From: "Günther Noack" <gnoack@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: Christian Brauner <brauner@kernel.org>,
linux-security-module@vger.kernel.org,
Paul Moore <paul@paul-moore.com>,
Amir Goldstein <amir73il@gmail.com>,
Miklos Szeredi <miklos@szeredi.hu>,
Serge Hallyn <serge@hallyn.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: Re: [PATCH v3 1/3] landlock: Require LANDLOCK_ACCESS_FS_MAKE_WHITEOUT for RENAME_WHITEOUT
Date: Fri, 17 Jul 2026 11:23:08 +0200 [thread overview]
Message-ID: <aln0fPINrjf8vXkO@google.com> (raw)
In-Reply-To: <aivEo6bV_phFFJg5@google.com>
On Fri, Jun 12, 2026 at 10:34:43AM +0200, Günther Noack wrote:
> On Wed, Jun 10, 2026 at 03:38:56PM +0200, Mickaël Salaün wrote:
> > Making MAKE_CHAR not covering MAKE_WHITEOUT is not addressed (see
> > previous discussion). MAKE_CHAR should not restrict whiteout creation
> > *if* MAKE_WHITEOUT is handled.
>
> (This is option (3) from your reply to V1 [1].)
>
> I am skeptical of this approach, because it complicates how userspace
> needs to deal with this access right. Consider the following
> scenario: A program wants to install the policy:
>
> * DENY MAKE_WHITEOUT, MAKE_CHAR
> * ALLOW MAKE_WHITEOUT in /foo (path_beneath rule)
>
> Then, if the kernel ABI predates make-whiteout, with the usual
> best-effort fallback (clearing out the unsupported bits), this ruleset
> becomes:
>
> * DENY MAKE_CHAR
> * (no ALLOW rule)
>
> But this ruleset is incorrect, because it denies mknod("/foo/x",
> S_IFCHR | mode, makedev(0, 0)) in /foo, which was explicitly allowed
> in the earlier ruleset.
>
> So in order to implement the best-effort fallback, I guess userspace
> libraries would now have to take into account whether there are any
> rules where MAKE_WHITEOUT is specifically allowed, and if so, they
> can't restrict MAKE_CHAR either? I find this a bit complicated and I
> think it's foreseeable that library implementers will predominantly
> get this wrong.
>
>
> Let me circle back to the other options you mentioned in [1], quoting
> them here for reference:
> > I see four options:
> >
> > 1. Consider whiteouts as regular files and make them handled by
> > LANDLOCK_ACCESS_FS_MAKE_REG. This would require an erratum and would
> > make sense for direct mknod calls, but it would be weird for
> > renameat2 calls than move a file and should only require
> > LANDLOCK_ACCESS_FS_REMOVE_FILE from the user point of view.
>
> It would be weird for renameat2 calls to require MAKE_REG in the
> source directory, but the weirdness would only affect
> fuse-overlayfs-style programs and could be documented explicitly for
> them for the case that they start using Landlock.
>
> Normal programs that just call rename() on an existing FUSE-Overlayfs
> filesystem would *not* require the MAKE_REG right, because the FUSE
> process would do that on their behalf with the FUSE processes'
> credentials.
>
> >
> > 2. Add a new LANDLOCK_ACCESS_FS_MAKE_WHITEOUT right to handle whitout
> > creation (direct and indirect?) and keep LANDLOCK_ACCESS_FS_MAKE_CHAR
> > handle direct whiteout creation (and don't backport anything). It
> > looks inconsistent from an access control point of view.
>
> MAKE_WHITEOUT to handle rename(RENAME_WHITEOUT) and MAKE_CHAR to
> handle mknod(chardev (0, 0)) -- This is a bit inconsistent, but it
> does not make a difference for any programs other than the ones
> calling rename(RENAME_WHITEOUT) (i.e., overlayfs-fuse), and it could
> be documented for that one use case.
