* landlock: Add support for chmod and chown system calls families
From: Jeffrey Bencteux @ 2026-04-12  9:50 UTC (permalink / raw)
  To: mic, gnoack, paul, jmorris, serge; +Cc: linux-security-module, jeff

Hi,

This patch series adds support for the chmod and chown system call
families in Landlock.

These system calls could be used when exploiting applications. Two new
flags are added for struct landlock_ruleset_attr:

* LANDLOCK_ACCESS_FS_CHMOD
* LANDLOCK_ACCESS_FS_CHOWN

Restriction is limited to files as the security.c hooks for both
system calls seem to only apply to files. More digging is needed
before being able to restrict calls to chmod and chown on directories.

It adds basic tests for both operation families, one for when it is
allowed, one for when it is not.

First patch also fixes a bug I encountered when writing the tests.
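As an added example (not code from this series or from the Landlock project), a user-space sandbox that requests the two proposed rights and strips them again on a kernel whose Landlock ABI predates them, the fallback pattern the sample and the documentation use for rights added in earlier ABIs. The LL_-prefixed constants mirror the UAPI values from the patch, and ASSUMED_ABI_WITH_CHMOD_CHOWN is a placeholder because the series does not bump the ABI version.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000
#endif

/* UAPI values under private names (builds with pre-series headers);
 * CHMOD/CHOWN are the bits the patch proposes. */
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_CHMOD (1ULL << 16)
#define LL_FS_CHOWN (1ULL << 17)
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define NR_LL_CREATE_RULESET 444
#define NR_LL_ADD_RULE 445
#define NR_LL_RESTRICT_SELF 446

/* Minimal mirrors of struct landlock_ruleset_attr (first field only; the
 * kernel accepts a smaller size) and struct landlock_path_beneath_attr. */
struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; }
	__attribute__((packed));

/* ASSUMPTION: placeholder, the series does not bump the ABI version. */
#define ASSUMED_ABI_WITH_CHMOD_CHOWN 99

/* Drops rights an older ABI cannot handle, the fallback pattern
 * samples/landlock/sandboxer.c uses; 'abi' comes from the version probe
 * syscall(NR_LL_CREATE_RULESET, NULL, 0, LL_CREATE_RULESET_VERSION). */
uint64_t handled_fs_for_abi(long abi, uint64_t wanted)
{
	if (abi < ASSUMED_ABI_WITH_CHMOD_CHOWN)
		wanted &= ~(LL_FS_CHMOD | LL_FS_CHOWN);
	return wanted;
}

/* Confines the calling thread: each right in 'handled' is denied
 * everywhere except 'allowed' beneath 'dir'. With the series applied and
 * LL_FS_CHMOD handled but not allowed, chmod(2) beneath 'dir' then fails
 * with EACCES while reads and writes still work. Returns 0 or -errno. */
int confine(const char *dir, uint64_t handled, uint64_t allowed)
{
	struct ll_ruleset_attr attr = { .handled_access_fs = handled };
	struct ll_path_beneath_attr rule = { .allowed_access = allowed & handled };
	int err = 0, rfd = syscall(NR_LL_CREATE_RULESET, &attr, sizeof(attr), 0);

	if (rfd < 0)
		return -errno;
	rule.parent_fd = open(dir, O_PATH | O_CLOEXEC);
	if (rule.parent_fd < 0 ||
	    syscall(NR_LL_ADD_RULE, rfd, LL_RULE_PATH_BENEATH, &rule, 0) ||
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
	    syscall(NR_LL_RESTRICT_SELF, rfd, 0))
		err = errno;
	if (rule.parent_fd >= 0)
		close(rule.parent_fd);
	close(rfd);
	return -err;
}
```

A caller would probe the ABI, pass the result through handled_fs_for_abi() and then call confine() with the read/write rights allowed beneath its working directory but the chmod/chown rights handled and never granted.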



* [PATCH 1/5] selftests/landlock: fix return condition on create_directory
From: Jeffrey Bencteux @ 2026-04-12  9:50 UTC (permalink / raw)
  To: mic, gnoack, paul, jmorris, serge; +Cc: linux-security-module, jeff

If the path already exists when calling create_directory() in tests, i.e. when
mkdir() returns EEXIST, directory creation fails. This patch
fixes it by allowing create_directory() to use already existing
directories.

Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr>
---
 tools/testing/selftests/landlock/fs_test.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 968a91c927a4..e5898dc7e53e 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -218,8 +218,11 @@ static void mkdir_parents(struct __test_metadata *const _metadata,
 static void create_directory(struct __test_metadata *const _metadata,
 			     const char *const path)
 {
+	int err;
+
 	mkdir_parents(_metadata, path);
-	ASSERT_EQ(0, mkdir(path, 0700))
+	err = mkdir(path, 0700);
+	ASSERT_FALSE(err && errno != EEXIST)
 	{
 		TH_LOG("Failed to create directory \"%s\": %s", path,
 		       strerror(errno));
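Review bot: tolerating EEXIST in `ASSERT_FALSE(err && errno != EEXIST)` also accepts a pre-existing regular file or symlink at `path`, because mkdir() returns EEXIST for any existing entry, so a later test could run against something that is not a directory. Suggest following the EEXIST case with a stat()/S_ISDIR() check, and saying in the commit message which test leaves the directory behind, so the fixture's cleanup can be fixed rather than masked.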

base-commit: 82544d36b1729153c8aeb179e84750f0c085d3b1
-- 
2.53.0



* [PATCH 2/5] landlock: add support for chmod and chown
From: Jeffrey Bencteux @ 2026-04-12  9:50 UTC (permalink / raw)
  To: mic, gnoack, paul, jmorris, serge; +Cc: linux-security-module, jeff

Modifying file permissions and ownership are operations of interest when
exploiting applications. This patch adds support for both the chmod and
chown system call families in Landlock, allowing one to restrict them for
a given userland application.

Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr>
---
 include/uapi/linux/landlock.h | 13 ++++++++++---
 security/landlock/access.h    |  2 +-
 security/landlock/audit.c     |  2 ++
 security/landlock/fs.c        | 17 ++++++++++++++++-
 security/landlock/limits.h    |  2 +-
 5 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index f88fa1f68b77..815577bda274 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -248,6 +248,12 @@ struct landlock_net_port_attr {
  *
  *   This access right is available since the fifth version of the Landlock
  *   ABI.
+ * - %LANDLOCK_ACCESS_FS_CHMOD: Modify permissions on a file with
+ *   :manpage:`chmod(2)` family system calls (:manpage:`fchmod(2)`,
+ *   :manpage:`fchmodat(2)`, :manpage:`fchmodat2(2)`).
+ * - %LANDLOCK_ACCESS_FS_CHOWN: Change owner of a file with
+ *   :manpage:`chown(2)` family system calls (:manpage:`fchown(2)`,
+ *   :manpage:`fchownat(2)`, :manpage:`lchown(2)`).
  *
  * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used
  * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as
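Review bot: the two new entries lack the "This access right is available since the Nth version of the Landlock ABI" sentence that every other right in this list carries (see the context line just above the added entries), and the diffstat shows no change to the file that defines the ABI version, so user space has no way to probe for these rights. Add the ABI version sentence here and bump the version in the same patch.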
@@ -311,9 +317,8 @@ struct landlock_net_port_attr {
  *
  *   It is currently not possible to restrict some file-related actions
  *   accessible through these syscall families: :manpage:`chdir(2)`,
- *   :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`chmod(2)`,
- *   :manpage:`chown(2)`, :manpage:`setxattr(2)`, :manpage:`utime(2)`,
- *   :manpage:`fcntl(2)`, :manpage:`access(2)`.
+ *   :manpage:`stat(2)`, :manpage:`flock(2)`, :manpage:`setxattr(2)`,
+ *   :manpage:`utime(2)`, :manpage:`fcntl(2)`, :manpage:`access(2)`.
  *   Future Landlock evolutions will enable to restrict them.
  */
 /* clang-format off */
@@ -333,6 +338,8 @@ struct landlock_net_port_attr {
 #define LANDLOCK_ACCESS_FS_REFER			(1ULL << 13)
 #define LANDLOCK_ACCESS_FS_TRUNCATE			(1ULL << 14)
 #define LANDLOCK_ACCESS_FS_IOCTL_DEV			(1ULL << 15)
+#define LANDLOCK_ACCESS_FS_CHMOD			(1ULL << 16)
+#define LANDLOCK_ACCESS_FS_CHOWN			(1ULL << 17)
 /* clang-format on */
 
 /**
diff --git a/security/landlock/access.h b/security/landlock/access.h
index 42c95747d7bd..89dc8e7b93da 100644
--- a/security/landlock/access.h
+++ b/security/landlock/access.h
@@ -34,7 +34,7 @@
 	LANDLOCK_ACCESS_FS_IOCTL_DEV)
 /* clang-format on */
 
-typedef u16 access_mask_t;
+typedef u32 access_mask_t;
 
 /* Makes sure all filesystem access rights can be stored. */
 static_assert(BITS_PER_TYPE(access_mask_t) >= LANDLOCK_NUM_ACCESS_FS);
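Review bot: widening access_mask_t from u16 to u32 is not mentioned in the commit message although it changes the size of everything that embeds an access mask. State why it is needed (18 filesystem rights no longer fit in 16 bits, which the static_assert below would otherwise catch at build time) and check the other users of this type for size assumptions that the static_assert does not cover.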
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index 60ff217ab95b..a4dec40d5395 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -37,6 +37,8 @@ static const char *const fs_access_strings[] = {
 	[BIT_INDEX(LANDLOCK_ACCESS_FS_REFER)] = "fs.refer",
 	[BIT_INDEX(LANDLOCK_ACCESS_FS_TRUNCATE)] = "fs.truncate",
 	[BIT_INDEX(LANDLOCK_ACCESS_FS_IOCTL_DEV)] = "fs.ioctl_dev",
+	[BIT_INDEX(LANDLOCK_ACCESS_FS_CHMOD)] = "fs.chmod",
+	[BIT_INDEX(LANDLOCK_ACCESS_FS_CHOWN)] = "fs.chown",
 };
 
 static_assert(ARRAY_SIZE(fs_access_strings) == LANDLOCK_NUM_ACCESS_FS);
diff --git a/security/landlock/fs.c b/security/landlock/fs.c
index e764470f588c..b32d91b733b9 100644
--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -314,7 +314,9 @@ static struct landlock_object *get_inode_object(struct inode *const inode)
 	LANDLOCK_ACCESS_FS_WRITE_FILE | \
 	LANDLOCK_ACCESS_FS_READ_FILE | \
 	LANDLOCK_ACCESS_FS_TRUNCATE | \
-	LANDLOCK_ACCESS_FS_IOCTL_DEV)
+	LANDLOCK_ACCESS_FS_IOCTL_DEV | \
+	LANDLOCK_ACCESS_FS_CHMOD | \
+	LANDLOCK_ACCESS_FS_CHOWN)
 /* clang-format on */
 
 /*
@@ -1561,6 +1563,17 @@ static int hook_path_truncate(const struct path *const path)
 	return current_check_access_path(path, LANDLOCK_ACCESS_FS_TRUNCATE);
 }
 
+static int hook_path_chmod(const struct path *const path, umode_t mode)
+{
+	return current_check_access_path(path, LANDLOCK_ACCESS_FS_CHMOD);
+}
+
+static int hook_path_chown(const struct path *const path, kuid_t uid,
+			    kgid_t gid)
+{
+	return current_check_access_path(path, LANDLOCK_ACCESS_FS_CHOWN);
+}
+
 /* File hooks */
 
 /**
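Review bot: hook_path_chmod() and hook_path_chown() ignore their mode, uid and gid arguments, which is fine for an all-or-nothing right, but a one-line comment should say so, since a reader might otherwise expect per-mode or per-owner granularity. Both hooks also receive a generic struct path, yet the cover letter says the restriction is limited to files; a comment explaining which callers reach these hooks and why directories are not covered would save the next reviewer the same digging.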
@@ -1838,6 +1851,8 @@ static struct security_hook_list landlock_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(path_unlink, hook_path_unlink),
 	LSM_HOOK_INIT(path_rmdir, hook_path_rmdir),
 	LSM_HOOK_INIT(path_truncate, hook_path_truncate),
+	LSM_HOOK_INIT(path_chmod, hook_path_chmod),
+	LSM_HOOK_INIT(path_chown, hook_path_chown),
 
 	LSM_HOOK_INIT(file_alloc_security, hook_file_alloc_security),
 	LSM_HOOK_INIT(file_open, hook_file_open),
diff --git a/security/landlock/limits.h b/security/landlock/limits.h
index eb584f47288d..231d60d5bf8b 100644
--- a/security/landlock/limits.h
+++ b/security/landlock/limits.h
@@ -19,7 +19,7 @@
 #define LANDLOCK_MAX_NUM_LAYERS		16
 #define LANDLOCK_MAX_NUM_RULES		U32_MAX
 
-#define LANDLOCK_LAST_ACCESS_FS		LANDLOCK_ACCESS_FS_IOCTL_DEV
+#define LANDLOCK_LAST_ACCESS_FS		LANDLOCK_ACCESS_FS_CHOWN
 #define LANDLOCK_MASK_ACCESS_FS		((LANDLOCK_LAST_ACCESS_FS << 1) - 1)
 #define LANDLOCK_NUM_ACCESS_FS		__const_hweight64(LANDLOCK_MASK_ACCESS_FS)
 
-- 
2.53.0



* [PATCH 3/5] selftests/landlock: add tests for chmod and chown restrictions
From: Jeffrey Bencteux @ 2026-04-12  9:50 UTC (permalink / raw)
  To: mic, gnoack, paul, jmorris, serge; +Cc: linux-security-module, jeff

This patch adds basic tests for the support of chmod and chown system
call restriction in Landlock.

Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr>
---
 tools/testing/selftests/landlock/fs_test.c | 99 +++++++++++++++++++++-
 1 file changed, 98 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index e5898dc7e53e..13d276558146 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -578,7 +578,9 @@ TEST_F_FORK(layout1, inval)
 	LANDLOCK_ACCESS_FS_WRITE_FILE | \
 	LANDLOCK_ACCESS_FS_READ_FILE | \
 	LANDLOCK_ACCESS_FS_TRUNCATE | \
-	LANDLOCK_ACCESS_FS_IOCTL_DEV)
+	LANDLOCK_ACCESS_FS_IOCTL_DEV | \
+	LANDLOCK_ACCESS_FS_CHMOD | \
+	LANDLOCK_ACCESS_FS_CHOWN)
 
 #define ACCESS_LAST LANDLOCK_ACCESS_FS_IOCTL_DEV
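Review bot: ACCESS_LAST is left at LANDLOCK_ACCESS_FS_IOCTL_DEV (the context line right below the hunk) while ACCESS_ALL now includes LANDLOCK_ACCESS_FS_CHMOD and LANDLOCK_ACCESS_FS_CHOWN, so any test that builds an unknown right as ACCESS_LAST << 1 now produces a right the patched kernel accepts. Update it to LANDLOCK_ACCESS_FS_CHOWN in this patch.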
 
@@ -4111,6 +4113,101 @@ TEST_F_FORK(ftruncate, open_and_ftruncate_in_different_processes)
 	ASSERT_EQ(0, close(socket_fds[1]));
 }
 
+static int test_chmod(const char *path, mode_t mode)
+{
+	if (chmod(path, mode) == -1)
+		return errno;
+	return 0;
+}
+
+TEST_F_FORK(layout1, chmod_file)
+{
+	const char *const file_rw_no_chmod = file1_s1d1;
+	const char *const file_chmod = file1_s1d2;
+
+	const struct rule rules[] = {
+		{
+			.path = file_rw_no_chmod,
+			.access = LANDLOCK_ACCESS_FS_READ_FILE |
+			LANDLOCK_ACCESS_FS_WRITE_FILE,
+		},
+		{
+			.path = file_chmod,
+			.access = LANDLOCK_ACCESS_FS_CHMOD,
+		},
+		{},
+	};
+
+	const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE |
+			      LANDLOCK_ACCESS_FS_WRITE_FILE |
+			      LANDLOCK_ACCESS_FS_CHMOD;
+	int ruleset_fd;
+
+	/* Enables Landlock. */
+	ruleset_fd = create_ruleset(_metadata, handled, rules);
+
+	ASSERT_LE(0, ruleset_fd);
+	enforce_ruleset(_metadata, ruleset_fd);
+	ASSERT_EQ(0, close(ruleset_fd));
+
+	/* Checks chmod rights when it is not allowed, mode is arbitrary */
+	EXPECT_EQ(EACCES, test_chmod(file_rw_no_chmod, 777));
+
+	/* Checks chmod rights when it is allowed, mode is arbitrary */
+	EXPECT_EQ(0, test_chmod(file_chmod, 777));
+}
+
+static int test_chown(const char *path, uid_t owner, gid_t group)
+{
+	if (chown(path, owner, group) == -1)
+		return errno;
+	return 0;
+}
+
+TEST_F_FORK(layout1, chown_file)
+{
+	const char *const file_rw_no_chown = file1_s1d1;
+	const char *const file_chown = file1_s1d2;
+
+	const struct rule rules[] = {
+		{
+			.path = file_rw_no_chown,
+			.access = LANDLOCK_ACCESS_FS_READ_FILE |
+			LANDLOCK_ACCESS_FS_WRITE_FILE,
+		},
+		{
+			.path = file_chown,
+			.access = LANDLOCK_ACCESS_FS_CHOWN,
+		},
+		{},
+	};
+
+	const __u64 handled = LANDLOCK_ACCESS_FS_READ_FILE |
+			      LANDLOCK_ACCESS_FS_WRITE_FILE |
+			      LANDLOCK_ACCESS_FS_CHOWN;
+	int ruleset_fd;
+
+	/* Enables Landlock. */
+	ruleset_fd = create_ruleset(_metadata, handled, rules);
+
+	ASSERT_LE(0, ruleset_fd);
+	enforce_ruleset(_metadata, ruleset_fd);
+	ASSERT_EQ(0, close(ruleset_fd));
+
+	/*
+	 * Checks chown rights when it is not allowed, owner and group are
+	 * arbitrary.
+	 */
+	EXPECT_EQ(EACCES, test_chown(file_rw_no_chown, 0, 0));
+
+	/*
+	 * Checks chown rights when it is allowed, owner and group are
+	 * arbitrary.
+	 */
+	EXPECT_EQ(0, test_chown(file_chown, 0, 0));
+}
+
+
 /* Invokes the FS_IOC_GETFLAGS IOCTL and returns its errno or 0. */
 static int test_fs_ioc_getflags_ioctl(int fd)
 {
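Review bot: `test_chmod(file_rw_no_chmod, 777)` passes decimal 777 (octal 01411, sticky bit set), not 0777; the comment says the mode is arbitrary, but an octal literal such as 0700 avoids the confusion. Beyond that, both tests only exercise chmod(2) and chown(2), while the documentation added in patch 2 lists fchmod(2), fchmodat(2), fchmodat2(2), fchown(2), fchownat(2) and lchown(2); please add at least one fd-based and one *at variant, a test that chmod/chown still succeed when the ruleset does not handle the new rights (backward compatibility), and one on a directory to pin down the file-only behaviour described in the cover letter. Also drop one of the two blank lines left before test_fs_ioc_getflags_ioctl().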
-- 
2.53.0



* [PATCH 4/5] samples/landlock: add support for chown and chmod
From: Jeffrey Bencteux @ 2026-04-12  9:50 UTC (permalink / raw)
  To: mic, gnoack, paul, jmorris, serge; +Cc: linux-security-module, jeff

Update sandboxer.c sample code with restrictions for the chown and chmod
system call families.

Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr>
---
 samples/landlock/sandboxer.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index e7af02f98208..551e9a33665a 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -111,7 +111,9 @@ static int parse_path(char *env_path, const char ***const path_list)
 	LANDLOCK_ACCESS_FS_WRITE_FILE | \
 	LANDLOCK_ACCESS_FS_READ_FILE | \
 	LANDLOCK_ACCESS_FS_TRUNCATE | \
-	LANDLOCK_ACCESS_FS_IOCTL_DEV)
+	LANDLOCK_ACCESS_FS_IOCTL_DEV | \
+	LANDLOCK_ACCESS_FS_CHMOD | \
+	LANDLOCK_ACCESS_FS_CHOWN)
 
 /* clang-format on */
 
@@ -295,7 +297,9 @@ static bool check_ruleset_scope(const char *const env_var,
 	LANDLOCK_ACCESS_FS_MAKE_SYM | \
 	LANDLOCK_ACCESS_FS_REFER | \
 	LANDLOCK_ACCESS_FS_TRUNCATE | \
-	LANDLOCK_ACCESS_FS_IOCTL_DEV)
+	LANDLOCK_ACCESS_FS_IOCTL_DEV | \
+	LANDLOCK_ACCESS_FS_CHMOD | \
+	LANDLOCK_ACCESS_FS_CHOWN)
 
 /* clang-format on */
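Review bot: adding the two rights to this rough-write set without a matching ABI fallback breaks the sample on any kernel that predates the series, since the kernel rejects unknown handled_access_fs bits with EINVAL and the sample's existing version switch, which strips rights unsupported by the probed ABI, is not extended here. Add a case that clears LANDLOCK_ACCESS_FS_CHMOD | LANDLOCK_ACCESS_FS_CHOWN for older ABIs; this depends on patch 2 bumping the ABI version.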
 
-- 
2.53.0



* [PATCH 5/5] landlock: Document chmod and chown support in example code
From: Jeffrey Bencteux @ 2026-04-12  9:50 UTC (permalink / raw)
  To: mic, gnoack, paul, jmorris, serge; +Cc: linux-security-module, jeff

Add missing LANDLOCK_ACCESS_FS_* flags in Landlock documentation

Signed-off-by: Jeffrey Bencteux <jeff@bencteux.fr>
---
 Documentation/userspace-api/landlock.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 13134bccdd39..4eb7ed3dcbfe 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -77,7 +77,9 @@ to be explicit about the denied-by-default access rights.
             LANDLOCK_ACCESS_FS_MAKE_SYM |
             LANDLOCK_ACCESS_FS_REFER |
             LANDLOCK_ACCESS_FS_TRUNCATE |
-            LANDLOCK_ACCESS_FS_IOCTL_DEV,
+            LANDLOCK_ACCESS_FS_IOCTL_DEV |
+            LANDLOCK_ACCESS_FS_CHMOD |
+            LANDLOCK_ACCESS_FS_CHOWN,
         .handled_access_net =
             LANDLOCK_ACCESS_NET_BIND_TCP |
             LANDLOCK_ACCESS_NET_CONNECT_TCP,
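Review bot: the example in landlock.rst is followed by a switch on the probed ABI version that removes rights unsupported by older kernels; adding the rights to handled_access_fs without a matching case leaves the documented code failing with EINVAL on older kernels. Extend the switch alongside this change and state which ABI version introduces the rights, which is the piece of documentation readers of this example actually need.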
-- 
2.53.0



* Re: landlock: Add support for chmod and chown system calls families
From: Günther Noack @ 2026-04-13 12:36 UTC (permalink / raw)
  To: Jeffrey Bencteux
  Cc: mic, paul, jmorris, serge, linux-security-module, xiujianfeng

Hello Jeffrey,

On Sun, Apr 12, 2026 at 11:50:39AM +0200, Jeffrey Bencteux wrote:
> This patch series adds support for the chmod and chown system call
> families in Landlock.
> 
> These system calls could be used when exploiting applications. Two new
> flags are added for struct landlock_ruleset_attr:
> 
> * LANDLOCK_ACCESS_FS_CHMOD
> * LANDLOCK_ACCESS_FS_CHOWN
> 
> Restriction is limited to files as the security.c hooks for both
> system calls seem to only apply to files. More digging is needed
> before being able to restrict calls to chmod and chown on directories.
> 
> It adds basic tests for both operation families, one for when it is
> allowed, one for when it is not.
> 
> First patch also fixes a bug I encountered when writing the tests.

Thanks for the initial patch!

Before you start your investigation completely from scratch,
did you see the prior work on this topic?

* https://github.com/landlock-lsm/linux/issues/11
* https://lore.kernel.org/all/20220822114701.26975-1-xiujianfeng@huawei.com/

That specific patchset was unfortunately abandoned at the time, but I
suspect that some of the discussion still applies for your patchset as
well?

In my understanding, it was in the end blocked on a LSM hook change.
(If this is needed, a common approach for doing that hook change is to
add it to the same patch series as one of the earliest commits.)

—Günther


* Re: landlock: Add support for chmod and chown system calls families
From: Jeffrey Bencteux @ 2026-04-13 19:51 UTC (permalink / raw)
  To: Günther Noack
  Cc: mic, paul, jmorris, serge, linux-security-module, xiujianfeng

Hi Günther,

On Mon, Apr 13, 2026 at 02:36:43PM +0200, Günther Noack wrote:
> Before you start your investigation completely from scratch,
> did you see the prior work on this topic?
> 
> * https://github.com/landlock-lsm/linux/issues/11
> * https://lore.kernel.org/all/20220822114701.26975-1-xiujianfeng@huawei.com/

I missed it, thanks for pointing it out.

> That specific patchset was unfortunately abandoned at the time, but I
> suspect that some of the discussion still applies for your patchset as
> well?

Indeed, my feeling is that Xiu's patchset is more elaborate than mine.

> In my understanding, it was in the end blocked on a LSM hook change.
> (If this is needed, a common approach for doing that hook change is to
> add it to the same patch series as one of the earliest commits.)

To my understanding, it is too. The implementation of
LANDLOCK_ACCESS_FS_(READ|WRITE)_METADATA is tied to several LSM hook
changes (the hooks currently take dentry/inode and not struct path as
arguments), as discussed here:
https://lore.kernel.org/all/df99abcc-e7ec-ad34-27fa-25abee28a300@digikod.net


