| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260128031814.2945394-2-samasth.norway.ananda@oracle.com>
Date: Tue, 27 Jan 2026 19:18:10 -0800
From: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
To: gnoack@...gle.com, mic@...ikod.net
Cc: linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
samasth.norway.ananda@...cle.com
Subject: [PATCH v3 1/3] landlock: add backwards compatibility for restrict flags
Add backwards compatibility handling for the restrict flags introduced
in ABI version 7. This is shown as a separate code block (similar to
the ruleset_attr handling in the switch statement) because restrict flags
are passed to landlock_restrict_self() rather than being part of the
ruleset attributes.
Also fix misleading description of the /usr rule which incorrectly
stated it "only allow[s] reading" when the code actually allows both
reading and executing (LANDLOCK_ACCESS_FS_EXECUTE is included in
allowed_access).
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
---
Documentation/userspace-api/landlock.rst | 30 +++++++++++++++++-------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 1ed25af0499f..c8ef1392a0c7 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -157,11 +157,11 @@ This enables the creation of an inclusive ruleset that will contain our rules.
}
We can now add a new rule to this ruleset thanks to the returned file
-descriptor referring to this ruleset. The rule will only allow reading the
-file hierarchy ``/usr``. Without another rule, write actions would then be
-denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
-``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
-descriptor.
+descriptor referring to this ruleset. The rule will allow reading and
+executing the file hierarchy ``/usr``. Without another rule, write actions
+would then be denied by the ruleset. To add ``/usr`` to the ruleset, we open
+it with the ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with
+this file descriptor.
.. code-block:: c
@@ -233,10 +233,24 @@ to effectively block sending UDP datagrams to arbitrary ports.
err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
&net_port, 0);
+When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a
+similar backwards compatibility check is needed for the restrict flags
+(see sys_landlock_restrict_self() documentation for available flags):
+
+.. code-block:: c
+
+ __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
+ if (abi < 7) {
+ /* Clear logging flags unsupported before ABI 7. */
+ restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
+ LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
+ LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
+ }
+
The next step is to restrict the current thread from gaining more privileges
(e.g. through a SUID binary). We now have a ruleset with the first rule
-allowing read access to ``/usr`` while denying all other handled accesses for
-the filesystem, and two more rules allowing DNS queries.
+allowing read and execute access to ``/usr`` while denying all other handled
+accesses for the filesystem, and two more rules allowing DNS queries.
.. code-block:: c
@@ -250,7 +264,7 @@ The current thread is now ready to sandbox itself with the ruleset.
.. code-block:: c
- if (landlock_restrict_self(ruleset_fd, 0)) {
+ if (landlock_restrict_self(ruleset_fd, restrict_flags)) {
perror("Failed to enforce ruleset");
close(ruleset_fd);
return 1;
--
2.50.1
Powered by blists - more mailing lists