.txt':
> hello there~~
> 
> writed to output file '/tmp/rw.txt':
> hello world
> 
> ===Ruleset excludes test files:
> > LL_FS_RO="/apex/:/linkerconfig:/data/local/tmp/sandbox:"LL_FS_RW="/data" /data/local/tmp/sandboxer /data/local/tmp/sandbox/sandboxer-test /tmp/ro.txt /tmp/rw.txt
> Error opening input file '/tmp/ro.txt': Permission denied
> Error opening output file '/tmp/rw.txt': Permission denied
> 
> Test3: test files on /storage/emulated, landlock not works.
> ===Ruleset includes tested files:
> >LL_FS_RO="/apex/:/linkerconfig:/data/local/tmp/sandbox:"LL_FS_RW="/storage/emulated/0/Android/data/com.vivo.nativetest/files" /data/local/tmp/sandboxer /data/local/tmp/sandbox/sandboxer-test /storage/emulated/0/Android/data/com.vivo.nativetest/files/ro.txt /storage/emulated/0/Android/data/com.vivo.nativetest/files/rw.txt
> Error opening input file '/storage/emulated/0/Android/data/com.vivo.nativetest/files/ro.txt': Permission denied
> Error opening output file '/storage/emulated/0/Android/data/com.vivo.nativetest/files/rw.txt': Permission denied
> 
> ===Ruleset excludes tested files:
> >LL_FS_RO="/apex/:/linkerconfig:/data/local/tmp/sandbox:"LL_FS_RW="/data" /data/local/tmp/sandboxer /data/local/tmp/sandbox/sandboxer-test /storage/emulated/0/Android/data/com.test.nativetest/files/ro.txt /storage/emulated/0/Android/data/com.test.nativetest/files/rw.txt
> Error opening input file '/storage/emulated/0/Android/data/com.test.nativetest/files/ro.txt': Permission denied
> Error opening output file '/storage/emulated/0/Android/data/com.test.nativetest/files/rw.txt': Permission denied
> 
> Here are the mount infos:
> 
> /dev/block/dm-57 on /data type f2fs (rw,lazytime,seclabel,nosuid,nodev,noatime,background_gc=on,nogc_merge,discard,discard_unit=block,user_xattr,inline_xattr,acl,inline_data,inline_dentry,noflush_merge,barrier,extent_cache,mode=adaptive,active_logs=6,reserve_root=134217,resuid=0,resgid=1065,inlinecrypt,alloc_mode=default,checkpoint_merge,fsync_mode=nobarrier,compress_algorithm=zstd:1,compress_log_size=3,compress_mode=user,compress_cache,memory=normal,errors=continue)
> /dev/fuse on /storage/emulated type fuse (rw,lazytime,nosuid,nodev,noexec,noatime,user_id=0,group_id=0,allow_other)
> tmpfs on /tmp type tmpfs (rw,seclabel,relatime,size=5604712k,nr_inodes=1401178)
> 
> As you can see, the only difference in the 3 tests is the tested file’s location. I’m not sure if this related to the filesystem type or I did something wrong.

Yes, it might be related to the sdcard FUSE implementation.

Could you please adapt a bit tools/testing/selftests/landlock/fs_test.c
(in the kernel source tree) and patch it with
https://lore.kernel.org/all/20250704171345.1393451-1-mic@digikod.net/
to check that the layout3_fs tests with FUSE work as expected?
You can just remove the non-layout3_fs tests, change the mount point
for FUSE, build and run fs_test.

My tests with another FUSE FS seems to work fine, but they may be
incomplete, or maybe the sdcard FUSE FS has a bug.

Also, see this patch to run all Landlock FS tests against a specified
directory/FS:
https://lore.kernel.org/all/20250830034753.186551-1-m@maowtm.org/

> 
> Can someone help me to solve this problem?
> 
> thanks a lot.
> 
> ________________________________
> 本邮件及其附件内容可能含有机密和/或隐私信息，仅供指定个人或机构使用。若您非发件人指定收件人或其代理人，请勿使用、传播、复制或存储此邮件之任何内容或其附件。如您误收本邮件，请即以回复或电话方式通知发件人，并将原始邮件、附件及其所有复本删除。谢谢。
> The contents of this message and any attachments may contain confidential and/or privileged information and are intended exclusively for the addressee(s). If you are not the intended recipient of this message or their agent, please note that any use, dissemination, copying, or storage of this message or its attachments is not allowed. If you receive this message in error, please notify the sender by reply the message or phone and delete this message, any attachments and any copies immediately.
> Thank you