[PATCH] samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER

[PATCH] samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER

[Günther Noack]

Add a comment to clarify how to handle best-effort backwards
compatibility for LANDLOCK_ACCESS_FS_REFER.

The "refer" access is special because these operations are always
forbidden in ABI 1, unlike most other operations, which are permitted
when using Landlock ABI levels where they are not supported yet.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 samples/landlock/sandboxer.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index fd4237c64fb2..901acb383124 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -234,7 +234,21 @@ int main(const int argc, char *const argv[], char *const *const envp)
 	/* Best-effort security. */
 	switch (abi) {
 	case 1:
-		/* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
+		/*
+		 * Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2
+		 *
+		 * Note: The "refer" operations (file renaming and linking
+		 * across different directories) are always forbidden when using
+		 * Landlock with ABI 1.
+		 *
+		 * If only ABI 1 is available, the sample tool knowingly forbids
+		 * refer operations.
+		 *
+		 * If a program *needs* to do refer operations after enabling
+		 * Landlock, it can not use Landlock at ABI level 1.  To be
+		 * compatible across different kernels, such programs should
+		 * fall back to not using Landlock instead.
+		 */
 		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
 		__attribute__((fallthrough));
 	case 2:

base-commit: 4bc90a766ea5af69c12ca1ea00b7fc5fe1d68831
-- 
2.38.1

Re: [PATCH] samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER

[Mickaël Salaün]

Thanks Günther. Here are small changes:

On 30/10/2022 07:11, Günther Noack wrote:
> Add a comment to clarify how to handle best-effort backwards
> compatibility for LANDLOCK_ACCESS_FS_REFER.
> 
> The "refer" access is special because these operations are always
> forbidden in ABI 1, unlike most other operations, which are permitted
> when using Landlock ABI levels where they are not supported yet.
> 
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
>   samples/landlock/sandboxer.c | 16 +++++++++++++++-
>   1 file changed, 15 insertions(+), 1 deletion(-)
> 
> diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> index fd4237c64fb2..901acb383124 100644
> --- a/samples/landlock/sandboxer.c
> +++ b/samples/landlock/sandboxer.c
> @@ -234,7 +234,21 @@ int main(const int argc, char *const argv[], char *const *const envp)
>   	/* Best-effort security. */
>   	switch (abi) {
>   	case 1:
> -		/* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
> +		/*
> +		 * Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2
> +		 *
> +		 * Note: The "refer" operations (file renaming and linking
> +		 * across different directories) are always forbidden when using
> +		 * Landlock with ABI 1.
> +		 *
> +		 * If only ABI 1 is available, the sample tool knowingly forbids

s/the sample tool/this sandboxer/

> +		 * refer operations.
> +		 *
> +		 * If a program *needs* to do refer operations after enabling
> +		 * Landlock, it can not use Landlock at ABI level 1.  To be
> +		 * compatible across different kernels, such programs should
> +		 * fall back to not using Landlock instead.

To be compatible with different kernel versions, such programs should 
then fall back to not restrict themselves at all if the running kernel 
only supports ABI 1.


> +		 */
>   		ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
>   		__attribute__((fallthrough));
>   	case 2:
> 
> base-commit: 4bc90a766ea5af69c12ca1ea00b7fc5fe1d68831

Re: [PATCH] samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER

[Günther Noack]

On Thu, Nov 03, 2022 at 03:21:32PM +0100, Mickaël Salaün wrote:
> On 30/10/2022 07:11, Günther Noack wrote:
> > Add a comment to clarify how to handle best-effort backwards
> > compatibility for LANDLOCK_ACCESS_FS_REFER.
> > 
> > The "refer" access is special because these operations are always
> > forbidden in ABI 1, unlike most other operations, which are permitted
> > when using Landlock ABI levels where they are not supported yet.
> > 
> > Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> > ---
> >   samples/landlock/sandboxer.c | 16 +++++++++++++++-
> >   1 file changed, 15 insertions(+), 1 deletion(-)
> > 
> > diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
> > index fd4237c64fb2..901acb383124 100644
> > --- a/samples/landlock/sandboxer.c
> > +++ b/samples/landlock/sandboxer.c
> > @@ -234,7 +234,21 @@ int main(const int argc, char *const argv[], char *const *const envp)
> > +		 * If only ABI 1 is available, the sample tool knowingly forbids
> 
> s/the sample tool/this sandboxer/
> 
> > +		 * refer operations.
> > +		 *
> > +		 * If a program *needs* to do refer operations after enabling
> > +		 * Landlock, it can not use Landlock at ABI level 1.  To be
> > +		 * compatible across different kernels, such programs should
> > +		 * fall back to not using Landlock instead.
> 
> To be compatible with different kernel versions, such programs should then
> fall back to not restrict themselves at all if the running kernel only
> supports ABI 1.

Thanks for the review, Mickaël! Both suggestions applied, and sent V2.

—Günther

--