From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 01/20] landlock: Move operations from syscall into ruleset code
Date: Tue, 7 Apr 2026 16:01:23 -0400
Message-ID: <20260407200157.3874806-2-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Refactor syscall restriction code, associated constants and helpers, into ruleset.h/c. This helps increase consistency by making syscall.c a consumer of ruleset.h/c's logic. Subsequent patches in this series add consumers of this logic.

Functions for getting and putting references on a landlock ruleset were also exposed in the patch for the subsequent consumers, transitioning them from static to linked functions with headers.

Signed-off-by: Justin Suess
---
 include/linux/landlock.h     |  92 ++++++++++++++++++
 security/landlock/ruleset.c  | 179 +++++++++++++++++++++++++++++++++++
 security/landlock/ruleset.h  |  19 ++--
 security/landlock/syscalls.c | 151 +++--------------------------
 4 files changed, 296 insertions(+), 145 deletions(-)
 create mode 100644 include/linux/landlock.h
diff --git a/include/linux/landlock.h b/include/linux/landlock.h new file mode 100644 index 000000000000..fae7d138ef8b --- /dev/null +++ b/include/linux/landlock.h 
@@ -0,0 +1,92 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* + * Landlock - Internal cross subsystem header + * + * Copyright =C2=A9 2026 Justin Suess + */ + +#ifndef _LINUX_LANDLOCK_H +#define _LINUX_LANDLOCK_H + +#include +#include +#include +#include +#include + +struct landlock_ruleset; + +#ifdef CONFIG_SECURITY_LANDLOCK + +/* + * Returns an owned ruleset from a FD. It is thus needed to call + * landlock_put_ruleset() on the returned value. + */ +struct landlock_ruleset *landlock_get_ruleset_from_fd(int fd, fmode_t mode= ); + +/* + * Acquires an additional reference to a ruleset if it is still alive. + */ +bool landlock_try_get_ruleset(struct landlock_ruleset *ruleset); + +/* + * Releases a previously acquired ruleset. + */ +void landlock_put_ruleset(struct landlock_ruleset *ruleset); + +/* + * Releases a previously acquired ruleset after an RCU-safe deferral. + */ +void landlock_put_ruleset_deferred(struct landlock_ruleset *ruleset); + +/* + * Restricts @cred with @ruleset and the supplied @flags. + * + * landlock_restrict_cred_precheck() must be called first. + * + * The caller owns @cred and is responsible for committing or aborting it. + * @ruleset may be NULL only with LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OF= F. 
+ */ +int landlock_restrict_cred_precheck(__u32 flags, bool in_task_context); + +int landlock_restrict_cred(struct cred *cred, struct landlock_ruleset *rul= eset, + __u32 flags); + +#else /* !CONFIG_SECURITY_LANDLOCK */ + +static inline struct landlock_ruleset * +landlock_get_ruleset_from_fd(int fd, fmode_t mode) +{ + return ERR_PTR(-EOPNOTSUPP); +} + +static inline bool landlock_try_get_ruleset(struct landlock_ruleset *rules= et) +{ + return false; +} + +static inline void landlock_put_ruleset(struct landlock_ruleset *ruleset) +{ +} + +static inline void +landlock_put_ruleset_deferred(struct landlock_ruleset *ruleset) +{ +} + +static inline int landlock_restrict_cred(struct cred *cred, + struct landlock_ruleset *ruleset, + __u32 flags) +{ + return -EOPNOTSUPP; +} + +static inline int landlock_restrict_cred_precheck(__u32 flags, + bool in_task_context) +{ + return -EOPNOTSUPP; +} + +#endif /* !CONFIG_SECURITY_LANDLOCK */ + +#endif /* _LINUX_LANDLOCK_H */ diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index 181df7736bb9..2333a3dc5f33 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c 
@@ -8,25 +8,204 @@ =20 #include #include +#include #include #include #include #include +#include #include #include #include #include #include #include +#include #include #include #include =20 #include "access.h" +#include "cred.h" #include "domain.h" #include "limits.h" #include "object.h" #include "ruleset.h" +#include "setup.h" +#include "tsync.h" + +static int fop_ruleset_release(struct inode *const inode, + struct file *const filp) +{ + struct landlock_ruleset *ruleset =3D filp->private_data; + + landlock_put_ruleset(ruleset); + return 0; +} + +static ssize_t fop_dummy_read(struct file *const filp, char __user *const = buf, + const size_t size, loff_t *const ppos) +{ + /* Dummy handler to enable FMODE_CAN_READ. */ + return -EINVAL; +} + +static ssize_t fop_dummy_write(struct file *const filp, + const char __user *const buf, const size_t size, + loff_t *const ppos) +{ + /* Dummy handler to enable FMODE_CAN_WRITE. */ + return -EINVAL; +} + +/* + * A ruleset file descriptor enables to build a ruleset by adding (i.e. + * writing) rule after rule, without relying on the task's context. This + * reentrant design is also used in a read way to enforce the ruleset on t= he + * current task. + */ +const struct file_operations ruleset_fops =3D { + .release =3D fop_ruleset_release, + .read =3D fop_dummy_read, + .write =3D fop_dummy_write, +}; + +/* + * Returns an owned ruleset from a FD. It is thus needed to call + * landlock_put_ruleset() on the return value. + */ +struct landlock_ruleset *landlock_get_ruleset_from_fd(const int fd, + const fmode_t mode) +{ + CLASS(fd, ruleset_f)(fd); + struct landlock_ruleset *ruleset; + + if (fd_empty(ruleset_f)) + return ERR_PTR(-EBADF); + + /* Checks FD type and access right. 
*/ + if (fd_file(ruleset_f)->f_op !=3D &ruleset_fops) + return ERR_PTR(-EBADFD); + if (!(fd_file(ruleset_f)->f_mode & mode)) + return ERR_PTR(-EPERM); + ruleset =3D fd_file(ruleset_f)->private_data; + if (WARN_ON_ONCE(ruleset->num_layers !=3D 1)) + return ERR_PTR(-EINVAL); + landlock_get_ruleset(ruleset); + return ruleset; +} + +void landlock_get_ruleset(struct landlock_ruleset *const ruleset) +{ + if (ruleset) + refcount_inc(&ruleset->usage); +} + +bool landlock_try_get_ruleset(struct landlock_ruleset *const ruleset) +{ + return ruleset && refcount_inc_not_zero(&ruleset->usage); +} + +int landlock_restrict_cred_precheck(const __u32 flags, + const bool in_task_context) +{ + if (!landlock_initialized) + return -EOPNOTSUPP; + + /* + * LANDLOCK_RESTRICT_SELF_TSYNC requires that the current task is + * the target of restriction. + */ + if ((flags & LANDLOCK_RESTRICT_SELF_TSYNC) && !in_task_context) + return -EINVAL; + + /* + * Similar checks as for seccomp(2), except that an -EPERM may be + * returned. + */ + if (!task_no_new_privs(current) && + !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) { + return -EPERM; + } + + if (flags & ~LANDLOCK_MASK_RESTRICT_SELF) + return -EINVAL; + + return 0; +} + +int landlock_restrict_cred(struct cred *const cred, + struct landlock_ruleset *const ruleset, + const __u32 flags) +{ + struct landlock_cred_security *new_llcred; + bool __maybe_unused log_same_exec, log_new_exec, log_subdomains, + prev_log_subdomains; + + /* + * It is allowed to set LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF without + * a ruleset, optionally combined with LANDLOCK_RESTRICT_SELF_TSYNC, but + * no other flag must be set. + */ + if (!ruleset && + (flags & ~LANDLOCK_RESTRICT_SELF_TSYNC) !=3D + LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF) + return -EINVAL; + + /* Translates "off" flag to boolean. */ + log_same_exec =3D !(flags & LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF); + /* Translates "on" flag to boolean. 
*/ + log_new_exec =3D !!(flags & LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON); + /* Translates "off" flag to boolean. */ + log_subdomains =3D !(flags & LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF); + + new_llcred =3D landlock_cred(cred); + +#ifdef CONFIG_AUDIT + prev_log_subdomains =3D !new_llcred->log_subdomains_off; + new_llcred->log_subdomains_off =3D !prev_log_subdomains || + !log_subdomains; +#endif /* CONFIG_AUDIT */ + + /* + * The only case when a ruleset may not be set is if + * LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF is set, optionally combined + * with LANDLOCK_RESTRICT_SELF_TSYNC. + * We could optimize this case by not committing @cred if this flag was + * already set, but it is not worth the complexity. + */ + if (ruleset) { + struct landlock_ruleset *const new_dom =3D + landlock_merge_ruleset(new_llcred->domain, ruleset); + + if (IS_ERR(new_dom)) + return PTR_ERR(new_dom); + +#ifdef CONFIG_AUDIT + new_dom->hierarchy->log_same_exec =3D log_same_exec; + new_dom->hierarchy->log_new_exec =3D log_new_exec; + if ((!log_same_exec && !log_new_exec) || !prev_log_subdomains) + new_dom->hierarchy->log_status =3D LANDLOCK_LOG_DISABLED; +#endif /* CONFIG_AUDIT */ + + landlock_put_ruleset(new_llcred->domain); + new_llcred->domain =3D new_dom; + +#ifdef CONFIG_AUDIT + new_llcred->domain_exec |=3D BIT(new_dom->num_layers - 1); +#endif /* CONFIG_AUDIT */ + } + + if (flags & LANDLOCK_RESTRICT_SELF_TSYNC) { + const int tsync_err =3D + landlock_restrict_sibling_threads(current_cred(), cred); + + if (tsync_err) + return tsync_err; + } + + return 0; +} =20 static struct landlock_ruleset *create_ruleset(const u32 num_layers) { diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 889f4b30301a..0facc5cb6555 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h @@ -11,6 +11,8 @@ =20 #include #include +#include +#include #include #include #include 
@@ -20,6 +22,8 @@ #include "limits.h" #include "object.h" =20 +extern const struct file_operations ruleset_fops; + struct landlock_hierarchy; =20 /** @@ -194,6 +198,8 @@ landlock_create_ruleset(const access_mask_t access_mask= _fs, const access_mask_t access_mask_net, const access_mask_t scope_mask); =20 +void landlock_get_ruleset(struct landlock_ruleset *ruleset); + void landlock_put_ruleset(struct landlock_ruleset *const ruleset); void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset); =20 @@ -204,6 +210,13 @@ int landlock_insert_rule(struct landlock_ruleset *cons= t ruleset, const struct landlock_id id, const access_mask_t access); =20 +int landlock_restrict_cred_precheck(const __u32 flags, + const bool in_task_context); + +int landlock_restrict_cred(struct cred *const cred, + struct landlock_ruleset *const ruleset, + const __u32 flags); + struct landlock_ruleset * landlock_merge_ruleset(struct landlock_ruleset *const parent, struct landlock_ruleset *const ruleset); @@ -212,12 +225,6 @@ const struct landlock_rule * landlock_find_rule(const struct landlock_ruleset *const ruleset, const struct landlock_id id); =20 -static inline void landlock_get_ruleset(struct landlock_ruleset *const rul= eset) -{ - if (ruleset) - refcount_inc(&ruleset->usage); -} - /** * landlock_union_access_masks - Return all access rights handled in the * domain diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index accfd2e5a0cd..c710e8b16150 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c 
@@ -121,42 +121,6 @@ static void build_check_abi(void) =20 /* Ruleset handling */ =20 -static int fop_ruleset_release(struct inode *const inode, - struct file *const filp) -{ - struct landlock_ruleset *ruleset =3D filp->private_data; - - landlock_put_ruleset(ruleset); - return 0; -} - -static ssize_t fop_dummy_read(struct file *const filp, char __user *const = buf, - const size_t size, loff_t *const ppos) -{ - /* Dummy handler to enable FMODE_CAN_READ. */ - return -EINVAL; -} - -static ssize_t fop_dummy_write(struct file *const filp, - const char __user *const buf, const size_t size, - loff_t *const ppos) -{ - /* Dummy handler to enable FMODE_CAN_WRITE. */ - return -EINVAL; -} - -/* - * A ruleset file descriptor enables to build a ruleset by adding (i.e. - * writing) rule after rule, without relying on the task's context. This - * reentrant design is also used in a read way to enforce the ruleset on t= he - * current task. - */ -static const struct file_operations ruleset_fops =3D { - .release =3D fop_ruleset_release, - .read =3D fop_dummy_read, - .write =3D fop_dummy_write, -}; - /* * The Landlock ABI version should be incremented for each new Landlock-re= lated * user space visible change (e.g. Landlock syscalls). This version should 
@@ -264,31 +228,6 @@ SYSCALL_DEFINE3(landlock_create_ruleset, return ruleset_fd; } =20 -/* - * Returns an owned ruleset from a FD. It is thus needed to call - * landlock_put_ruleset() on the return value. - */ -static struct landlock_ruleset *get_ruleset_from_fd(const int fd, - const fmode_t mode) -{ - CLASS(fd, ruleset_f)(fd); - struct landlock_ruleset *ruleset; - - if (fd_empty(ruleset_f)) - return ERR_PTR(-EBADF); - - /* Checks FD type and access right. */ - if (fd_file(ruleset_f)->f_op !=3D &ruleset_fops) - return ERR_PTR(-EBADFD); - if (!(fd_file(ruleset_f)->f_mode & mode)) - return ERR_PTR(-EPERM); - ruleset =3D fd_file(ruleset_f)->private_data; - if (WARN_ON_ONCE(ruleset->num_layers !=3D 1)) - return ERR_PTR(-EINVAL); - landlock_get_ruleset(ruleset); - return ruleset; -} - /* Path handling */ =20 /* @@ -437,7 +376,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_f= d, return -EINVAL; =20 /* Gets and checks the ruleset. */ - ruleset =3D get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE); + ruleset =3D landlock_get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE); if (IS_ERR(ruleset)) return PTR_ERR(ruleset); =20 
@@ -487,33 +426,13 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset= _fd, SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32, flags) { - struct landlock_ruleset *ruleset __free(landlock_put_ruleset) =3D NULL; struct cred *new_cred; - struct landlock_cred_security *new_llcred; - bool __maybe_unused log_same_exec, log_new_exec, log_subdomains, - prev_log_subdomains; - - if (!is_initialized()) - return -EOPNOTSUPP; - - /* - * Similar checks as for seccomp(2), except that an -EPERM may be - * returned. - */ - if (!task_no_new_privs(current) && - !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) - return -EPERM; - - if ((flags | LANDLOCK_MASK_RESTRICT_SELF) !=3D - LANDLOCK_MASK_RESTRICT_SELF) - return -EINVAL; + struct landlock_ruleset *ruleset __free(landlock_put_ruleset) =3D NULL; + int err; =20 - /* Translates "off" flag to boolean. */ - log_same_exec =3D !(flags & LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF); - /* Translates "on" flag to boolean. */ - log_new_exec =3D !!(flags & LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON); - /* Translates "off" flag to boolean. */ - log_subdomains =3D !(flags & LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF); + err =3D landlock_restrict_cred_precheck(flags, true); + if (err) + return err; =20 /* * It is allowed to set LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF with @@ -525,7 +444,8 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, rule= set_fd, const __u32, (flags & ~LANDLOCK_RESTRICT_SELF_TSYNC) =3D=3D LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF)) { /* Gets and checks the ruleset. */ - ruleset =3D get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ); + ruleset =3D landlock_get_ruleset_from_fd(ruleset_fd, + FMODE_CAN_READ); if (IS_ERR(ruleset)) return PTR_ERR(ruleset); } 
@@ -535,57 +455,10 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, ru= leset_fd, const __u32, if (!new_cred) return -ENOMEM; =20 - new_llcred =3D landlock_cred(new_cred); - -#ifdef CONFIG_AUDIT - prev_log_subdomains =3D !new_llcred->log_subdomains_off; - new_llcred->log_subdomains_off =3D !prev_log_subdomains || - !log_subdomains; -#endif /* CONFIG_AUDIT */ - - /* - * The only case when a ruleset may not be set is if - * LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF is set (optionally with - * LANDLOCK_RESTRICT_SELF_TSYNC) and ruleset_fd is -1. We could - * optimize this case by not calling commit_creds() if this flag was - * already set, but it is not worth the complexity. - */ - if (ruleset) { - /* - * There is no possible race condition while copying and - * manipulating the current credentials because they are - * dedicated per thread. - */ - struct landlock_ruleset *const new_dom =3D - landlock_merge_ruleset(new_llcred->domain, ruleset); - if (IS_ERR(new_dom)) { - abort_creds(new_cred); - return PTR_ERR(new_dom); - } - -#ifdef CONFIG_AUDIT - new_dom->hierarchy->log_same_exec =3D log_same_exec; - new_dom->hierarchy->log_new_exec =3D log_new_exec; - if ((!log_same_exec && !log_new_exec) || !prev_log_subdomains) - new_dom->hierarchy->log_status =3D LANDLOCK_LOG_DISABLED; -#endif /* CONFIG_AUDIT */ - - /* Replaces the old (prepared) domain. 
*/ - landlock_put_ruleset(new_llcred->domain); - new_llcred->domain =3D new_dom; - -#ifdef CONFIG_AUDIT - new_llcred->domain_exec |=3D BIT(new_dom->num_layers - 1); -#endif /* CONFIG_AUDIT */ - } - - if (flags & LANDLOCK_RESTRICT_SELF_TSYNC) { - const int err =3D landlock_restrict_sibling_threads( - current_cred(), new_cred); - if (err) { - abort_creds(new_cred); - return err; - } + err =3D landlock_restrict_cred(new_cred, ruleset, flags); + if (err) { + abort_creds(new_cred); + return err; } =20 return commit_creds(new_cred); --=20 2.53.0
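Review bot: In include/linux/landlock.h the comment block "Restricts @cred with @ruleset and the supplied @flags" sits directly above the declaration of landlock_restrict_cred_precheck(), but it describes landlock_restrict_cred(), which follows with no comment of its own. Move the block down to landlock_restrict_cred() and give the precheck its own comment that says what @in_task_context means and which errors it returns (-EOPNOTSUPP, -EINVAL and -EPERM in the ruleset.c body). Both prototypes are also declared a second time in security/landlock/ruleset.h with different const qualifiers; a single declaration, included from the other header, would keep the two from drifting apart.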
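Review bot: landlock_restrict_cred_precheck() in security/landlock/ruleset.c always evaluates task_no_new_privs(current) and ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN), even when in_task_context is false, so for a caller outside task context the no_new_privs or CAP_SYS_ADMIN requirement is checked against whichever task is running and not against the @cred later handed to landlock_restrict_cred(). Either pass the target task or cred into the precheck, or document that such callers must establish the invariant themselves. In the same hunk, landlock_restrict_cred() depends on the header comment "landlock_restrict_cred_precheck() must be called first" for the flag-mask and TSYNC validation, yet it reaches landlock_restrict_sibling_threads(current_cred(), cred) on LANDLOCK_RESTRICT_SELF_TSYNC without confirming that @cred belongs to current; re-validating the flags inside landlock_restrict_cred() would make the ordering requirement something the code enforces.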
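Review bot: In the landlock_restrict_self() hunks of security/landlock/syscalls.c, the removed block carried the comment "There is no possible race condition while copying and manipulating the current credentials because they are dedicated per thread", and that reasoning is not carried over to landlock_restrict_cred() in ruleset.c, where @cred is now supplied by the caller and the guarantee no longer follows from the surrounding code. State in the new function's documentation that @cred must be a private, uncommitted copy. It is also worth documenting that landlock_restrict_cred() can return an error after it has already updated log_subdomains_off or replaced the domain, so a caller must abort the cred on failure, as this hunk does with abort_creds(new_cred), and never commit it.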
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 02/20] execve: Add set_nnp_on_point_of_no_return
Date: Tue, 7 Apr 2026 16:01:24 -0400
Message-ID: <20260407200157.3874806-3-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Allow LSM hooks to set a new bitfield in the binprm, ensuring that the next execution will run with task_set_no_new_privs by executing task_set_no_new_privs only past the point of no return.

This differs semantically from task_set_no_new_privs, which is not safe to set from bprm_creds_for_exec/creds_from_file because a failed execution will result in no_new_privs being set on the original task. The setting of this flag from the LSM hook will not alter the current task's no_new_privs field until after the point of no return, so if we have a failed execution in execve there will be no side effect.

Setting this field will not result in any change to the escalation or LSM checks for the current execution transition, only for subsequent ones.

Signed-off-by: Justin Suess
---
 fs/exec.c               | 8 ++++++++
 include/linux/binfmts.h | 7 ++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/fs/exec.c b/fs/exec.c index 9ea3a775d51e..6ab700af57d9 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1111,6 +1111,14 @@ int begin_new_exec(struct linux_binprm * bprm) */ bprm->point_of_no_return =3D true; =20 + /* + * If requested that we set NO_NEW_PRIVS on the task, do so now that we're + * committed to exec. We set it here in case it wasn't safe to set it + * before the point of no return. + */ + if (bprm->set_nnp_on_point_of_no_return) + task_set_no_new_privs(current); + /* Make this the only thread in the thread group */ retval =3D de_thread(me); if (retval) diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 65abd5ab8836..9e420b055c4a 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h 
@@ -49,7 +49,12 @@ struct linux_binprm { * Set by user space to check executability according to the * caller's environment. */ - is_check:1; + is_check:1, + /* + * Set when a NNP should be applied to the new program's + * credentials during exec past the point of no return. + */ + set_nnp_on_point_of_no_return:1; struct file *executable; /* Executable to pass to the interpreter */ struct file *interpreter; struct file *file; --=20 2.53.0
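Review bot: the comment added above set_nnp_on_point_of_no_return says "Set when a NNP should be applied", which abbreviates no_new_privs and does not say which code sets the bit, unlike the is_check comment just above it ("Set by user space ..."). Spell out no_new_privs and name the setter; the Landlock uapi text in patch 03 says the BPF path sets a flag on the bprm, and a reader of struct linux_binprm should be able to learn that from this comment.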
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 03/20] landlock: Implement LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS
Date: Tue, 7 Apr 2026 16:01:25 -0400
Message-ID: <20260407200157.3874806-4-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>

Add a flag LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS, which executes task_set_no_new_privs on the current credentials, but only if the process lacks the CAP_SYS_ADMIN capability.

While this operation is redundant for code running from userspace (indeed callers may achieve the same logic by calling prctl w/ PR_SET_NO_NEW_PRIVS), this flag enables callers without access to the syscall abi (defined in subsequent patches) to restrict processes from gaining additional capabilities.

This is important to ensure that consumers can meet the task_no_new_privs || CAP_SYS_ADMIN invariant enforced by Landlock without having syscall access.
Signed-off-by: Justin Suess --- include/uapi/linux/landlock.h | 14 ++++++++++++++ security/landlock/limits.h | 2 +- security/landlock/ruleset.c | 12 +++++++++++- security/landlock/syscalls.c | 7 +++++++ 4 files changed, 33 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h index 10a346e55e95..de2537755bbe 100644 --- a/include/uapi/linux/landlock.h +++ b/include/uapi/linux/landlock.h @@ -131,12 +131,26 @@ struct landlock_ruleset_attr { * * If the calling thread is running with no_new_privs, this operation * enables no_new_privs on the sibling threads as well. + * + * %LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS + * Sets no_new_privs on the calling thread before applying the Landlock= domain. + * This flag is useful for convenience as well as for applying a rulese= t from + * an outside context (e.g BPF). This flag only has an effect on when b= oth + * no_new_privs isn't already set and the caller doesn't possess CAP_SY= S_ADMIN. + * + * This flag has slightly different behavior when used from BPF. Instea= d of + * setting no_new_privs on the current task, it sets a flag on the bprm= so that + * no_new_privs is set on the task at exec point-of-no-return. This gua= rantees + * that the current execution is unaffected, and may escalate as usual = until the + * next exec, but the resulting task cannot gain more privileges throug= h later + * exec transitions. */ /* clang-format off */ #define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF (1U << 0) #define LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON (1U << 1) #define LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF (1U << 2) #define LANDLOCK_RESTRICT_SELF_TSYNC (1U << 3) +#define LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS (1U << 4) /* clang-format on */ =20 /** diff --git a/security/landlock/limits.h b/security/landlock/limits.h index b454ad73b15e..9eafc64fba3f 100644 --- a/security/landlock/limits.h +++ b/security/landlock/limits.h 
@@ -31,7 +31,7 @@ #define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1) #define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE) =20 -#define LANDLOCK_LAST_RESTRICT_SELF LANDLOCK_RESTRICT_SELF_TSYNC +#define LANDLOCK_LAST_RESTRICT_SELF LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS #define LANDLOCK_MASK_RESTRICT_SELF ((LANDLOCK_LAST_RESTRICT_SELF << 1) - = 1) =20 /* clang-format on */ diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index 2333a3dc5f33..4f0305796165 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c @@ -121,10 +121,12 @@ int landlock_restrict_cred_precheck(const __u32 flags, =20 /* * Similar checks as for seccomp(2), except that an -EPERM may be - * returned. + * returned, or no_new_privs may be set by the caller via + * LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS. */ if (!task_no_new_privs(current) && !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) { + if (!(flags & LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS)) return -EPERM; } =20 @@ -197,6 +199,14 @@ int landlock_restrict_cred(struct cred *const cred, } =20 if (flags & LANDLOCK_RESTRICT_SELF_TSYNC) { + /* + * We know we can set no_new_privs on the current task + * because this path is only valid in the syscall context + */ + if ((flags & LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS) && + !task_no_new_privs(current) && + !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) + task_set_no_new_privs(current); const int tsync_err =3D landlock_restrict_sibling_threads(current_cred(), cred); =20 diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index c710e8b16150..6723806723d5 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c 
@@ -402,6 +402,7 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_f= d, * - %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON * - %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF * - %LANDLOCK_RESTRICT_SELF_TSYNC + * - %LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS * * This system call enforces a Landlock ruleset on the current thread. * Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its 
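Review bot: the kernel-doc paragraph right below the extended flag list, starting "Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its", stays as unchanged context, so it still describes the requirement without mentioning the new flag. Extend that paragraph to say that passing %LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS lets an unprivileged caller without no_new_privs pass the check, so the documentation matches the changed precheck in ruleset.c.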
@@ -461,5 +462,11 @@ SYSCALL_DEFINE2(landlock_restrict_self, const int, rul= eset_fd, const __u32, return err; } =20 + /* In syscall context we can set no_new_privs directly. */ + if ((flags & LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS) && + !task_no_new_privs(current) && + !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) + task_set_no_new_privs(current); + return commit_creds(new_cred); } --=20 2.53.0
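Review bot: the new uapi text in include/uapi/linux/landlock.h first says the flag "Sets no_new_privs on the calling thread" and then that it only has an effect when the caller "doesn't possess CAP_SYS_ADMIN", so a privileged caller that passes LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS silently ends up without no_new_privs. Either set it unconditionally whenever the flag is passed, or state the exception in the first sentence so a privileged launcher does not rely on the flag to lock down what it execs. The wording "has an effect on when" and "e.g BPF" also needs fixing.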
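Review bot: in landlock_restrict_cred_precheck() the added test on LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS is nested inside the existing braces only to guard "return -EPERM;". Fold it into the outer condition as a third && term, which keeps a single test and lets the braces go. The reworded comment says no_new_privs "may be set by the caller via" the flag; say instead that the kernel sets it later on the caller's behalf, because the current wording reads as if user space sets it.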
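Review bot: in the LANDLOCK_RESTRICT_SELF_TSYNC branch of landlock_restrict_cred(), task_set_no_new_privs(current) runs before landlock_restrict_sibling_threads(), so if that call reports an error in tsync_err and the restriction fails, the caller is still left with no_new_privs set. The bit cannot be cleared again, so set it only after the last step that can fail, or document the side effect. The new statement also sits in front of the "const int tsync_err" declaration, and the comment's claim that this path is only reached from the syscall would be safer as a check than as a remark.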
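Review bot: the three-part condition added before commit_creds(new_cred) in landlock_restrict_self() is a copy of the one added to the TSYNC branch in ruleset.c, and if the syscall reaches landlock_restrict_cred() with both flags set it is evaluated twice. Move the condition and the task_set_no_new_privs() call into one static helper so the rule for when Landlock sets no_new_privs is written once and the two sites cannot drift apart.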
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 04/20] selftests/landlock: Cover LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS
Date: Tue, 7 Apr 2026 16:01:26 -0400
Message-ID: <20260407200157.3874806-5-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>

Add tests to cover LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS.

Add a new field to the scoped domain variant specifying whether the test is to be run by manually calling prctl(PR_SET_NO_NEW_PRIVS,...) or to call it with this flag.

Add variants for the scoped domain tests validating the flag works identically to the manual prctl call for userspace code.

Fix a small issue in restrict_self_checks_ordering which assumed -1 was always an invalid flag by properly computing an invalid flag from the last known flag.
Signed-off-by: Justin Suess --- tools/testing/selftests/landlock/base_test.c | 8 +- tools/testing/selftests/landlock/common.h | 24 +++- tools/testing/selftests/landlock/fs_test.c | 103 ++++++++++-------- tools/testing/selftests/landlock/net_test.c | 55 ++++++---- .../testing/selftests/landlock/ptrace_test.c | 14 +-- .../landlock/scoped_abstract_unix_test.c | 51 ++++++--- .../selftests/landlock/scoped_base_variants.h | 23 ++++ .../selftests/landlock/scoped_common.h | 5 +- .../selftests/landlock/scoped_signal_test.c | 30 +++-- 9 files changed, 206 insertions(+), 107 deletions(-) diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/s= elftests/landlock/base_test.c index 30d37234086c..a4c38541de70 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c @@ -244,6 +244,8 @@ TEST(restrict_self_checks_ordering) }; const int ruleset_fd =3D landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); + const int last_flag =3D LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS; + const int invalid_flag =3D last_flag << 1; =20 ASSERT_LE(0, ruleset_fd); path_beneath_attr.parent_fd =3D @@ -255,7 +257,7 @@ TEST(restrict_self_checks_ordering) =20 /* Checks unprivileged enforcement without no_new_privs. */ drop_caps(_metadata); - ASSERT_EQ(-1, landlock_restrict_self(-1, -1)); + ASSERT_EQ(-1, landlock_restrict_self(-1, invalid_flag)); ASSERT_EQ(EPERM, errno); ASSERT_EQ(-1, landlock_restrict_self(-1, 0)); ASSERT_EQ(EPERM, errno); @@ -265,7 +267,7 @@ TEST(restrict_self_checks_ordering) ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); =20 /* Checks invalid flags. */ - ASSERT_EQ(-1, landlock_restrict_self(-1, -1)); + ASSERT_EQ(-1, landlock_restrict_self(-1, invalid_flag)); ASSERT_EQ(EINVAL, errno); =20 /* Checks invalid ruleset FD. */ 
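Review bot: the reason -1 had to be replaced in restrict_self_checks_ordering deserves a comment next to invalid_flag. -1 has every bit set, including LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS, so with the new precheck in ruleset.c the unprivileged call no longer stops at EPERM before the flags are validated; the commit message's "assumed -1 was always an invalid flag" does not convey that. Declare last_flag and invalid_flag as __u32 rather than int, as restrict_self_logging_flags in the same file does, since the syscall's flags argument is a __u32.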
@@ -306,7 +308,7 @@ TEST(restrict_self_fd_logging_flags) =20 TEST(restrict_self_logging_flags) { - const __u32 last_flag =3D LANDLOCK_RESTRICT_SELF_TSYNC; + const __u32 last_flag =3D LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS; =20 /* Tests invalid flag combinations. */ =20 diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/self= tests/landlock/common.h index 90551650299c..f6d6a6a99c52 100644 --- a/tools/testing/selftests/landlock/common.h +++ b/tools/testing/selftests/landlock/common.h @@ -194,11 +194,27 @@ static int __maybe_unused send_fd(int usock, int fd_t= x) return 0; } =20 +/* + * Scoped domain options + */ +struct scoped_domain_opts { + bool use_restrict_self_no_new_privs; +}; + +static const struct scoped_domain_opts default_scoped_domain_opts =3D { 0 = }; + static void __maybe_unused -enforce_ruleset(struct __test_metadata *const _metadata, const int ruleset= _fd) +enforce_ruleset(struct __test_metadata *const _metadata, const int ruleset= _fd, + const struct scoped_domain_opts opts) { - ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); - ASSERT_EQ(0, landlock_restrict_self(ruleset_fd, 0)) + /* Skip the explicit prctl() when the syscall flag sets no_new_privs. */ + if (!opts.use_restrict_self_no_new_privs) + ASSERT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); + ASSERT_EQ(0, + landlock_restrict_self(ruleset_fd, + opts.use_restrict_self_no_new_privs ? + LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS : + 0)) { TH_LOG("Failed to enforce ruleset: %s", strerror(errno)); } @@ -216,7 +232,7 @@ drop_access_rights(struct __test_metadata *const _metad= ata, { TH_LOG("Failed to create a ruleset: %s", strerror(errno)); } - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/sel= ftests/landlock/fs_test.c index cdb47fc1fc0a..b82b44405dbe 100644 --- a/tools/testing/selftests/landlock/fs_test.c 
+++ b/tools/testing/selftests/landlock/fs_test.c @@ -790,7 +790,18 @@ static void enforce_fs(struct __test_metadata *const _= metadata, { const int ruleset_fd =3D create_ruleset(_metadata, access_fs, rules); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); + EXPECT_EQ(0, close(ruleset_fd)); +} + +static void enforce_resolve_unix(struct __test_metadata *const _metadata, + const struct rule rules[], + const struct scoped_domain_opts opts) +{ + const int ruleset_fd =3D + create_ruleset(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules); + + enforce_ruleset(_metadata, ruleset_fd, opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -805,14 +816,15 @@ TEST_F_FORK(layout0, proc_nsfs) {}, }; struct landlock_path_beneath_attr path_beneath; - const int ruleset_fd =3D create_ruleset( - _metadata, rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR, - rules); + const int ruleset_fd =3D + create_ruleset(_metadata, + rules[0].access | LANDLOCK_ACCESS_FS_READ_DIR, + rules); =20 ASSERT_LE(0, ruleset_fd); ASSERT_EQ(0, test_open("/proc/self/ns/mnt", O_RDONLY)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); =20 ASSERT_EQ(EACCES, test_open("/", O_RDONLY)); ASSERT_EQ(EACCES, test_open("/dev", O_RDONLY)); @@ -862,7 +874,7 @@ TEST_F_FORK(layout0, unpriv) ASSERT_EQ(EPERM, errno); =20 /* enforce_ruleset() calls prctl(no_new_privs). */ - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); ASSERT_EQ(0, close(ruleset_fd)); } =20 @@ -1289,7 +1301,7 @@ TEST_F_FORK(layout1, inherit_subset) }; const int ruleset_fd =3D create_ruleset(_metadata, ACCESS_RW, rules); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); =20 ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY | O_DIRECTORY)); 
@@ -1322,7 +1334,7 @@ TEST_F_FORK(layout1, inherit_subset) * LANDLOCK_ACCESS_FS_WRITE_FILE must not be allowed because it would * be a privilege escalation. */ - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); =20 /* Same tests and results as above. */ ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); @@ -1343,7 +1355,7 @@ TEST_F_FORK(layout1, inherit_subset) * directory: dir_s1d1. */ add_path_beneath(_metadata, ruleset_fd, ACCESS_RW, dir_s1d1); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); =20 /* Same tests and results as above. */ ASSERT_EQ(EACCES, test_open(file1_s1d1, O_WRONLY)); @@ -1366,7 +1378,7 @@ TEST_F_FORK(layout1, inherit_subset) */ add_path_beneath(_metadata, ruleset_fd, LANDLOCK_ACCESS_FS_WRITE_FILE, dir_s1d3); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); ASSERT_EQ(0, close(ruleset_fd)); =20 /* @@ -1404,7 +1416,7 @@ TEST_F_FORK(layout1, inherit_superset) }; const int ruleset_fd =3D create_ruleset(_metadata, ACCESS_RW, rules); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); =20 /* Readdir access is denied for dir_s1d2. */ ASSERT_EQ(EACCES, test_open(dir_s1d2, O_RDONLY | O_DIRECTORY)); @@ -1418,7 +1430,7 @@ TEST_F_FORK(layout1, inherit_superset) LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR, dir_s1d2); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); =20 /* Readdir access is still denied for dir_s1d2. */ 
@@ -1442,7 +1454,8 @@ TEST_F_FORK(layout0, max_layers) const int ruleset_fd =3D create_ruleset(_metadata, ACCESS_RW, rules); =20 for (i =3D 0; i < 16; i++) - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); =20 for (i =3D 0; i < 2; i++) { err =3D landlock_restrict_self(ruleset_fd, 0); @@ -1472,12 +1485,12 @@ TEST_F_FORK(layout1, empty_or_same_ruleset) /* Nests a policy which denies read access to all directories. */ ruleset_fd =3D create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_DIR, NULL); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); ASSERT_EQ(EACCES, test_open(file1_s1d1, O_RDONLY)); ASSERT_EQ(EACCES, test_open(dir_s1d1, O_RDONLY)); =20 /* Enforces a second time with the same ruleset. */ - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); ASSERT_EQ(0, close(ruleset_fd)); } =20 @@ -1725,7 +1738,7 @@ TEST_F_FORK(layout1, release_inodes) ASSERT_EQ(0, umount(dir_s3d2)); clear_cap(_metadata, CAP_SYS_ADMIN); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); =20 ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY)); @@ -1766,7 +1779,7 @@ TEST_F_FORK(layout1, covered_rule) =20 ASSERT_EQ(0, test_open(dir_s3d2, O_RDONLY)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); ASSERT_EQ(0, close(ruleset_fd)); =20 /* Checks that access to the new mount point is denied. */ @@ -1828,7 +1841,7 @@ static void test_relative_path(struct __test_metadata= *const _metadata, } =20 set_cap(_metadata, CAP_SYS_CHROOT); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); =20 switch (rel) { case REL_OPEN: 
@@ -4402,9 +4415,9 @@ static void test_connect_to_parent(struct __test_meta= data *const _metadata, char buf[1]; =20 if (variant->domain_both) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL); + enforce_resolve_unix(_metadata, NULL, variant->domain_opts); else if (flags & ENFORCE_ALL) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules); + enforce_resolve_unix(_metadata, rules, variant->domain_opts); =20 unlink(path); ASSERT_EQ(0, pipe2(readiness_pipe, O_CLOEXEC)); @@ -4414,11 +4427,11 @@ static void test_connect_to_parent(struct __test_me= tadata *const _metadata, =20 if (child_pid =3D=3D 0) { if (variant->domain_child) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, - NULL); + enforce_resolve_unix(_metadata, NULL, + variant->domain_opts); else if (flags & ENFORCE_ALL) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, - rules); + enforce_resolve_unix(_metadata, rules, + variant->domain_opts); =20 /* Wait for server to be available. */ EXPECT_EQ(0, close(readiness_pipe[1])); @@ -4444,9 +4457,9 @@ static void test_connect_to_parent(struct __test_meta= data *const _metadata, } =20 if (variant->domain_parent) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL); + enforce_resolve_unix(_metadata, NULL, variant->domain_opts); else if (flags & ENFORCE_ALL) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules); + enforce_resolve_unix(_metadata, rules, variant->domain_opts); =20 srv_fd =3D set_up_named_unix_server(_metadata, sock_type, path); =20 
@@ -4485,9 +4498,9 @@ static void test_connect_to_child(struct __test_metad= ata *const _metadata, char buf[1]; =20 if (variant->domain_both) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL); + enforce_resolve_unix(_metadata, NULL, variant->domain_opts); else if (flags & ENFORCE_ALL) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules); + enforce_resolve_unix(_metadata, rules, variant->domain_opts); =20 unlink(path); ASSERT_EQ(0, pipe2(readiness_pipe, O_CLOEXEC)); @@ -4498,11 +4511,11 @@ static void test_connect_to_child(struct __test_met= adata *const _metadata, =20 if (child_pid =3D=3D 0) { if (variant->domain_child) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, - NULL); + enforce_resolve_unix(_metadata, NULL, + variant->domain_opts); else if (flags & ENFORCE_ALL) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, - rules); + enforce_resolve_unix(_metadata, rules, + variant->domain_opts); =20 srv_fd =3D set_up_named_unix_server(_metadata, sock_type, path); =20 @@ -4526,9 +4539,9 @@ static void test_connect_to_child(struct __test_metad= ata *const _metadata, } =20 if (variant->domain_parent) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, NULL); + enforce_resolve_unix(_metadata, NULL, variant->domain_opts); else if (flags & ENFORCE_ALL) - enforce_fs(_metadata, LANDLOCK_ACCESS_FS_RESOLVE_UNIX, rules); + enforce_resolve_unix(_metadata, rules, variant->domain_opts); =20 /* Wait for server to be available. */ EXPECT_EQ(0, close(readiness_pipe[1])); @@ -5072,7 +5085,7 @@ TEST_F_FORK(layout1_bind, path_disconnected) create_ruleset(_metadata, ACCESS_RW, layer3_only_s1d2); int bind_s1d3_fd; =20 - enforce_ruleset(_metadata, ruleset_fd_l1); + enforce_ruleset(_metadata, ruleset_fd_l1, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd_l1)); =20 bind_s1d3_fd =3D open(bind_dir_s1d3, O_PATH | O_CLOEXEC); 
@@ -5102,7 +5115,7 @@ TEST_F_FORK(layout1_bind, path_disconnected) test_open_rel(bind_s1d3_fd, "..", O_RDONLY | O_DIRECTORY)); =20 /* This should still work with a narrower rule. */ - enforce_ruleset(_metadata, ruleset_fd_l2); + enforce_ruleset(_metadata, ruleset_fd_l2, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd_l2)); =20 EXPECT_EQ(0, test_open(file1_s4d1, O_RDONLY)); @@ -5114,7 +5127,7 @@ TEST_F_FORK(layout1_bind, path_disconnected) EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY)); EXPECT_EQ(EACCES, test_open_rel(bind_s1d3_fd, file2_name, O_RDONLY)); =20 - enforce_ruleset(_metadata, ruleset_fd_l3); + enforce_ruleset(_metadata, ruleset_fd_l3, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd_l3)); =20 EXPECT_EQ(EACCES, test_open(file1_s4d1, O_RDONLY)); @@ -5176,7 +5189,7 @@ TEST_F_FORK(layout1_bind, path_disconnected_rename) ruleset_fd_l2 =3D create_ruleset(_metadata, LANDLOCK_ACCESS_FS_READ_FILE, layer2_only_s1d2); =20 - enforce_ruleset(_metadata, ruleset_fd_l1); + enforce_ruleset(_metadata, ruleset_fd_l1, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd_l1)); =20 bind_s1d3_fd =3D open(bind_dir_s1d3, O_PATH | O_CLOEXEC); @@ -5201,7 +5214,8 @@ TEST_F_FORK(layout1_bind, path_disconnected_rename) child_pid =3D fork(); ASSERT_LE(0, child_pid); if (child_pid =3D=3D 0) { - enforce_ruleset(_metadata, ruleset_fd_l2); + enforce_ruleset(_metadata, ruleset_fd_l2, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd_l2)); EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY)); EXPECT_EQ(EACCES, test_open(file1_s4d2, O_RDONLY)); 
@@ -5238,7 +5252,8 @@ TEST_F_FORK(layout1_bind, path_disconnected_rename) child_pid =3D fork(); ASSERT_LE(0, child_pid); if (child_pid =3D=3D 0) { - enforce_ruleset(_metadata, ruleset_fd_l2); + enforce_ruleset(_metadata, ruleset_fd_l2, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd_l2)); EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY)); EXPECT_EQ(0, test_open(file1_s1d3, O_RDONLY)); @@ -5290,7 +5305,7 @@ TEST_F_FORK(layout1_bind, path_disconnected_rename) } =20 /* Checks again that we can access it under l2. */ - enforce_ruleset(_metadata, ruleset_fd_l2); + enforce_ruleset(_metadata, ruleset_fd_l2, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd_l2)); EXPECT_EQ(0, test_open_rel(bind_s1d3_fd, file1_name, O_RDONLY)); EXPECT_EQ(0, test_open(file1_s1d3, O_RDONLY)); @@ -5914,7 +5929,7 @@ TEST_F_FORK(layout4_disconnected_leafs, read_rename_e= xchange) EXPECT_EQ(ENOENT, test_open_rel(s1d41_bind_fd, "..", O_DIRECTORY)); EXPECT_EQ(ENOENT, test_open_rel(s1d42_bind_fd, "..", O_DIRECTORY)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); =20 EXPECT_EQ(variant->expected_read_result, @@ -6430,7 +6445,7 @@ TEST_F_FORK(layout5_disconnected_branch, read_rename_= exchange) EXPECT_EQ(0, test_open_rel(s1d3_bind_fd, "..", O_DIRECTORY)); EXPECT_EQ(ENOENT, test_open_rel(s1d3_bind_fd, "../..", O_DIRECTORY)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); =20 EXPECT_EQ(variant->expected_read_result, @@ -7201,7 +7216,7 @@ TEST_F_FORK(layout3_fs, release_inodes) ASSERT_EQ(0, mount_opt(&mnt_tmp, TMP_DIR)); clear_cap(_metadata, CAP_SYS_ADMIN); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); ASSERT_EQ(0, close(ruleset_fd)); =20 /* Checks that access to the new mount point is denied. */ 
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/se= lftests/landlock/net_test.c index 4c528154ea92..33a39a264f6b 100644 --- a/tools/testing/selftests/landlock/net_test.c +++ b/tools/testing/selftests/landlock/net_test.c @@ -671,7 +671,8 @@ TEST_F(protocol, bind) landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_connect_p1, 0)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -721,7 +722,8 @@ TEST_F(protocol, connect) landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind_p1, 0)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -755,7 +757,8 @@ TEST_F(protocol, bind_unspec) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -788,7 +791,8 @@ TEST_F(protocol, bind_unspec) ASSERT_LE(0, ruleset_fd); =20 /* Denies bind. */ - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -874,7 +878,8 @@ TEST_F(protocol, connect_unspec) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_connect, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -902,7 +907,8 @@ TEST_F(protocol, connect_unspec) ASSERT_LE(0, ruleset_fd); =20 /* Denies connect. */ - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 
@@ -1034,7 +1040,8 @@ TEST_F(ipv4, from_unix_to_inet) landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind_connect_p0, 0)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -1181,7 +1188,8 @@ TEST_F(tcp_layers, ruleset_overlap) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind_connect, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -1197,7 +1205,8 @@ TEST_F(tcp_layers, ruleset_overlap) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -1213,7 +1222,8 @@ TEST_F(tcp_layers, ruleset_overlap) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind_connect, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -1244,7 +1254,8 @@ TEST_F(tcp_layers, ruleset_expand) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &bind_srv0, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -1276,7 +1287,8 @@ TEST_F(tcp_layers, ruleset_expand) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind_p1, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 
@@ -1298,7 +1310,8 @@ TEST_F(tcp_layers, ruleset_expand) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind_p0, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -1546,7 +1559,7 @@ TEST_F(mini, tcp_port_overflow) &port_overflow4, 0)); EXPECT_EQ(EINVAL, errno); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); =20 test_bind_and_connect(_metadata, &srv_denied, true, true); test_bind_and_connect(_metadata, &srv_max_allowed, false, false); @@ -1611,7 +1624,7 @@ TEST_F(ipv4_tcp, port_endianness) &connect_big_endian_p0, 0)); ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &bind_connect_host_endian_p1, 0)); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); =20 /* No restriction for big endinan CPU. */ test_bind_and_connect(_metadata, &self->srv0, false, little_endian); @@ -1652,7 +1665,7 @@ TEST_F(ipv4_tcp, with_fs) ASSERT_EQ(0, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind, 0)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); =20 /* Tests file access. */ @@ -1766,7 +1779,8 @@ TEST_F(port_specific, bind_connect_zero) landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind_connect_zero, 0)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -1843,7 +1857,8 @@ TEST_F(port_specific, bind_connect_1023) landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &tcp_bind_connect, 0)); =20 - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, + default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 
@@ -1982,7 +1997,7 @@ TEST_F(audit, bind) ruleset_fd =3D landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); ASSERT_LE(0, ruleset_fd); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); =20 sock_fd =3D socket_variant(&self->srv0); @@ -2010,7 +2025,7 @@ TEST_F(audit, connect) ruleset_fd =3D landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0); ASSERT_LE(0, ruleset_fd); - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, default_scoped_domain_opts); EXPECT_EQ(0, close(ruleset_fd)); =20 sock_fd =3D socket_variant(&self->srv0); diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing= /selftests/landlock/ptrace_test.c index 1b6c8b53bf33..1c29cde8707a 100644 --- a/tools/testing/selftests/landlock/ptrace_test.c +++ b/tools/testing/selftests/landlock/ptrace_test.c @@ -25,7 +25,8 @@ #define YAMA_SCOPE_DISABLED 0 #define YAMA_SCOPE_RELATIONAL 1 =20 -static void create_domain(struct __test_metadata *const _metadata) +static void create_domain(struct __test_metadata *const _metadata, + const struct scoped_domain_opts opts) { int ruleset_fd; struct landlock_ruleset_attr ruleset_attr =3D { @@ -38,8 +39,7 @@ static void create_domain(struct __test_metadata *const _= metadata) { TH_LOG("Failed to create a ruleset: %s", strerror(errno)); } - EXPECT_EQ(0, prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)); - EXPECT_EQ(0, landlock_restrict_self(ruleset_fd, 0)); + enforce_ruleset(_metadata, ruleset_fd, opts); EXPECT_EQ(0, close(ruleset_fd)); } =20 @@ -169,7 +169,7 @@ TEST_F(scoped_domains, trace) ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); if (variant->domain_both) { - create_domain(_metadata); + create_domain(_metadata, variant->domain_opts); if (!__test_passed(_metadata)) /* Aborts before forking. */ return; 
@@ -183,7 +183,7 @@ TEST_F(scoped_domains, trace) ASSERT_EQ(0, close(pipe_parent[1])); ASSERT_EQ(0, close(pipe_child[0])); if (variant->domain_child) - create_domain(_metadata); + create_domain(_metadata, variant->domain_opts); =20 /* Waits for the parent to be in a domain, if any. */ ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)); @@ -238,7 +238,7 @@ TEST_F(scoped_domains, trace) ASSERT_EQ(0, close(pipe_child[1])); ASSERT_EQ(0, close(pipe_parent[0])); if (variant->domain_parent) - create_domain(_metadata); + create_domain(_metadata, variant->domain_opts); =20 /* Signals that the parent is in a domain, if any. */ ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); @@ -396,7 +396,7 @@ TEST_F(audit, trace) =20 ASSERT_EQ(0, close(pipe_child[1])); ASSERT_EQ(0, close(pipe_parent[0])); - create_domain(_metadata); + create_domain(_metadata, default_scoped_domain_opts); =20 /* Signals that the parent is in a domain. */ ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); diff --git a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c b= /tools/testing/selftests/landlock/scoped_abstract_unix_test.c index c47491d2d1c1..d89f54edf9d5 100644 --- a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c +++ b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c @@ -88,7 +88,8 @@ TEST_F(scoped_domains, connect_to_parent) ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); if (variant->domain_both) { create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + variant->domain_opts); if (!__test_passed(_metadata)) return; } @@ -103,7 +104,8 @@ TEST_F(scoped_domains, connect_to_parent) EXPECT_EQ(0, close(pipe_parent[1])); if (variant->domain_child) create_scoped_domain( - _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + variant->domain_opts); =20 stream_client =3D socket(AF_UNIX, SOCK_STREAM, 0); ASSERT_LE(0, stream_client); 
@@ -138,7 +140,8 @@ TEST_F(scoped_domains, connect_to_parent) EXPECT_EQ(0, close(pipe_parent[0])); if (variant->domain_parent) create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + variant->domain_opts); =20 stream_server =3D socket(AF_UNIX, SOCK_STREAM, 0); ASSERT_LE(0, stream_server); @@ -186,7 +189,8 @@ TEST_F(scoped_domains, connect_to_child) ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); if (variant->domain_both) { create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + variant->domain_opts); if (!__test_passed(_metadata)) return; } @@ -200,7 +204,8 @@ TEST_F(scoped_domains, connect_to_child) EXPECT_EQ(0, close(pipe_child[0])); if (variant->domain_child) create_scoped_domain( - _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + variant->domain_opts); =20 /* Waits for the parent to be in a domain, if any. */ ASSERT_EQ(1, read(pipe_parent[0], &buf, 1)); @@ -231,7 +236,8 @@ TEST_F(scoped_domains, connect_to_child) =20 if (variant->domain_parent) create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + variant->domain_opts); =20 /* Signals that the parent is in a domain, if any. */ ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); @@ -344,7 +350,8 @@ TEST_F(scoped_audit, connect_to_child) EXPECT_EQ(0, close(pipe_child[1])); EXPECT_EQ(0, close(pipe_parent[0])); =20 - create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 /* Signals that the parent is in a domain, if any. */ ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); 
@@ -429,7 +436,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping) create_fs_domain(_metadata); else if (variant->domain_all =3D=3D SCOPE_SANDBOX) create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 child =3D fork(); ASSERT_LE(0, child); @@ -444,7 +452,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping) create_fs_domain(_metadata); else if (variant->domain_children =3D=3D SCOPE_SANDBOX) create_scoped_domain( - _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 grand_child =3D fork(); ASSERT_LE(0, grand_child); @@ -461,7 +470,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping) else if (variant->domain_grand_child =3D=3D SCOPE_SANDBOX) create_scoped_domain( _metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 stream_client =3D socket(AF_UNIX, SOCK_STREAM, 0); ASSERT_LE(0, stream_client); @@ -525,7 +535,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping) create_fs_domain(_metadata); else if (variant->domain_child =3D=3D SCOPE_SANDBOX) create_scoped_domain( - _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 stream_server_child =3D socket(AF_UNIX, SOCK_STREAM, 0); ASSERT_LE(0, stream_server_child); @@ -552,7 +563,8 @@ TEST_F(scoped_vs_unscoped, unix_scoping) create_fs_domain(_metadata); else if (variant->domain_parent =3D=3D SCOPE_SANDBOX) create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 stream_server_parent =3D socket(AF_UNIX, SOCK_STREAM, 0); ASSERT_LE(0, stream_server_parent); 
@@ -656,7 +668,8 @@ TEST_F(outside_socket, socket_with_different_domain) =20 /* Client always has a domain. */ create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 if (variant->child_socket) { int data_socket, passed_socket, stream_server; @@ -713,7 +726,8 @@ TEST_F(outside_socket, socket_with_different_domain) ASSERT_LE(0, server_socket); =20 /* Server always has a domain. */ - create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 ASSERT_EQ(0, bind(server_socket, &self->address.unix_addr, self->address.unix_addr_len)); @@ -820,7 +834,8 @@ TEST_F(various_address_sockets, scoped_pathname_sockets) =20 if (variant->domain =3D=3D SCOPE_SANDBOX) create_scoped_domain( - _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); else if (variant->domain =3D=3D OTHER_SANDBOX) create_fs_domain(_metadata); =20 @@ -1027,7 +1042,8 @@ TEST(datagram_sockets) =20 /* Scopes the domain. */ create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 /* * Connected socket sends data to the receiver, but the @@ -1108,7 +1124,8 @@ TEST(self_connect) if (child =3D=3D 0) { /* Child's domain is scoped. */ create_scoped_domain(_metadata, - LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET); + LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, + default_scoped_domain_opts); =20 /* * The child inherits the sockets, and cannot connect or diff --git a/tools/testing/selftests/landlock/scoped_base_variants.h b/tool= s/testing/selftests/landlock/scoped_base_variants.h index 7116728ebc68..bbdf19ef18ef 100644 --- a/tools/testing/selftests/landlock/scoped_base_variants.h +++ b/tools/testing/selftests/landlock/scoped_base_variants.h 
@@ -20,6 +20,7 @@ FIXTURE_VARIANT(scoped_domains) bool domain_both; bool domain_parent; bool domain_child; + struct scoped_domain_opts domain_opts; }; =20 /* @@ -54,6 +55,17 @@ FIXTURE_VARIANT_ADD(scoped_domains, child_domain) { .domain_child =3D true, }; =20 +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoped_domains, child_domain_restrict_self_no_new_priv= s) { + /* clang-format on */ + .domain_both =3D false, + .domain_parent =3D false, + .domain_child =3D true, + .domain_opts =3D { + .use_restrict_self_no_new_privs =3D true, + }, +}; + /* * Parent domain * .------. @@ -70,6 +82,17 @@ FIXTURE_VARIANT_ADD(scoped_domains, parent_domain) { .domain_child =3D false, }; =20 +/* clang-format off */ +FIXTURE_VARIANT_ADD(scoped_domains, parent_domain_restrict_self_no_new_pri= vs) { + /* clang-format on */ + .domain_both =3D false, + .domain_parent =3D true, + .domain_child =3D false, + .domain_opts =3D { + .use_restrict_self_no_new_privs =3D true, + }, +}; + /* * Parent + child domain (siblings) * .------. diff --git a/tools/testing/selftests/landlock/scoped_common.h b/tools/testi= ng/selftests/landlock/scoped_common.h index a9a912d30c4d..23990758eef8 100644 --- a/tools/testing/selftests/landlock/scoped_common.h +++ b/tools/testing/selftests/landlock/scoped_common.h @@ -10,7 +10,8 @@ #include =20 static void create_scoped_domain(struct __test_metadata *const _metadata, - const __u16 scope) + const __u16 scope, + const struct scoped_domain_opts opts) { int ruleset_fd; const struct landlock_ruleset_attr ruleset_attr =3D { @@ -23,6 +24,6 @@ static void create_scoped_domain(struct __test_metadata *= const _metadata, { TH_LOG("Failed to create a ruleset: %s", strerror(errno)); } - enforce_ruleset(_metadata, ruleset_fd); + enforce_ruleset(_metadata, ruleset_fd, opts); EXPECT_EQ(0, close(ruleset_fd)); } diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/= testing/selftests/landlock/scoped_signal_test.c index d8bf33417619..dfda4a3e5374 100644 
--- a/tools/testing/selftests/landlock/scoped_signal_test.c +++ b/tools/testing/selftests/landlock/scoped_signal_test.c @@ -111,7 +111,8 @@ TEST_F(scoping_signals, send_sig_to_parent) ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1)); EXPECT_EQ(0, close(pipe_parent[0])); =20 - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + default_scoped_domain_opts); =20 /* * The child process cannot send signal to the parent @@ -183,7 +184,8 @@ TEST_F(scoped_domains, check_access_signal) can_signal_child =3D !variant->domain_parent; =20 if (variant->domain_both) - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + variant->domain_opts); =20 ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC)); ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); @@ -197,7 +199,8 @@ TEST_F(scoped_domains, check_access_signal) EXPECT_EQ(0, close(pipe_parent[1])); =20 if (variant->domain_child) - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + variant->domain_opts); =20 ASSERT_EQ(1, write(pipe_child[1], ".", 1)); EXPECT_EQ(0, close(pipe_child[1])); @@ -226,7 +229,8 @@ TEST_F(scoped_domains, check_access_signal) EXPECT_EQ(0, close(pipe_child[1])); =20 if (variant->domain_parent) - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + variant->domain_opts); =20 ASSERT_EQ(1, read(pipe_child[0], &buf_parent, 1)); EXPECT_EQ(0, close(pipe_child[0])); @@ -280,7 +284,8 @@ TEST(signal_scoping_thread_before) &thread_pipe[0])); =20 /* Enforces restriction after creating the thread. */ - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + default_scoped_domain_opts); =20 EXPECT_EQ(0, pthread_kill(no_sandbox_thread, 0)); EXPECT_EQ(1, write(thread_pipe[1], ".", 1)); 
@@ -302,7 +307,8 @@ TEST(signal_scoping_thread_after) ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC)); =20 /* Enforces restriction before creating the thread. */ - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + default_scoped_domain_opts); =20 ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_sync, &thread_pipe[0])); @@ -360,7 +366,8 @@ TEST(signal_scoping_thread_setuid) &arg)); =20 /* Enforces restriction after creating the thread. */ - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + default_scoped_domain_opts); =20 EXPECT_NE(arg.new_uid, getuid()); EXPECT_EQ(0, setuid(arg.new_uid)); @@ -469,7 +476,8 @@ TEST_F(fown, sigurg_socket) ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC)); =20 if (variant->sandbox_setown =3D=3D SANDBOX_BEFORE_FORK) - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + default_scoped_domain_opts); =20 child =3D fork(); ASSERT_LE(0, child); @@ -531,7 +539,8 @@ TEST_F(fown, sigurg_socket) ASSERT_LE(0, recv_socket); =20 if (variant->sandbox_setown =3D=3D SANDBOX_BEFORE_SETOWN) - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + default_scoped_domain_opts); =20 /* * Sets the child to receive SIGURG for MSG_OOB. This uncommon use is 
@@ -540,7 +549,8 @@ TEST_F(fown, sigurg_socket) ASSERT_EQ(0, fcntl(recv_socket, F_SETOWN, child)); =20 if (variant->sandbox_setown =3D=3D SANDBOX_AFTER_SETOWN) - create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL); + create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL, + default_scoped_domain_opts); =20 ASSERT_EQ(1, write(pipe_parent[1], ".", 1)); =20 --=20 2.53.0
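Review bot: In the scoped_base_variants.h hunks, the new variants that set `.use_restrict_self_no_new_privs = true` exist only for the child-only and parent-only layouts, and both set `.domain_both = false`, so in the lines shown no test runs the new option with a domain created before the fork. Add matching variants for the remaining layouts of that fixture, or state in the commit message why two are enough. The new variants also lack the diagram comment that the neighbouring variants carry. Separately, in ptrace_test.c create_domain() drops its own `prctl(PR_SET_NO_NEW_PRIVS, ...)` and `landlock_restrict_self()` calls, both checked with EXPECT_EQ, in favour of enforce_ruleset(); the helper body is not part of the lines shown here, so confirm it fails the same way, because the callers rely on `__test_passed(_metadata)` to abort before forking. Most call sites only gain `default_scoped_domain_opts`; keeping the three-line churn out of about forty hunks by leaving enforce_ruleset() as a wrapper around a new options-taking helper would make the functional changes easier to review.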
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 05/20] landlock: Make ruleset deferred free RCU safe
Date: Tue, 7 Apr 2026 16:01:27 -0400
Message-ID: <20260407200157.3874806-6-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>

Use INIT_RCU_WORK in the landlock deferred free function, ensuring that
deferred ruleset freeing is also RCU safe. This is important for future
consumers who may free a Landlock ruleset under RCU in subsequent patches.

Signed-off-by: Justin Suess
---
 security/landlock/ruleset.c | 9 +++++----
 security/landlock/ruleset.h | 6 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/security/landlock/ruleset.c b/security/landlock/ruleset.c index 4f0305796165..5845cdc58d0d 100644 --- a/security/landlock/ruleset.c +++ b/security/landlock/ruleset.c
@@ -699,16 +699,17 @@ static void free_ruleset_work(struct work_struct *con= st work) { struct landlock_ruleset *ruleset; =20 - ruleset =3D container_of(work, struct landlock_ruleset, work_free); + ruleset =3D container_of(to_rcu_work(work), struct landlock_ruleset, + work_free); free_ruleset(ruleset); } =20 -/* Only called by hook_cred_free(). */ +/* Called by deferred ruleset owners that cannot free from their context. = */ void landlock_put_ruleset_deferred(struct landlock_ruleset *const ruleset) { if (ruleset && refcount_dec_and_test(&ruleset->usage)) { - INIT_WORK(&ruleset->work_free, free_ruleset_work); - schedule_work(&ruleset->work_free); + INIT_RCU_WORK(&ruleset->work_free, free_ruleset_work); + queue_rcu_work(system_wq, &ruleset->work_free); } } =20 diff --git a/security/landlock/ruleset.h b/security/landlock/ruleset.h index 0facc5cb6555..fbbd1b73476e 100644 --- a/security/landlock/ruleset.h +++ b/security/landlock/ruleset.h 
@@ -146,13 +146,13 @@ struct landlock_ruleset { struct landlock_hierarchy *hierarchy; union { /** - * @work_free: Enables to free a ruleset within a lockless - * section. This is only used by + * @work_free: Enables to free a ruleset after an RCU grace + * period from a sleepable context. This is only used by * landlock_put_ruleset_deferred() when @usage reaches zero. * The fields @lock, @usage, @num_rules, @num_layers and * @access_masks are then unused. */ - struct work_struct work_free; + struct rcu_work work_free; struct { /** * @lock: Protects against concurrent modifications of --=20 2.53.0
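Review bot: In the ruleset.h hunk, work_free stays inside the union whose other member, per the kerneldoc in the same hunk, holds @lock, @usage, @num_rules, @num_layers and @access_masks, so INIT_RCU_WORK() in landlock_put_ruleset_deferred() overwrites @usage before the grace period has even started. A reader that still holds the pointer under rcu_read_lock() therefore cannot use `refcount_inc_not_zero(&ruleset->usage)` to decide whether the ruleset is still alive; it would be reading work-item state. Please document in the kerneldoc what an RCU reader may touch once @usage has reached zero, or move work_free out of the union so that @usage stays valid until the grace period ends. struct rcu_work also carries an rcu_head and a workqueue pointer on top of the work_struct, so check that the union and struct landlock_ruleset do not grow. Finally, the commit message says "future consumers" without naming the reader side; since the hook_cred_free() path now waits for a grace period as well, a sentence on why that extra latency is acceptable would help.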
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 06/20] bpf: lsm: Add Landlock kfuncs
Date: Tue, 7 Apr 2026 16:01:28 -0400
Message-ID: <20260407200157.3874806-7-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>

Create 2 kfuncs exposing control over Landlock functionality to BPF
callers. Export an opaque struct bpf_landlock_ruleset preventing callers
from accessing unstable internal Landlock fields.

1) bpf_landlock_put_ruleset releases a reference on a
   bpf_landlock_ruleset. This is properly passed to the verifier with the
   KF_RELEASE annotation.

2) bpf_landlock_restrict_binprm alters the pre-committed credentials in
   the linux_binprm struct, ensuring the program will start with the
   specified landlock ruleset. Normal domain inheritance, for existing and
   future domains, applies as normal.

To enable proper reference counting and destruction, a destructor is
registered for the bpf_landlock_ruleset.

Additionally, both kfuncs are restricted to LSM programs attached to
bprm_creds_for_exec or bprm_creds_from_file, and only sleepable variants
of these hooks.
Landlock may block because a ruleset is protected by a lock, so both of the above kfuncs may sleep and are KF_SLEEPABLE. If RESTRICT_FLAGS_NO_NEW_PRIVS is set, and the task doesn't have CAP_SYS_ADMIN or is not already running with no_new_privs, we set the set_nnp_on_point_of_no_return to ensure that the next execution transition (but not the current one) will be subject to no_new_privs. Running task_set_no_new_privs directly is unsafe in this path, as a failed execution will result in a lingering side effect of no_new_privs being set on the original thread. Signed-off-by: Justin Suess --- include/linux/bpf_lsm.h | 15 +++++ kernel/bpf/bpf_lsm.c | 145 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 160 insertions(+) diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h index 643809cc78c3..1fc019c0db44 100644 --- a/include/linux/bpf_lsm.h +++ b/include/linux/bpf_lsm.h @@ -31,6 +31,21 @@ int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog, bool bpf_lsm_is_sleepable_hook(u32 btf_id); bool bpf_lsm_is_trusted(const struct bpf_prog *prog); =20 +/* + * Opaque type for BPF landlock ruleset. This is used to prevent BPF prog= rams + * from directly accessing the landlock_ruleset structure, which is not de= signed + * for external use and may change in the future. + */ +struct bpf_landlock_ruleset {}; +BTF_ID_LIST_SINGLE(bpf_landlock_ruleset_btf_ids, struct, bpf_landlock_rule= set) +__bpf_kfunc void +bpf_landlock_put_ruleset(const struct bpf_landlock_ruleset *ruleset); +__bpf_kfunc int +bpf_landlock_restrict_binprm(struct linux_binprm *bprm, + const struct bpf_landlock_ruleset *ruleset, + u32 flags); +__bpf_kfunc void bpf_landlock_put_ruleset_dtor(void *ruleset); + static inline struct bpf_storage_blob *bpf_inode( const struct inode *inode) { diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index 0c4a0c8e6f70..5da9950aa555 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c 
@@ -16,6 +16,7 @@ #include #include #include +#include =20 /* For every LSM hook that allows attachment of BPF programs, declare a nop * function where a BPF program can be attached. Notably, we qualify each = with 
@@ -447,3 +448,147 @@ int bpf_lsm_get_retval_range(const struct bpf_prog *p= rog, } return 0; } + +BTF_SET_START(bpf_landlock_kfunc_hooks) +BTF_ID(func, bpf_lsm_bprm_creds_for_exec) +BTF_ID(func, bpf_lsm_bprm_creds_from_file) +BTF_SET_END(bpf_landlock_kfunc_hooks) + +BTF_KFUNCS_START(bpf_landlock_kfunc_btf_ids) +BTF_ID_FLAGS(func, bpf_landlock_put_ruleset, KF_RELEASE | KF_SLEEPABLE) +BTF_ID_FLAGS(func, bpf_landlock_restrict_binprm, KF_SLEEPABLE) +BTF_KFUNCS_END(bpf_landlock_kfunc_btf_ids) + +BTF_ID_LIST(bpf_landlock_dtor_ids) +BTF_ID(struct, bpf_landlock_ruleset) +BTF_ID(func, bpf_landlock_put_ruleset_dtor) + +static int bpf_landlock_kfunc_filter(const struct bpf_prog *prog, u32 kfun= c_id) +{ + if (!btf_id_set8_contains(&bpf_landlock_kfunc_btf_ids, kfunc_id)) + return 0; + + /* BPF_LSM_CGROUP programs run under classic RCU and cannot sleep. */ + if (prog->expected_attach_type =3D=3D BPF_LSM_CGROUP) + return -EACCES; + + if (!btf_id_set_contains(&bpf_landlock_kfunc_hooks, + prog->aux->attach_btf_id)) + return -EACCES; + + return 0; +} + +static const struct btf_kfunc_id_set bpf_landlock_kfunc_set =3D { + .owner =3D THIS_MODULE, + .set =3D &bpf_landlock_kfunc_btf_ids, + .filter =3D bpf_landlock_kfunc_filter, +}; + +static int __init bpf_landlock_kfunc_init(void) +{ + const struct btf_id_dtor_kfunc bpf_landlock_dtors[] =3D { + { + .btf_id =3D bpf_landlock_dtor_ids[0], + .kfunc_btf_id =3D bpf_landlock_dtor_ids[1], + }, + }; + int ret; + + ret =3D register_btf_kfunc_id_set(BPF_PROG_TYPE_LSM, + &bpf_landlock_kfunc_set); + if (ret) + return ret; + + return register_btf_id_dtor_kfuncs(bpf_landlock_dtors, + ARRAY_SIZE(bpf_landlock_dtors), + THIS_MODULE); +} + +late_initcall(bpf_landlock_kfunc_init); + +__bpf_kfunc_start_defs(); + +#if IS_ENABLED(CONFIG_SECURITY_LANDLOCK) + +/** + * bpf_landlock_put_ruleset - put a Landlock ruleset + * @ruleset: Landlock ruleset to put + */ +__bpf_kfunc void +bpf_landlock_put_ruleset(const struct bpf_landlock_ruleset *ruleset) +{ + 
landlock_put_ruleset((struct landlock_ruleset *)ruleset); +} + +/** + * bpf_landlock_restrict_binprm - enforce a Landlock ruleset on exec crede= ntials + * @bprm: execution context providing the prepared credentials to restrict + * @ruleset: Landlock ruleset to enforce, may be NULL only with + * LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF + * @flags: landlock_restrict_self() flags + * + * When @flags contains LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS, the request is + * staged through @bprm and committed only after exec reaches point-of-no-= return. + * This guarantees that the resulting task cannot gain more privileges thr= ough + * later exec transitions, including when called from bprm_creds_from_file. + * The current execution is unaffected, and may escalate as usual until th= e next + * exec. + */ +__bpf_kfunc int +bpf_landlock_restrict_binprm(struct linux_binprm *bprm, + const struct bpf_landlock_ruleset *ruleset, + u32 flags) +{ + int err =3D landlock_restrict_cred_precheck(flags, false); + + if (err) + return err; + + err =3D landlock_restrict_cred(bprm->cred, + (struct landlock_ruleset *)ruleset, + flags); + + if (err) + return err; + /* + * Stage no_new_privs through @bprm so exec can honor it without + * mutating the current task before point-of-no-return. + */ + if ((flags & LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS) + && !task_no_new_privs(current) + && !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN)) + bprm->set_nnp_on_point_of_no_return =3D 1; + + return err; +} + +/* We define stubs for these to allow ebpf programs using landlock kfuncs = to load + * even when CONFIG_SECURITY_LANDLOCK is not enabled. 
 + */ +#else /* IS_ENABLED(CONFIG_SECURITY_LANDLOCK) */ + +__bpf_kfunc void +bpf_landlock_put_ruleset(const struct bpf_landlock_ruleset *ruleset) +{ +} + +__bpf_kfunc int +bpf_landlock_restrict_binprm(struct linux_binprm *bprm, + const struct bpf_landlock_ruleset *ruleset, + u32 flags) +{ + return -EOPNOTSUPP; +} + +#endif /* IS_ENABLED(CONFIG_SECURITY_LANDLOCK) */ + +/* Destructor does nothing when Landlock is not enabled */ +__bpf_kfunc void bpf_landlock_put_ruleset_dtor(void *ruleset) +{ + bpf_landlock_put_ruleset(ruleset); +} + +CFI_NOSEAL(bpf_landlock_put_ruleset_dtor); + +__bpf_kfunc_end_defs(); --=20 2.53.0
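Review bot: BTF_ID_LIST_SINGLE(bpf_landlock_ruleset_btf_ids, struct, bpf_landlock_ruleset) in the include/linux/bpf_lsm.h hunk defines the ID list inside a header, so every file that includes bpf_lsm.h gets its own definition. Define it once in kernel/bpf/bpf_lsm.c with BTF_ID_LIST_GLOBAL_SINGLE and leave only an extern declaration in the header, since patch 10 reads *bpf_landlock_ruleset_btf_ids from verifier.c. bpf_lsm.c then lists BTF_ID(struct, bpf_landlock_ruleset) a second time in bpf_landlock_dtor_ids; the destructor registration could reuse the single list instead of carrying two IDs for the same struct.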
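Review bot: in bpf_landlock_restrict_binprm() the kernel-doc says @ruleset "may be NULL only with LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF", but the parameter has no __nullable suffix, so it is not clear a BPF program can pass NULL past the verifier at all. Either name it ruleset__nullable or drop the NULL case from the comment. The no_new_privs staging is also skipped when current has CAP_SYS_ADMIN, yet the function still returns 0 with LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS set, so the documented guarantee that the task "cannot gain more privileges through later exec transitions" does not hold for those callers; say so in the kernel-doc or set set_nnp_on_point_of_no_return whenever the flag is passed. The final `return err;` is always 0 at that point and reads better as `return 0;`.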
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 07/20] bpf: arraymap: Implement Landlock ruleset map
Date: Tue, 7 Apr 2026 16:01:29 -0400
Message-ID: <20260407200157.3874806-8-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>

Implement a new BPF map BPF_MAP_LANDLOCK_RULESET. This specialized map type is designed to store ruleset file descriptors, and uses the exposed Landlock helper functions to ensure that the ruleset isn't freed unexpectedly.

This map type may only be inserted into from userspace, and only with a file descriptor referring to a valid Landlock ruleset.

Updating a Landlock ruleset directly through a map is not supported, as there are no fields that can be changed, but you may add rules from userspace as long as the file descriptor is open, or replace the fd with another.

Elements in a Landlock ruleset map may be deleted from BPF or userspace. Looking up an element is supported only in BPF; this is enforced with the map_lookup_elem_sys_only field in the map ops.

Reuse the existing fd_array_map operations for inserting and deleting to avoid code duplication with existing FD maps.

Signed-off-by: Justin Suess --- kernel/bpf/arraymap.c | 67 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index 33de68c95ad8..f0da17e0e23e 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -8,6 +8,7 @@ #include #include #include +#include #include #include #include 
@@ -1458,3 +1459,69 @@ const struct bpf_map_ops array_of_maps_map_ops =3D { .map_mem_usage =3D array_map_mem_usage, .map_btf_id =3D &array_map_btf_ids[0], }; + +static int landlock_ruleset_map_alloc_check(union bpf_attr *attr) +{ + if (!IS_ENABLED(CONFIG_SECURITY_LANDLOCK)) + return -EOPNOTSUPP; + + return fd_array_map_alloc_check(attr); +} + +static void landlock_ruleset_map_put_ptr(struct bpf_map *map, void *ptr, + bool need_defer) +{ + if (!ptr) + return; + + if (need_defer) + landlock_put_ruleset_deferred(ptr); + else + landlock_put_ruleset(ptr); +} + +static void *landlock_ruleset_map_get_ptr(struct bpf_map *map, + struct file *map_file, int fd) +{ + return landlock_get_ruleset_from_fd(fd, FMODE_CAN_READ); +} + +static void *landlock_ruleset_map_lookup_elem(struct bpf_map *map, void *k= ey) +{ + struct landlock_ruleset **elem, *ruleset; + + rcu_read_lock(); + + elem =3D array_map_lookup_elem(map, key); + if (!elem) { + rcu_read_unlock(); + return NULL; + } + ruleset =3D READ_ONCE(*elem); + if (!landlock_try_get_ruleset(ruleset)) + ruleset =3D NULL; + + rcu_read_unlock(); + + return ruleset; +} + +static void landlock_ruleset_array_free(struct bpf_map *map) +{ + bpf_fd_array_map_clear(map, false); + fd_array_map_free(map); +} + +const struct bpf_map_ops landlock_ruleset_map_ops =3D { + .map_alloc_check =3D landlock_ruleset_map_alloc_check, + .map_alloc =3D array_map_alloc, + .map_free =3D landlock_ruleset_array_free, + .map_get_next_key =3D bpf_array_get_next_key, + .map_lookup_elem_sys_only =3D fd_array_map_lookup_elem, + .map_lookup_elem =3D landlock_ruleset_map_lookup_elem, + .map_delete_elem =3D fd_array_map_delete_elem, + .map_fd_get_ptr =3D landlock_ruleset_map_get_ptr, + .map_fd_put_ptr =3D landlock_ruleset_map_put_ptr, + .map_mem_usage =3D array_map_mem_usage, + .map_btf_id =3D &array_map_btf_ids[0], +}; --=20 2.53.0
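Review bot: landlock_ruleset_map_lookup_elem() hands READ_ONCE(*elem) straight to landlock_try_get_ruleset(), and a slot that was never populated or has been deleted holds NULL. Add an explicit `if (!ruleset)` test before the try-get, or note in a comment that the helper accepts NULL, so the map code does not depend on an undocumented property of a Landlock internal. A comment is also needed on why the pointer read under rcu_read_lock() cannot be freed before the try-get runs: landlock_ruleset_map_put_ptr() has a non-deferred branch, and landlock_ruleset_array_free() takes it through bpf_fd_array_map_clear(map, false), so the lifetime argument should be written down next to the lookup.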
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 08/20] bpf: Add Landlock ruleset map type
Date: Tue, 7 Apr 2026 16:01:30 -0400
Message-ID: <20260407200157.3874806-9-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>

Expose the new BPF_MAP_TYPE_LANDLOCK_RULESET via headers, allowing programs to utilize the map.

Signed-off-by: Justin Suess --- include/linux/bpf_types.h | 1 + include/uapi/linux/bpf.h | 1 + tools/include/uapi/linux/bpf.h | 1 + tools/lib/bpf/libbpf.c | 1 + tools/lib/bpf/libbpf_probes.c | 6 ++++++ 5 files changed, 10 insertions(+) diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h index b13de31e163f..0fa3b9031d90 100644 --- a/include/linux/bpf_types.h +++ b/include/linux/bpf_types.h
@@ -134,6 +134,7 @@ BPF_MAP_TYPE(BPF_MAP_TYPE_BLOOM_FILTER, bloom_filter_ma= p_ops) BPF_MAP_TYPE(BPF_MAP_TYPE_USER_RINGBUF, user_ringbuf_map_ops) BPF_MAP_TYPE(BPF_MAP_TYPE_ARENA, arena_map_ops) BPF_MAP_TYPE(BPF_MAP_TYPE_INSN_ARRAY, insn_array_map_ops) +BPF_MAP_TYPE(BPF_MAP_TYPE_LANDLOCK_RULESET, landlock_ruleset_map_ops) =20 BPF_LINK_TYPE(BPF_LINK_TYPE_RAW_TRACEPOINT, raw_tracepoint) BPF_LINK_TYPE(BPF_LINK_TYPE_TRACING, tracing) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index c8d400b7680a..7e4478afa162 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -1046,6 +1046,7 @@ enum bpf_map_type { BPF_MAP_TYPE_CGRP_STORAGE, BPF_MAP_TYPE_ARENA, BPF_MAP_TYPE_INSN_ARRAY, + BPF_MAP_TYPE_LANDLOCK_RULESET, __MAX_BPF_MAP_TYPE }; =20 diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index 5e38b4887de6..6dd7d70b198a 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -1046,6 +1046,7 @@ enum bpf_map_type { BPF_MAP_TYPE_CGRP_STORAGE, BPF_MAP_TYPE_ARENA, BPF_MAP_TYPE_INSN_ARRAY, + BPF_MAP_TYPE_LANDLOCK_RULESET, __MAX_BPF_MAP_TYPE }; =20 diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c index 0be7017800fe..9ccd5df1ea6c 100644 --- a/tools/lib/bpf/libbpf.c +++ b/tools/lib/bpf/libbpf.c @@ -192,6 +192,7 @@ static const char * const map_type_name[] =3D { [BPF_MAP_TYPE_CGRP_STORAGE] =3D "cgrp_storage", [BPF_MAP_TYPE_ARENA] =3D "arena", [BPF_MAP_TYPE_INSN_ARRAY] =3D "insn_array", + [BPF_MAP_TYPE_LANDLOCK_RULESET] =3D "landlock_ruleset", }; =20 static const char * const prog_type_name[] =3D { diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c index bccf4bb747e1..1407d54aef67 100644 --- a/tools/lib/bpf/libbpf_probes.c +++ b/tools/lib/bpf/libbpf_probes.c 
@@ -367,6 +367,12 @@ static int probe_map_create(enum bpf_map_type map_type) case BPF_MAP_TYPE_INSN_ARRAY: key_size =3D sizeof(__u32); value_size =3D sizeof(struct bpf_insn_array_value); + max_entries =3D 1; + break; + case BPF_MAP_TYPE_LANDLOCK_RULESET: + key_size =3D sizeof(__u32); + value_size =3D sizeof(__u32); + max_entries =3D 1; break; case BPF_MAP_TYPE_UNSPEC: default: --=20 2.53.0
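Review bot: the tools/lib/bpf/libbpf_probes.c hunk adds `max_entries = 1;` to the existing BPF_MAP_TYPE_INSN_ARRAY case as well as to the new one, which changes the probe for an unrelated map type without any mention in the commit message. Drop that line from this patch or split it out with its own justification, and if max_entries is already 1 by default in probe_map_create() the assignment in the new BPF_MAP_TYPE_LANDLOCK_RULESET case is not needed either. The series also names the map BPF_MAP_LANDLOCK_RULESET in the patch 07 commit message and BPF_MAP_TYPE_LANDLOCK_RULESET here; use the enum name from the uapi header throughout.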
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 09/20] bpf: syscall: Handle Landlock ruleset maps
Date: Tue, 7 Apr 2026 16:01:31 -0400
Message-ID: <20260407200157.3874806-10-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>

Allow userspace to create maps of type BPF_MAP_TYPE_LANDLOCK_RULESET via the bpf syscall.

If CONFIG_SECURITY_LANDLOCK != y, these programs will still be accepted by the verifier but return an error at runtime.

Signed-off-by: Justin Suess --- kernel/bpf/syscall.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 274039e36465..e885451b64a0 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c
@@ -48,7 +48,8 @@ =20 #define IS_FD_ARRAY(map) ((map)->map_type =3D=3D BPF_MAP_TYPE_PERF_EVENT_A= RRAY || \ (map)->map_type =3D=3D BPF_MAP_TYPE_CGROUP_ARRAY || \ - (map)->map_type =3D=3D BPF_MAP_TYPE_ARRAY_OF_MAPS) + (map)->map_type =3D=3D BPF_MAP_TYPE_ARRAY_OF_MAPS || \ + (map)->map_type =3D=3D BPF_MAP_TYPE_LANDLOCK_RULESET) #define IS_FD_PROG_ARRAY(map) ((map)->map_type =3D=3D BPF_MAP_TYPE_PROG_AR= RAY) #define IS_FD_HASH(map) ((map)->map_type =3D=3D BPF_MAP_TYPE_HASH_OF_MAPS) #define IS_FD_MAP(map) (IS_FD_ARRAY(map) || IS_FD_PROG_ARRAY(map) || \ 
@@ -1488,6 +1489,7 @@ static int map_create(union bpf_attr *attr, bpfptr_t = uattr) case BPF_MAP_TYPE_CPUMAP: case BPF_MAP_TYPE_ARENA: case BPF_MAP_TYPE_INSN_ARRAY: + case BPF_MAP_TYPE_LANDLOCK_RULESET: if (!bpf_token_capable(token, CAP_BPF)) goto put_token; break; --=20 2.53.0
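Review bot: the new `case BPF_MAP_TYPE_LANDLOCK_RULESET:` in map_create() makes bpf_token_capable(token, CAP_BPF) the only gate on creating a map whose entries are later applied to exec credentials, and the commit message gives no reasoning for why CAP_BPF, including the delegated BPF token case, is the right bar. Please state it. The message also says programs are still accepted and fail at runtime when CONFIG_SECURITY_LANDLOCK is not set, but landlock_ruleset_map_alloc_check() from patch 07 returns -EOPNOTSUPP in that configuration, so map creation itself fails; align the text with what the code does.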
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 10/20] bpf: verifier: Add Landlock ruleset map support
Date: Tue, 7 Apr 2026 16:01:32 -0400
Message-ID: <20260407200157.3874806-11-utilityemal77@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add support for the BPF_MAP_TYPE_LANDLOCK_RULESET in the verifier. Mark the map as storing a trusted pointer to a BTF object. Specify the map as being usable from sleepable contexts.

Signed-off-by: Justin Suess
---
 kernel/bpf/verifier.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f108c01ff6d0..52ba58536387 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -493,7 +493,8 @@ static bool is_acquire_function(enum bpf_func_id func_i= d, =20 if (func_id =3D=3D BPF_FUNC_map_lookup_elem && (map_type =3D=3D BPF_MAP_TYPE_SOCKMAP || - map_type =3D=3D BPF_MAP_TYPE_SOCKHASH)) + map_type =3D=3D BPF_MAP_TYPE_SOCKHASH || + map_type =3D=3D BPF_MAP_TYPE_LANDLOCK_RULESET)) return true; =20 return false; 
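Review bot: in is_acquire_function(), adding BPF_MAP_TYPE_LANDLOCK_RULESET next to SOCKMAP and SOCKHASH makes every bpf_map_lookup_elem() on this map return a reference the program has to release, but neither the commit message nor a comment says so or names the release call. Since the series declares bpf_landlock_put_ruleset() for that purpose, say in the changelog that lookup acquires a reference and which kfunc drops it, so reviewers can check that the put side is registered as a release function and that a lookup without a matching put is rejected at load time.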
@@ -2269,6 +2270,10 @@ static void mark_ptr_not_null_reg(struct bpf_reg_sta= te *reg) } else if (map->map_type =3D=3D BPF_MAP_TYPE_SOCKMAP || map->map_type =3D=3D BPF_MAP_TYPE_SOCKHASH) { reg->type =3D PTR_TO_SOCKET; + } else if (map->map_type =3D=3D BPF_MAP_TYPE_LANDLOCK_RULESET) { + reg->type =3D PTR_TO_BTF_ID | PTR_TRUSTED; + reg->btf =3D btf_vmlinux; + reg->btf_id =3D *bpf_landlock_ruleset_btf_ids; } else { reg->type =3D PTR_TO_MAP_VALUE; } @@ -10238,6 +10243,13 @@ static int check_map_func_compatibility(struct bpf= _verifier_env *env, !may_update_sockmap(env, func_id)) goto error; break; + case BPF_MAP_TYPE_LANDLOCK_RULESET: + if (resolve_prog_type(env->prog) !=3D BPF_PROG_TYPE_LSM) + goto error; + if (func_id !=3D BPF_FUNC_map_lookup_elem && + func_id !=3D BPF_FUNC_map_delete_elem) + goto error; + break; case BPF_MAP_TYPE_REUSEPORT_SOCKARRAY: if (func_id !=3D BPF_FUNC_sk_select_reuseport) goto error; 
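Review bot: in the mark_ptr_not_null_reg() hunk, the assignment from *bpf_landlock_ruleset_btf_ids dereferences a symbol this patch neither defines nor declares, and the new branch has no visible guard for kernels built without Landlock. Please state which patch and header provide bpf_landlock_ruleset_btf_ids, and confirm verifier.c still builds and links with CONFIG_SECURITY_LANDLOCK disabled, either through a stub or an #ifdef around the new code. The PTR_TO_BTF_ID | PTR_TRUSTED type also deserves a one-line comment tying it to the acquire semantics added in is_acquire_function().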
@@ -21662,6 +21674,7 @@ static int check_map_prog_compatibility(struct bpf_= verifier_env *env, case BPF_MAP_TYPE_ARENA: case BPF_MAP_TYPE_INSN_ARRAY: case BPF_MAP_TYPE_PROG_ARRAY: + case BPF_MAP_TYPE_LANDLOCK_RULESET: break; default: verbose(env, --=20 2.53.0
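Review bot: in check_map_prog_compatibility(), the new case only adds the map type to the accepted list, so the LSM-only rule rests entirely on the resolve_prog_type() test in check_map_func_compatibility(), which runs when a helper is called on the map rather than when the map is matched against the program. If non-LSM programs must not reference this map at all, reject them here as well. That earlier case also permits BPF_FUNC_map_delete_elem from programs while excluding update, and the changelog gives no reason for letting an LSM program remove a ruleset; please document that or restrict the case to lookup.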
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 11/20] selftests/bpf: Add Landlock kfunc declarations
Date: Tue, 7 Apr 2026 16:01:33 -0400
Message-ID: <20260407200157.3874806-12-utilityemal77@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Expose the Landlock kfuncs to the BPF selftests.

Signed-off-by: Justin Suess
---
 tools/testing/selftests/bpf/bpf_kfuncs.h | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/tools/testing/selftests/bpf/bpf_kfuncs.h b/tools/testing/selft= ests/bpf/bpf_kfuncs.h index 7dad01439391..00f2b337a232 100644 --- a/tools/testing/selftests/bpf/bpf_kfuncs.h +++ b/tools/testing/selftests/bpf/bpf_kfuncs.h 
@@ -79,6 +79,26 @@ extern int bpf_verify_pkcs7_signature(struct bpf_dynptr = *data_ptr, struct bpf_dynptr *sig_ptr, struct bpf_key *trusted_keyring) __ksym; =20 +struct bpf_landlock_ruleset; +/* + * Description + * Put a Landlock ruleset obtained from a Landlock ruleset map lookup. + */ + +void bpf_landlock_put_ruleset(const struct bpf_landlock_ruleset *ruleset) + __ksym __weak; +/* + * Description + * Modifies the credential of the passed binary parameters to enforce the + * provided landlock ruleset on the new credentials. The ruleset should + * have been obtained from a Landlock ruleset map lookup. + * Returns + * Error code same as those returned by landlock_restrict_self + */ +int bpf_landlock_restrict_binprm(struct linux_binprm *bprm, + const struct bpf_landlock_ruleset *ruleset, + __u32 flags) __ksym __weak; + struct dentry; /* Description * Returns xattr of a dentry --=20 2.53.0
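Review bot: the comment above bpf_landlock_restrict_binprm() documents the return value but not the flags argument, and neither comment says whether a ruleset returned by the map lookup must be released with bpf_landlock_put_ruleset() on every path, including after a failed restrict call. Please add a line listing the accepted flag values, or pointing to where they are defined, and state the put requirement explicitly. Style: the first comment is separated from its declaration by a blank line and both open with a bare /*, while the neighbouring struct dentry comment starts with "/* Description"; matching the file's existing layout would keep the header consistent.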
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 12/20] selftests/landlock: Rename gettid wrapper for BPF reuse
Date: Tue, 7 Apr 2026 16:01:34 -0400
Message-ID: <20260407200157.3874806-13-utilityemal77@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Prevent a name conflict when importing the Landlock wrappers header from the Landlock selftests into the bpf selftests by renaming the gettid syscall wrapper.

Signed-off-by: Justin Suess
---
 tools/testing/selftests/landlock/common.h | 4 ++--
 tools/testing/selftests/landlock/wrappers.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/self= tests/landlock/common.h index f6d6a6a99c52..5fe0158885e5 100644 --- a/tools/testing/selftests/landlock/common.h +++ b/tools/testing/selftests/landlock/common.h 
@@ -262,8 +262,8 @@ static void __maybe_unused set_unix_address(struct serv= ice_fixture *const srv, { srv->unix_addr.sun_family =3D AF_UNIX; sprintf(srv->unix_addr.sun_path, - "_selftests-landlock-abstract-unix-tid%d-index%d", sys_gettid(), - index); + "_selftests-landlock-abstract-unix-tid%d-index%d", + landlock_gettid(), index); srv->unix_addr_len =3D SUN_LEN(&srv->unix_addr); srv->unix_addr.sun_path[0] =3D '\0'; } diff --git a/tools/testing/selftests/landlock/wrappers.h b/tools/testing/se= lftests/landlock/wrappers.h index 65548323e45d..114b8c60630d 100644 --- a/tools/testing/selftests/landlock/wrappers.h +++ b/tools/testing/selftests/landlock/wrappers.h 
@@ -41,7 +41,7 @@ static inline int landlock_restrict_self(const int rulese= t_fd, } #endif =20 -static inline pid_t sys_gettid(void) +static inline pid_t landlock_gettid(void) { return syscall(__NR_gettid); } --=20 2.53.0
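Review bot: in wrappers.h, the new name landlock_gettid() puts a plain gettid(2) wrapper in the same namespace as the real Landlock syscall wrappers such as landlock_restrict_self() just above it, which reads as if gettid were a Landlock call. A neutral name that still avoids the clash with the BPF selftests, or an #ifndef guard around the existing helper, would keep the header's naming accurate. The changelog should also name the symbol on the BPF side that sys_gettid() collides with, since the conflict is not visible from this patch.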
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 13/20] selftests/bpf: Enable Landlock in selftests kernel.
Date: Tue, 7 Apr 2026 16:01:35 -0400
Message-ID: <20260407200157.3874806-14-utilityemal77@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Enable the BPF selftests to build the kernel with Landlock built into the kernel and enabled at boot time. Existing LSMs (SELinux, BPF, integrity) were moved from x86_64 specific config to be built into all architectures.

Signed-off-by: Justin Suess
---
 tools/testing/selftests/bpf/config | 5 +++++
 tools/testing/selftests/bpf/config.x86_64 | 1 -
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/config b/tools/testing/selftests/b= pf/config index 24855381290d..8eca3773e968 100644 --- a/tools/testing/selftests/bpf/config +++ b/tools/testing/selftests/bpf/config @@ -115,6 +115,11 @@ CONFIG_RC_CORE=3Dy CONFIG_SAMPLES=3Dy CONFIG_SAMPLE_LIVEPATCH=3Dm CONFIG_SECURITY=3Dy +CONFIG_SECURITY_LANDLOCK=3Dy +CONFIG_SECURITY_NETWORK=3Dy +CONFIG_SECURITY_SELINUX=3Dy +CONFIG_SECURITY_PATH=3Dy +CONFIG_LSM=3D"selinux,bpf,integrity,landlock" CONFIG_SECURITYFS=3Dy CONFIG_SYN_COOKIES=3Dy CONFIG_TEST_BPF=3Dm diff --git a/tools/testing/selftests/bpf/config.x86_64 b/tools/testing/self= tests/bpf/config.x86_64 index 42ad817b00ae..8a6d2af3805c 100644 --- a/tools/testing/selftests/bpf/config.x86_64 +++ b/tools/testing/selftests/bpf/config.x86_64 
@@ -126,7 +126,6 @@ CONFIG_LEGACY_VSYSCALL_NONE=3Dy CONFIG_LOG_BUF_SHIFT=3D21 CONFIG_LOG_CPU_MAX_BUF_SHIFT=3D0 CONFIG_LOGO=3Dy -CONFIG_LSM=3D"selinux,bpf,integrity" CONFIG_MAC_PARTITION=3Dy CONFIG_MAGIC_SYSRQ=3Dy CONFIG_MCORE2=3Dy --=20 2.53.0
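Review bot: in the tools/testing/selftests/bpf/config hunk, the new entries break the file's alphabetical order: CONFIG_LSM sits between CONFIG_SECURITY_PATH and CONFIG_SECURITYFS, and the CONFIG_SECURITY_* lines are not sorted among themselves (PATH follows SELINUX). Please move CONFIG_LSM up to the L entries and sort the rest. The LSM list now names selinux, bpf and integrity for every architecture, but the hunk only adds CONFIG_SECURITY_SELINUX, CONFIG_SECURITY_NETWORK and CONFIG_SECURITY_PATH; confirm that the options backing the bpf and integrity entries are already in the common config rather than only in config.x86_64, otherwise the list names LSMs that are not built on other architectures.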
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 14/20] selftests/bpf: Add Landlock kfunc test program
Date: Tue, 7 Apr 2026 16:01:36 -0400
Message-ID: <20260407200157.3874806-15-utilityemal77@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add a BPF program that enforces a Landlock ruleset at exec time for the purposes of selftests. The program receives a PID and a Landlock ruleset from userspace, and calls bpf_landlock_restrict_binprm to apply the domain to the specified process. The program then calls bpf_landlock_put_ruleset in order to release the ruleset. Global counters are tracked to ensure proper execution via the test harness.

Signed-off-by: Justin Suess
---
 .../selftests/bpf/progs/landlock_kfuncs.c | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/progs/landlock_kfuncs.c

diff --git a/tools/testing/selftests/bpf/progs/landlock_kfuncs.c b/tools/te= sting/selftests/bpf/progs/landlock_kfuncs.c new file mode 100644 index 000000000000..7ca089716356 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/landlock_kfuncs.c 
@@ -0,0 +1,92 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include "vmlinux.h" +#include +#include +#include "bpf_kfuncs.h" + +u32 target_pid; +bool enable_bprm_creds_for_exec; +bool enable_bprm_creds_from_file; +u32 restrict_flags; + +int matched_pid; +int bprm_creds_for_exec_hits; +int bprm_creds_from_file_hits; +int lookup_calls; +int lookup_failed; +int restrict_calls; +int restrict_ret; +int put_calls; + +struct { + __uint(type, BPF_MAP_TYPE_LANDLOCK_RULESET); + __uint(max_entries, 1); + __type(key, __u32); + __type(value, __u32); +} ruleset_map SEC(".maps"); + +char _license[] SEC("license") =3D "GPL"; + +static __always_inline bool is_target_exec(void) +{ + u32 pid; + + if (!target_pid) + return false; + + pid =3D bpf_get_current_pid_tgid() >> 32; + if (pid !=3D target_pid) + return false; + + matched_pid =3D 1; + return true; +} + +static __always_inline int apply_landlock_ruleset(struct linux_binprm *bpr= m, + int *hook_hits) +{ + const struct bpf_landlock_ruleset *ruleset; + __u32 key =3D 0; + + if (!is_target_exec()) + return 0; + + (*hook_hits)++; + + lookup_calls++; + ruleset =3D bpf_map_lookup_elem(&ruleset_map, &key); + if (!ruleset) { + lookup_failed++; + return 0; + } + + restrict_calls++; + restrict_ret =3D + bpf_landlock_restrict_binprm(bprm, ruleset, restrict_flags); + put_calls++; + bpf_landlock_put_ruleset(ruleset); + + return 0; +} + +SEC("lsm.s/bprm_creds_for_exec") +int BPF_PROG(bprm_creds_for_exec, struct linux_binprm *bprm) +{ + if (!enable_bprm_creds_for_exec) + return 0; + + return apply_landlock_ruleset(bprm, &bprm_creds_for_exec_hits); +} + +SEC("lsm.s/bprm_creds_from_file") +int BPF_PROG(bprm_creds_from_file, struct linux_binprm *bprm, + const struct file *file) +{ + (void)file; + + if (!enable_bprm_creds_from_file) + return 0; + + return apply_landlock_ruleset(bprm, &bprm_creds_from_file_hits); +} --=20 2.53.0
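Review bot: apply_landlock_ruleset() returns 0 on every path, so when bpf_map_lookup_elem() fails or bpf_landlock_restrict_binprm() returns an error the exec still proceeds without the ruleset, and the outcome is only visible in lookup_failed and restrict_ret. That suits a counter-driven selftest, but add a comment saying the fail-open behaviour is deliberate so the program is not copied as an enforcement template; an enforcing variant would return the error from the hook. Also, restrict_ret is a single global written by both hooks, so with both enable flags set the second hook overwrites the first result; a per-hook return value would let the harness check each one.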
From: Justin Suess
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org
Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess
Subject: [RFC PATCH 15/20] selftests/bpf: Add Landlock kfunc test runner
Date: Tue, 7 Apr 2026 16:01:37 -0400
Message-ID: <20260407200157.3874806-16-utilityemal77@gmail.com>
In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com>
References: <20260407200157.3874806-1-utilityemal77@gmail.com>

Add a selftest program that loads the Landlock BPF program. The program creates Landlock rulesets under two topologies (with and without parent domain). It tests proper enforcement of Landlock rulesets by forking and executing a child process while a ruleset is enforced by BPF. The result of the operation is checked and the BPF program counters are verified to ensure proper execution.

Assisted-by: OpenAI:GPT-5.4
Signed-off-by: Justin Suess --- .../bpf/prog_tests/landlock_kfuncs.c | 733 ++++++++++++++++++ 1 file changed, 733 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/landlock_kfuncs.c diff --git a/tools/testing/selftests/bpf/prog_tests/landlock_kfuncs.c b/too= ls/testing/selftests/bpf/prog_tests/landlock_kfuncs.c new file mode 100644 index 000000000000..a2f2a067b911 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/landlock_kfuncs.c 
@@ -0,0 +1,733 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include +#include "../../../../../usr/include/linux/landlock.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "landlock_kfuncs.skel.h" +#include "../../landlock/wrappers.h" + +#ifndef BIT +#define BIT(nr) (1U << (nr)) +#endif + +#ifndef LANDLOCK_RESTRICT_SELF_TSYNC +#define LANDLOCK_RESTRICT_SELF_TSYNC BIT(3) +#endif + +#ifndef LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS +#define LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS BIT(4) +#endif + +#define LANDLOCK_EXEC_PATH "/bin/sh" +#define MNT_TMP_DATA "size=3D4m,mode=3D700" + +enum previous_domain_kind { + PREV_DOMAIN_NONE, + PREV_DOMAIN_NESTED, +}; + +enum operation_kind { + OPERATION_READ, + OPERATION_WRITE, + OPERATION_CREATE, +}; + +struct hook_variant { + const char *name; + bool enable_bprm_creds_for_exec; + bool enable_bprm_creds_from_file; +}; + +struct restrict_variant { + const char *name; + enum previous_domain_kind previous_domain; + __u32 restrict_flags; + int expected_restrict_ret; + bool expect_enforced; +}; + +struct operation_case { + const char *name; + enum operation_kind kind; + __u64 handled_access_fs; + __u64 allowed_access_fs; +}; + +struct landlock_test_env { + char base_dir[PATH_MAX]; + char allowed_dir[PATH_MAX]; + char restricted_dir[PATH_MAX]; + char allowed_file[PATH_MAX]; + char restricted_file[PATH_MAX]; + char created_file[PATH_MAX]; +}; + +static const struct hook_variant hook_variants[] =3D { + { + .name =3D "bprm_creds_for_exec", + .enable_bprm_creds_for_exec =3D true, + }, + { + .name =3D "bprm_creds_from_file", + .enable_bprm_creds_from_file =3D true, + }, +}; + +static const struct restrict_variant domain_variants[] =3D { + { + .name =3D "no_previous_domain", + .previous_domain =3D PREV_DOMAIN_NONE, + .expect_enforced =3D true, + }, + { + .name =3D "nested_previous_domain", + .previous_domain =3D PREV_DOMAIN_NESTED, + 
.expect_enforced =3D true, + }, +}; + +static const struct restrict_variant flag_variants[] =3D { + { + .name =3D "flag_no_new_privs", + .previous_domain =3D PREV_DOMAIN_NONE, + .restrict_flags =3D LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS, + .expect_enforced =3D true, + }, + { + .name =3D "flag_log_same_exec_off", + .previous_domain =3D PREV_DOMAIN_NONE, + .restrict_flags =3D LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF, + .expect_enforced =3D true, + }, + { + .name =3D "flag_log_new_exec_on", + .previous_domain =3D PREV_DOMAIN_NONE, + .restrict_flags =3D LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON, + .expect_enforced =3D true, + }, + { + .name =3D "flag_log_subdomains_off", + .previous_domain =3D PREV_DOMAIN_NONE, + .restrict_flags =3D LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF, + .expect_enforced =3D true, + }, + { + .name =3D "flag_tsync_rejected", + .previous_domain =3D PREV_DOMAIN_NONE, + .restrict_flags =3D LANDLOCK_RESTRICT_SELF_TSYNC, + .expected_restrict_ret =3D -EINVAL, + .expect_enforced =3D false, + }, +}; + +static const struct operation_case operation_cases[] =3D { + { + .name =3D "read_file", + .kind =3D OPERATION_READ, + .handled_access_fs =3D LANDLOCK_ACCESS_FS_READ_FILE, + .allowed_access_fs =3D LANDLOCK_ACCESS_FS_READ_FILE, + }, + { + .name =3D "write_file", + .kind =3D OPERATION_WRITE, + .handled_access_fs =3D LANDLOCK_ACCESS_FS_WRITE_FILE, + .allowed_access_fs =3D LANDLOCK_ACCESS_FS_WRITE_FILE, + }, + { + .name =3D "make_reg", + .kind =3D OPERATION_CREATE, + .handled_access_fs =3D LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_WRITE_FILE, + .allowed_access_fs =3D LANDLOCK_ACCESS_FS_MAKE_REG | + LANDLOCK_ACCESS_FS_WRITE_FILE, + }, +}; + +static int landlock_version(void) +{ + return landlock_create_ruleset(NULL, 0, + LANDLOCK_CREATE_RULESET_VERSION); +} + +static int write_all(int fd, const char *buf, size_t len) +{ + while (len > 0) { + ssize_t written; + + written =3D write(fd, buf, len); + if (written < 0) { + if (errno =3D=3D EINTR) + continue; + 
return -errno; + } + buf +=3D written; + len -=3D written; + } + + return 0; +} + +static int write_text_file(const char *path, const char *contents) +{ + int err; + int fd; + + fd =3D open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600); + if (fd < 0) + return -errno; + + err =3D write_all(fd, contents, strlen(contents)); + close(fd); + return err; +} + +static int read_text_file(const char *path, char *buf, size_t len) +{ + ssize_t bytes; + int fd; + + fd =3D open(path, O_RDONLY | O_CLOEXEC); + if (fd < 0) + return -errno; + + bytes =3D read(fd, buf, len - 1); + close(fd); + if (bytes < 0) + return -errno; + + buf[bytes] =3D '\0'; + return 0; +} + +static bool path_exists(const char *path) +{ + return access(path, F_OK) =3D=3D 0; +} + +static int delete_ruleset_map_elem(struct landlock_kfuncs *skel) +{ + __u32 key =3D 0; + int err; + + err =3D bpf_map_delete_elem(bpf_map__fd(skel->maps.ruleset_map), &key); + if (!err || errno =3D=3D ENOENT) + return 0; + return -errno; +} + +static int update_ruleset_map(struct landlock_kfuncs *skel, int ruleset_fd) +{ + __u32 key =3D 0; + + if (bpf_map_update_elem(bpf_map__fd(skel->maps.ruleset_map), &key, + &ruleset_fd, BPF_ANY)) + return -errno; + + return 0; +} + +static void reset_bss(struct landlock_kfuncs *skel) +{ + skel->bss->target_pid =3D 0; + skel->bss->enable_bprm_creds_for_exec =3D false; + skel->bss->enable_bprm_creds_from_file =3D false; + skel->bss->restrict_flags =3D 0; + + skel->bss->matched_pid =3D 0; + skel->bss->bprm_creds_for_exec_hits =3D 0; + skel->bss->bprm_creds_from_file_hits =3D 0; + skel->bss->lookup_calls =3D 0; + skel->bss->lookup_failed =3D 0; + skel->bss->restrict_calls =3D 0; + skel->bss->restrict_ret =3D 0; + skel->bss->put_calls =3D 0; +} + +static int add_path_rule(int ruleset_fd, const char *path, __u64 access) +{ + struct landlock_path_beneath_attr path_beneath =3D { + .allowed_access =3D access, + }; + int err; + int parent_fd; + + parent_fd =3D open(path, O_PATH | O_CLOEXEC | 
O_DIRECTORY); + if (parent_fd < 0) + return -errno; + + path_beneath.parent_fd =3D parent_fd; + err =3D landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, + &path_beneath, 0); + err =3D err ? -errno : 0; + close(parent_fd); + return err; +} + +static int create_exec_ruleset(const struct landlock_test_env *env, + const struct operation_case *op) +{ + struct landlock_ruleset_attr attr =3D { + .handled_access_fs =3D op->handled_access_fs, + }; + int err; + int ruleset_fd; + + ruleset_fd =3D landlock_create_ruleset(&attr, sizeof(attr), 0); + if (ruleset_fd < 0) + return -errno; + + err =3D add_path_rule(ruleset_fd, env->allowed_dir, + op->allowed_access_fs); + if (err) { + close(ruleset_fd); + return err; + } + + return ruleset_fd; +} + +static int create_and_apply_previous_domain(const struct landlock_test_env= *env, + enum previous_domain_kind kind, + __u64 handled_access_fs) +{ + struct landlock_ruleset_attr attr =3D {}; + int err; + int ruleset_fd; + + if (kind =3D=3D PREV_DOMAIN_NONE) + return 0; + + attr.handled_access_fs =3D handled_access_fs; + + ruleset_fd =3D landlock_create_ruleset(&attr, sizeof(attr), 0); + if (ruleset_fd < 0) + return -errno; + + if (kind =3D=3D PREV_DOMAIN_NESTED) { + err =3D add_path_rule(ruleset_fd, env->base_dir, + handled_access_fs); + if (err) { + close(ruleset_fd); + return err; + } + } + + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) + return -errno; + + err =3D landlock_restrict_self(ruleset_fd, 0); + err =3D err ? 
-errno : 0; + close(ruleset_fd); + return err; +} + +static int prepare_layout(struct landlock_test_env *env) +{ + char template[] =3D "/tmp/landlock_kfuncsXXXXXX"; + int err; + + if (!mkdtemp(template)) + return -errno; + + err =3D snprintf(env->base_dir, sizeof(env->base_dir), "%s", template); + if (err < 0 || err >=3D (int)sizeof(env->base_dir)) + return -ENAMETOOLONG; + + if (unshare(CLONE_NEWNS)) + return -errno; + + if (mount("tmpfs", env->base_dir, "tmpfs", 0, MNT_TMP_DATA)) + return -errno; + + if (mount(NULL, env->base_dir, NULL, MS_PRIVATE | MS_REC, NULL)) + return -errno; + + err =3D snprintf(env->allowed_dir, sizeof(env->allowed_dir), "%s/allowed", + env->base_dir); + if (err < 0 || err >=3D (int)sizeof(env->allowed_dir)) + return -ENAMETOOLONG; + + err =3D snprintf(env->restricted_dir, sizeof(env->restricted_dir), + "%s/restricted", env->base_dir); + if (err < 0 || err >=3D (int)sizeof(env->restricted_dir)) + return -ENAMETOOLONG; + + err =3D snprintf(env->allowed_file, sizeof(env->allowed_file), "%s/file", + env->allowed_dir); + if (err < 0 || err >=3D (int)sizeof(env->allowed_file)) + return -ENAMETOOLONG; + + err =3D snprintf(env->restricted_file, sizeof(env->restricted_file), + "%s/file", env->restricted_dir); + if (err < 0 || err >=3D (int)sizeof(env->restricted_file)) + return -ENAMETOOLONG; + + err =3D snprintf(env->created_file, sizeof(env->created_file), + "%s/created", env->restricted_dir); + if (err < 0 || err >=3D (int)sizeof(env->created_file)) + return -ENAMETOOLONG; + + if (mkdir(env->allowed_dir, 0700)) + return -errno; + if (mkdir(env->restricted_dir, 0700)) + return -errno; + + err =3D write_text_file(env->allowed_file, "allowed\n"); + if (err) + return err; + + err =3D write_text_file(env->restricted_file, "restricted\n"); + if (err) + return err; + + return 0; +} + +static void cleanup_layout(const struct landlock_test_env *env) +{ + umount(env->base_dir); + rmdir(env->base_dir); +} + +static int seed_operation_state(const struct 
landlock_test_env *env, + const struct operation_case *op) +{ + int err; + + err =3D write_text_file(env->allowed_file, "allowed\n"); + if (err) + return err; + + err =3D write_text_file(env->restricted_file, "restricted\n"); + if (err) + return err; + + if (op->kind =3D=3D OPERATION_CREATE && unlink(env->created_file) && + errno !=3D ENOENT) + return -errno; + + return 0; +} + +static int build_command(char *buf, size_t len, + const struct landlock_test_env *env, + const struct operation_case *op) +{ + switch (op->kind) { + case OPERATION_READ: + return snprintf(buf, len, "cat '%s' >/dev/null", + env->restricted_file); + case OPERATION_WRITE: + return snprintf(buf, len, "printf 'written\\n' >> '%s'", + env->restricted_file); + case OPERATION_CREATE: + return snprintf(buf, len, "printf 'created\\n' > '%s'", + env->created_file); + } + + return -EINVAL; +} + +static int run_exec_attempt(struct landlock_kfuncs *skel, + const struct landlock_test_env *env, + const struct operation_case *op, + const struct hook_variant *hook, + const struct restrict_variant *variant, + bool enable_bpf, int ruleset_fd, int *child_status) +{ + char command[PATH_MAX * 2]; + char signal_byte =3D 1; + pid_t child; + pid_t target_pid; + int go_pipe[2]; + int err; + + err =3D build_command(command, sizeof(command), env, op); + if (err < 0 || err >=3D (int)sizeof(command)) + return -ENAMETOOLONG; + + if (pipe(go_pipe)) + return -errno; + + child =3D fork(); + if (child < 0) { + err =3D -errno; + goto out_close_pipe; + } + target_pid =3D child; + + if (child =3D=3D 0) { + close(go_pipe[1]); + + err =3D create_and_apply_previous_domain(env, + variant->previous_domain, + op->handled_access_fs); + if (err) + _exit(-err); + + if (read(go_pipe[0], &signal_byte, sizeof(signal_byte)) !=3D + sizeof(signal_byte)) + _exit(200); + + execl(LANDLOCK_EXEC_PATH, "sh", "-ec", command, NULL); + _exit(errno); + } + + close(go_pipe[0]); + reset_bss(skel); + + if (enable_bpf) { + skel->bss->target_pid =3D 
target_pid; + skel->bss->enable_bprm_creds_for_exec =3D + hook->enable_bprm_creds_for_exec; + skel->bss->enable_bprm_creds_from_file =3D + hook->enable_bprm_creds_from_file; + skel->bss->restrict_flags =3D variant->restrict_flags; + + err =3D update_ruleset_map(skel, ruleset_fd); + if (err) + goto out_kill_child; + } + + if (write(go_pipe[1], &signal_byte, sizeof(signal_byte)) !=3D + sizeof(signal_byte)) { + err =3D -errno; + goto out_kill_child; + } + close(go_pipe[1]); + + if (waitpid(child, child_status, 0) !=3D child) + return -errno; + + return 0; + +out_kill_child: + close(go_pipe[1]); + kill(child, SIGKILL); + waitpid(child, NULL, 0); + return err; + +out_close_pipe: + close(go_pipe[0]); + close(go_pipe[1]); + return err; +} + +static void assert_operation_outcome(const struct landlock_test_env *env, + const struct operation_case *op, + bool expect_success, int child_status) +{ + char contents[256]; + + ASSERT_TRUE(WIFEXITED(child_status), "child_exited"); + if (expect_success) + ASSERT_EQ(WEXITSTATUS(child_status), 0, "child_exit_code"); + else + ASSERT_NEQ(WEXITSTATUS(child_status), 0, "child_exit_code"); + + switch (op->kind) { + case OPERATION_READ: + ASSERT_OK(read_text_file(env->restricted_file, contents, + sizeof(contents)), + "read_restricted_file"); + ASSERT_STREQ(contents, "restricted\n", "restricted_contents"); + break; + case OPERATION_WRITE: + ASSERT_OK(read_text_file(env->restricted_file, contents, + sizeof(contents)), + "read_restricted_file"); + if (expect_success) { + ASSERT_STREQ(contents, "restricted\nwritten\n", + "restricted_contents"); + } else { + ASSERT_STREQ(contents, "restricted\n", + "restricted_contents"); + } + break; + case OPERATION_CREATE: + if (expect_success) { + ASSERT_TRUE(path_exists(env->created_file), + "created_file_exists"); + ASSERT_OK(read_text_file(env->created_file, contents, + sizeof(contents)), + "read_created_file"); + ASSERT_STREQ(contents, "created\n", "created_contents"); + } else { + 
ASSERT_FALSE(path_exists(env->created_file), + "created_file_exists"); + } + break; + } +} + +static void assert_bpf_state(const struct landlock_kfuncs *skel, + const struct hook_variant *hook, bool expect_bpf, + int expected_restrict_ret) +{ + if (!expect_bpf) { + ASSERT_EQ(skel->bss->matched_pid, 0, "matched_pid"); + ASSERT_EQ(skel->bss->bprm_creds_for_exec_hits, 0, + "bprm_creds_for_exec_hits"); + ASSERT_EQ(skel->bss->bprm_creds_from_file_hits, 0, + "bprm_creds_from_file_hits"); + ASSERT_EQ(skel->bss->lookup_calls, 0, "lookup_calls"); + ASSERT_EQ(skel->bss->lookup_failed, 0, "lookup_failed"); + ASSERT_EQ(skel->bss->restrict_calls, 0, "restrict_calls"); + ASSERT_EQ(skel->bss->put_calls, 0, "put_calls"); + return; + } + + ASSERT_EQ(skel->bss->matched_pid, 1, "matched_pid"); + ASSERT_EQ(skel->bss->lookup_calls, 1, "lookup_calls"); + ASSERT_EQ(skel->bss->lookup_failed, 0, "lookup_failed"); + ASSERT_EQ(skel->bss->restrict_calls, 1, "restrict_calls"); + ASSERT_EQ(skel->bss->restrict_ret, expected_restrict_ret, + "restrict_ret"); + ASSERT_EQ(skel->bss->put_calls, 1, "put_calls"); + + if (hook->enable_bprm_creds_for_exec) { + ASSERT_EQ(skel->bss->bprm_creds_for_exec_hits, 1, + "bprm_creds_for_exec_hits"); + ASSERT_EQ(skel->bss->bprm_creds_from_file_hits, 0, + "bprm_creds_from_file_hits"); + } else { + ASSERT_EQ(skel->bss->bprm_creds_for_exec_hits, 0, + "bprm_creds_for_exec_hits"); + ASSERT_EQ(skel->bss->bprm_creds_from_file_hits, 1, + "bprm_creds_from_file_hits"); + } +} + +static void +run_case(struct landlock_kfuncs *skel, const struct landlock_test_env *env, + const struct hook_variant *hook, const struct operation_case *op, + const struct restrict_variant *variant, const char *subtest_name) +{ + int child_status; + int err; + int ruleset_fd; + + if (!test__start_subtest(subtest_name)) + return; + + err =3D seed_operation_state(env, op); + if (!ASSERT_OK(err, "seed_baseline")) + return; + + err =3D run_exec_attempt(skel, env, op, hook, variant, false, -1, + 
&child_status); + if (!ASSERT_OK(err, "baseline_exec")) + return; + assert_operation_outcome(env, op, true, child_status); + assert_bpf_state(skel, hook, false, 0); + + err =3D seed_operation_state(env, op); + if (!ASSERT_OK(err, "seed_enforced")) + return; + + ruleset_fd =3D create_exec_ruleset(env, op); + if (!ASSERT_GE(ruleset_fd, 0, "create_ruleset")) + return; + + err =3D run_exec_attempt(skel, env, op, hook, variant, true, ruleset_fd, + &child_status); + close(ruleset_fd); + if (!ASSERT_OK(err, "enforced_exec")) + return; + + assert_operation_outcome(env, op, !variant->expect_enforced, + child_status); + assert_bpf_state(skel, hook, true, variant->expected_restrict_ret); + ASSERT_OK(delete_ruleset_map_elem(skel), "delete_ruleset_map_elem"); +} + +void test_landlock_kfuncs(void) +{ + struct landlock_test_env env =3D {}; + struct landlock_kfuncs *skel =3D NULL; + int err; + int version; + size_t i; + size_t j; + + version =3D landlock_version(); + if (version < 1) { + test__skip(); + return; + } + + skel =3D landlock_kfuncs__open_and_load(); + if (!ASSERT_OK_PTR(skel, "open_and_load")) + return; + + err =3D landlock_kfuncs__attach(skel); + if (!ASSERT_OK(err, "attach")) + goto out; + + err =3D prepare_layout(&env); + if (!ASSERT_OK(err, "prepare_layout")) + goto out; + + ASSERT_OK(delete_ruleset_map_elem(skel), "delete_ruleset_map_elem"); + reset_bss(skel); + + for (i =3D 0; i < ARRAY_SIZE(hook_variants); i++) { + for (j =3D 0; j < ARRAY_SIZE(operation_cases); j++) { + char name[128]; + + ASSERT_LT(snprintf(name, sizeof(name), + "%s/%s/no_previous_domain", + hook_variants[i].name, + operation_cases[j].name), + (int)sizeof(name), "subtest_name_len"); + run_case(skel, &env, &hook_variants[i], + &operation_cases[j], &domain_variants[0], + name); + } + + for (j =3D 0; j < ARRAY_SIZE(domain_variants); j++) { + char name[128]; + + ASSERT_LT(snprintf(name, sizeof(name), + "%s/write_file/%s", + hook_variants[i].name, + domain_variants[j].name), + (int)sizeof(name), 
"subtest_name_len"); + run_case(skel, &env, &hook_variants[i], + &operation_cases[1], &domain_variants[j], + name); + } + + for (j =3D 0; j < ARRAY_SIZE(flag_variants); j++) { + char name[128]; + + ASSERT_LT(snprintf(name, sizeof(name), + "%s/write_file/%s", + hook_variants[i].name, + flag_variants[j].name), + (int)sizeof(name), "subtest_name_len"); + run_case(skel, &env, &hook_variants[i], + &operation_cases[1], &flag_variants[j], name); + } + } + +out: + if (env.base_dir[0]) + cleanup_layout(&env); + landlock_kfuncs__destroy(skel); +} --=20 2.53.0 From nobody Mon Jun 15 03:52:56 2026 Received: from mail-yx1-f54.google.com (mail-yx1-f54.google.com [74.125.224.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6098E382392 for ; Tue, 7 Apr 2026 20:02:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.224.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775592168; cv=none; b=Tf02C9mPUMCNseQYwmAHPFpc6CtJQ26ZjHxDUP2+4xW3TdBE2f+nL9FU08/StaYkY3C6D/mQjUWK7aufTFwFTOQvy3/iHwd6ptFfBOZpEdfS+0sM7yvj9xbP1DaPi/e+vN3elOyUDQRzQPtQsyXrKNSg0QEzlhUAn3bk8UaZQ/8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775592168; c=relaxed/simple; bh=YF5J4wceyOoLcHwxWVLkNkzbdQNVU+WfWpCxranP3Ws=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iR00E54SU8vkaP2wgCFJtqVbaXz9yYdTBWBY7jXgbq3FJ6/I5ewqaj732U7nAhrRor7EbSY0F+PfRg24m1BMOfSbACeBgpr/tlyCx9JHuprgDDGfAcTr21Gx6mVAlJZhE9V05VrTEyGz6FlQM+BgsvzlNv1tmCJ4belmL/60rcM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=jHT2h50Q; arc=none smtp.client-ip=74.125.224.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) 
S2p/cKBn9uvS2TMKu/oQUT1WKTPO7rxIvZQqOLC8hvZ/kqVHCJ4uZ80N X-Gm-Gg: AeBDieuUx+ZYpmlpn3klgGW5fw37P6ccsx96426r6izBLeus5fJmPRyircwQa2ORXVe GMfVtlgQ4qCBTaEY+dYUftkEtjJxkRUiigHsnvtnPmQWqlbSO4IPFK41ZdwfkGj01OeGKeOCUwi mDdN0zcAsNoH0FEsNdQBg113zZEyuyWbewXHiQpZ0AuGdNGhh8WfSdtZs3sMCAyNItk7TVuTgGH ABAB7ewu9OFGUHq1GbvM/AojaOBXVk2SjA9G0qA6DWNWAvAWwgJfFOxh7PWpnRU+BoXrgTipk4p xlNvvpvn4S5/Ja7AfauXysfehkeRqvujlnUOW76/nbzvsqnEN778HKpFSaPhAtkjCldATyquDA3 LgpTOQA7Cpl96y2GWN9zqlcrN2rsCdvJtRlFoz1p1pWpIGMp3IoOpTOtDRBSwp2bl1bJBl4BJFz hJQWwblqg0U7UYxWLrENiQKjAzE/prJN4Jx7C76aQ2UTo0oULlWfX31Q97M6b6TE6hmAhSczerl 51rQu56kx0= X-Received: by 2002:a05:690e:130c:b0:643:1a5f:aaec with SMTP id 956f58d0204a3-65048814920mr17609725d50.47.1775592166553; Tue, 07 Apr 2026 13:02:46 -0700 (PDT) Received: from zenbox.prizrak.me ([2600:1700:18fb:6011:92f8:8594:e84e:1d9a]) by smtp.gmail.com with ESMTPSA id 956f58d0204a3-6503a828f3csm8354078d50.3.2026.04.07.13.02.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Apr 2026 13:02:46 -0700 (PDT) 
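Review bot: build_command() in the test runner only ever targets env->restricted_file or env->created_file, so every enforced run proves a denial and none proves that the rule added for env->allowed_dir is honoured; allowed_file is seeded but never accessed. A ruleset that reached the exec with no usable rule would pass all of these subtests. Add an operation against allowed_file (and a create under allowed_dir for make_reg) that must still succeed while the BPF-applied ruleset is in force. Related, in run_exec_attempt(): the child reports setup failures with `_exit(-err)`, `_exit(200)` and `_exit(errno)`, and assert_operation_outcome() cannot tell those apart from the shell's non-zero status on a Landlock denial because the failure branch only checks ASSERT_NEQ(WEXITSTATUS(child_status), 0, "child_exit_code"). Reserve distinct exit codes for setup failures and assert that they did not occur, so a broken setup cannot read as enforcement.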
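Review bot: prepare_layout() calls unshare(CLONE_NEWNS) directly in the test process, and cleanup_layout() only does umount() and rmdir(), so the process stays in the new mount namespace for whatever runs after test_landlock_kfuncs(). The tmpfs is also mounted on base_dir before `mount(NULL, env->base_dir, NULL, MS_PRIVATE | MS_REC, NULL)`; if the parent mount is shared, the new mount can propagate to the original namespace before it is made private. Doing the layout setup and the cases in a forked child, and making the tree private before mounting the tmpfs, avoids both. cleanup_layout() also ignores the results of umount() and rmdir(); checking them would surface a leaked mount or directory under /tmp.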
From: Justin Suess To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess Subject: [RFC PATCH 16/20] landlock: Bump ABI version Date: Tue, 7 Apr 2026 16:01:38 -0400 Message-ID: <20260407200157.3874806-17-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com> References: <20260407200157.3874806-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Bump the ABI version in the kernel for the new RESTRICT_SELF_NO_NEW_PRIVS flag. Signed-off-by: Justin Suess --- samples/landlock/sandboxer.c | 7 ++++++- security/landlock/syscalls.c | 2 +- tools/testing/selftests/landlock/base_test.c | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 66e56ae275c6..53bd77e55855 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c @@ -301,7 +301,7 @@ static bool check_ruleset_scope(const char *const env_v= ar, =20 /* clang-format on */ =20 -#define LANDLOCK_ABI_LAST 9 +#define LANDLOCK_ABI_LAST 10 =20 #define XSTR(s) #s #define STR(s) XSTR(s) 
@@ -444,6 +444,11 @@ int main(const int argc, char *const argv[], char *con= st *const envp) /* Removes LANDLOCK_ACCESS_FS_RESOLVE_UNIX for ABI < 9 */ ruleset_attr.handled_access_fs &=3D ~LANDLOCK_ACCESS_FS_RESOLVE_UNIX; + __attribute__((fallthrough)); + case 9: + /* Removes LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS for ABI < 10 */ + supported_restrict_flags &=3D + ~LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS; /* Must be printed for any ABI < LANDLOCK_ABI_LAST. */ fprintf(stderr, "Hint: You should update the running kernel " diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c index 6723806723d5..790ac046542f 100644 --- a/security/landlock/syscalls.c +++ b/security/landlock/syscalls.c @@ -130,7 +130,7 @@ static void build_check_abi(void) * If the change involves a fix that requires userspace awareness, also up= date * the errata documentation in Documentation/userspace-api/landlock.rst . */ -const int landlock_abi_version =3D 9; +const int landlock_abi_version =3D 10; =20 /** * sys_landlock_create_ruleset - Create a new ruleset diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/s= elftests/landlock/base_test.c index a4c38541de70..51c72064c190 100644 --- a/tools/testing/selftests/landlock/base_test.c +++ b/tools/testing/selftests/landlock/base_test.c 
@@ -76,7 +76,7 @@ TEST(abi_version) const struct landlock_ruleset_attr ruleset_attr =3D { .handled_access_fs =3D LANDLOCK_ACCESS_FS_READ_FILE, }; - ASSERT_EQ(9, landlock_create_ruleset(NULL, 0, + ASSERT_EQ(10, landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION)); =20 ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, --=20 2.53.0 From nobody Mon Jun 15 03:52:56 2026 Received: from mail-yx1-f53.google.com (mail-yx1-f53.google.com [74.125.224.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9CC9738654D for ; Tue, 7 Apr 2026 20:02:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.224.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775592172; cv=none; b=Vlw6+xYQBAo/5pxBdIkRkQ1RvhlO31+Zv44dn9tQ6VIVARmtrmVCyGJ5Ifba1T4zf23dtg1FJUz7A4dpCKM19Le512HFE68vFp/1xVX1F5gwg6fHX4nCPjLaJsBpF3MWfUMI3J3EOvtxTaMLfSo5ZwrTa6oCRjXJtRFslSeT5/o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775592172; c=relaxed/simple; bh=XHuhaYzURLOJm9gSsZkdpKJOAK5ycNWjARx3XgxPE/8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=MHLhth4k120PsuCClccSjA1j3FxsuvyWIrz+wYVq9xQcxyyx7+IiWtorLebnpq15+pfG/4olSSBG+6gQx1QfXTH9Bz7gOEJa7MpUgpX3CG1Bn9BVTBiUeCfEJFzuKtueZMLyKw6X9KC987D9a76mpYSUduxrbvgEzEkgRAIMxuw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=rmaOt22z; arc=none smtp.client-ip=74.125.224.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com 
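Review bot: no documentation change accompanies the bump of landlock_abi_version to 10 in security/landlock/syscalls.c. The diffstat lists only samples/landlock/sandboxer.c, security/landlock/syscalls.c and tools/testing/selftests/landlock/base_test.c, yet userspace has to learn somewhere that ABI 10 is the version from which LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS is accepted. Add the ABI entry to the userspace API documentation in this patch, or name in the commit message the patch of the series that does. In sandboxer.c, the new `case 9:` only masks the flag out of supported_restrict_flags, and the hunk does not show what the sample does in its place on ABI < 10; a short comment there on the fallback would make the best-effort path reviewable. Also check the ordering in the series: this bump is 16/20, so if an earlier patch already makes the kernel accept the flag, the commits in between advertise ABI 9 with the flag present, which breaks version probing when bisecting.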
From: Justin Suess To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess Subject: [RFC PATCH 17/20] tools: bpftool: Add documentation for landlock_ruleset Date: Tue, 7 Apr 2026 16:01:39 -0400 Message-ID: <20260407200157.3874806-18-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com> References: <20260407200157.3874806-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add BPF_MAP_TYPE_LANDLOCK_RULESET to bpftool listing.
Signed-off-by: Justin Suess --- tools/bpf/bpftool/Documentation/bpftool-map.rst | 2 +- tools/bpf/bpftool/map.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/bpf/bpftool/Documentation/bpftool-map.rst b/tools/bpf/bp= ftool/Documentation/bpftool-map.rst index 1af3305ea2b2..48bf6ee36fa4 100644 --- a/tools/bpf/bpftool/Documentation/bpftool-map.rst +++ b/tools/bpf/bpftool/Documentation/bpftool-map.rst @@ -56,7 +56,7 @@ MAP COMMANDS | | **cgroup_storage** | **reuseport_sockarray** | **percpu_cgroup_sto= rage** | | **queue** | **stack** | **sk_storage** | **struct_ops** | **ringbu= f** | **inode_storage** | | **task_storage** | **bloom_filter** | **user_ringbuf** | **cgrp_st= orage** | **arena** -| | **insn_array** } +| | **landlock_ruleset** | **insn_array** } =20 DESCRIPTION =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c index 7ebf7dbcfba4..0fe391a3ce73 100644 --- a/tools/bpf/bpftool/map.c +++ b/tools/bpf/bpftool/map.c 
@@ -1478,7 +1478,7 @@ static int do_help(int argc, char **argv) " cgroup_storage | reuseport_sockarray | percpu_cgroup_s= torage |\n" " queue | stack | sk_storage | struct_ops | ringbuf | in= ode_storage |\n" " task_storage | bloom_filter | user_ringbuf | cgrp_stor= age | arena |\n" - " insn_array }\n" + " insn_array | landlock_ruleset }\n" " " HELP_SPEC_OPTIONS " |\n" " {-f|--bpffs} | {-n|--nomount} }\n" "", --=20 2.53.0
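Review bot: the two hunks list the new type in different positions: the bpftool-map.rst hunk puts **landlock_ruleset** before **insn_array**, while the do_help() hunk in map.c prints "insn_array | landlock_ruleset". Please use the same order in the man page and in the help string so the two stay easy to compare. The subject line says "Add documentation" although the patch also changes the help text in map.c; a subject that covers both would describe the change better.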
From: Justin Suess To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess Subject: [RFC PATCH 18/20] landlock: Document LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS Date: Tue, 7 Apr 2026 16:01:40 -0400 Message-ID: <20260407200157.3874806-19-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com> References: <20260407200157.3874806-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Document the new LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS flag, and explain how it's designed primarily for BPF-side use cases for Landlock. Signed-off-by: Justin Suess --- Documentation/userspace-api/landlock.rst | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/users= pace-api/landlock.rst index fd8b78c31f2f..82c88d75ef21 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -204,7 +204,8 @@ similar backwards compatibility check is needed for the= restrict flags =20 __u32 restrict_flags =3D LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON | - LANDLOCK_RESTRICT_SELF_TSYNC; + LANDLOCK_RESTRICT_SELF_TSYNC | + LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS; switch (abi) { case 1 ... 6: /* Removes logging flags for ABI < 7 */
@@ -223,10 +224,18 @@ similar backwards compatibility check is needed for t= he restrict flags * children (and not for all threads, including parents and siblin= gs). */ restrict_flags &=3D ~LANDLOCK_RESTRICT_SELF_TSYNC; + __attribute__((fallthrough)); + case 8: + case 9: + /* Removes no_new_privs convenience flag for ABI < 10 */ + restrict_flags &=3D ~LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS; } =20 The next step is to restrict the current thread from gaining more privileg= es -(e.g. through a SUID binary). We now have a ruleset with the first rule +(e.g. through a SUID binary). When supported, this can be folded into +``landlock_restrict_self()`` with ``LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS``; +otherwise, user space must still call :manpage:`prctl(2)` explicitly. We = now +have a ruleset with the first rule allowing read and execute access to ``/usr`` while denying all other handl= ed accesses for the filesystem, and a second rule allowing HTTPS connections. =20 
@@ -716,6 +725,15 @@ Starting with the Landlock ABI version 9, it is possib= le to restrict connections to pathname UNIX domain sockets (:manpage:`unix(7)`) using the new ``LANDLOCK_ACCESS_FS_RESOLVE_UNIX`` right. =20 +No New Privs flag (ABI < 10) +---------------------------------------- + +Starting with the Landlock ABI version 10, it is possible to request +``no_new_privs`` as part of ``landlock_restrict_self()`` by passing the +``LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS`` flag. This lets user space request +the prerequisite from the Landlock API itself, which is especially useful = when +the restriction is applied from an external context such as BPF. + .. _kernel_support: =20 Kernel support --=20 2.53.0
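Review bot: in the @@ -223,10 +224,18 @@ hunk the example clears LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS for ABI < 10, but the added paragraph only states that user space "must still call prctl(2) explicitly" without showing how the two cases are told apart. A reader who copies the switch and then drops the prctl() call loses no_new_privs on older kernels. Please show the test in the example, along the lines of `if (!(restrict_flags & LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS))` followed by the existing prctl(PR_SET_NO_NEW_PRIVS, ...) call. The paragraph is also left with a short line ("have a ruleset with the first rule") and should be rewrapped.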
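Review bot: in the @@ -716,6 +725,15 @@ hunk the underline of the new "No New Privs flag (ABI < 10)" heading is longer than the title; please trim it to the title length as kernel documentation normally does. The title could also use the literal ``no_new_privs`` name that the paragraph below uses, so that a search for the flag finds the section.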
From: Justin Suess To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess Subject: [RFC PATCH 19/20] bpf: Document BPF_MAP_TYPE_LANDLOCK_RULESET Date: Tue, 7 Apr 2026 16:01:41 -0400 Message-ID: <20260407200157.3874806-20-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com> References: <20260407200157.3874806-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Document the BPF_MAP_TYPE_LANDLOCK_RULESET map type and explain the kfuncs it is associated with. Signed-off-by: Justin Suess --- Documentation/bpf/map_landlock_ruleset.rst | 181 +++++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 Documentation/bpf/map_landlock_ruleset.rst diff --git a/Documentation/bpf/map_landlock_ruleset.rst b/Documentation/bpf= /map_landlock_ruleset.rst new file mode 100644 index 000000000000..90f3141a829b --- /dev/null +++ b/Documentation/bpf/map_landlock_ruleset.rst 
@@ -0,0 +1,181 @@ +.. SPDX-License-Identifier: GPL-2.0-only + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D +BPF_MAP_TYPE_LANDLOCK_RULESET +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D + +``BPF_MAP_TYPE_LANDLOCK_RULESET`` is a specialized, array-backed map for +holding references to Landlock rulesets that were created from userspace. +It is meant to bridge BPF LSM policy selection with Landlock policy +enforcement: userspace creates a normal Landlock ruleset, inserts its file +descriptor into the map, and a BPF LSM program later looks up that ruleset= and +applies it with a Landlock kfunc during ``execve()`` preparation. + +BPF programs cannot create, inspect, or modify Landlock policy through this +map. The looked-up object is exposed only as an opaque +``struct bpf_landlock_ruleset`` reference. + +The map uses ``__u32`` keys as array indexes and stores one ruleset refere= nce +per slot. Like other array maps, its size is fixed at creation time and i= ts +elements are preallocated. + +Usage +=3D=3D=3D=3D=3D + +Kernel BPF +---------- + +.. note:: + This map type is only supported for BPF LSM programs. In practice, it = is + useful for sleepable BPF LSM programs attached to + ``bprm_creds_for_exec`` or ``bprm_creds_from_file``, because those are = the + hooks where the associated Landlock kfuncs are available. + +bpf_map_lookup_elem() +~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: c + + void *bpf_map_lookup_elem(struct bpf_map *map, const void *key) + +Lookup returns a trusted pointer to an opaque ``struct bpf_landlock_rulese= t``. +The verifier treats the result as a referenced BTF object, not as a pointe= r to +the raw ``__u32`` map value declared in the map definition. + +Each successful lookup acquires a ruleset reference. The BPF program must +release that reference with ``bpf_landlock_put_ruleset()`` on all paths af= ter +the lookup succeeds. 
+ +The returned pointer is intended to be passed to +``bpf_landlock_restrict_binprm()``. It is opaque and cannot be dereferenc= ed +or inspected from BPF. + +bpf_map_delete_elem() +~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: c + + long bpf_map_delete_elem(struct bpf_map *map, const void *key) + +Delete removes the ruleset reference stored in the selected slot and drops= the +map's own reference to that ruleset. + +Landlock kfuncs +--------------- + +The map contains objects designed to work with the following Landlock kfun= cs: + +.. code-block:: c + + void bpf_landlock_put_ruleset(const struct bpf_landlock_ruleset *rulese= t) + +.. code-block:: c + + int bpf_landlock_restrict_binprm(struct linux_binprm *bprm, + const struct bpf_landlock_ruleset *rul= eset, + __u32 flags) + +``bpf_landlock_restrict_binprm()`` applies the looked-up ruleset to the new +program credentials that are being prepared for ``execve()``. The ``flags= `` +argument uses the same Landlock restriction flags as +``landlock_restrict_self()``, including ``LANDLOCK_RESTRICT_SELF_NO_NEW_PR= IVS``. +When this flag is used from BPF, ``no_new_privs`` is staged through the ex= ec +context and committed only after exec reaches point-of-no-return. This av= oids +side effects on failed executions or ``AT_EXECVE_CHECK`` while ensuring th= at +the resulting task cannot gain more privileges through later exec transiti= ons. + +Userspace +--------- + +bpf_map_update_elem() +~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: c + + int bpf_map_update_elem(int fd, const void *key, const void *value, __u= 64 flags) + +Userspace populates the map by writing a Landlock ruleset file descriptor = into +the selected slot. The map uses FD-array update semantics: + +- ``key`` points to a ``__u32`` array index. +- ``value`` points to a ``__u32`` containing the ruleset file descriptor. +- ``flags`` must be ``BPF_ANY``. + +The supplied file descriptor must refer to a valid Landlock ruleset. 
+ +Userspace lookup of map contents is not supported for this map type. + +Example +=3D=3D=3D=3D=3D=3D=3D + +Kernel BPF +---------- + +The following snippet shows a sleepable BPF LSM program that looks up a +ruleset, applies it during exec credential preparation, and releases the +lookup reference. + +.. code-block:: c + + struct { + __uint(type, BPF_MAP_TYPE_LANDLOCK_RULESET); + __uint(max_entries, 1); + __type(key, __u32); + __type(value, __u32); + } ruleset_map SEC(".maps"); + + SEC("lsm.s/bprm_creds_for_exec") + int BPF_PROG(apply_ruleset, struct linux_binprm *bprm) + { + const struct bpf_landlock_ruleset *ruleset; + __u32 key =3D 0; + + ruleset =3D bpf_map_lookup_elem(&ruleset_map, &key); + if (!ruleset) + return 0; + + bpf_landlock_restrict_binprm( + bprm, ruleset, LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS); + bpf_landlock_put_ruleset(ruleset); + return 0; + } + +Userspace +--------- + +The following snippet shows how to insert a previously created Landlock +ruleset into the map. + +.. code-block:: c + + int populate_ruleset_map(int map_fd, int ruleset_fd) + { + __u32 key =3D 0; + __u32 value =3D ruleset_fd; + + return bpf_map_update_elem(map_fd, &key, &value, BPF_ANY); + } + +Semantics +=3D=3D=3D=3D=3D=3D=3D=3D=3D + +- Map creation requires ``CONFIG_SECURITY_LANDLOCK``. Otherwise, + ``BPF_MAP_CREATE`` for this type fails with ``-EOPNOTSUPP``. +- Map definitions use ``sizeof(__u32)`` for both keys and values because + userspace writes ruleset file descriptors into the map. +- From BPF, only ``bpf_map_lookup_elem()`` and ``bpf_map_delete_elem()`` a= re + supported for this map type. +- From userspace, insertion is done with ``bpf_map_update_elem()`` using a + Landlock ruleset FD. +- The looked-up value is an opaque, trusted BTF object reference, so BPF m= ust + treat it as a handle and release it with ``bpf_landlock_put_ruleset()``. +- ``LANDLOCK_RESTRICT_SELF_NO_NEW_PRIVS`` on the BPF path pins the resulti= ng + task with ``no_new_privs`` after exec is committed. 
When used from + ``bprm_creds_from_file``, this does not retroactively suppress privileg= e gain + for the current exec transition itself. +- If Landlock support is disabled in the running kernel, programs using the + associated Landlock kfuncs may still load, but the kfunc call returns + ``-EOPNOTSUPP`` at runtime. + +See ``tools/testing/selftests/bpf/progs/landlock_kfuncs.c`` for a complete +example. --=20 2.53.0
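Review bot: the "Kernel BPF" example in the new map_landlock_ruleset.rst discards the return value of bpf_landlock_restrict_binprm() and always returns 0, so any failure, including the runtime ``-EOPNOTSUPP`` that the Semantics list describes, lets the exec continue without the ruleset. Documentation examples get copied, so it should fail closed: store the result (`ret = bpf_landlock_restrict_binprm(bprm, ruleset, ...);`), call bpf_landlock_put_ruleset(ruleset), then `return ret;`. The `if (!ruleset) return 0;` path has the same effect for an empty slot, and the text should say whether allowing the exec in that case is intended. The document also does not state what bpf_landlock_restrict_binprm() returns on success and on error.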
From: Justin Suess To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, kpsingh@kernel.org, paul@paul-moore.com, mic@digikod.net, viro@zeniv.linux.org.uk, brauner@kernel.org, kees@kernel.org Cc: gnoack@google.com, jack@suse.cz, jmorris@namei.org, serge@hallyn.com, song@kernel.org, yonghong.song@linux.dev, martin.lau@linux.dev, m@maowtm.org, eddyz87@gmail.com, john.fastabend@gmail.com, sdf@fomichev.me, skhan@linuxfoundation.org, bpf@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Justin Suess Subject: [RFC PATCH 20/20] MAINTAINERS: update entry for the Landlock subsystem Date: Tue, 7 Apr 2026 16:01:42 -0400 Message-ID: <20260407200157.3874806-21-utilityemal77@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260407200157.3874806-1-utilityemal77@gmail.com> References: <20260407200157.3874806-1-utilityemal77@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Update the maintainers file to reflect the new selftest files, cross-subsystem, documentation, and kernel-internal Landlock headers. Signed-off-by: Justin Suess --- MAINTAINERS | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index c3fe46d7c4bc..e9ad2ed1237a 100644 --- a/MAINTAINERS +++ b/MAINTAINERS 
@@ -14386,12 +14386,16 @@ S: Supported W: https://landlock.io T: git https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git F: Documentation/admin-guide/LSM/landlock.rst +F: Documentation/bpf/map_landlock_ruleset.rst F: Documentation/security/landlock.rst F: Documentation/userspace-api/landlock.rst F: fs/ioctl.c +F: include/linux/landlock.h F: include/uapi/linux/landlock.h F: samples/landlock/ F: security/landlock/ +F: tools/testing/selftests/bpf/prog_tests/landlock_kfuncs.c +F: tools/testing/selftests/bpf/progs/landlock_kfuncs.c F: tools/testing/selftests/landlock/ K: landlock K: LANDLOCK --=20 2.53.0