<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/security/landlock/limits.h, branch v7.2-rc2</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc2</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc2'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-14T18:17:18+00:00</updated>
<entry>
<title>landlock: Add a place for flags to layer rules</title>
<updated>2026-06-14T18:17:18+00:00</updated>
<author>
<name>Tingmao Wang</name>
<email>m@maowtm.org</email>
</author>
<published>2026-06-12T01:48:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a260c0055665fc38804400b3dbdca165d5e0aa15'/>
<id>urn:sha1:a260c0055665fc38804400b3dbdca165d5e0aa15</id>
<content type='text'>
To avoid unnecessarily increasing the size of struct landlock_layer, we
make the layer level a u8 and use the space to store the flags struct.

struct layer_access_masks is renamed to struct layer_masks, and a new
field is added to track whether a quiet flag rule is seen for each
layer.  Through use of bitfields, this does not increase the size of the
struct.

Cc: Justin Suess &lt;utilityemal77@gmail.com&gt;
Assisted-by: GitHub-Copilot:claude-opus-4.8 copilot-review
Signed-off-by: Tingmao Wang &lt;m@maowtm.org&gt;
Co-developed-by: Justin Suess &lt;utilityemal77@gmail.com&gt;
Signed-off-by: Justin Suess &lt;utilityemal77@gmail.com&gt;
Tested-by: Justin Suess &lt;utilityemal77@gmail.com&gt;
Link: https://patch.msgid.link/be3fec3927bc9faaacd4ce0e7f0d1ff5474e2210.1781228815.git.m@maowtm.org
[mic: Fix comment formatting]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Add UDP send+connect access control</title>
<updated>2026-06-13T21:15:04+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2026-06-11T16:21:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e61247a2e694d17236149135b2d22f0f7d19578c'/>
<id>urn:sha1:e61247a2e694d17236149135b2d22f0f7d19578c</id>
<content type='text'>
Add support for a second fine-grained UDP access right.
LANDLOCK_ACCESS_NET_CONNECT_SEND_UDP controls the ability to set the
remote port of a socket (via connect()) and to specify an explicit
destination when sending a datagram, to override any remote peer set on
a UDP socket (e.g. in sendto() or sendmsg()).  It will be useful for
applications that send datagrams, and for some servers too (those
creating per-client sockets, which want to receive traffic only from a
specific address).

Similarly as for bind(), this access control is performed when
configuring sockets, not in hot code paths.

Add detection of when autobind is about to be required, and deny the
operation if the process would not be allowed to call bind(0)
explicitly. Autobind can only be performed in udp_lib_get_port() from
code paths already controlled by LSM hooks: when connect()ing, sending a
first datagram, and in some splice() EOF edge case which, afaiu, can
only happen after a remote peer has been set. This invariant needs to be
preserved to keep bind policies actually enforced.

Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://patch.msgid.link/20260611162107.49278-3-matthieu@buffet.re
[mic: Add quick return for non-sandboxed tasks, fix sa_family
dereferencing, fix comment formatting]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Add UDP bind() access control</title>
<updated>2026-06-13T21:15:04+00:00</updated>
<author>
<name>Matthieu Buffet</name>
<email>matthieu@buffet.re</email>
</author>
<published>2026-06-11T16:21:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9a8ed15ce22472fe0363e33738b4317d06b13c3a'/>
<id>urn:sha1:9a8ed15ce22472fe0363e33738b4317d06b13c3a</id>
<content type='text'>
Add support for a first fine-grained UDP access right.
LANDLOCK_ACCESS_NET_BIND_UDP controls the ability to set the local port
of a UDP socket (via bind()). It will be useful for servers (to start
receiving datagrams), and for some clients that need to use a specific
source port (e.g. mDNS requires to use port 5353)

For obvious performance concerns, access control is only enforced when
configuring sockets, not when using them for common send/recv
operations.

Bump ABI to allow userspace to detect and use this new right.

