Landlock Security Module Adds File Truncation Support With Linux 6.2
Landlock developers are working toward more complete coverage of the file-system operations this LSM can restrict. As part of that effort, file truncation support is ready for this kernel cycle. This rounds out coverage of the operations that modify file contents, so with Linux 6.2 it should be possible to prevent direct modification of a file's contents with Landlock.
The new LANDLOCK_ACCESS_FS_TRUNCATE access-right flag covers the truncate() and ftruncate() system calls, open() with the O_TRUNC flag, and creat() where an existing file would be overwritten (creat() implies O_TRUNC).
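The following is an added example, not code from the article or from the Landlock project, showing how a sandboxed program handles the new right. It assumes Linux with glibc; the function names (landlock_abi_version, handled_fs_for_abi, enforce_no_truncate), the scratch path under /tmp and the ACCESS_FS_ABI1 helper mask are my own. It queries the Landlock ABI version, only handles LANDLOCK_ACCESS_FS_TRUNCATE on kernels that know it (ABI 3, Linux 6.2), grants write access beneath a directory without the truncate right, and then shows that truncate(), open(O_TRUNC) and creat() on an existing file are all refused while plain writes still work.

```c
/* Added example (not from the article or the Landlock project): best-effort
 * Landlock sandbox that restricts truncation when the kernel supports it.
 * Assumes Linux + glibc. Build: cc -Wall -o landlock_truncate landlock_truncate.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifdef __has_include
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#define HAVE_LANDLOCK_H 1
#endif
#endif
#ifndef HAVE_LANDLOCK_H
/* Fallbacks matching include/uapi/linux/landlock.h (ABI 1 layout) when the
 * kernel headers are too old to ship the file. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_EXECUTE    (1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE  (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR   (1ULL << 3)
#endif
/* Rights added after ABI 1 may be missing from older headers. */
#ifndef LANDLOCK_ACCESS_FS_REFER
#define LANDLOCK_ACCESS_FS_REFER (1ULL << 13)
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif

/* Helper mask (my name): every file-system right known to ABI 1, bits 0..12. */
#define ACCESS_FS_ABI1 ((1ULL << 13) - 1)

/* Landlock ABI version reported by the kernel, or -1 if Landlock is unavailable. */
int landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Rights to handle (deny by default) for a given ABI. Asking the kernel to
 * handle a right it does not know fails with EINVAL, so unknown bits are left
 * out; on ABI < 3 truncation therefore cannot be restricted at all. */
uint64_t handled_fs_for_abi(int abi) {
    uint64_t mask = ACCESS_FS_ABI1;
    if (abi >= 2) mask |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) mask |= LANDLOCK_ACCESS_FS_TRUNCATE;
    return mask;
}

/* Allow read/write/execute beneath `dir` but never truncation; deny everything
 * else. Returns 0 on success, -1 on error (errno set by the failing call). */
int enforce_no_truncate(const char *dir) {
    int abi = landlock_abi_version();
    if (abi < 1) return -1;

    struct landlock_ruleset_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.handled_access_fs = handled_fs_for_abi(abi);
    int ruleset_fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0) return -1;

    struct landlock_path_beneath_attr rule;
    memset(&rule, 0, sizeof(rule));
    rule.allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
                          LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_EXECUTE;
    rule.parent_fd = open(dir, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0 ||
        syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0)) {
        close(ruleset_fd);
        return -1;
    }
    close(rule.parent_fd);

    /* No-new-privs is required before an unprivileged process may restrict itself. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(__NR_landlock_restrict_self, ruleset_fd, 0)) {
        close(ruleset_fd);
        return -1;
    }
    close(ruleset_fd);
    return 0;
}

int main(void) {
    /* Constructed scratch file, written before the policy is enforced. */
    const char *path = "/tmp/landlock_truncate_demo.txt";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "hello", 5) != 5) { perror("setup"); return 1; }
    close(fd);

    int abi = landlock_abi_version();
    printf("Landlock ABI %d: truncation %s\n", abi, abi >= 3 ? "restrictable" : "NOT restrictable");
    if (enforce_no_truncate("/tmp")) { perror("enforce_no_truncate"); return 1; }

    /* Plain writing is still allowed; every route to truncation is EACCES on ABI >= 3. */
    fd = open(path, O_WRONLY | O_APPEND);
    printf("open(O_WRONLY|O_APPEND): %s\n", fd < 0 ? strerror(errno) : "allowed");
    if (fd >= 0) close(fd);
    printf("truncate():              %s\n", truncate(path, 0) ? strerror(errno) : "allowed");
    printf("open(O_WRONLY|O_TRUNC):  %s\n", open(path, O_WRONLY | O_TRUNC) < 0 ? strerror(errno) : "allowed");
    printf("creat() on existing:     %s\n", creat(path, 0600) < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Two points the example is built around: truncation is a separate right from LANDLOCK_ACCESS_FS_WRITE_FILE, so a rule that grants writing but omits LANDLOCK_ACCESS_FS_TRUNCATE leaves the file appendable yet not overwritable through O_TRUNC, truncate() or creat(); and because handling an unknown right makes landlock_create_ruleset() fail, a program that must run on pre-6.2 kernels has to probe the ABI and decide for itself whether "cannot restrict truncation" is an acceptable degraded mode or a reason to refuse to start.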
More details on this truncate support for Landlock can be found via this pull request of the now-merged code for beefing up this application sandboxing solution's capabilities for unprivileged access control.
Those wishing to learn more about Landlock in general can visit Landlock.io as the project documentation site.