Commit 90a855e7 authored by Linus Torvalds
Pull landlock fixes from Mickaël Salaün:
 "This fixes TCP handling, tests, documentation, non-audit elided code,
  and minor cosmetic changes"

* tag 'landlock-6.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  landlock: Clarify documentation for the IOCTL access right
  selftests/landlock: Properly close a file descriptor
  landlock: Improve the comment for domain_is_scoped
  selftests/landlock: Use scoped_base_variants.h for ptrace_test
  selftests/landlock: Fix missing semicolon
  selftests/landlock: Fix typo in fs_test
  landlock: Optimize stack usage when !CONFIG_AUDIT
  landlock: Fix spelling
  landlock: Clean up hook_ptrace_access_check()
  landlock: Improve erratum documentation
  landlock: Remove useless include
  landlock: Fix wrong type usage
  selftests/landlock: NULL-terminate unix pathname addresses
  selftests/landlock: Remove invalid unix socket bind()
  selftests/landlock: Add missing connect(minimal AF_UNSPEC) test
  selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
  landlock: Fix TCP handling of short AF_UNSPEC addresses
  landlock: Fix formatting
parents 6f32aa91 6abbb870
+17 −20
@@ -216,6 +216,23 @@ struct landlock_net_port_attr {
 *   :manpage:`ftruncate(2)`, :manpage:`creat(2)`, or :manpage:`open(2)` with
 *   ``O_TRUNC``.  This access right is available since the third version of the
 *   Landlock ABI.
 * - %LANDLOCK_ACCESS_FS_IOCTL_DEV: Invoke :manpage:`ioctl(2)` commands on an opened
 *   character or block device.
 *
 *   This access right applies to all `ioctl(2)` commands implemented by device
 *   drivers.  However, the following common IOCTL commands continue to be
 *   invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL_DEV right:
 *
 *   * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``),
 *   * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``),
 *   * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
 *     ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)
 *   * Some IOCTL commands which do not make sense when used with devices, but
 *     whose implementations are safe and return the right error codes
 *     (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)
 *
 *   This access right is available since the fifth version of the Landlock
 *   ABI.
 *
 * Whether an opened file can be truncated with :manpage:`ftruncate(2)` or used
 * with `ioctl(2)` is determined during :manpage:`open(2)`, in the same way as
@@ -275,26 +292,6 @@ struct landlock_net_port_attr {
 *   If multiple requirements are not met, the ``EACCES`` error code takes
 *   precedence over ``EXDEV``.
 *
 * The following access right applies both to files and directories:
 *
 * - %LANDLOCK_ACCESS_FS_IOCTL_DEV: Invoke :manpage:`ioctl(2)` commands on an opened
 *   character or block device.
 *
 *   This access right applies to all `ioctl(2)` commands implemented by device
 *   drivers.  However, the following common IOCTL commands continue to be
 *   invokable independent of the %LANDLOCK_ACCESS_FS_IOCTL_DEV right:
 *
 *   * IOCTL commands targeting file descriptors (``FIOCLEX``, ``FIONCLEX``),
 *   * IOCTL commands targeting file descriptions (``FIONBIO``, ``FIOASYNC``),
 *   * IOCTL commands targeting file systems (``FIFREEZE``, ``FITHAW``,
 *     ``FIGETBSZ``, ``FS_IOC_GETFSUUID``, ``FS_IOC_GETFSSYSFSPATH``)
 *   * Some IOCTL commands which do not make sense when used with devices, but
 *     whose implementations are safe and return the right error codes
 *     (``FS_IOC_FIEMAP``, ``FICLONE``, ``FICLONERANGE``, ``FIDEDUPERANGE``)
 *
 *   This access right is available since the fifth version of the Landlock
 *   ABI.
 *
 * .. warning::
 *
 *   It is currently not possible to restrict some file-related actions
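Review bot: The relocated IOCTL_DEV paragraph is inconsistent in its own markup: its first line references ``:manpage:`ioctl(2)` `` with the Sphinx role, while the "applies to all `ioctl(2)` commands implemented by device drivers" line a few lines below uses a bare backtick reference, so the rendered kernel-doc links the first mention and not the second. Since the commit's purpose is to clarify this paragraph, I would make the second mention use the :manpage: role as well, matching the first line of the paragraph. Whether the bare form was carried over verbatim from the removed copy is only inferable here, but the fix is the same either way.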
+1 −1
@@ -191,7 +191,7 @@ static size_t get_denied_layer(const struct landlock_ruleset *const domain,
	long youngest_layer = -1;

	for_each_set_bit(access_bit, &access_req, layer_masks_size) {
		const access_mask_t mask = (*layer_masks)[access_bit];
		const layer_mask_t mask = (*layer_masks)[access_bit];
		long layer;

		if (!mask)
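Review bot: The corrected declaration `const layer_mask_t mask = (*layer_masks)[access_bit];` is the only thing distinguishing a layer mask from an access mask at this site, and the old line compiled cleanly with the wrong typedef, so a one-line comment would stop the two from being confused again: `/* Bits of the layers that handled this access right, not an access mask. */`. If `layer_mask_t` is wider than `access_mask_t` (neither definition is in this hunk), the old declaration silently truncated the upper layer bits, which would have made the youngest-denying-layer computation below wrong for deep domain nestings; that is worth confirming so the fix's impact is understood. get_denied_layer continues past the end of the hunk.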
+1 −1
@@ -97,7 +97,7 @@ struct landlock_hierarchy {
	 */
	atomic64_t num_denials;
	/**
	 * @id: Landlock domain ID, sets once at domain creation time.
	 * @id: Landlock domain ID, set once at domain creation time.
	 */
	u64 id;
	/**
+1 −1
@@ -9,7 +9,7 @@
 * This fix addresses an issue where signal scoping was overly restrictive,
 * preventing sandboxed threads from signaling other threads within the same
 * process if they belonged to different domains.  Because threads are not
 * security boundaries, user space might assume that any thread within the same
 * security boundaries, user space might assume that all threads within the same
 * process can send signals between themselves (see :manpage:`nptl(7)` and
 * :manpage:`libpsx(3)`).  Consistent with :manpage:`ptrace(2)` behavior, direct
 * interaction between threads of the same process should always be allowed.
+11 −3
@@ -939,7 +939,12 @@ static bool is_access_to_paths_allowed(
	}
	path_put(&walker_path);

	if (!allowed_parent1) {
	/*
	 * Check CONFIG_AUDIT to enable elision of log_request_parent* and
	 * associated caller's stack variables thanks to dead code elimination.
	 */
#ifdef CONFIG_AUDIT
	if (!allowed_parent1 && log_request_parent1) {
		log_request_parent1->type = LANDLOCK_REQUEST_FS_ACCESS;
		log_request_parent1->audit.type = LSM_AUDIT_DATA_PATH;
		log_request_parent1->audit.u.path = *path;
@@ -949,7 +954,7 @@ static bool is_access_to_paths_allowed(
			ARRAY_SIZE(*layer_masks_parent1);
	}

	if (!allowed_parent2) {
	if (!allowed_parent2 && log_request_parent2) {
		log_request_parent2->type = LANDLOCK_REQUEST_FS_ACCESS;
		log_request_parent2->audit.type = LSM_AUDIT_DATA_PATH;
		log_request_parent2->audit.u.path = *path;
@@ -958,6 +963,8 @@ static bool is_access_to_paths_allowed(
		log_request_parent2->layer_masks_size =
			ARRAY_SIZE(*layer_masks_parent2);
	}
#endif /* CONFIG_AUDIT */

	return allowed_parent1 && allowed_parent2;
}

@@ -1314,7 +1321,8 @@ static void hook_sb_delete(struct super_block *const sb)
		 * second call to iput() for the same Landlock object.  Also
		 * checks I_NEW because such inode cannot be tied to an object.
		 */
		if (inode_state_read(inode) & (I_FREEING | I_WILL_FREE | I_NEW)) {
		if (inode_state_read(inode) &
		    (I_FREEING | I_WILL_FREE | I_NEW)) {
			spin_unlock(&inode->i_lock);
			continue;
		}
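Review bot: The new `if (!allowed_parent1 && log_request_parent1)` and `if (!allowed_parent2 && log_request_parent2)` tests in is_access_to_paths_allowed introduce a NULL-tolerant contract for the two log_request parameters that nothing in the hunk documents; the block comment above the `#ifdef CONFIG_AUDIT` only explains the stack-elision rationale. Presumably some caller now passes NULL when it does not want an audit record, otherwise the added NULL tests are dead, and that caller expectation is exactly what a future reader needs to know before removing them. I would extend the comment with `* log_request_parent1/2 may be NULL when the caller does not want an audit record; the NULL tests below carry that contract.` Kernel style also prefers `if (IS_ENABLED(CONFIG_AUDIT))` over `#ifdef` in .c files so the elided code keeps being type-checked, but that only works if the request fields written here exist without CONFIG_AUDIT, which this hunk does not show. The function's signature and kernel-doc are outside the hunk; the hook_sb_delete hunk below is formatting only.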