1. Patchew
  2. linux
  3. [PATCH v3 0/3] landlock: documentation improvements
  4. View patch

[PATCH v3 1/3] landlock: add backwards compatibility for restrict flags

Samasth Norway Ananda posted 3 patches 1 week, 6 days ago
Only 1 patches received!
[PATCH v3 1/3] landlock: add backwards compatibility for restrict flags
Posted by Samasth Norway Ananda 1 week, 6 days ago 
Add backwards compatibility handling for the restrict flags introduced
in ABI version 7. This is shown as a separate code block (similar to
the ruleset_attr handling in the switch statement) because restrict flags
are passed to landlock_restrict_self() rather than being part of the
ruleset attributes.

Also fix misleading description of the /usr rule which incorrectly
stated it "only allow[s] reading" when the code actually allows both
reading and executing (LANDLOCK_ACCESS_FS_EXECUTE is included in
allowed_access).

Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
---
 Documentation/userspace-api/landlock.rst | 30 +++++++++++++++++-------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 1ed25af0499f..c8ef1392a0c7 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -157,11 +157,11 @@ This enables the creation of an inclusive ruleset that will contain our rules.
     }
 
 We can now add a new rule to this ruleset thanks to the returned file
-descriptor referring to this ruleset.  The rule will only allow reading the
-file hierarchy ``/usr``.  Without another rule, write actions would then be
-denied by the ruleset.  To add ``/usr`` to the ruleset, we open it with the
-``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
-descriptor.
+descriptor referring to this ruleset.  The rule will allow reading and
+executing the file hierarchy ``/usr``.  Without another rule, write actions
+would then be denied by the ruleset.  To add ``/usr`` to the ruleset, we open
+it with the ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with
+this file descriptor.
 
 .. code-block:: c
 
@@ -233,10 +233,24 @@ to effectively block sending UDP datagrams to arbitrary ports.
         err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
                                 &net_port, 0);
 
+When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a
+similar backwards compatibility check is needed for the restrict flags
+(see sys_landlock_restrict_self() documentation for available flags):
+
+.. code-block:: c
+
+    __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
+    if (abi < 7) {
+        /* Clear logging flags unsupported before ABI 7. */
+        restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
+                            LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
+                            LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
+    }
+
 The next step is to restrict the current thread from gaining more privileges
 (e.g. through a SUID binary).  We now have a ruleset with the first rule
-allowing read access to ``/usr`` while denying all other handled accesses for
-the filesystem, and two more rules allowing DNS queries.
+allowing read and execute access to ``/usr`` while denying all other handled
+accesses for the filesystem, and two more rules allowing DNS queries.
 
 .. code-block:: c
 
@@ -250,7 +264,7 @@ The current thread is now ready to sandbox itself with the ruleset.
 
 .. code-block:: c
 
-    if (landlock_restrict_self(ruleset_fd, 0)) {
+    if (landlock_restrict_self(ruleset_fd, restrict_flags)) {
         perror("Failed to enforce ruleset");
         close(ruleset_fd);
         return 1;
-- 
2.50.1
Re: [PATCH v3 1/3] landlock: add backwards compatibility for restrict flags
Posted by Günther Noack 1 week, 1 day ago 
On Tue, Jan 27, 2026 at 07:18:10PM -0800, Samasth Norway Ananda wrote:
> Add backwards compatibility handling for the restrict flags introduced
> in ABI version 7. This is shown as a separate code block (similar to
> the ruleset_attr handling in the switch statement) because restrict flags
> are passed to landlock_restrict_self() rather than being part of the
> ruleset attributes.
> 
> Also fix misleading description of the /usr rule which incorrectly
> stated it "only allow[s] reading" when the code actually allows both
> reading and executing (LANDLOCK_ACCESS_FS_EXECUTE is included in
> allowed_access).
> 
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
> ---
>  Documentation/userspace-api/landlock.rst | 30 +++++++++++++++++-------
>  1 file changed, 22 insertions(+), 8 deletions(-)
> 
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 1ed25af0499f..c8ef1392a0c7 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -157,11 +157,11 @@ This enables the creation of an inclusive ruleset that will contain our rules.
>      }
>  
>  We can now add a new rule to this ruleset thanks to the returned file
> -descriptor referring to this ruleset.  The rule will only allow reading the
> -file hierarchy ``/usr``.  Without another rule, write actions would then be
> -denied by the ruleset.  To add ``/usr`` to the ruleset, we open it with the
> -``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
> -descriptor.
> +descriptor referring to this ruleset.  The rule will allow reading and
> +executing the file hierarchy ``/usr``.  Without another rule, write actions
> +would then be denied by the ruleset.  To add ``/usr`` to the ruleset, we open
> +it with the ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with
> +this file descriptor.
>  
>  .. code-block:: c
>  
> @@ -233,10 +233,24 @@ to effectively block sending UDP datagrams to arbitrary ports.
>          err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
>                                  &net_port, 0);
>  
> +When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a
> +similar backwards compatibility check is needed for the restrict flags
> +(see sys_landlock_restrict_self() documentation for available flags):
> +
> +.. code-block:: c
> +
> +    __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
> +    if (abi < 7) {
> +        /* Clear logging flags unsupported before ABI 7. */
> +        restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
> +                            LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> +                            LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
> +    }
> +
>  The next step is to restrict the current thread from gaining more privileges
>  (e.g. through a SUID binary).  We now have a ruleset with the first rule
> -allowing read access to ``/usr`` while denying all other handled accesses for
> -the filesystem, and two more rules allowing DNS queries.
> +allowing read and execute access to ``/usr`` while denying all other handled
> +accesses for the filesystem, and two more rules allowing DNS queries.
>  
>  .. code-block:: c
>  
> @@ -250,7 +264,7 @@ The current thread is now ready to sandbox itself with the ruleset.
>  
>  .. code-block:: c
>  
> -    if (landlock_restrict_self(ruleset_fd, 0)) {
> +    if (landlock_restrict_self(ruleset_fd, restrict_flags)) {
>          perror("Failed to enforce ruleset");
>          close(ruleset_fd);
>          return 1;
> -- 
> 2.50.1
> 

Reviewed-by: Günther Noack <gnoack3000@gmail.com>

Thanks!
–Günther
  • [PATCH v3 1/3] landlock: add backwards compatibility for restrict flags

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.