Message-ID: <20260103002722.1465371-2-samasth.norway.ananda@oracle.com>
Date: Fri, 2 Jan 2026 16:27:13 -0800
From: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
To: mic@...ikod.net, gnoack@...gle.com
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH v2 1/3] landlock: Add missing ABI 7 case in documentation example
Add the missing case 6 and case 7 handling in the ABI version
compatibility example to properly handle ABI < 7 kernels.

Add an optional backwards compatibility section for restrict flags
between the case analysis and landlock_restrict_self() call. The main
tutorial example remains unchanged with
landlock_restrict_self(ruleset_fd, 0) to keep it simple for users who
don't need logging flags.

Also fix misleading description of the /usr rule which incorrectly
stated it "only allow[s] reading" when the code actually allows both
reading and executing (LANDLOCK_ACCESS_FS_EXECUTE is included in
allowed_access).
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
---
Documentation/userspace-api/landlock.rst | 35 +++++++++++++++++++++---
1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 1d0c2c15c22e..650c7b368561 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -127,6 +127,12 @@ version, and only use the available subset of access rights:
/* Removes LANDLOCK_SCOPE_* for ABI < 6 */
ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
LANDLOCK_SCOPE_SIGNAL);
+ __attribute__((fallthrough));
+ case 6:
+ /* Removes logging flags for ABI < 7 */
+ __attribute__((fallthrough));
+ case 7:
+ break;
}
This enables the creation of an inclusive ruleset that will contain our rules.
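Review bot: the comment on the new `case 6:` says it "Removes logging flags for ABI < 7", but the case body is empty and simply falls through to `case 7: break;`, so a reader following the pattern of the earlier cases (each of which masks something in `ruleset_attr`) will look for a mask that is not there. The actual clearing of the LANDLOCK_RESTRICT_SELF_LOG_* flags happens in the separate `restrict_flags` snippet added further down in this patch, so either reword the comment to point there, e.g. `/* Logging flags for ABI < 7 are cleared from restrict_flags, see below */`, or drop the empty case and let case 5 fall through directly to case 7.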
@@ -142,8 +148,9 @@ This enables the creation of an inclusive ruleset that will contain our rules.
}
We can now add a new rule to this ruleset thanks to the returned file
-descriptor referring to this ruleset. The rule will only allow reading the
-file hierarchy ``/usr``. Without another rule, write actions would then be
+descriptor referring to this ruleset. The rule will allow reading and
+executing files in the ``/usr`` hierarchy. Without another rule, write actions
+and other operations (make_dir, remove_file, etc.) would then be
denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
descriptor.
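Review bot: the parenthetical "(make_dir, remove_file, etc.)" on the third added line uses lower-case names that match neither the ``LANDLOCK_ACCESS_FS_*`` identifiers this document uses elsewhere nor plain prose; either spell out the access rights the way the document does (``LANDLOCK_ACCESS_FS_MAKE_DIR``, ``LANDLOCK_ACCESS_FS_REMOVE_FILE``) or say it in words ("creating directories, removing files, and so on"). Otherwise the corrected description of the ``/usr`` rule matches the `allowed_access` value the commit message describes.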
@@ -191,10 +198,30 @@ number for a specific action: HTTPS connections.
err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&net_port, 0);
+Backwards compatibility for restrict flags
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, the
+following backwards compatibility check needs to be taken into account:
+
+.. code-block:: c
+
+ /*
+ * Desired restriction flags, see ABI version section above.
+ * This value is only an example and differs by use case.
+ */
+ int restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
+ if (abi < 7) {
+ /* Clear logging flags unsupported in ABI < 7 */
+ restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
+ LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
+ LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
+ }
+
The next step is to restrict the current thread from gaining more privileges
(e.g. through a SUID binary). We now have a ruleset with the first rule
-allowing read access to ``/usr`` while denying all other handled accesses for
-the filesystem, and a second rule allowing HTTPS connections.
+allowing read and execute access to ``/usr`` while denying all other handled
+accesses for the filesystem, and a second rule allowing HTTPS connections.
.. code-block:: c
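Review bot: the new section computes `restrict_flags` but never shows where the value goes; since the tutorial's own call stays `landlock_restrict_self(ruleset_fd, 0)`, a reader cannot tell that this variable is meant to replace that `0`. End the snippet with the call it feeds, e.g. `landlock_restrict_self(ruleset_fd, restrict_flags)`, or say in the prose that `restrict_flags` is passed in place of the `0` in the call below. The snippet also depends on the `abi` variable from the ABI-version section, which should be stated explicitly given that this section is presented as optional, and placing a new subsection heading between the network rule and the "The next step is to restrict..." paragraph interrupts the step-by-step flow; consider moving it after the `landlock_restrict_self()` call it modifies.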
--
2.50.1