<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/samples/landlock, branch v6.18.21</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2025-07-01T19:42:39+00:00</updated>
<entry>
<title>samples/landlock: Fix building on musl libc</title>
<updated>2025-07-01T19:42:39+00:00</updated>
<author>
<name>Brahmajit Das</name>
<email>listout@listout.xyz</email>
</author>
<published>2025-06-30T20:32:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=970f8a17c9c86eff390252e13bb9a08a3fb5a098'/>
<id>urn:sha1:970f8a17c9c86eff390252e13bb9a08a3fb5a098</id>
<content type='text'>
Building with make allyesconfig on musl results in the following:

In file included from samples/landlock/sandboxer.c:22:
/usr/include/sys/prctl.h:88:8: error: redefinition of 'struct prctl_mm_map'
   88 | struct prctl_mm_map {
      |        ^~~~~~~~~~~~
In file included from samples/landlock/sandboxer.c:16:
usr/include/linux/prctl.h:134:8: note: originally defined here
  134 | struct prctl_mm_map {
      |        ^~~~~~~~~~~~

This is mainly due to a difference in sys/prctl.h between glibc and
musl. The struct prctl_mm_map is defined in sys/prctl.h in musl.

Signed-off-by: Brahmajit Das &lt;listout@listout.xyz&gt;
[mic: Move down the if/include/endif block]
Link: https://lore.kernel.org/r/20250630203248.16273-1-listout@listout.xyz
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Enable users to log sandbox denials</title>
<updated>2025-03-26T12:59:44+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2025-03-20T19:07:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ec2798d85b1c29f4549849f1332555a0fd09686f'/>
<id>urn:sha1:ec2798d85b1c29f4549849f1332555a0fd09686f</id>
<content type='text'>
By default, denials from within the sandbox are not logged.  Indeed, the
sandboxer's security policy might not be fitted to the set of sandboxed
processes that could be spawned (e.g. from a shell).

For test purposes, parse the LL_FORCE_LOG environment variable to log
every sandbox denial, including after launching the initial sandboxed
program, thanks to LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON.

Cc: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20250320190717.2287696-20-mic@digikod.net
[mic: Remove inappropriate hunk]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Fix possible NULL dereference in parse_path()</title>
<updated>2025-01-10T11:12:40+00:00</updated>
<author>
<name>Zichen Xie</name>
<email>zichenxie0106@gmail.com</email>
</author>
<published>2024-11-28T03:29:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=078bf9438a31567e2c0587159ccefde835fb1ced'/>
<id>urn:sha1:078bf9438a31567e2c0587159ccefde835fb1ced</id>
<content type='text'>
malloc() may return NULL, leading to NULL dereference.  Add a NULL
check.

Fixes: ba84b0bf5a16 ("samples/landlock: Add a sandbox manager example")
Signed-off-by: Zichen Xie &lt;zichenxie0106@gmail.com&gt;
Link: https://lore.kernel.org/r/20241128032955.11711-1-zichenxie0106@gmail.com
[mic: Simplify fix]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Clarify option parsing behaviour</title>
<updated>2024-10-22T18:43:43+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2024-10-19T15:15:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=53b9d789df983790015ef04b0283ac5a33917cad'/>
<id>urn:sha1:53b9d789df983790015ef04b0283ac5a33917cad</id>
<content type='text'>
Clarify the distinction between filesystem variables (mandatory)
and all others (optional).

For optional variables, explain the difference between unset variables
(no access check performed) and empty variables (nothing allowed for
lists of allowed paths/ports, or no effect for lists of scopes).

List the known LL_SCOPED values and their effect.

Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://lore.kernel.org/r/20241019151534.1400605-4-matthieu@buffet.re
[mic: Add a missing colon]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Refactor help message</title>
<updated>2024-10-22T18:43:43+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2024-10-19T15:15:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f51e55a0892bd2030c847d4583c12498bb93f812'/>
<id>urn:sha1:f51e55a0892bd2030c847d4583c12498bb93f812</id>
<content type='text'>
The help message is getting larger with each new supported feature (scopes,
and soon UDP). Also, the large number of calls to fprintf with
environment variables makes it hard to read. Refactor it away into a
single, simpler constant format string.

Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://lore.kernel.org/r/20241019151534.1400605-3-matthieu@buffet.re
[mic: Move the small cleanups in the next commit]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Fix port parsing in sandboxer</title>
<updated>2024-10-22T18:43:41+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2024-10-19T15:15:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=387285530d1d4bdba8c5dff5aeabd8d71638173f'/>
<id>urn:sha1:387285530d1d4bdba8c5dff5aeabd8d71638173f</id>
<content type='text'>
If you want to specify that no port can be bind()ed, you would think
(looking quickly at both help message and code) that setting
LL_TCP_BIND="" would do it.

However, the code splits on ":" then applies atoi(), which does not allow
checking for errors. Passing an empty string returns 0, which is
interpreted as "allow bind(0)", which means bind to any ephemeral port.
This bug occurs whenever passing an empty string or when leaving a
trailing/leading colon, making it impossible to completely deny bind().

