| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2240250.GUtdWV9SEq@daniel-desktop3>
Date: Thu, 13 Nov 2025 22:23:32 -0500
From: Daniel Tang <danielzgtg.opensource@...il.com>
To: linux-security-module@...r.kernel.org
Cc: Günther Noack <gnoack@...gle.com>,
Paul Moore <paul@...l-moore.com>,
Mickaël Salaün <mic@...ikod.net>,
linux-kernel@...r.kernel.org
Subject: [PATCH] landlock: Document fexecve sadly reopening files
Relying on "Files or directories opened before the sandboxing are not
subject to these restrictions," I tried to modify `setpriv` to allow
`--landlock-access fs:execute busybox --help`. Sadly, support for this
use case is absent in fs/exec.c.
Signed-off-by: Daniel Tang <danielzgtg.opensource@...il.com>
---
include/uapi/linux/landlock.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index f030adc462ee..a69e9fef703c 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -206,7 +206,7 @@ struct landlock_net_port_attr {
*
* The following access rights apply only to files:
*
- * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
+ * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. Note fexecve(2) reopens it.
* - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When
* opening files for writing, you will often additionally need the
* %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls
--
2.51.0
Powered by blists - more mailing lists