Signed-off-by: Matthieu Buffet &lt;matthieu@buffet.re&gt;
Link: https://patch.msgid.link/20260611162107.49278-2-matthieu@buffet.re
[mic: Fix comment formatting]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Control pathname UNIX domain socket resolution by path</title>
<updated>2026-04-07T16:51:06+00:00</updated>
<author>
<name>Günther Noack</name>
<email>gnoack3000@gmail.com</email>
</author>
<published>2026-03-27T16:48:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ae97330d1bd6a97646c2842d117577236cb40913'/>
<id>urn:sha1:ae97330d1bd6a97646c2842d117577236cb40913</id>
<content type='text'>
* Add a new access right LANDLOCK_ACCESS_FS_RESOLVE_UNIX, which
  controls the lookup operations for named UNIX domain sockets.  The
  resolution happens during connect() and sendmsg() (depending on
  socket type).
* Change access_mask_t from u16 to u32 (see below)
* Hook into the path lookup in unix_find_bsd() in af_unix.c, using a
  LSM hook.  Make policy decisions based on the new access rights
* Increment the Landlock ABI version.
* Minor test adaptations to keep the tests working.
* Document the design rationale for scoped access rights,
  and cross-reference it from the header documentation.

With this access right, access is granted if either of the following
conditions is met:

* The target socket's filesystem path was allow-listed using a
  LANDLOCK_RULE_PATH_BENEATH rule, *or*:
* The target socket was created in the same Landlock domain in which
  LANDLOCK_ACCESS_FS_RESOLVE_UNIX was restricted.

In case of a denial, connect() and sendmsg() return EACCES, which is
the same error as it is returned if the user does not have the write
bit in the traditional UNIX file system permissions of that file.

The access_mask_t type grows from u16 to u32 to make space for the new
access right.  This also doubles the size of struct layer_access_masks
from 32 byte to 64 byte.  To avoid memory layout inconsistencies between
architectures (especially m68k), pack and align struct access_masks [2].

Document the (possible future) interaction between scoped flags and
other access rights in struct landlock_ruleset_attr, and summarize the
rationale, as discussed in code review leading up to [3].

This feature was created with substantial discussion and input from
Justin Suess, Tingmao Wang and Mickaël Salaün.

Cc: Tingmao Wang &lt;m@maowtm.org&gt;
Cc: Justin Suess &lt;utilityemal77@gmail.com&gt;
Cc: Kuniyuki Iwashima &lt;kuniyu@google.com&gt;
Suggested-by: Jann Horn &lt;jannh@google.com&gt;
Link[1]: https://github.com/landlock-lsm/linux/issues/36
Link[2]: https://lore.kernel.org/all/20260401.Re1Eesu1Yaij@digikod.net/
Link[3]: https://lore.kernel.org/all/20260205.8531e4005118@gnoack.org/
Signed-off-by: Günther Noack &lt;gnoack3000@gmail.com&gt;
Acked-by: Sebastian Andrzej Siewior &lt;bigeasy@linutronix.de&gt;
Link: https://lore.kernel.org/r/20260327164838.38231-5-gnoack3000@gmail.com
[mic: Fix kernel-doc formatting, pack and align access_masks]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Multithreading support for landlock_restrict_self()</title>
<updated>2026-02-06T16:54:37+00:00</updated>
<author>
<name>Günther Noack</name>
<email>gnoack@google.com</email>
</author>
<published>2025-11-27T11:51:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=42fc7e6543f6d17d2cf9ed3e5021f103a3d11182'/>
<id>urn:sha1:42fc7e6543f6d17d2cf9ed3e5021f103a3d11182</id>
<content type='text'>
Introduce the LANDLOCK_RESTRICT_SELF_TSYNC flag.  With this flag, a
given Landlock ruleset is applied to all threads of the calling
process, instead of only the current one.

Without this flag, multithreaded userspace programs currently resort
to using the nptl(7)/libpsx hack for multithreaded policy enforcement,
which is also used by libcap and for setuid(2).  Using this
userspace-based scheme, the threads of a process enforce the same
Landlock policy, but the resulting Landlock domains are still
separate.  The domains being separate causes multiple problems:

* When using Landlock's "scoped" access rights, the domain identity is
  used to determine whether an operation is permitted.  As a result,
  when using LANLDOCK_SCOPE_SIGNAL, signaling between sibling threads
  stops working.  This is a problem for programming languages and
  frameworks which are inherently multithreaded (e.g. Go).

* In audit logging, the domains of separate threads in a process will
  get logged with different domain IDs, even when they are based on
  the same ruleset FD, which might confuse users.

