Landlock Security Module Adds File Truncation Support With Linux 6.2
Landlock, which allows unprivileged application sandboxing, was merged back in Linux 5.13 last year. It allows restricting ambient rights for a set of processes and is implemented as a stackable Linux security module (LSM) for establishing safe security sandboxes. With Linux 6.2, file truncation support is added to Landlock.
Landlock developers are working toward more complete coverage of the file-system operations that this LSM can restrict. As part of that, file truncation support is ready for this kernel cycle. This rounds out the coverage of operations that modify file contents, so with Linux 6.2 it should be possible to prevent the direct modification of file contents with Landlock.
The new LANDLOCK_ACCESS_FS_TRUNCATE flag covers the truncate() and ftruncate() system calls, the open() call with the truncate flag, and the creat() call where existing files are being overwritten.
More details on this truncate support for Landlock can be found via this pull request of the now-merged code, which beefs up this application sandboxing solution's capabilities for unprivileged access control.
Those wishing to learn more about Landlock in general can visit Landlock.io as the project documentation site.