Message-ID: <20260201.3b3b0fb4f042@gnoack.org>
Date: Sun, 1 Feb 2026 13:23:45 +0100
From: Günther Noack <gnoack3000@...il.com>
To: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
Cc: gnoack@...gle.com, mic@...ikod.net,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 2/3] landlock: add errata documentation section

On Tue, Jan 27, 2026 at 07:18:11PM -0800, Samasth Norway Ananda wrote:
> Add errata section with code examples for querying errata and a warning
> that most applications should not check errata. Use kernel-doc directives
> to include errata descriptions from the header files instead of manual
> links.
> 
> Also enhance existing DOC sections in security/landlock/errata/abi-*.h
> files with Impact sections, and update the code comment in syscalls.c
> to remind developers to update errata documentation when applicable.
> 
> This addresses the gap where the kernel implements errata tracking
> but provides no user-facing documentation on how to use it, while
> improving the existing technical documentation in-place rather than
> duplicating it.
> 
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@...cle.com>
> ---
>  Documentation/userspace-api/landlock.rst | 67 ++++++++++++++++++++++--
>  security/landlock/errata/abi-1.h         |  8 +++
>  security/landlock/errata/abi-4.h         |  7 +++
>  security/landlock/errata/abi-6.h         | 10 ++++
>  security/landlock/syscalls.c             |  4 +-
>  5 files changed, 91 insertions(+), 5 deletions(-)
> 
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index c8ef1392a0c7..405b2d73e699 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -8,7 +8,7 @@ Landlock: unprivileged access control
>  =====================================
>  
>  :Author: Mickaël Salaün
> -:Date: December 2025
> +:Date: January 2026
>  
>  The goal of Landlock is to enable restriction of ambient rights (e.g. global
>  filesystem or network access) for a set of processes.  Because Landlock
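Review bot: the :Date: bump in this hunk should be checked against the project's own rule in the syscalls.c comment later in this patch, which ties that date to UAPI changes made when the ABI version is incremented; this series only adds documentation and does not touch `landlock_abi_version`, so either leave the date alone or say in the commit message why a docs-only change should move it.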
> @@ -492,9 +492,68 @@ system call:
>          printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n");
>      }
>  
> -The following kernel interfaces are implicitly supported by the first ABI
> -version.  Features only supported from a specific version are explicitly marked
> -as such.
> +All Landlock kernel interfaces are supported by the first ABI version unless
> +explicitly noted in their documentation.
> +
> +Landlock errata
> +---------------
> +
> +In addition to ABI versions, Landlock provides an errata mechanism to track
> +fixes for issues that may affect backwards compatibility or require userspace
> +awareness.  The errata bitmask can be queried using:
> +
> +.. code-block:: c
> +
> +    int errata;
> +
> +    errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA);
> +    if (errata < 0) {
> +        /* Landlock not available or disabled */
> +        return 0;
> +    }
> +
> +The returned value is a bitmask where each bit represents a specific erratum.
> +If bit N is set (``errata & (1 << (N - 1))``), then erratum N has been fixed
> +in the running kernel.
> +
> +.. warning::
> +
> +   **Most applications should NOT check errata.** In 99.9% of cases, checking
> +   errata is unnecessary, increases code complexity, and can potentially
> +   decrease protection if misused.  For example, disabling the sandbox when an
> +   erratum is not fixed could leave the system less secure than using
> +   Landlock's best-effort protection.  When in doubt, ignore errata.
> +
> +.. kernel-doc:: security/landlock/errata/abi-4.h
> +    :doc: erratum_1
> +
> +.. kernel-doc:: security/landlock/errata/abi-6.h
> +    :doc: erratum_2
> +
> +.. kernel-doc:: security/landlock/errata/abi-1.h
> +    :doc: erratum_3
> +
> +How to check for errata
> +~~~~~~~~~~~~~~~~~~~~~~~
> +
> +If you determine that your application needs to check for specific errata,
> +use this pattern:
> +
> +.. code-block:: c
> +
> +    int errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA);
> +    if (errata >= 0) {
> +        /* Check for specific erratum (1-indexed) */
> +        if (errata & (1 << (erratum_number - 1))) {
> +            /* Erratum N is fixed in this kernel */
> +        } else {
> +            /* Erratum N is NOT fixed - consider implications for your use case */
> +        }
> +    }
> +
> +**Important:** Only check errata if your application specifically relies on
> +behavior that changed due to the fix.  The fixes generally make Landlock less
> +restrictive or more correct, not more restrictive.
>  
>  Kernel interface
>  ================
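Review bot: the sentence "If bit N is set (``errata & (1 << (N - 1))``), then erratum N has been fixed" is internally inconsistent, because the expression tests bit N-1, so say "if the bit for erratum N is set" or "bit N-1, counting from zero". Three more points in the same hunk: the second snippet uses an undeclared `erratum_number`, so either declare it or show a concrete value such as `errata & (1 << (3 - 1))` for erratum 3; the closing sentence "not more restrictive" is contradicted by erratum 3 in abi-1.h below, whose fix prevents access-right widening and therefore denies rename and link actions that older kernels allowed; and the `/* Landlock not available or disabled */` comment after a negative return conflates EOPNOTSUPP (Landlock disabled) with EINVAL from a kernel that supports Landlock but predates LANDLOCK_CREATE_RULESET_ERRATA, so consider checking errno or noting the distinction. The "99.9% of cases" figure is unsourced; "in almost all cases" carries the same message.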
> diff --git a/security/landlock/errata/abi-1.h b/security/landlock/errata/abi-1.h
> index e8a2bff2e5b6..3f099555f059 100644
> --- a/security/landlock/errata/abi-1.h
> +++ b/security/landlock/errata/abi-1.h
> @@ -12,5 +12,13 @@
>   * hierarchy down to its filesystem root and those from the related mount point
>   * hierarchy.  This prevents access right widening through rename or link
>   * actions.
> + *
> + * Impact:
> + *
> + * Without this fix, it was possible to widen access rights through rename or
> + * link actions involving disconnected directories, potentially bypassing
> + * ``LANDLOCK_ACCESS_FS_REFER`` restrictions.  This could allow privilege
> + * escalation in complex mount scenarios where directories become disconnected
> + * from their original mount points.
>   */
>  LANDLOCK_ERRATUM(3)
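Review bot: "This could allow privilege escalation" in the new Impact paragraph overstates what the erratum text just above it describes, which is a sandboxed process widening its own Landlock-granted access rights through rename or link on disconnected directories, that is a policy bypass within the sandbox rather than a gain of privileges outside it; suggest "could let a sandboxed process bypass its own ``LANDLOCK_ACCESS_FS_REFER`` restrictions". "Potentially bypassing" and "could allow" also hedge twice for the same fact; one is enough.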
> diff --git a/security/landlock/errata/abi-4.h b/security/landlock/errata/abi-4.h
> index c052ee54f89f..fe11ec7d7ddf 100644
> --- a/security/landlock/errata/abi-4.h
> +++ b/security/landlock/errata/abi-4.h
> @@ -11,5 +11,12 @@
>   * :manpage:`bind(2)` and :manpage:`connect(2)` operations. This change ensures
>   * that only TCP sockets are subject to TCP access rights, allowing other
>   * protocols to operate without unnecessary restrictions.
> + *
> + * Impact:
> + *
> + * In kernels without this fix, using ``LANDLOCK_ACCESS_NET_BIND_TCP`` or
> + * ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` would incorrectly restrict non-TCP
> + * stream protocols (SMC, MPTCP, SCTP), potentially breaking applications
> + * that rely on these protocols while using Landlock network restrictions.
>   */
>  LANDLOCK_ERRATUM(1)
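Review bot: the Impact paragraph restates the description above it without naming the user-visible symptom; say what an application actually saw, namely bind(2) or connect(2) on an SMC, MPTCP or SCTP socket failing with EACCES once a ruleset carrying ``LANDLOCK_ACCESS_NET_BIND_TCP`` or ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` was enforced, because that is the signal a developer debugging an older kernel will be matching against.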
> diff --git a/security/landlock/errata/abi-6.h b/security/landlock/errata/abi-6.h
> index 5113a829f87e..5cb1475c7ea8 100644
> --- a/security/landlock/errata/abi-6.h
> +++ b/security/landlock/errata/abi-6.h
> @@ -15,5 +15,15 @@
>   * interaction between threads of the same process should always be allowed.
>   * This change ensures that any thread is allowed to send signals to any other
>   * thread within the same process, regardless of their domain.
> + *
> + * Impact:
> + *
> + * This problem only manifests when the userspace process is itself using
> + * :manpage:`libpsx(3)` or an equivalent mechanism to enforce a Landlock policy
> + * on multiple already-running threads at once.  Programs which enforce a
> + * Landlock policy at startup time and only then become multithreaded are not
> + * affected.  Without this fix, signal scoping could break multi-threaded
> + * applications that expect threads within the same process to freely signal
> + * each other.
>   */
>  LANDLOCK_ERRATUM(2)
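Review bot: the Impact paragraph buries the problem statement; it opens with the narrow trigger (libpsx or an equivalent applying a policy to already-running threads), only says what went wrong in the last sentence, and then broadens that sentence to "multi-threaded applications" in general, which the first two sentences have just ruled out. Suggest leading with the symptom ("Without this fix, a thread could be denied sending a signal to another thread of the same process") and keeping the libpsx qualification as the scope note that follows, without the generalisation.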
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 8eaec8d35c44..9b7a7f39f26c 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -158,9 +158,11 @@ static const struct file_operations ruleset_fops = {
>  /*
>   * The Landlock ABI version should be incremented for each new Landlock-related
>   * user space visible change (e.g. Landlock syscalls).  This version should
> - * only be incremented once per Linux release, and the date in
> + * only be incremented once per Linux release.  When incrementing, the date in
>   * Documentation/userspace-api/landlock.rst should be updated to reflect the
>   * UAPI change.
> + * If the change involves a fix that requires userspace awareness, also update
> + * the errata documentation in Documentation/userspace-api/landlock.rst.
>   */
>  const int landlock_abi_version = 9;
>  
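Review bot: the added sentence sends developers to Documentation/userspace-api/landlock.rst for errata documentation, but in this same patch the erratum text lives in the DOC sections of security/landlock/errata/abi-*.h and the rst only pulls it in through `.. kernel-doc::` directives (see the `:doc: erratum_N` entries in the first file); point the comment at the header's DOC section first and the rst directive second, otherwise it will steer people to write the description in the wrong place.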
> -- 
> 2.50.1
> 

Reviewed-by: Günther Noack <gnoack3000@...il.com>

Thanks!
–Günther
