Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.10.8 2024-05-13T04:58:33+00:00 2024-05-13T04:58:33+00:00 Günther Noack gnoack@google.com 2024-04-19T16:11:19+00:00 urn:sha1:cd13738d44c9863ce54243fdcc2d228233f23355 Add IOCTL support to the Landlock sample tool. The IOCTL right is grouped with the read-write rights in the sample tool, as some IOCTL requests provide features that mutate state. Signed-off-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20240419161122.2023765-9-gnoack@google.com Signed-off-by: Mickaël Salaün <mic@digikod.net> 2024-05-13T04:58:26+00:00 Ivanov Mikhail ivanov.mikhail1@huawei-partners.com 2024-03-26T09:56:25+00:00 urn:sha1:42212936d9d811c7cf6efc4804747a6c417aafd4 Pointer env_port_name changes after strsep(). Memory allocated via strdup() will not be freed if landlock_add_rule() returns non-zero value. Fixes: 5e990dcef12e ("samples/landlock: Support TCP restrictions") Signed-off-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com> Reviewed-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Link: https://lore.kernel.org/r/20240326095625.3576164-1-ivanov.mikhail1@huawei-partners.com Signed-off-by: Mickaël Salaün <mic@digikod.net> 2024-03-08T17:22:18+00:00 Mickaël Salaün mic@digikod.net 2024-03-07T14:38:49+00:00 urn:sha1:a17c60e533f5cd832e77e0d194e2e0bb663371b6 Instead of creating a hard error and aborting the sandbox creation, accept file path not usable in the LL_FS_RO and LL_FS_RW environment variables but only print a warning. This makes it easier to test, for instance with LL_FS_RO="${PATH}:/usr/lib:/lib" Print that we are going to execute the command in the sandbox before doing so. Rename "launch" to "execute", and improve header description. Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20240307143849.1517218-1-mic@digikod.net [mic: Improve header description as suggested by Günther] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2023-10-26T19:07:17+00:00 Konstantin Meskhidze konstantin.meskhidze@huawei.com 2023-10-26T01:47:50+00:00 urn:sha1:5e990dcef12eebf683d209bac5e14591308dc216 Add TCP restrictions to the sandboxer demo. It's possible to allow a sandboxer to bind/connect to a list of specified ports restricting network actions to the rest of them. This is controlled with the new LL_TCP_BIND and LL_TCP_CONNECT environment variables. Rename ENV_PATH_TOKEN to ENV_DELIMITER. Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Link: https://lore.kernel.org/r/20231026014751.414649-12-konstantin.meskhidze@huawei.com [mic: Extend commit message] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2022-11-07T19:49:50+00:00 Günther Noack gnoack3000@gmail.com 2022-11-07T18:16:51+00:00 urn:sha1:f6e53fb2d7bd70547ba53232415976cb70ad6d97 Add a comment to clarify how to handle best-effort backwards compatibility for LANDLOCK_ACCESS_FS_REFER. The "refer" access is special because these operations are always forbidden in ABI 1, unlike most other operations, which are permitted when using Landlock ABI levels where they are not supported yet. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221107181651.4555-1-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net> 2022-10-19T07:01:47+00:00 Günther Noack gnoack3000@gmail.com 2022-10-18T18:22:15+00:00 urn:sha1:faeb9197669c23d983f6485d278b20f0194432f4 Update the sandboxer sample to restrict truncate actions. This is automatically enabled by default if the running kernel supports LANDLOCK_ACCESS_FS_TRUNCATE, except for the paths listed in the LL_FS_RW environment variable. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20221018182216.301684-11-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net> 2022-09-29T16:43:01+00:00 Mickaël Salaün mic@digikod.net 2022-09-23T15:42:05+00:00 urn:sha1:903cfe8a7aa8894ae60ef47a9c011e551d7bafef Extend the help with the latest Landlock ABI version supported by the sandboxer. Inform users about the sandboxer or the kernel not being up-to-date. Make the version check code easier to update and harder to misuse. Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20220923154207.3311629-2-mic@digikod.net 2022-05-23T11:28:00+00:00 Mickaël Salaün mic@digikod.net 2022-05-06T16:10:59+00:00 urn:sha1:76b902f874ff4de9c1078489d4c7678a64105ea6 Add LANDLOCK_ACCESS_FS_REFER to the "roughly write" access rights and leverage the Landlock ABI version to only try to enforce it if it is supported by the running kernel. Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20220506161102.525323-10-mic@digikod.net 2022-05-23T11:27:46+00:00 Mickaël Salaün mic@digikod.net 2022-05-06T16:05:13+00:00 urn:sha1:81709f3dccacf4104a4bc2daa80bdd767a9c4c54 Let's follow a consistent and documented coding style. Everything may not be to our liking but it is better than tacit knowledge. Moreover, this will help maintain style consistency between different developers. This contains only whitespace changes. Automatically formatted with: clang-format-14 -i samples/landlock/*.[ch] Link: https://lore.kernel.org/r/20220506160513.523257-8-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net> 2022-05-23T11:27:46+00:00 Mickaël Salaün mic@digikod.net 2022-05-06T16:05:12+00:00 urn:sha1:9805a722db071e1772b80e6e0ff33f35355639ac In preparation to a following commit, add clang-format on and clang-format off stanzas around constant definitions. This enables to keep aligned values, which is much more readable than packed definitions. Link: https://lore.kernel.org/r/20220506160513.523257-7-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by: Mickaël Salaün <mic@digikod.net>