| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251216210248.4150777-1-samasth.norway.ananda@oracle.com>
Date: Tue, 16 Dec 2025 13:02:42 -0800
From: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
To: mic@...ikod.net, gnoack@...gle.com
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH 1/3] landlock: Add missing ABI 7 case in documentation example
Add the missing case 6 and case 7 handling in the ABI version
compatibility example to properly handle LANDLOCK_RESTRICT_SELF_LOG_*
flags for kernels with ABI < 7.
This introduces the supported_restrict_flags variable which is
initialized with LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, removed
in case 6 for ABI < 7, and passed to landlock_restrict_self() to
enable logging on supported kernels.
Also fix misleading description of the /usr rule which incorrectly
stated it "only allow[s] reading" when the code actually allows both
reading and executing (LANDLOCK_ACCESS_FS_EXECUTE is included in
allowed_access).
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
---
Documentation/userspace-api/landlock.rst | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 1d0c2c15c22e..b8caac299056 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -97,6 +97,8 @@ version, and only use the available subset of access rights:
.. code-block:: c
int abi;
+ /* Tracks which landlock_restrict_self() flags are supported */
+ int supported_restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
abi = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
if (abi < 0) {
@@ -127,6 +129,17 @@ version, and only use the available subset of access rights:
/* Removes LANDLOCK_SCOPE_* for ABI < 6 */
ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
LANDLOCK_SCOPE_SIGNAL);
+ __attribute__((fallthrough));
+ case 6:
+ /*
+ * Removes LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON for ABI < 7.
+ * Note: This modifies supported_restrict_flags, not ruleset_attr,
+ * because logging flags are passed to landlock_restrict_self().
+ */
+ supported_restrict_flags &= ~LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
+ __attribute__((fallthrough));
+ case 7:
+ break;
}
This enables the creation of an inclusive ruleset that will contain our rules.
@@ -142,8 +155,9 @@ This enables the creation of an inclusive ruleset that will contain our rules.
}
We can now add a new rule to this ruleset thanks to the returned file
-descriptor referring to this ruleset. The rule will only allow reading the
-file hierarchy ``/usr``. Without another rule, write actions would then be
+descriptor referring to this ruleset. The rule will allow reading and
+executing files in the ``/usr`` hierarchy. Without another rule, write actions
+and other operations (make_dir, remove_file, etc.) would then be
denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
descriptor.
@@ -193,7 +207,7 @@ number for a specific action: HTTPS connections.
The next step is to restrict the current thread from gaining more privileges
(e.g. through a SUID binary). We now have a ruleset with the first rule
-allowing read access to ``/usr`` while denying all other handled accesses for
+allowing read and execute access to ``/usr`` while denying all other handled accesses for
the filesystem, and a second rule allowing HTTPS connections.
.. code-block:: c
@@ -208,7 +222,7 @@ The current thread is now ready to sandbox itself with the ruleset.
.. code-block:: c
- if (landlock_restrict_self(ruleset_fd, 0)) {
+ if (landlock_restrict_self(ruleset_fd, supported_restrict_flags)) {
perror("Failed to enforce ruleset");
close(ruleset_fd);
return 1;
--
2.50.1
Powered by blists - more mailing lists