From 6100f2904e0ea1f2c832ab6e93573fae47d3b13e Mon Sep 17 00:00:00 2001 From: Samasth Norway Ananda Date: Tue, 27 Jan 2026 19:18:10 -0800 Subject: [PATCH] landlock: Add backwards compatibility for restrict flags MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Add backwards compatibility handling for the restrict flags introduced in ABI version 7. This is shown as a separate code block (similar to the ruleset_attr handling in the switch statement) because restrict flags are passed to landlock_restrict_self() rather than being part of the ruleset attributes. Also fix misleading description of the /usr rule which incorrectly stated it "only allow[s] reading" when the code actually allows both reading and executing (LANDLOCK_ACCESS_FS_EXECUTE is included in allowed_access). Signed-off-by: Samasth Norway Ananda Reviewed-by: Günther Noack Link: https://lore.kernel.org/r/20260128031814.2945394-2-samasth.norway.ananda@oracle.com [mic: Rebased and fixed conflict] Signed-off-by: Mickaël Salaün --- Documentation/userspace-api/landlock.rst | 32 +++++++++++++++++------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 90bb0778666d..2c1af0c930d4 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -8,7 +8,7 @@ Landlock: unprivileged access control ===================================== :Author: Mickaël Salaün -:Date: November 2025 +:Date: January 2026 The goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock @@ -142,11 +142,11 @@ This enables the creation of an inclusive ruleset that will contain our rules. } We can now add a new rule to this ruleset thanks to the returned file -descriptor referring to this ruleset. The rule will only allow reading the -file hierarchy ``/usr``. Without another rule, write actions would then be -denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the -``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file -descriptor. +descriptor referring to this ruleset. The rule will allow reading and +executing the file hierarchy ``/usr``. Without another rule, write actions +would then be denied by the ruleset. To add ``/usr`` to the ruleset, we open +it with the ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with +this file descriptor. .. code-block:: c @@ -191,10 +191,24 @@ number for a specific action: HTTPS connections. err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, &net_port, 0); +When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a +similar backwards compatibility check is needed for the restrict flags +(see sys_landlock_restrict_self() documentation for available flags): + +.. code-block:: c + + __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON; + if (abi < 7) { + /* Clear logging flags unsupported before ABI 7. */ + restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF | + LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON | + LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF); + } + The next step is to restrict the current thread from gaining more privileges (e.g. through a SUID binary). We now have a ruleset with the first rule -allowing read access to ``/usr`` while denying all other handled accesses for -the filesystem, and a second rule allowing HTTPS connections. +allowing read and execute access to ``/usr`` while denying all other handled +accesses for the filesystem, and a second rule allowing HTTPS connections. .. code-block:: c @@ -208,7 +222,7 @@ The current thread is now ready to sandbox itself with the ruleset. .. code-block:: c - if (landlock_restrict_self(ruleset_fd, 0)) { + if (landlock_restrict_self(ruleset_fd, restrict_flags)) { perror("Failed to enforce ruleset"); close(ruleset_fd); return 1; -- 2.47.3