Commit 35e886e8 authored by Linus Torvalds
Pull landlock updates from Mickaël Salaün:
 "Some miscellaneous improvements, including new KUnit tests, extended
  documentation and boot help, and some cosmetic cleanups.

  Additional test changes already went through the net tree"

* tag 'landlock-6.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  samples/landlock: Don't error out if a file path cannot be opened
  landlock: Use f_cred in security_file_open() hook
  landlock: Rename "ptrace" files to "task"
  landlock: Simplify current_check_access_socket()
  landlock: Warn once if a Landlock action is requested while disabled
  landlock: Extend documentation for kernel support
  landlock: Add support for KUnit tests
  selftests/landlock: Clean up error logs related to capabilities
parents 29da654b a17c60e5
+52 −7
@@ -19,11 +19,12 @@ unexpected/malicious behaviors in user space applications. Landlock empowers
any process, including unprivileged ones, to securely restrict themselves.

We can quickly make sure that Landlock is enabled in the running system by
looking for "landlock: Up and running" in kernel logs (as root): ``dmesg | grep
landlock || journalctl -kg landlock`` .  Developers can also easily check for
Landlock support with a :ref:`related system call <landlock_abi_versions>`.  If
Landlock is not currently supported, we need to :ref:`configure the kernel
appropriately <kernel_support>`.
looking for "landlock: Up and running" in kernel logs (as root):
``dmesg | grep landlock || journalctl -kb -g landlock`` .
Developers can also easily check for Landlock support with a
:ref:`related system call <landlock_abi_versions>`.
If Landlock is not currently supported, we need to
:ref:`configure the kernel appropriately <kernel_support>`.

Landlock rules
==============
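Review bot: in the rewrapped paragraph, ``dmesg | grep landlock || journalctl -kb -g landlock`` runs the ``journalctl`` fallback whenever ``grep`` finds nothing, not only when ``dmesg`` is unreadable, so an empty result from both commands means Landlock is not enabled rather than that the check itself failed; one sentence saying so (and that ``-kb`` limits the search to the current boot's kernel messages) would make the check unambiguous. The one-sentence-per-line rewrap is otherwise welcome, since it keeps future diffs of this paragraph small.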
@@ -499,6 +500,9 @@ access rights.
Kernel support
==============

Build time configuration
------------------------

Landlock was first introduced in Linux 5.13 but it must be configured at build
time with ``CONFIG_SECURITY_LANDLOCK=y``.  Landlock must also be enabled at boot
time as the other security modules.  The list of security modules enabled by
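Review bot: the context line "Landlock must also be enabled at boot time as the other security modules" reads as an unfinished comparison and should be "like the other security modules" (or "as are the other security modules"); since this hunk already touches the surrounding text, it is a good opportunity to fix it. The new "Build time configuration" subsection heading is consistent with the "Boot time configuration" and "Network support" subsections that follow it.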
@@ -507,11 +511,52 @@ contains ``CONFIG_LSM=landlock,[...]`` with ``[...]`` as the list of other
potentially useful security modules for the running system (see the
``CONFIG_LSM`` help).

Boot time configuration
-----------------------

If the running kernel does not have ``landlock`` in ``CONFIG_LSM``, then we can
still enable it by adding ``lsm=landlock,[...]`` to
Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader
enable Landlock by adding ``lsm=landlock,[...]`` to
Documentation/admin-guide/kernel-parameters.rst in the boot loader
configuration.

For example, if the current built-in configuration is:

.. code-block:: console

    $ zgrep -h "^CONFIG_LSM=" "/boot/config-$(uname -r)" /proc/config.gz 2>/dev/null
    CONFIG_LSM="lockdown,yama,integrity,apparmor"

...and if the cmdline doesn't contain ``landlock`` either:

.. code-block:: console

    $ sed -n 's/.*\(\<lsm=\S\+\).*/\1/p' /proc/cmdline
    lsm=lockdown,yama,integrity,apparmor

...we should configure the boot loader to set a cmdline extending the ``lsm``
list with the ``landlock,`` prefix::

  lsm=landlock,lockdown,yama,integrity,apparmor

After a reboot, we can check that Landlock is up and running by looking at
kernel logs:

.. code-block:: console

    # dmesg | grep landlock || journalctl -kb -g landlock
    [    0.000000] Command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
    [    0.000000] Kernel command line: [...] lsm=landlock,lockdown,yama,integrity,apparmor
    [    0.000000] LSM: initializing lsm=lockdown,capability,landlock,yama,integrity,apparmor
    [    0.000000] landlock: Up and running.

The kernel may be configured at build time to always load the ``lockdown`` and
``capability`` LSMs.  In that case, these LSMs will appear at the beginning of
the ``LSM: initializing`` log line as well, even if they are not configured in
the boot loader.

Network support
---------------

To be able to explicitly allow TCP operations (e.g., adding a network rule with
``LANDLOCK_ACCESS_NET_BIND_TCP``), the kernel must support TCP
(``CONFIG_INET=y``).  Otherwise, sys_landlock_add_rule() returns an
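Review bot: the boot-time example covers a cmdline that already carries an ``lsm=`` list but not the common case where ``/proc/cmdline`` has no ``lsm=`` at all; there the ``sed`` command prints nothing and the ``CONFIG_LSM`` value from the first command is the list to extend, so a sentence handling that case would stop readers from pasting an empty list. It is also worth stating why the text says to extend rather than replace the list: ``lsm=`` overrides ``CONFIG_LSM``, so any module left out of it (apart from the always-loaded ones described in the last paragraph of this hunk) is disabled at boot, which is a security regression rather than a no-op. Minor: the ``sed`` expression relies on GNU extensions (``\<``, ``\S``, ``\+``), and ``/proc/config.gz`` only exists with ``CONFIG_IKCONFIG_PROC``, which is why the ``/boot/config-$(uname -r)`` fallback in the ``zgrep`` line matters.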
+8 −5
// SPDX-License-Identifier: BSD-3-Clause
/*
 * Simple Landlock sandbox manager able to launch a process restricted by a
 * user-defined filesystem access control policy.
 * Simple Landlock sandbox manager able to execute a process restricted by
 * user-defined file system and network access control policies.
 *
 * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
 * Copyright © 2020 ANSSI
@@ -120,9 +120,11 @@ static int populate_ruleset_fs(const char *const env_var, const int ruleset_fd,
		if (path_beneath.parent_fd < 0) {
			fprintf(stderr, "Failed to open \"%s\": %s\n",
				path_list[i], strerror(errno));
			goto out_free_name;
			continue;
		}
		if (fstat(path_beneath.parent_fd, &statbuf)) {
			fprintf(stderr, "Failed to stat \"%s\": %s\n",
				path_list[i], strerror(errno));
			close(path_beneath.parent_fd);
			goto out_free_name;
		}
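Review bot: the open-failure branch now does `continue` while the `fstat` failure a few lines below still does `goto out_free_name`, so a path that can be opened but not stat'ed aborts the whole sandboxer although an unopenable one is merely skipped; either make the `fstat` branch `close(path_beneath.parent_fd); continue;` as well or document why the two cases differ. Skipping an unopenable path is the safe direction, since the path never enters the ruleset and the sandboxed command gets no access to it, but the stderr message is now the only signal that a requested path was dropped, so keeping that message (as the hunk does) is important.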
@@ -227,7 +229,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
			ENV_FS_RO_NAME, ENV_FS_RW_NAME, ENV_TCP_BIND_NAME,
			ENV_TCP_CONNECT_NAME, argv[0]);
		fprintf(stderr,
			"Launch a command in a restricted environment.\n\n");
			"Execute a command in a restricted environment.\n\n");
		fprintf(stderr,
			"Environment variables containing paths and ports "
			"each separated by a colon:\n");
@@ -248,7 +250,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
			ENV_TCP_CONNECT_NAME);
		fprintf(stderr,
			"\nexample:\n"
			"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
			"%s=\"${PATH}:/lib:/usr:/proc:/etc:/dev/urandom\" "
			"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
			"%s=\"9418\" "
			"%s=\"80:443\" "
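Review bot: the example now substitutes `${PATH}` into the read-only list, which only works because the earlier hunk in this file makes the sandboxer skip entries it cannot open (`PATH` routinely contains directories that do not exist on a given machine); a short remark in the usage text that missing paths are skipped would make that dependency explicit. Since the variable is colon separated, every `PATH` entry is passed through as-is and becomes a read-only path in the ruleset, which only widens what the sandboxed command can read, never what it can write.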
@@ -383,6 +385,7 @@ int main(const int argc, char *const argv[], char *const *const envp)

	cmd_path = argv[1];
	cmd_argv = argv + 1;
	fprintf(stderr, "Executing the sandboxed command...\n");
	execvpe(cmd_path, cmd_argv, envp);
	fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path,
		strerror(errno));
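Review bot: the new "Executing the sandboxed command..." message goes to stderr just before `execvpe()`, which is the right stream (it does not pollute the command's stdout), but it is printed unconditionally; including `cmd_path` in it, as the failure message on the following line already does, would make the line self-explanatory when several sandboxer invocations are interleaved.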
+4 −0
CONFIG_KUNIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y
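Review bot: `CONFIG_KUNIT=y` (rather than `=m`) matches the `depends on KUNIT=y` line in the Kconfig entry added in the same series, and `CONFIG_SECURITY=y` is needed because `SECURITY_LANDLOCK` lives under `SECURITY`. The fragment does not set `CONFIG_LSM`, which is fine as long as the KUnit tests call internal Landlock functions directly rather than relying on the LSM being registered at boot; a one-line comment stating that would spare the next reader the question.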
+15 −0
@@ -20,3 +20,18 @@ config SECURITY_LANDLOCK
	  If you are unsure how to answer this question, answer N.  Otherwise,
	  you should also prepend "landlock," to the content of CONFIG_LSM to
	  enable Landlock at boot time.

config SECURITY_LANDLOCK_KUNIT_TEST
	bool "KUnit tests for Landlock" if !KUNIT_ALL_TESTS
	depends on KUNIT=y
	depends on SECURITY_LANDLOCK
	default KUNIT_ALL_TESTS
	help
	  Build KUnit tests for Landlock.

	  See the KUnit documentation in Documentation/dev-tools/kunit

	  Run all KUnit tests for Landlock with:
	  ./tools/testing/kunit/kunit.py run --kunitconfig security/landlock

	  If you are unsure how to answer this question, answer N.
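Review bot: the help text explains how to run the tests but not that the option is meant for development kernels only; other KUnit test options in the tree usually add a sentence that the tests are for kernel developers running the KUnit harness and are not intended for production builds, and the same wording would fit here, especially since `default KUNIT_ALL_TESTS` turns the option on automatically once `KUNIT_ALL_TESTS` is set. The run command matches the `.kunitconfig` added alongside, and `depends on KUNIT=y` correctly rules out a modular KUnit, which a bool-only LSM test cannot use.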
+1 −1
obj-$(CONFIG_SECURITY_LANDLOCK) := landlock.o

landlock-y := setup.o syscalls.o object.o ruleset.o \
	cred.o ptrace.o fs.o
	cred.o task.o fs.o

landlock-$(CONFIG_INET) += net.o
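Review bot: `ptrace.o` to `task.o` matches the commit "landlock: Rename "ptrace" files to "task"", but this hunk only shows the object rename; the source file, its header and every `#include` of the old header must move in the same commit, otherwise a bisect landing on this Makefile change fails to build. Those renames are not visible in this view, so please confirm they are part of the same commit.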