Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git


landlock: Add backwards compatibility for restrict flags

Add backwards compatibility handling for the restrict flags introduced
in ABI version 7. This is shown as a separate code block (similar to
the ruleset_attr handling in the switch statement) because restrict flags
are passed to landlock_restrict_self() rather than being part of the
ruleset attributes.

Also fix misleading description of the /usr rule which incorrectly
stated it "only allow[s] reading" when the code actually allows both
reading and executing (LANDLOCK_ACCESS_FS_EXECUTE is included in
allowed_access).

Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20260128031814.2945394-2-samasth.norway.ananda@oracle.com
[mic: Rebased and fixed conflict]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

authored by Samasth Norway Ananda and committed by Mickaël Salaün
6100f290 d90ba69e

+23 -9
Documentation/userspace-api/landlock.rst
··· 8 8 ===================================== 9 9 10 10 :Author: Mickaël Salaün 11 - :Date: November 2025 11 + :Date: January 2026 12 12 13 13 The goal of Landlock is to enable restriction of ambient rights (e.g. global 14 14 filesystem or network access) for a set of processes. Because Landlock ··· 142 142 } 143 143 144 144 We can now add a new rule to this ruleset thanks to the returned file 145 - descriptor referring to this ruleset. The rule will only allow reading the 146 - file hierarchy ``/usr``. Without another rule, write actions would then be 147 - denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the 148 - ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file 149 - descriptor. 145 + descriptor referring to this ruleset. The rule will allow reading and 146 + executing the file hierarchy ``/usr``. Without another rule, write actions 147 + would then be denied by the ruleset. To add ``/usr`` to the ruleset, we open 148 + it with the ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with 149 + this file descriptor. 150 150 151 151 .. code-block:: c 152 152 ··· 191 191 err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, 192 192 &net_port, 0); 193 193 194 + When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a 195 + similar backwards compatibility check is needed for the restrict flags 196 + (see sys_landlock_restrict_self() documentation for available flags): 197 + 198 + .. code-block:: c 199 + 200 + __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON; 201 + if (abi < 7) { 202 + /* Clear logging flags unsupported before ABI 7. */ 203 + restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF | 204 + LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON | 205 + LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF); 206 + } 207 + 194 208 The next step is to restrict the current thread from gaining more privileges 195 209 (e.g. through a SUID binary). 
We now have a ruleset with the first rule 196 - allowing read access to ``/usr`` while denying all other handled accesses for 197 - the filesystem, and a second rule allowing HTTPS connections. 210 + allowing read and execute access to ``/usr`` while denying all other handled 211 + accesses for the filesystem, and a second rule allowing HTTPS connections. 198 212 199 213 .. code-block:: c 200 214 ··· 222 208 223 209 .. code-block:: c 224 210 225 - if (landlock_restrict_self(ruleset_fd, 0)) { 211 + if (landlock_restrict_self(ruleset_fd, restrict_flags)) { 226 212 perror("Failed to enforce ruleset"); 227 213 close(ruleset_fd); 228 214 return 1;
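Review bot: the new paragraph introducing the restrict-flags code block says a backwards compatibility check "is needed" but never states the consequence of omitting it, which is the point a reader porting the example to an older kernel actually needs: landlock_restrict_self() rejects flags the running kernel does not know, so the call fails rather than silently ignoring the unsupported logging options, and after this block clears them on ABI < 7 the program runs without the exec logging instead of failing. One sentence to that effect, right after "a similar backwards compatibility check is needed for the restrict flags", would make the trade-off explicit. Also, `restrict_flags` is declared in this block but only consumed in the later `landlock_restrict_self(ruleset_fd, restrict_flags)` block; since the rendered documentation presents these as separate snippets, a short note that the variable must be in scope at the final call (and that `__u32` matches the syscall's flags argument) would avoid a copy-paste compile error.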