git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Mickaël Salaün <mic@digikod.net>
	Wed, 13 May 2026 18:03:08 +0000 (20:03 +0200)
committer	Mickaël Salaün <mic@digikod.net>
	Sat, 13 Jun 2026 21:14:58 +0000 (23:14 +0200)
commit	b232bd12789fa57405b5092f28788be97aae9999
tree	97e44f8251686a90504b1f8afa9c08063c5e8ef1	tree \| snapshot
parent	d936e1a9170f9cadaa5f37586b1dfe6f20f98799	commit \| diff

landlock: Account all audit data allocations to user space

Mark the kzalloc_flex() of struct landlock_details with
GFP_KERNEL_ACCOUNT so the allocation is charged to the calling task,
like the other Landlock per-domain allocations which have used
GFP_KERNEL_ACCOUNT forever.

Every property of landlock_details is caller-attributable: allocated by
landlock_restrict_self(2), owned by the caller's landlock_hierarchy,
contents are the caller's pid, uid, comm, and exe_path, lifetime bounded
by the caller's domain. While the caller may not know nor control the
size of this allocation (i.e. exe_path), this data should still be
accounted for it.

The deciding factor is whether userspace can trigger the allocation, not
whether the size of the data is known nor controlled by the caller.
This aligns with the kmemcg accounting policy established by commit
5d097056c9a0 ("kmemcg: account certain kmem allocations to memcg").

No new failure modes: the hierarchy and ruleset are allocated before
details and are already accounted, so landlock_restrict_self(2) already
returns -ENOMEM under memcg pressure. This change widens that existing
failure window slightly; it does not introduce a new error code.

Cc: Günther Noack <gnoack@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: stable@vger.kernel.org
Fixes: 1d636984e088 ("landlock: Add AUDIT_LANDLOCK_DOMAIN and log domain status")
Link: https://patch.msgid.link/20260513180309.165840-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

security/landlock/domain.c		diff \| blob \| blame \| history
security/landlock/domain.h		diff \| blob \| blame \| history