Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1-rc6 2026-04-07T16:51:07+00:00 2026-04-07T16:51:07+00:00 Günther Noack gnoack3000@gmail.com 2026-03-27T16:48:30+00:00 urn:sha1:a46e32db1fb7acac49a35773345d4bcf343847f5 The BUILD_BUG_ON check in domain_is_scoped() and unmask_scoped_access() should check that the loop that counts down client_layer finishes. We therefore check that the numbers LANDLOCK_MAX_NUM_LAYERS-1 and -1 are both representable by that integer. If they are representable, the numbers in between are representable too, and the loop finishes. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260327164838.38231-6-gnoack3000@gmail.com Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-04-07T16:51:04+00:00 Mickaël Salaün mic@digikod.net 2026-03-04T19:31:26+00:00 urn:sha1:fa20aeb95d72da9dd78a3c9b24e996b5d9219888 The canonical kernel-doc form is "Return:" (singular, without trailing "s"). Normalize all existing "Returns:" occurrences across the Landlock source tree to the canonical form. Also fix capitalization for consistency. Balance descriptions to describe all possible returned values. Consolidate bullet-point return descriptions into inline text for functions with simple two-value or three-value returns for consistency. Cc: Günther Noack <gnoack@google.com> Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260304193134.250495-3-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-04-07T16:51:03+00:00 Mickaël Salaün mic@digikod.net 2026-03-04T19:31:25+00:00 urn:sha1:e89dea254dce44c629d98639c05fe5ca7add7241 The kernel-doc -Wreturn check warns about functions with documentation comments that lack a "Return:" section. Add "Return:" documentation to all functions missing it so that kernel-doc -Wreturn passes cleanly. Convert existing function descriptions into a formal "Return:" section. Also fix the inaccurate return documentation for landlock_merge_ruleset() which claimed to return @parent directly, and document the previously missing ERR_PTR() error return path. Document the ABI version and errata return paths for landlock_create_ruleset() which were previously only implied by the prose. Cc: Günther Noack <gnoack@google.com> Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260304193134.250495-2-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-29T15:19:39+00:00 Tingmao Wang m@maowtm.org 2025-12-28T01:27:35+00:00 urn:sha1:ef4536f15224418b327a7b5d5cae07dab042760f Currently it is not obvious what "scoped" mean, and the fact that the function returns true when access should be denied is slightly surprising and in need of documentation. Cc: Tahera Fahimi <fahimitahera@gmail.com> Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://lore.kernel.org/r/06393bc18aee5bc278df5ef31c64a05b742ebc10.1766885035.git.m@maowtm.org [mic: Fix formatting and improve consistency] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-26T19:39:01+00:00 Mickaël Salaün mic@digikod.net 2025-12-19T19:38:49+00:00 urn:sha1:aa9877d74c07045f712a4ec82105505e69cd5efe Make variable's scope minimal in hook_ptrace_access_check(). Cc: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20251219193855.825889-3-mic@digikod.net Reviewed-by: Günther Noack <gnoack3000@gmail.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:42+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:07:05+00:00 urn:sha1:1176a15b5ec02925ea89bae05b5c860ddcce1e2e Add audit support for unix_stream_connect, unix_may_send, task_kill, and file_send_sigiotask hooks. The related blockers are: - scope.abstract_unix_socket - scope.signal Audit event sample for abstract unix socket: type=LANDLOCK_DENY msg=audit(1729738800.268:30): domain=195ba459b blockers=scope.abstract_unix_socket path=00666F6F Audit event sample for signal: type=LANDLOCK_DENY msg=audit(1729738800.291:31): domain=195ba459b blockers=scope.signal opid=1 ocomm="systemd" Refactor and simplify error handling in LSM hooks. Extend struct landlock_file_security with fown_layer and use it to log the blocking domain. The struct aligned size is still 16 bytes. Cc: Günther Noack <gnoack@google.com> Cc: Tahera Fahimi <fahimitahera@gmail.com> Link: https://lore.kernel.org/r/20250320190717.2287696-17-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:38+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:06:58+00:00 urn:sha1:33e65b0d3add6bdc731e9298995cbbc979349f51 Add a new AUDIT_LANDLOCK_ACCESS record type dedicated to an access request denied by a Landlock domain. AUDIT_LANDLOCK_ACCESS indicates that something unexpected happened. For now, only denied