Commit c0d35086 authored by Linus Torvalds's avatar Linus Torvalds
Pull landlock fixes from Mickaël Salaün:
 "Fixes to TCP socket identification, documentation, and tests"

* tag 'landlock-6.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  selftests/landlock: Add binaries to .gitignore
  selftests/landlock: Test that MPTCP actions are not restricted
  selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP
  landlock: Fix non-TCP sockets restriction
  landlock: Minor typo and grammar fixes in IPC scoping documentation
  landlock: Fix grammar error
  selftests/landlock: Enable the new CONFIG_AF_UNIX_OOB
parents d62fdaf5 78332fdb
+3 −3
@@ -8,7 +8,7 @@ Landlock: unprivileged access control
=====================================

:Author: Mickaël Salaün
:Date: October 2024
:Date: January 2025

The goal of Landlock is to enable restriction of ambient rights (e.g. global
filesystem or network access) for a set of processes.  Because Landlock
@@ -329,7 +329,7 @@ non-sandboxed process, we can specify this restriction with
A sandboxed process can connect to a non-sandboxed process when its domain is
not scoped. If a process's domain is scoped, it can only connect to sockets
created by processes in the same scope.
Moreover, If a process is scoped to send signal to a non-scoped process, it can
Moreover, if a process is scoped to send signal to a non-scoped process, it can
only send signals to processes in the same scope.

A connected datagram socket behaves like a stream socket when its domain is
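Review bot: the sentence fixed here still reads "scoped to send signal to a non-scoped process"; while touching this line, "send signals" (plural, matching "only send signals" on the following line) would complete the grammar fix.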
+6 −2
@@ -268,7 +268,9 @@ struct landlock_net_port_attr {
 * ~~~~~~~~~~~~~~~~
 *
 * These flags enable to restrict a sandboxed process to a set of network
 * actions. This is supported since the Landlock ABI version 4.
 * actions.
 *
 * This is supported since Landlock ABI version 4.
 *
 * The following access rights apply to TCP port numbers:
 *
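Review bot: moving the ABI note into its own paragraph matches the existing "This is supported since Landlock ABI version 6." paragraph in the scope section further down, so the network and scope sections now read the same way; dropping "the" before "Landlock ABI version 4" also aligns the wording with that paragraph.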
@@ -291,11 +293,13 @@ struct landlock_net_port_attr {
 * Setting a flag for a ruleset will isolate the Landlock domain to forbid
 * connections to resources outside the domain.
 *
 * This is supported since Landlock ABI version 6.
 *
 * Scopes:
 *
 * - %LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET: Restrict a sandboxed process from
 *   connecting to an abstract UNIX socket created by a process outside the
 *   related Landlock domain (e.g. a parent domain or a non-sandboxed process).
 *   related Landlock domain (e.g., a parent domain or a non-sandboxed process).
 * - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a signal
 *   to another process outside the domain.
 */
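Review bot: adding the comma after "e.g." here makes the uapi header inconsistent with landlock.rst in this same pull, which keeps "(e.g. global filesystem or network access)" without the comma; pick one form for both files.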
+1 −2
@@ -63,8 +63,7 @@ static int current_check_access_socket(struct socket *const sock,
	if (WARN_ON_ONCE(dom->num_layers < 1))
		return -EACCES;

	/* Checks if it's a (potential) TCP socket. */
	if (sock->type != SOCK_STREAM)
	if (!sk_is_tcp(sock->sk))
		return 0;

	/* Checks for minimal header length to safely read sa_family. */
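Review bot: the comment above the new check still says "(potential) TCP socket", which described the old type-only test; since sk_is_tcp() also checks the protocol, the hedge is stale and "Checks if it's a TCP socket." would be accurate. The replacement also dereferences sock->sk where the old line only read sock->type, so it is worth confirming that every caller of current_check_access_socket() reaches this point with sock->sk set. The behavioural change itself is the intended one: SOCK_STREAM sockets that are not TCP (the MPTCP case covered by the selftest in this pull) are no longer subject to the TCP port rules.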
+1 −1
@@ -124,7 +124,7 @@ create_rule(const struct landlock_id id,
		return ERR_PTR(-ENOMEM);
	RB_CLEAR_NODE(&new_rule->node);
	if (is_object_pointer(id.type)) {
		/* This should be catched by insert_rule(). */
		/* This should have been caught by insert_rule(). */
		WARN_ON_ONCE(!id.key.object);
		landlock_get_object(id.key.object);
	}
+2 −0
/*_test
/sandbox-and-launch
/true
/wait-pipe
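Review bot: the rendering dropped the file header and the +/- markers, so which two of the four entries are the additions cannot be told from the hunk alone; the entries are all anchored with a leading slash and the /*_test glob already covers the test binaries, so only the helper binaries need explicit entries, which is what the list shows.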