samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE

Update the sandboxer sample to restrict truncate actions. This is
automatically enabled by default if the running kernel supports
LANDLOCK_ACCESS_FS_TRUNCATE, except for the paths listed in the
LL_FS_RW environment variable.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20221018182216.301684-11-gnoack3000@gmail.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index f29bb3c..fd4237c 100644 (file)
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -76,7 +76,8 @@ static int parse_path(char *env_path, const char ***const path_list)
 #define ACCESS_FILE ( \
        LANDLOCK_ACCESS_FS_EXECUTE | \
        LANDLOCK_ACCESS_FS_WRITE_FILE | \
-       LANDLOCK_ACCESS_FS_READ_FILE)
+       LANDLOCK_ACCESS_FS_READ_FILE | \
+       LANDLOCK_ACCESS_FS_TRUNCATE)
 
 /* clang-format on */
 
@@ -160,11 +161,12 @@ out_free_name:
        LANDLOCK_ACCESS_FS_MAKE_FIFO | \
        LANDLOCK_ACCESS_FS_MAKE_BLOCK | \
        LANDLOCK_ACCESS_FS_MAKE_SYM | \
-       LANDLOCK_ACCESS_FS_REFER)
+       LANDLOCK_ACCESS_FS_REFER | \
+       LANDLOCK_ACCESS_FS_TRUNCATE)
 
 /* clang-format on */
 
-#define LANDLOCK_ABI_LAST 2
+#define LANDLOCK_ABI_LAST 3
 
 int main(const int argc, char *const argv[], char *const *const envp)
 {
@@ -234,6 +236,10 @@ int main(const int argc, char *const argv[], char *const *const envp)
        case 1:
                /* Removes LANDLOCK_ACCESS_FS_REFER for ABI < 2 */
                ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+               __attribute__((fallthrough));
+       case 2:
+               /* Removes LANDLOCK_ACCESS_FS_TRUNCATE for ABI < 3 */
+               ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_TRUNCATE;
 
                fprintf(stderr,
                        "Hint: You should update the running kernel "