<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/samples/landlock, branch v6.12.80</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2025-02-08T08:57:11+00:00</updated>
<entry>
<title>samples/landlock: Fix possible NULL dereference in parse_path()</title>
<updated>2025-02-08T08:57:11+00:00</updated>
<author>
<name>Zichen Xie</name>
<email>zichenxie0106@gmail.com</email>
</author>
<published>2024-11-28T03:29:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5816a934cf1bf2d294d618806df4a6b23b5cec43'/>
<id>urn:sha1:5816a934cf1bf2d294d618806df4a6b23b5cec43</id>
<content type='text'>
[ Upstream commit 078bf9438a31567e2c0587159ccefde835fb1ced ]

malloc() may return NULL, leading to NULL dereference.  Add a NULL
check.

Fixes: ba84b0bf5a16 ("samples/landlock: Add a sandbox manager example")
Signed-off-by: Zichen Xie &lt;zichenxie0106@gmail.com&gt;
Link: https://lore.kernel.org/r/20241128032955.11711-1-zichenxie0106@gmail.com
[mic: Simplify fix]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Clarify option parsing behaviour</title>
<updated>2024-10-22T18:43:43+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2024-10-19T15:15:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=53b9d789df983790015ef04b0283ac5a33917cad'/>
<id>urn:sha1:53b9d789df983790015ef04b0283ac5a33917cad</id>
<content type='text'>
Clarify the distinction between filesystem variables (mandatory)
and all others (optional).

For optional variables, explain the difference between unset variables
(no access check performed) and empty variables (nothing allowed for
lists of allowed paths/ports, or no effect for lists of scopes).

List the known LL_SCOPED values and their effect.

Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://lore.kernel.org/r/20241019151534.1400605-4-matthieu@buffet.re
[mic: Add a missing colon]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Refactor help message</title>
<updated>2024-10-22T18:43:43+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2024-10-19T15:15:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f51e55a0892bd2030c847d4583c12498bb93f812'/>
<id>urn:sha1:f51e55a0892bd2030c847d4583c12498bb93f812</id>
<content type='text'>
Help message is getting larger with each new supported feature (scopes,
and soon UDP). Also the large number of calls to fprintf with
environment variables make it hard to read. Refactor it away into a
single simpler constant format string.

Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://lore.kernel.org/r/20241019151534.1400605-3-matthieu@buffet.re
[mic: Move the small cleanups in the next commit]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Fix port parsing in sandboxer</title>
<updated>2024-10-22T18:43:41+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2024-10-19T15:15:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=387285530d1d4bdba8c5dff5aeabd8d71638173f'/>
<id>urn:sha1:387285530d1d4bdba8c5dff5aeabd8d71638173f</id>
<content type='text'>
If you want to specify that no port can be bind()ed, you would think
(looking quickly at both help message and code) that setting
LL_TCP_BIND="" would do it.

However the code splits on ":" then applies atoi(), which does not allow
checking for errors. Passing an empty string returns 0, which is
interpreted as "allow bind(0)", which means bind to any ephemeral port.
This bug occurs whenever passing an empty string or when leaving a
trailing/leading colon, making it impossible to completely deny bind().

To reproduce:
export LL_FS_RO="/" LL_FS_RW="" LL_TCP_BIND=""
./sandboxer strace -e bind nc -n -vvv -l -p 0
Executing the sandboxed command...
bind(3, {sa_family=AF_INET, sin_port=htons(0),
     sin_addr=inet_addr("0.0.0.0")}, 16) = 0
Listening on 0.0.0.0 37629

Use strtoull(3) instead, which allows error checking. Check that the
entire string has been parsed correctly without overflows/underflows,
but not that the __u64 (the type of struct landlock_net_port_attr.port)
is a valid __u16 port: that is already done by the kernel.

Fixes: 5e990dcef12e ("samples/landlock: Support TCP restrictions")
Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://lore.kernel.org/r/20241019151534.1400605-2-matthieu@buffet.re
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Add support for signal scoping</title>
<updated>2024-09-16T21:50:54+00:00</updated>
<author>
<name>Tahera Fahimi</name>
<email>fahimitahera@gmail.com</email>
</author>
<published>2024-09-06T21:30:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f490e205bcbada6eb6dca8b75a2511685e6bd0f0'/>
<id>urn:sha1:f490e205bcbada6eb6dca8b75a2511685e6bd0f0</id>
<content type='text'>
The sandboxer can receive the character "s" as input from the
environment variable LL_SCOPED to restrict sandboxed processes from
sending signals to processes outside of the sandbox.

Example
=======

Create a sandboxed shell and pass the character "s" to LL_SCOPED:
  LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="s" ./sandboxer /bin/bash

Try to send a SIGTRAP to a process with process ID &lt;PID&gt; through:
  kill -SIGTRAP &lt;PID&gt;

The sandboxed process should not be able to send the signal.

Signed-off-by: Tahera Fahimi &lt;fahimitahera@gmail.com&gt;
Link: https://lore.kernel.org/r/1f3f1992b2abeb8e5d7aa61b854e1b0721978b9a.1725657728.git.fahimitahera@gmail.com
[mic: Improve commit message, simplify code, rebase on previous sample
change]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Add support for abstract UNIX socket scoping</title>
<updated>2024-09-16T21:50:51+00:00</updated>
<author>
<name>Tahera Fahimi</name>
<email>fahimitahera@gmail.com</email>
</author>
<published>2024-09-05T00:14:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=369b48b43a09f995876bb2e88d78845eb2a80212'/>
<id>urn:sha1:369b48b43a09f995876bb2e88d78845eb2a80212</id>
<content type='text'>
The sandboxer can receive the character "a" as input from the
environment variable LL_SCOPED to restrict sandboxed processes from
connecting to an abstract UNIX socket created by a process outside of
the sandbox.

Example
=======

Create an abstract UNIX socket to listen with socat(1):
  socat abstract-listen:mysocket -

Create a sandboxed shell and pass the character "a" to LL_SCOPED:
  LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="a" ./sandboxer /bin/bash

Note that any other form of input (e.g. "a:a", "aa", etc.) is not
acceptable.

If the sandboxed process tries to connect to the listening socket, the
connection will fail:
  socat - abstract-connect:mysocket

Signed-off-by: Tahera Fahimi &lt;fahimitahera@gmail.com&gt;
Link: https://lore.kernel.org/r/d8af908f00b77415caa3eb0f4de631c3794e4909.1725494372.git.fahimitahera@gmail.com
[mic: Improve commit message, simplify check_ruleset_scope() with
inverted error code and only one scoped change, always unset environment
variable]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
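<![CDATA[
A minimal scope-only sandboxer, as an added example that is not the sample's own code: it parses LL_SCOPED with the token rules the two entries above describe ("a" and "s", each at most once, so "a:a" and "aa" are rejected), probes the Landlock ABI version, and applies the requested scopes with landlock_create_ruleset(2) and landlock_restrict_self(2) before exec'ing the command. The UAPI constants and syscall numbers are reproduced from linux/landlock.h instead of including it, so the file also builds with headers that predate Landlock ABI 6; struct ll_ruleset_attr, parse_scoped(), supported_scopes() and restrict_scopes() are this example's own names. The example fails closed: if the kernel's ABI is below 6 and scopes were requested, it exits instead of running the command unscoped.

```c
#define _GNU_SOURCE /* strsep(), strdup(), syscall() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* UAPI subset with the values from linux/landlock.h, so this builds where the
 * installed headers predate ABI 6 (Linux 6.12); syscall numbers are arch-independent. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_restrict_self 446
#endif
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
/* Same layout as struct landlock_ruleset_attr in ABI 6 (example's own name). */
struct ll_ruleset_attr { uint64_t handled_access_fs, handled_access_net, scoped; };

/* Parse LL_SCOPED: a ':'-separated list whose only valid tokens are "a"
 * (abstract UNIX sockets) and "s" (signals), each at most once, so "a:a", "aa"
 * and "as" are rejected.  Unset or empty means no scoping.  Returns 0 and
 * fills *scoped, or -1 on an unknown or duplicate token. */
static int parse_scoped(const char *value, uint64_t *scoped)
{
	char *dup, *walk, *tok;
	uint64_t bits = 0;
	int ret = 0;

	*scoped = 0;
	if (!value || *value == '\0')
		return 0;
	dup = strdup(value);
	if (!dup)
		return -1;
	walk = dup; /* strsep() advances walk; dup stays the pointer to free */
	while ((tok = strsep(&walk, ":"))) {
		uint64_t bit = strcmp(tok, "a") == 0 ? LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET :
			       strcmp(tok, "s") == 0 ? LANDLOCK_SCOPE_SIGNAL : 0;
		if (bit == 0 || (bits & bit)) {
			fprintf(stderr, "Unknown or duplicate scope \"%s\"\n", tok);
			ret = -1;
			break;
		}
		bits |= bit;
	}
	free(dup);
	*scoped = ret ? 0 : bits;
	return ret;
}

/* Scoping arrived with ABI 6; an older kernel rejects the unknown bits. */
static uint64_t supported_scopes(long abi_version)
{
	return abi_version < 6 ? 0 : LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL;
}

/* Enforce the scopes on the calling thread: 0 on success, -1 with errno set. */
static int restrict_scopes(uint64_t scoped)
{
	struct ll_ruleset_attr attr = { .scoped = scoped };
	int ret = -1;
	long fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);

	if (fd < 0)
		return -1;
	/* no_new_privs is a precondition of landlock_restrict_self(). */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
	    syscall(__NR_landlock_restrict_self, (int)fd, 0) == 0)
		ret = 0;
	close((int)fd);
	return ret;
}

int main(int argc, char *argv[])
{
	uint64_t scoped;
	long abi;

	if (argc < 2 || parse_scoped(getenv("LL_SCOPED"), &scoped) != 0) {
		fprintf(stderr, "usage: LL_SCOPED=a:s %s CMD [ARG...]\n", argv[0]);
		return 1;
	}
	unsetenv("LL_SCOPED"); /* do not leak the policy into the child */
	abi = syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
	if (scoped & ~supported_scopes(abi)) { /* abi is -1 without Landlock */
		fprintf(stderr, "Landlock ABI %ld lacks scoping: refusing to run unscoped\n", abi);
		return 1;
	}
	if (scoped && restrict_scopes(scoped) != 0) {
		perror("landlock_restrict_self");
		return 1;
	}
	execvp(argv[1], argv + 1);
	perror("execvp");
	return 1;
}
```

Built as scoped, `LL_SCOPED=s ./scoped /bin/bash` gives a shell from which `kill -SIGTRAP <PID>` against a process outside the sandbox fails with EPERM, matching the signal-scoping entry above; `LL_SCOPED=a` blocks the `socat - abstract-connect:mysocket` case in the same way. Unlike the sample, this example handles no filesystem or TCP rules, so a ruleset with only the scoped field set is created.
]]>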
<entry>
<title>samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL_DEV</title>
<updated>2024-05-13T04:58:33+00:00</updated>
<author>
<name>Günther Noack</name>
<email>gnoack@google.com</email>
</author>
<published>2024-04-19T16:11:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cd13738d44c9863ce54243fdcc2d228233f23355'/>
<id>urn:sha1:cd13738d44c9863ce54243fdcc2d228233f23355</id>
<content type='text'>
Add IOCTL support to the Landlock sample tool.

The IOCTL right is grouped with the read-write rights in the sample
tool, as some IOCTL requests provide features that mutate state.

Signed-off-by: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20240419161122.2023765-9-gnoack@google.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Fix incorrect free in populate_ruleset_net</title>
<updated>2024-05-13T04:58:26+00:00</updated>
<author>
<name>Ivanov Mikhail</name>
<email>ivanov.mikhail1@huawei-partners.com</email>
</author>
<published>2024-03-26T09:56:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=42212936d9d811c7cf6efc4804747a6c417aafd4'/>
<id>urn:sha1:42212936d9d811c7cf6efc4804747a6c417aafd4</id>
<content type='text'>
Pointer env_port_name changes after strsep(). Memory allocated via
strdup() will not be freed if landlock_add_rule() returns non-zero value.

Fixes: 5e990dcef12e ("samples/landlock: Support TCP restrictions")
Signed-off-by: Ivanov Mikhail &lt;ivanov.mikhail1@huawei-partners.com&gt;
Reviewed-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20240326095625.3576164-1-ivanov.mikhail1@huawei-partners.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
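<![CDATA[
The two parsing defects described above (the atoi() port parsing bug and the strsep()/free() mismatch in populate_ruleset_net) side by side, as an added example that is not the sandboxer's own code: parse_ports_atoi() reproduces the pre-fix behaviour in which LL_TCP_BIND="" yields port 0, and parse_port_list() is a hardened replacement that uses strtoull(3) with full-consumption and ERANGE checks, keeps the strdup()'d pointer separate from the one strsep() advances so the single free() is correct on every exit path, and checks the strdup() result. The function names, the return-code convention and the choice to skip empty tokens (so an empty variable means "nothing allowed", as the option-parsing clarification above puts it) are this example's own; whether a value fits a __u16 is left to the kernel, as in the upstream fix.

```c
#define _GNU_SOURCE /* strsep(), strdup() */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_DELIMITER ":"

/* Pre-fix behaviour: split on ':' and atoi() each token.  atoi() cannot report
 * errors, so an empty token ("", or what follows a trailing ':') silently
 * becomes port 0, which Landlock then allows: bind(0) picks an ephemeral port. */
static size_t parse_ports_atoi(const char *env_value, uint64_t *ports, size_t max)
{
	char *dup = strdup(env_value), *walk = dup, *tok;
	size_t n = 0;

	while (dup && n < max && (tok = strsep(&walk, ENV_DELIMITER)))
		ports[n++] = (uint64_t)atoi(tok);
	free(dup);
	return n;
}

/* Strict single-token parser: only a bare decimal digit string is accepted.
 * strtoull() on its own would also swallow leading whitespace and a sign ("-1"
 * wraps to ULLONG_MAX without ERANGE), so those are rejected first.  Whether
 * the value fits a __u16 is left to the kernel, as in the fix. */
static int parse_port(const char *tok, uint64_t *port)
{
	char *end;
	unsigned long long v;

	if (!isdigit((unsigned char)tok[0]))
		return -1; /* empty token, sign, whitespace or junk */
	errno = 0;
	v = strtoull(tok, &end, 10);
	if (errno == ERANGE || *end != '\0')
		return -1; /* overflow, or trailing junk such as "80abc" */
	*port = v;
	return 0;
}

/* Parse an LL_TCP_BIND / LL_TCP_CONNECT style list.  Returns 1 when env_value
 * is NULL (variable unset: perform no access check), 0 on success (an empty
 * value yields zero ports, i.e. nothing allowed) and -1 on a malformed token.
 * Empty tokens from leading, trailing or doubled colons are skipped, so neither
 * "" nor "80:" can smuggle in port 0 any more. */
static int parse_port_list(const char *env_value, uint64_t *ports, size_t max,
			   size_t *count)
{
	char *dup, *walk, *tok;
	int ret = 0;

	*count = 0;
	if (!env_value)
		return 1;
	dup = strdup(env_value);
	if (!dup)
		return -1; /* the NULL check parse_path() was missing */
	walk = dup; /* strsep() advances walk; dup stays the pointer to free */
	while ((tok = strsep(&walk, ENV_DELIMITER))) {
		if (*tok == '\0')
			continue;
		if (*count == max || parse_port(tok, &ports[*count]) != 0) {
			fprintf(stderr, "Failed to parse port \"%s\"\n", tok);
			ret = -1;
			break;
		}
		(*count)++;
	}
	free(dup); /* one free() of the original pointer on every exit path */
	return ret;
}

int main(void)
{
	/* Constructed inputs; the first two are the reproducer cases above. */
	const char *inputs[] = { "", "80:", "80:443", "-1", "8080abc" };
	uint64_t ports[8];
	size_t i, j, n;

	for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
		n = parse_ports_atoi(inputs[i], ports, 8);
		printf("atoi   \"%s\": %zu port(s)", inputs[i], n);
		for (j = 0; j < n; j++)
			printf(" %llu", (unsigned long long)ports[j]);
		printf("\n");
		if (parse_port_list(inputs[i], ports, 8, &n) != 0) {
			printf("strict \"%s\": rejected\n", inputs[i]);
			continue;
		}
		printf("strict \"%s\": %zu port(s)", inputs[i], n);
		for (j = 0; j < n; j++)
			printf(" %llu", (unsigned long long)ports[j]);
		printf("\n");
	}
	return 0;
}
```

Build with `cc -Wall -o ports ports.c`; for each constructed input the program prints what the atoi() path accepts (port 0 for "" and for the trailing colon in "80:") next to what the strict path accepts or rejects. A caller that applies the result would add one landlock_add_rule() per returned port and, on return value 1, leave the corresponding access unhandled in the ruleset.
]]>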
<entry>
<title>samples/landlock: Don't error out if a file path cannot be opened</title>
<updated>2024-03-08T17:22:18+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2024-03-07T14:38:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a17c60e533f5cd832e77e0d194e2e0bb663371b6'/>
<id>urn:sha1:a17c60e533f5cd832e77e0d194e2e0bb663371b6</id>
<content type='text'>
Instead of creating a hard error and aborting the sandbox creation,
accept file paths not usable in the LL_FS_RO and LL_FS_RW environment
variables but only print a warning.  This makes it easier to test, for
instance with LL_FS_RO="${PATH}:/usr/lib:/lib"

Print that we are going to execute the command in the sandbox before
doing so.

Rename "launch" to "execute", and improve header description.

Reviewed-by: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20240307143849.1517218-1-mic@digikod.net
[mic: Improve header description as suggested by Günther]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Support TCP restrictions</title>
<updated>2023-10-26T19:07:17+00:00</updated>
<author>
<name>Konstantin Meskhidze</name>
<email>konstantin.meskhidze@huawei.com</email>
</author>
<published>2023-10-26T01:47:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5e990dcef12eebf683d209bac5e14591308dc216'/>
<id>urn:sha1:5e990dcef12eebf683d209bac5e14591308dc216</id>
<content type='text'>
Add TCP restrictions to the sandboxer demo. It's possible to allow a
sandboxer to bind/connect to a list of specified ports restricting
network actions to the rest of them. This is controlled with the new
LL_TCP_BIND and LL_TCP_CONNECT environment variables.

Rename ENV_PATH_TOKEN to ENV_DELIMITER.

Signed-off-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20231026014751.414649-12-konstantin.meskhidze@huawei.com
[mic: Extend commit message]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
</feed>
