Landlock Forwards Compatibility Problem
Scenario
- A program uses Landlock through some Landlock library, but without specifying what operations should be restricted.
- At a later time, both the underlying kernel and the Landlock library version get updated.
- The newer version of the Landlock library might start restricting operations which were not previously restricted, and this can break programs.
Example
- A hypothetical library call was written under the assumption that this will restrict file operations:
hypotheticalLibrary::enableLandlock(rw("/etc", "/usr", "/bin", "/tmp"))
- The library gets upgraded and suddenly supports Landlock ABI v4
- TCP bind() and connect() operations stop working for the program which does that call.
Solution
Program authors should double-check from time to time whether they can use new Landlock features. Ideally, they should be made aware of these potential breakages at some point during the workflow of upgrading their libraries.
Variant A
When upgrading the library, force library users to revisit their library usage as part of the upgrade process.
Variant B
In the library’s API, make sure that all callers opt-in explicitly for the specific operations that they want to restrict.
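One way to implement Variant B, as an added example that is not from this page or from any Landlock library: the caller names the access rights it wants restricted bit by bit, and the helper masks that request against what the running kernel's ABI version supports, so neither a kernel upgrade nor a library upgrade can add handled rights (such as the ABI v4 TCP bind/connect rights) that the caller never asked for. All `ll_`-prefixed names are this example's own; the bit values and the ABI-version mapping mirror the Linux UAPI constants in `<linux/landlock.h>`, redefined here so the file also builds against older kernel headers. The struct size passed to the syscall is itself version-dependent (8 bytes before ABI v4, 16 from v4 on), since the kernel rejects an attribute struct larger than it knows.

```c
/* Explicit opt-in to Landlock access rights (Variant B). Added example,
 * not code from the page; ll_* names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif

/* Access-right bits and the ABI version that introduced each one; values
 * mirror <linux/landlock.h> (redefined so this builds on old headers). */
#define LL_FS_EXECUTE     (1ULL << 0)
#define LL_FS_WRITE_FILE  (1ULL << 1)
#define LL_FS_READ_FILE   (1ULL << 2)
#define LL_FS_READ_DIR    (1ULL << 3)
#define LL_FS_MAKE_SYM    (1ULL << 12)  /* last ABI v1 filesystem bit */
#define LL_FS_REFER       (1ULL << 13)  /* ABI v2 */
#define LL_FS_TRUNCATE    (1ULL << 14)  /* ABI v3 */
#define LL_FS_IOCTL_DEV   (1ULL << 15)  /* ABI v5 */
#define LL_NET_BIND_TCP    (1ULL << 0)  /* ABI v4 */
#define LL_NET_CONNECT_TCP (1ULL << 1)  /* ABI v4 */
#define LL_FS_V1_MASK (LL_FS_MAKE_SYM | (LL_FS_MAKE_SYM - 1))  /* bits 0..12 */

/* Layout of struct landlock_ruleset_attr as of ABI v4 (two __u64). */
struct ll_ruleset_attr {
    uint64_t handled_access_fs;
    uint64_t handled_access_net;
};

/* What the caller explicitly asked to restrict. Bits left unset are never
 * handled, whatever the kernel or this helper learns to support later. */
struct ll_request {
    uint64_t fs;   /* LL_FS_* bits */
    uint64_t net;  /* LL_NET_* bits */
};

/* Filesystem rights the given ABI version understands. */
static uint64_t ll_fs_supported(int abi) {
    uint64_t mask = LL_FS_V1_MASK;
    if (abi >= 2) mask |= LL_FS_REFER;
    if (abi >= 3) mask |= LL_FS_TRUNCATE;
    if (abi >= 5) mask |= LL_FS_IOCTL_DEV;
    return mask;
}

/* Network rights the given ABI version understands (none before v4). */
static uint64_t ll_net_supported(int abi) {
    return abi >= 4 ? (LL_NET_BIND_TCP | LL_NET_CONNECT_TCP) : 0;
}

/* Fill the ruleset attributes with rights the caller opted in to AND the
 * running kernel supports. Returns the byte size to pass to the syscall:
 * 8 before ABI v4 (net field unknown to the kernel), 16 from v4 on. */
static size_t ll_build_attr(const struct ll_request *req, int abi,
                            struct ll_ruleset_attr *out) {
    out->handled_access_fs = req->fs & ll_fs_supported(abi);
    out->handled_access_net = req->net & ll_net_supported(abi);
    return abi >= 4 ? sizeof(*out) : sizeof(out->handled_access_fs);
}

/* Ask the kernel for its Landlock ABI version; 0 if Landlock is unavailable. */
static int ll_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0,
                     LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? 0 : (int)v;
}

int main(void) {
    /* A caller that deliberately opted in to two filesystem rights only;
     * on an ABI v4+ kernel handled_access_net stays 0, so TCP keeps working. */
    struct ll_request req = { .fs = LL_FS_READ_FILE | LL_FS_WRITE_FILE, .net = 0 };
    struct ll_ruleset_attr attr;
    int abi = ll_abi_version();
    int saved_errno = errno;
    size_t size = ll_build_attr(&req, abi, &attr);
    printf("Landlock ABI v%d: handled fs=0x%llx net=0x%llx (attr size %zu)\n",
           abi, (unsigned long long)attr.handled_access_fs,
           (unsigned long long)attr.handled_access_net, size);
    if (abi == 0)
        printf("Landlock not available: %s\n", strerror(saved_errno));
    /* A real program would now call landlock_create_ruleset(&attr, size, 0),
     * add path and port rules, then landlock_restrict_self(). */
    return 0;
}
```

A library written this way can still grow new features: a caller upgrading to a version that knows about ABI v4 gets the network rights only by adding `LL_NET_BIND_TCP` or `LL_NET_CONNECT_TCP` to its request. Passing an all-ones request reproduces the page's failure mode on purpose, which makes it easy to test which rights a given kernel would silently start enforcing.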