Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0-rc7 2026-02-06T16:54:43+00:00 2026-02-06T16:54:43+00:00 Samasth Norway Ananda samasth.norway.ananda@oracle.com 2026-01-28T03:18:11+00:00 urn:sha1:fe72ce6710cba088b67e3279de87d7341fafc357 Add errata section with code examples for querying errata and a warning that most applications should not check errata. Use kernel-doc directives to include errata descriptions from the header files instead of manual links. Also enhance existing DOC sections in security/landlock/errata/abi-*.h files with Impact sections, and update the code comment in syscalls.c to remind developers to update errata documentation when applicable. This addresses the gap where the kernel implements errata tracking but provides no user-facing documentation on how to use it, while improving the existing technical documentation in-place rather than duplicating it. Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com> Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260128031814.2945394-3-samasth.norway.ananda@oracle.com [mic: Cosmetic fix] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-02-06T16:54:37+00:00 Günther Noack gnoack@google.com 2025-11-27T11:51:34+00:00 urn:sha1:42fc7e6543f6d17d2cf9ed3e5021f103a3d11182 Introduce the LANDLOCK_RESTRICT_SELF_TSYNC flag. With this flag, a given Landlock ruleset is applied to all threads of the calling process, instead of only the current one. Without this flag, multithreaded userspace programs currently resort to using the nptl(7)/libpsx hack for multithreaded policy enforcement, which is also used by libcap and for setuid(2). Using this userspace-based scheme, the threads of a process enforce the same Landlock policy, but the resulting Landlock domains are still separate. The domains being separate causes multiple problems: * When using Landlock's "scoped" access rights, the domain identity is used to determine whether an operation is permitted. As a result, when using LANLDOCK_SCOPE_SIGNAL, signaling between sibling threads stops working. This is a problem for programming languages and frameworks which are inherently multithreaded (e.g. Go). * In audit logging, the domains of separate threads in a process will get logged with different domain IDs, even when they are based on the same ruleset FD, which might confuse users. Cc: Andrew G. Morgan <morgan@kernel.org> Cc: John Johansen <john.johansen@canonical.com> Cc: Paul Moore <paul@paul-moore.com> Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20251127115136.3064948-2-gnoack@google.com [mic: Fix restrict_self_flags test, clean up Makefile, allign comments, reduce local variable scope, add missing includes] Closes: https://github.com/landlock-lsm/linux/issues/2 Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-06-17T22:03:57+00:00 Al Viro viro@zeniv.linux.org.uk 2025-05-28T02:39:51+00:00 urn:sha1:d1832e648d2be564e4b5e357f94d0f33156590dc Reviewed-by: Christian Brauner <brauner@kernel.org> Acked-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2025-05-12T09:38:53+00:00 Mickaël Salaün mic@digikod.net 2025-05-12T09:37:30+00:00 urn:sha1:3039ed432745f8fdf5cbb43fdc60b2e1aad624c1 Use the BIT() and BIT_ULL() macros in the new audit code instead of explicit shifts to improve readability. Use bitmask instead of modulo operation to simplify code. Add test_range1_rand15() and test_range2_rand15() KUnit tests to improve get_id_range() coverage. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20250512093732.1408485-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-04-17T09:09:10+00:00 Mickaël Salaün mic@digikod.net 2025-04-16T15:47:12+00:00 urn:sha1:25b1fc1cdc8931cf26e8d169f65ad07dfd653ca2 Fix, deduplicate, and improve rendering of landlock_restrict_self(2)'s flags documentation. The flags are now rendered like the syscall's parameters and description. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250416154716.1799902-2-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-04-17T09:09:07+00:00 Mickaël Salaün mic@digikod.net 2025-04-16T15:47:11+00:00 urn:sha1:50492f942c281af4a48f8028f8409d7b8f2655d9 Move and fix the flags documentation, and improve formatting. It makes more sense and it eases maintenance to document syscall flags in landlock.h, where they are defined. This is already the case for landlock_restrict_self(2)'s flags. The flags are now rendered like the syscall's parameters and description. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250416154716.1799902-1-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:43+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:07+00:00 urn:sha1:ead9079f75696a028aea8860787770c80eddb8f9 Add LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF for the case of sandboxer tools, init systems, or runtime containers launching programs sandboxing themselves in an inconsistent way. Setting this flag should only depends on runtime configuration (i.e. not hardcoded). We don't create a new ruleset's option because this should not be part of the security policy: only the task that enforces the policy (not the one that create it) knows if itself or its children may request denied actions. This is the first and only flag that can be set without actually restricting the caller (i.e. without providing a ruleset). Extend struct landlock_cred_security with a u8 log_subdomains_off. struct landlock_file_security is still 16 bytes. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Closes: https://github.com/landlock-lsm/linux/issues/3 Link: https://lore.kernel.org/r/20250320190717.2287696-19-mic@digikod.net [mic: Fix comment] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:42+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:06+00:00 urn:sha1:12bfcda73ac2cf3083c9d6d05724af92da3a4b4b Most of the time we want to log denied access because they should not happen and such information helps diagnose issues. However, when sandboxing processes that we know will try to access denied resources (e.g. unknown, bogus, or malicious binary), we might want to not log related access requests that might fill up logs. By default, denied requests are logged until the task call execve(2). If the LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF flag is set, denied requests will not be logged for the same executed file. If the LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON flag is set, denied requests from after an execve(2) call will be logged. The rationale is that a program should know its own behavior, but not necessarily the behavior of other programs. Because LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF is set for a specific Landlock domain, it makes it possible to selectively mask some access requests that would be logged by a parent domain, which might be handy for unprivileged processes to limit logs. However, system administrators should still use the audit filtering mechanism. There is intentionally no audit nor sysctl configuration to re-enable these logs. This is delegated to the user space program. Increment the Landlock ABI version to reflect this interface change. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-18-mic@digikod.net [mic: Rename variables and fix __maybe_unused] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:37+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:06:57+00:00 urn:sha1:14f6c14e9fbde4a802c10c7e770b5ba63853ebc6 Extend struct landlock_cred_security with a domain_exec bitmask to identify which Landlock domain were created by the current task's bprm. The whole bitmask is reset on each execve(2) call. Cc: Günther Noack <gnoack@google.com> Cc: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-9-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-21T11:12:19+00:00 Mickaël Salaün mic@digikod.net 2025-03-18T16:14:37+00:00 urn:sha1:15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac Some fixes may require user space to check if they are applied on the running kernel before using a specific feature. For instance, this applies when a restriction was previously too restrictive and is now getting relaxed (e.g. for compatibility reasons). However, non-visible changes for legitimate use (e.g. security fixes) do not require an erratum. Because fixes are backported down to a specific Landlock ABI, we need a way to avoid cherry-pick conflicts. The solution is to only update a file related to the lower ABI impacted by this issue. All the ABI files are then used to create a bitmask of fixes. The new errata interface is similar to the one used to get the supported Landlock ABI version, but it returns a bitmask instead because the order of fixes may not match the order of versions, and not all fixes may apply to all versions. The actual errata will come with dedicated commits. The description is not actually used in the code but serves as documentation. Create the landlock_abi_version symbol and use its value to check errata consistency. Update test_base's create_ruleset_checks_ordering tests and add errata tests. This commit is backportable down to the first version of Landlock. Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features") Cc: Günther Noack <gnoack@google.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net>