>
> I find this a pragmatic balance, and it does not require special logic
> for the best-effort fallback either. Could you be persuaded to go
> this route instead?
>
> > 3. Add a new LANDLOCK_ACCESS_FS_MAKE_WHITEOUT right and, when handled,
> > make LANDLOCK_ACCESS_FS_MAKE_CHAR not handle whiteout. This would be
> > a bit weird from a kernel point of view but it should work well for
> > users while still forbidding direct whiteout creation.
>
> Except for the best-effort fallback, which is IMHO prone to
> implementation bugs. (see above)
>
> On the side, the implementation of this is also non-trivial: In order
> to check for mknod(..., makedev(0, 0)), we need to check
> layer-by-layer whether the layer handles MAKE_WHITEOUT and then either
> check for MAKE_CHAR or MAKE_WHITEOUT.
>
>
> > 4. Add a new LANDLOCK_ACCESS_FS_MAKE_WHITEOUT right and make
> > LANDLOCK_ACCESS_FS_MAKE_CHAR never handle whiteout (and backport
> > MAKE_CHAR fix with an errata). This would be consistent but backport
> > a way to directly create whiteouts (e.g. with mknod).
>
> It's mostly theoretical, but lifting the mknod(chardev (0,0))
> restriction for normal mknod() calls and calling it an erratum seems
> surprising as well, because it would relax security guarantees for
> existing programs.
>
> I also pondered the alternative of creating an erratum but
> intentionally *not* backporting it, but even in that case, that
> surprising erratum still affects older programs which are deployed on
> newer kernels.
>
>
> Revisiting this discussion, I'd lean towards option 1 or 2 -- could
> you be persuaded towards one of these?
Friendly ping, Mickaël; I would like to have some feedback on this approach
before sending v4. Could you please have a look?
Thanks,
—Günther
> I have a slight preference for option 1 (using MAKE_REG) because it
> would be a narrow fix that could be backported to older kernels as
> well and would not require a new access right. Given that the use
> case for RENAME_WHITEOUT is really only for FUSE-OverlayFS and given
> that FUSE-OverlayFS anyway needs MAKE_REG permissions there, I have
> trouble imagining a scenario where a separate access right for
> MAKE_WHITEOUT is needed in a policy. It seems like a pragmatic
> choice.
>
>
> > Specific tests should check that all
> > these cases are proprely handled.
> >
> > There is no documentation update related to the new feature. A note
> > should also explain what exactly is a whiteout and why it is not
> > considered a character device (see previous discussions).
> >
> > The sandboxer is not updated.
> >
> > There is no audit tests.
>
> Acknowledged, these were missing.
>
> (I was initially hoping that this bug report wouldn't expand into a
> full-fledged feature with its own access right constant, but it is
> correct that this is all required in that case... :-/)
>
> Will add this for the next patch set revision if it is still needed.
>
> —Günther
>
> [1] https://lore.kernel.org/all/20260414.Lae5ida1eeGh@digikod.net/
next prev parent reply other threads:[~2026-07-17 9:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 9:23 [PATCH v3 0/3] landlock: Restrict renameat2 with RENAME_WHITEOUT Günther Noack
2026-06-10 9:23 ` [PATCH v3 1/3] landlock: Require LANDLOCK_ACCESS_FS_MAKE_WHITEOUT for RENAME_WHITEOUT Günther Noack
2026-06-10 13:38 ` Mickaël Salaün
2026-06-12 8:34 ` Günther Noack
2026-07-17 9:23 ` Günther Noack [this message]
2026-06-10 9:23 ` [PATCH v3 2/3] selftests/landlock: Add test for RENAME_WHITEOUT denial Günther Noack
2026-06-10 9:23 ` [PATCH v3 3/3] selftests/landlock: Test OverlayFS renames w/o LANDLOCK_ACCESS_FS_MAKE_WHITEOUT Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aln0fPINrjf8vXkO@google.com \
--to=gnoack@google.com \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=miklos@szeredi.hu \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox