From: Daniel Tang
To: linux-security-module@vger.kernel.org
Cc: Günther Noack, Paul Moore, Mickaël Salaün, linux-kernel@vger.kernel.org
Subject: [PATCH] landlock: Document fexecve sadly reopening files
Date: Thu, 13 Nov 2025 22:23:32 -0500
Message-ID: <2240250.GUtdWV9SEq@daniel-desktop3>

Relying on "Files or directories opened before the sandboxing are not subject to these restrictions," I tried to modify `setpriv` to allow `--landlock-access fs:execute busybox --help`. Sadly, support for this use case is absent in fs/exec.c.

Signed-off-by: Daniel Tang
---
 include/uapi/linux/landlock.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index f030adc462ee..a69e9fef703c 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -206,7 +206,7 @@ struct landlock_net_port_attr { * * The following access rights apply only to files: * - * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. + * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. Note fexecve(2) reopens = it. * - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When * opening files for writing, you will often additionally need the * %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls --=20 2.51.0
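Review bot: The sentence added to the %LANDLOCK_ACCESS_FS_EXECUTE entry names a mechanism ("reopens it") but not the consequence a reader of this header needs. According to the commit message, a file opened before sandboxing is still subject to this right when it is executed through its descriptor, which is an exception to the quoted "Files or directories opened before the sandboxing are not subject to these restrictions." Consider stating that directly, for example "This right is also checked when an already-open file descriptor is executed with fexecve(2)." Since this is a UAPI header, it would also help to name the underlying execveat(2) system call next to the libc wrapper, and to add the same caveat wherever the "opened before the sandboxing" sentence appears so the two statements do not contradict each other.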