access are logged, which means that any AUDIT_LANDLOCK_ACCESS record is always followed by a SYSCALL record with "success=no". However, log parsers should check this syscall property because this is the only sign that a request was denied. Indeed, we could have "success=yes" if Landlock would support a "permissive" mode. We could also add a new field to AUDIT_LANDLOCK_DOMAIN for this mode (see following commit). By default, the only logged access requests are those coming from the same executed program that enforced the Landlock restriction on itself. In other words, no audit record are created for a task after it called execve(2). This is required to avoid log spam because programs may only be aware of their own restrictions, but not the inherited ones. Following commits will allow to conditionally generate AUDIT_LANDLOCK_ACCESS records according to dedicated landlock_restrict_self(2)'s flags. The AUDIT_LANDLOCK_ACCESS message contains: - the "domain" ID restricting the action on an object, - the "blockers" that are missing to allow the requested access, - a set of fields identifying the related object (e.g. task identified with "opid" and "ocomm"). The blockers are implicit restrictions (e.g. ptrace), or explicit access rights (e.g. filesystem), or explicit scopes (e.g. signal). This field contains a list of at least one element, each separated with a comma. The initial blocker is "ptrace", which describe all implicit Landlock restrictions related to ptrace (e.g. deny tracing of tasks outside a sandbox). Add audit support to ptrace_access_check and ptrace_traceme hooks. For the ptrace_access_check case, we log the current/parent domain and the child task. For the ptrace_traceme case, we log the parent domain and the current/child task. Indeed, the requester and the target are the current task, but the action would be performed by the parent task. Audit event sample: type=LANDLOCK_ACCESS msg=audit(1729738800.349:44): domain=195ba459b blockers=ptrace opid=1 ocomm="systemd" type=SYSCALL msg=audit(1729738800.349:44): arch=c000003e syscall=101 success=no [...] pid=300 auid=0 A following commit adds user documentation. Add KUnit tests to check reading of domain ID relative to layer level. The quick return for non-landlocked tasks is moved from task_ptrace() to each LSM hooks. It is not useful to inline the audit_enabled check because other computation are performed by landlock_log_denial(). Use scoped guards for RCU read-side critical sections. Cc: Günther Noack <gnoack@google.com> Acked-by: Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20250320190717.2287696-10-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:37+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:06:56+00:00 urn:sha1:79625f1b3a3df63d3289a0781fdf121bc42966f7 This cosmetic change is needed for audit support, specifically to be able to filter according to cross-execution boundaries. struct landlock_file_security's size stay the same for now but it will increase with struct landlock_cred_security's size. Only save Landlock domain in hook_file_set_fowner() if the current domain has LANDLOCK_SCOPE_SIGNAL, which was previously done for each hook_file_send_sigiotask() calls. This should improve a bit performance. Replace hardcoded LANDLOCK_SCOPE_SIGNAL with the signal_scope.scope variable. Use scoped guards for RCU read-side critical sections. Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250320190717.2287696-8-mic@digikod.net Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:36+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:06:55+00:00 urn:sha1:8d20efa9dc6cb471b71fd388923753f767ab13ce This cosmetic change that is needed for audit support, specifically to be able to filter according to cross-execution boundaries. Replace hardcoded LANDLOCK_SCOPE_SIGNAL with the signal_scope.scope variable. Use scoped guards for RCU read-side critical sections. Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250320190717.2287696-7-mic@digikod.net [mic: Update headers] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-03-26T12:59:34+00:00 Mickaël Salaün mic@digikod.net 2025-03-20T19:06:52+00:00 urn:sha1:5b95b329befaf18020a0d3cd0223a90bd230eeb9 Create a new domain.h file containing the struct landlock_hierarchy definition and helpers. This type will grow with audit support. This also prepares for a new domain type. Cc: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20250320190717.2287696-4-mic@digikod.net Reviewed-by: Günther Noack <gnoack3000@gmail.com> Signed-off-by: Mickaël Salaün <mic@digikod.net>