Landlock truncation support in Linux 6.2
Linus Torvalds released Linux 6.2 yesterday, and this kernel release
supports restricting the truncate(2) and ftruncate(2) operations
with Landlock. (The kernel patch
set
has more information and discussion.)
You can try this out today with the
go-landlock library,
which already supports this feature. To forbid file truncation when
using go-landlock, update your RestrictPaths() invocation to use
Landlock version 3 as follows:
err := landlock.V3.BestEffort().RestrictPaths(
landlock.RODirs("/usr", "/bin"),
landlock.RWDirs("/tmp"),
)
Most existing users will only need to exchange V2 for V3. When
using landlock.V3 this way, file truncation is forbidden by default.
The RWFiles() and RWDirs() helpers grant the truncation right when
used on a file or directory. (It comes hand in hand with the right to
open files for writing.)