Cc: Andrew G. Morgan &lt;morgan@kernel.org&gt;
Cc: John Johansen &lt;john.johansen@canonical.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Suggested-by: Jann Horn &lt;jannh@google.com&gt;
Signed-off-by: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20251127115136.3064948-2-gnoack@google.com
[mic: Fix restrict_self_flags test, clean up Makefile, allign comments,
reduce local variable scope, add missing includes]
Closes: https://github.com/landlock-lsm/linux/issues/2
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Add LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF</title>
<updated>2025-03-26T12:59:43+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2025-03-20T19:07:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=ead9079f75696a028aea8860787770c80eddb8f9'/>
<id>urn:sha1:ead9079f75696a028aea8860787770c80eddb8f9</id>
<content type='text'>
Add LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF for the case of sandboxer
tools, init systems, or runtime containers launching programs sandboxing
themselves in an inconsistent way.  Setting this flag should only
depends on runtime configuration (i.e. not hardcoded).

We don't create a new ruleset's option because this should not be part
of the security policy: only the task that enforces the policy (not the
one that create it) knows if itself or its children may request denied
actions.

This is the first and only flag that can be set without actually
restricting the caller (i.e. without providing a ruleset).

Extend struct landlock_cred_security with a u8 log_subdomains_off.
struct landlock_file_security is still 16 bytes.

Cc: Günther Noack &lt;gnoack@google.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Closes: https://github.com/landlock-lsm/linux/issues/3
Link: https://lore.kernel.org/r/20250320190717.2287696-19-mic@digikod.net
[mic: Fix comment]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags</title>
<updated>2025-03-26T12:59:42+00:00</updated>
<author>
<name>Mickaël Salaün</name>
<email>mic@digikod.net</email>
</author>
<published>2025-03-20T19:07:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=12bfcda73ac2cf3083c9d6d05724af92da3a4b4b'/>
<id>urn:sha1:12bfcda73ac2cf3083c9d6d05724af92da3a4b4b</id>
<content type='text'>
Most of the time we want to log denied access because they should not
happen and such information helps diagnose issues.  However, when
sandboxing processes that we know will try to access denied resources
(e.g. unknown, bogus, or malicious binary), we might want to not log
related access requests that might fill up logs.

By default, denied requests are logged until the task call execve(2).

If the LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF flag is set, denied
requests will not be logged for the same executed file.

If the LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON flag is set, denied
requests from after an execve(2) call will be logged.

The rationale is that a program should know its own behavior, but not
necessarily the behavior of other programs.

Because LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF is set for a specific
Landlock domain, it makes it possible to selectively mask some access
requests that would be logged by a parent domain, which might be handy
for unprivileged processes to limit logs.  However, system
administrators should still use the audit filtering mechanism.  There is
intentionally no audit nor sysctl configuration to re-enable these logs.
This is delegated to the user space program.

Increment the Landlock ABI version to reflect this interface change.

Cc: Günther Noack &lt;gnoack@google.com&gt;
Cc: Paul Moore &lt;paul@paul-moore.com&gt;
Link: https://lore.kernel.org/r/20250320190717.2287696-18-mic@digikod.net
[mic: Rename variables and fix __maybe_unused]
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Add signal scoping</title>
<updated>2024-09-16T21:50:52+00:00</updated>
<author>
<name>Tahera Fahimi</name>
<email>fahimitahera@gmail.com</email>
</author>
<published>2024-09-06T21:30:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=54a6e6bbf3bef25c8eb65619edde70af49bd3db0'/>
<id>urn:sha1:54a6e6bbf3bef25c8eb65619edde70af49bd3db0</id>
<content type='text'>
Currently, a sandbox process is not restricted to sending a signal (e.g.
SIGKILL) to a process outside the sandbox environment.  The ability to
send a signal for a sandboxed process should be scoped the same way
abstract UNIX sockets are scoped. Therefore, we extend the "scoped"
field in a ruleset with LANDLOCK_SCOPE_SIGNAL to specify that a ruleset
will deny sending any signal from within a sandbox process to its parent
(i.e. any parent sandbox or non-sandboxed processes).