To reproduce:
export LL_FS_RO="/" LL_FS_RW="" LL_TCP_BIND=""
./sandboxer strace -e bind nc -n -vvv -l -p 0
Executing the sandboxed command...
bind(3, {sa_family=AF_INET, sin_port=htons(0),
     sin_addr=inet_addr("0.0.0.0")}, 16) = 0
Listening on 0.0.0.0 37629

Use strtoull(3) instead, which allows error checking. Check that the
entire string has been parsed correctly without overflows/underflows,
but not that the __u64 (the type of struct landlock_net_port_attr.port)
is a valid __u16 port: that is already done by the kernel.

Fixes: 5e990dcef12e ("samples/landlock: Support TCP restrictions")
Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://lore.kernel.org/r/20241019151534.1400605-2-matthieu@buffet.re
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Add support for signal scoping</title>
<updated>2024-09-16T21:50:54+00:00</updated>
<author>
<name>Tahera Fahimi</name>
<email>fahimitahera@gmail.com</email>
</author>
<published>2024-09-06T21:30:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f490e205bcbada6eb6dca8b75a2511685e6bd0f0'/>
<id>urn:sha1:f490e205bcbada6eb6dca8b75a2511685e6bd0f0</id>
<content type='text'>
The sandboxer can receive the character "s" as input from the
environment variable LL_SCOPED to restrict sandboxed processes from
sending signals to processes outside of the sandbox.

Example
=======

Create a sandboxed shell and pass the character "s" to LL_SCOPED:
  LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="s" ./sandboxer /bin/bash

Try to send a SIGTRAP to a process with process ID &lt;PID&gt; through:
  kill -SIGTRAP &lt;PID&gt;

The sandboxed process should not be able to send the signal.

Signed-off-by: Tahera Fahimi &lt;fahimitahera@gmail.com&gt;
Link: https://lore.kernel.org/r/1f3f1992b2abeb8e5d7aa61b854e1b0721978b9a.1725657728.git.fahimitahera@gmail.com
[mic: Improve commit message, simplify code, rebase on previous sample
change]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Add support for abstract UNIX socket scoping</title>
<updated>2024-09-16T21:50:51+00:00</updated>
<author>
<name>Tahera Fahimi</name>
<email>fahimitahera@gmail.com</email>
</author>
<published>2024-09-05T00:14:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=369b48b43a09f995876bb2e88d78845eb2a80212'/>
<id>urn:sha1:369b48b43a09f995876bb2e88d78845eb2a80212</id>
<content type='text'>
The sandboxer can receive the character "a" as input from the
environment variable LL_SCOPED to restrict sandboxed processes from
connecting to an abstract UNIX socket created by a process outside of
the sandbox.

Example
=======

Create an abstract UNIX socket to listen with socat(1):
  socat abstract-listen:mysocket -

Create a sandboxed shell and pass the character "a" to LL_SCOPED:
  LL_FS_RO=/ LL_FS_RW=. LL_SCOPED="a" ./sandboxer /bin/bash

Note that any other form of input (e.g. "a:a", "aa", etc.) is not
acceptable.

If the sandboxed process tries to connect to the listening socket, the
connection will fail:
  socat - abstract-connect:mysocket

Signed-off-by: Tahera Fahimi &lt;fahimitahera@gmail.com&gt;
Link: https://lore.kernel.org/r/d8af908f00b77415caa3eb0f4de631c3794e4909.1725494372.git.fahimitahera@gmail.com
[mic: Improve commit message, simplify check_ruleset_scope() with
inverted error code and only one scoped change, always unset environment
variable]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL_DEV</title>
<updated>2024-05-13T04:58:33+00:00</updated>
<author>
<name>Günther Noack</name>
<email>gnoack@google.com</email>
</author>
<published>2024-04-19T16:11:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cd13738d44c9863ce54243fdcc2d228233f23355'/>
<id>urn:sha1:cd13738d44c9863ce54243fdcc2d228233f23355</id>
<content type='text'>
Add IOCTL support to the Landlock sample tool.

The IOCTL right is grouped with the read-write rights in the sample
tool, as some IOCTL requests provide features that mutate state.

Signed-off-by: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20240419161122.2023765-9-gnoack@google.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>samples/landlock: Fix incorrect free in populate_ruleset_net</title>
<updated>2024-05-13T04:58:26+00:00</updated>
<author>
<name>Ivanov Mikhail</name>
<email>ivanov.mikhail1@huawei-partners.com</email>
</author>
<published>2024-03-26T09:56:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=42212936d9d811c7cf6efc4804747a6c417aafd4'/>
<id>urn:sha1:42212936d9d811c7cf6efc4804747a6c417aafd4</id>
<content type='text'>
The pointer env_port_name changes after strsep(). Memory allocated via
strdup() will not be freed if landlock_add_rule() returns a non-zero value.

Fixes: 5e990dcef12e ("samples/landlock: Support TCP restrictions")
Signed-off-by: Ivanov Mikhail &lt;ivanov.mikhail1@huawei-partners.com&gt;
Reviewed-by: Konstantin Meskhidze &lt;konstantin.meskhidze@huawei.com&gt;
Link: https://lore.kernel.org/r/20240326095625.3576164-1-ivanov.mikhail1@huawei-partners.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
</feed>