This patch adds file_set_fowner and file_free_security hooks to set and
release a pointer to the file owner's domain. This pointer, fown_domain
in landlock_file_security will be used in file_send_sigiotask to check
if the process can send a signal.

The ruleset_with_unknown_scope test is updated to support
LANDLOCK_SCOPE_SIGNAL.

This depends on two new changes:
- commit 1934b212615d ("file: reclaim 24 bytes from f_owner"): replace
  container_of(fown, struct file, f_owner) with fown-&gt;file .
- commit 26f204380a3c ("fs: Fix file_set_fowner LSM hook
  inconsistencies"): lock before calling the hook.

Signed-off-by: Tahera Fahimi &lt;fahimitahera@gmail.com&gt;
Closes: https://github.com/landlock-lsm/linux/issues/8
Link: https://lore.kernel.org/r/df2b4f880a2ed3042992689a793ea0951f6798a5.1725657727.git.fahimitahera@gmail.com
[mic: Update landlock_get_current_domain()'s return type, improve and
fix locking in hook_file_set_fowner(), simplify and fix sleepable call
and locking issue in hook_file_send_sigiotask() and rebase on the latest
VFS tree, simplify hook_task_kill() and quickly return when not
sandboxed, improve comments, rename LANDLOCK_SCOPED_SIGNAL]
Co-developed-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Add abstract UNIX socket scoping</title>
<updated>2024-09-16T21:50:45+00:00</updated>
<author>
<name>Tahera Fahimi</name>
<email>fahimitahera@gmail.com</email>
</author>
<published>2024-09-05T00:13:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=21d52e295ad2afc76bbd105da82a003b96f6ac77'/>
<id>urn:sha1:21d52e295ad2afc76bbd105da82a003b96f6ac77</id>
<content type='text'>
Introduce a new "scoped" member to landlock_ruleset_attr that can
specify LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET to restrict connection to
abstract UNIX sockets from a process outside of the socket's domain.

Two hooks are implemented to enforce these restrictions:
unix_stream_connect and unix_may_send.

Closes: https://github.com/landlock-lsm/linux/issues/7
Signed-off-by: Tahera Fahimi &lt;fahimitahera@gmail.com&gt;
Link: https://lore.kernel.org/r/5f7ad85243b78427242275b93481cfc7c127764b.1725494372.git.fahimitahera@gmail.com
[mic: Fix commit message formatting, improve documentation, simplify
hook_unix_may_send(), and cosmetic fixes including rename of
LANDLOCK_SCOPED_ABSTRACT_UNIX_SOCKET]
Co-developed-by: Mickaël Salaün &lt;mic@digikod.net&gt;
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
<entry>
<title>landlock: Use bit-fields for storing handled layer access masks</title>
<updated>2024-07-08T08:51:10+00:00</updated>
<author>
<name>Günther Noack</name>
<email>gnoack@google.com</email>
</author>
<published>2024-06-10T08:21:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=395a02d04ed4d9b9ae2d7cadfd9b14a64fe240b5'/>
<id>urn:sha1:395a02d04ed4d9b9ae2d7cadfd9b14a64fe240b5</id>
<content type='text'>
When defined using bit-fields, the compiler takes care of packing the
bits in a memory-efficient way and frees us from defining
LANDLOCK_SHIFT_ACCESS_* by hand.  The exact memory layout does not
matter in our use case.

The manual definition of LANDLOCK_SHIFT_ACCESS_* has resulted in bugs in
at least two recent patch sets [1] [2] where new kinds of handled access
rights were introduced.

Cc: Mikhail Ivanov &lt;ivanov.mikhail1@huawei-partners.com&gt;
Cc: Tahera Fahimi &lt;fahimitahera@gmail.com&gt;
Link: https://lore.kernel.org/r/ebd680cc-25d6-ee14-4856-310f5e5e28e4@huawei-partners.com [1]
Link: https://lore.kernel.org/r/ZmLEoBfHyUR3nKAV@google.com [2]
Signed-off-by: Günther Noack &lt;gnoack@google.com&gt;
Link: https://lore.kernel.org/r/20240610082115.1693267-1-gnoack@google.com
Signed-off-by: Mickaël Salaün &lt;mic@digikod.net&gt;
</content>
</entry>
</feed>
