Commit 30e26818 authored by Linus Torvalds's avatar Linus Torvalds
Pull landlock fixes from Mickaël Salaün:
 "Fix some Landlock audit issues, add related tests, and update
  documentation"

* tag 'landlock-6.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  landlock: Update log documentation
  landlock: Fix documentation for landlock_restrict_self(2)
  landlock: Fix documentation for landlock_create_ruleset(2)
  selftests/landlock: Add PID tests for audit records
  selftests/landlock: Factor out audit fixture in audit_test
  landlock: Log the TGID of the domain creator
  landlock: Remove incorrect warning
parents e72e9e69 47ce2af8
+57 −30
@@ -53,43 +53,70 @@ struct landlock_ruleset_attr {
	__u64 scoped;
};

/*
 * sys_landlock_create_ruleset() flags:
/**
 * DOC: landlock_create_ruleset_flags
 *
 * **Flags**
 *
 * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
 *   version.
 * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues.
 * %LANDLOCK_CREATE_RULESET_VERSION
 *     Get the highest supported Landlock ABI version (starting at 1).
 *
 * %LANDLOCK_CREATE_RULESET_ERRATA
 *     Get a bitmask of fixed issues for the current Landlock ABI version.
 */
/* clang-format off */
#define LANDLOCK_CREATE_RULESET_VERSION			(1U << 0)
#define LANDLOCK_CREATE_RULESET_ERRATA			(1U << 1)
/* clang-format on */

/*
 * sys_landlock_restrict_self() flags:
 *
 * - %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF: Do not create any log related to the
 *   enforced restrictions.  This should only be set by tools launching unknown
 *   or untrusted programs (e.g. a sandbox tool, container runtime, system
 *   service manager).  Because programs sandboxing themselves should fix any
 *   denied access, they should not set this flag to be aware of potential
 *   issues reported by system's logs (i.e. audit).
 * - %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON: Explicitly ask to continue
 *   logging denied access requests even after an :manpage:`execve(2)` call.
 *   This flag should only be set if all the programs than can legitimately be
 *   executed will not try to request a denied access (which could spam audit
 *   logs).
 * - %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF: Do not create any log related
 *   to the enforced restrictions coming from future nested domains created by
 *   the caller or its descendants.  This should only be set according to a
 *   runtime configuration (i.e. not hardcoded) by programs launching other
 *   unknown or untrusted programs that may create their own Landlock domains
 *   and spam logs.  The main use case is for container runtimes to enable users
 *   to mute buggy sandboxed programs for a specific container image.  Other use
 *   cases include sandboxer tools and init systems.  Unlike
 *   %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF,
 *   %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF does not impact the requested
 *   restriction (if any) but only the future nested domains.
/**
 * DOC: landlock_restrict_self_flags
 *
 * **Flags**
 *
 * By default, denied accesses originating from programs that sandbox themselves
 * are logged via the audit subsystem. Such events typically indicate unexpected
 * behavior, such as bugs or exploitation attempts. However, to avoid excessive
 * logging, access requests denied by a domain not created by the originating
 * program are not logged by default. The rationale is that programs should know
 * their own behavior, but not necessarily the behavior of other programs.  This
 * default configuration is suitable for most programs that sandbox themselves.
 * For specific use cases, the following flags allow programs to modify this
 * default logging behavior.
 *
 * The %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and
 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON flags apply to the newly created
 * Landlock domain.
 *
 * %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
 *     Disables logging of denied accesses originating from the thread creating
 *     the Landlock domain, as well as its children, as long as they continue
 *     running the same executable code (i.e., without an intervening
 *     :manpage:`execve(2)` call). This is intended for programs that execute
 *     unknown code without invoking :manpage:`execve(2)`, such as script
 *     interpreters. Programs that only sandbox themselves should not set this
 *     flag, so users can be notified of unauthorized access attempts via system
 *     logs.
 *
 * %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
 *     Enables logging of denied accesses after an :manpage:`execve(2)` call,
 *     providing visibility into unauthorized access attempts by newly executed
 *     programs within the created Landlock domain. This flag is recommended
 *     only when all potential executables in the domain are expected to comply
 *     with the access restrictions, as excessive audit log entries could make
 *     it more difficult to identify critical events.
 *
 * %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
 *     Disables logging of denied accesses originating from nested Landlock
 *     domains created by the caller or its descendants. This flag should be set
 *     according to runtime configuration, not hardcoded, to avoid suppressing
 *     important security events. It is useful for container runtimes or
 *     sandboxing tools that may launch programs which themselves create
 *     Landlock domains and could otherwise generate excessive logs. Unlike
 *     ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, this flag only affects
 *     future nested domains, not the one being created. It can also be used
 *     with a @ruleset_fd value of -1 to mute subdomain logs without creating a
 *     domain.
 */
/* clang-format off */
#define LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF		(1U << 0)
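Review bot: The cross-reference inside the new %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF entry is written as ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF`` (literal markup) while every other constant in the same DOC block, including the one it refers to a few lines earlier, uses the kernel-doc `%CONSTANT` form, so it renders differently and is not cross-linked. Changing that line to ` *     %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF, this flag only affects` keeps the markup uniform. The flag definitions following the comment continue past the end of the hunk.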
+2 −2
@@ -16,6 +16,7 @@
#include <linux/path.h>
#include <linux/pid.h>
#include <linux/sched.h>
#include <linux/signal.h>
#include <linux/uidgid.h>

#include "access.h"
@@ -99,8 +100,7 @@ static struct landlock_details *get_current_details(void)
		return ERR_PTR(-ENOMEM);

	memcpy(details->exe_path, path_str, path_size);
	WARN_ON_ONCE(current_cred() != current_real_cred());
	details->pid = get_pid(task_pid(current));
	details->pid = get_pid(task_tgid(current));
	details->uid = from_kuid(&init_user_ns, current_uid());
	get_task_comm(details->comm, current);
	return details;
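Review bot: The new `details->pid = get_pid(task_tgid(current));` stores a thread-group id in a field still named pid, and nothing at the assignment says why, so a later reader may well "fix" it back to task_pid(). A comment on that line such as `/* Audit records report the thread-group ID as pid=, so log the TGID rather than the calling thread's id. */` would pin the intent; I believe this matches how other audit records populate pid=, but that is worth confirming against the audit helpers. get_current_details() starts before the hunk, so I cannot see whether its kernel-doc mentions the identity being logged; if it does, it should be updated in the same way. The first hunk adds one include to the list, but the rendered page does not show which of the five it is, so I have not checked that it is the one the new symbol needs.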
+1 −1
@@ -130,7 +130,7 @@ int landlock_init_hierarchy_log(struct landlock_hierarchy *const hierarchy);
static inline void
landlock_free_hierarchy_details(struct landlock_hierarchy *const hierarchy)
{
	if (WARN_ON_ONCE(!hierarchy || !hierarchy->details))
	if (!hierarchy || !hierarchy->details)
		return;

	put_pid(hierarchy->details->pid);
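Review bot: With the WARN_ON_ONCE gone, a NULL `hierarchy->details` becomes a silently accepted state on the new `if (!hierarchy || !hierarchy->details)` line, but the code no longer says when that is expected, so the next reader cannot tell a legitimate early return from a masked bug. A short comment such as `/* details is NULL when no log state was initialized for this hierarchy; nothing to release. */` would record that; presumably this is the case when landlock_init_hierarchy_log() was not called or failed, which should be confirmed against the callers before wording it. landlock_free_hierarchy_details() continues past the end of the hunk.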
+13 −14
@@ -169,20 +169,16 @@ const int landlock_abi_version = 7;
 *        the new ruleset.
 * @size: Size of the pointed &struct landlock_ruleset_attr (needed for
 *        backward and forward compatibility).
 * @flags: Supported value:
 * @flags: Supported values:
 *
 *         - %LANDLOCK_CREATE_RULESET_VERSION
 *         - %LANDLOCK_CREATE_RULESET_ERRATA
 *
 * This system call enables to create a new Landlock ruleset, and returns the
 * related file descriptor on success.
 *
 * If @flags is %LANDLOCK_CREATE_RULESET_VERSION and @attr is NULL and @size is
 * 0, then the returned value is the highest supported Landlock ABI version
 * (starting at 1).
 *
 * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is
 * 0, then the returned value is a bitmask of fixed issues for the current
 * Landlock ABI version.
 * If %LANDLOCK_CREATE_RULESET_VERSION or %LANDLOCK_CREATE_RULESET_ERRATA is
 * set, then @attr must be NULL and @size must be 0.
 *
 * Possible returned errors are:
 *
@@ -191,6 +187,9 @@ const int landlock_abi_version = 7;
 * - %E2BIG: @attr or @size inconsistencies;
 * - %EFAULT: @attr or @size inconsistencies;
 * - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
 *
 * .. kernel-doc:: include/uapi/linux/landlock.h
 *     :identifiers: landlock_create_ruleset_flags
 */
SYSCALL_DEFINE3(landlock_create_ruleset,
		const struct landlock_ruleset_attr __user *const, attr,
@@ -461,9 +460,6 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
 * namespace or is running with no_new_privs.  This avoids scenarios where
 * unprivileged tasks can affect the behavior of privileged children.
 *
 * It is allowed to only pass the %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
 * flag with a @ruleset_fd value of -1.
 *
 * Possible returned errors are:
 *
 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
@@ -475,6 +471,9 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
 *   %CAP_SYS_ADMIN in its namespace.
 * - %E2BIG: The maximum number of stacked rulesets is reached for the current
 *   thread.
 *
 * .. kernel-doc:: include/uapi/linux/landlock.h
 *     :identifiers: landlock_restrict_self_flags
 */
SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
		flags)
+14 −7
@@ -300,14 +300,21 @@ static int audit_match_record(int audit_fd, const __u16 type,
	return err;
}

static int __maybe_unused matches_log_domain_allocated(int audit_fd,
static int __maybe_unused matches_log_domain_allocated(int audit_fd, pid_t pid,
						       __u64 *domain_id)
{
	return audit_match_record(
		audit_fd, AUDIT_LANDLOCK_DOMAIN,
		REGEX_LANDLOCK_PREFIX
		" status=allocated mode=enforcing pid=[0-9]\\+ uid=[0-9]\\+"
		" exe=\"[^\"]\\+\" comm=\".*_test\"$",
	static const char log_template[] = REGEX_LANDLOCK_PREFIX
		" status=allocated mode=enforcing pid=%d uid=[0-9]\\+"
		" exe=\"[^\"]\\+\" comm=\".*_test\"$";
	char log_match[sizeof(log_template) + 10];
	int log_match_len;

	log_match_len =
		snprintf(log_match, sizeof(log_match), log_template, pid);
	if (log_match_len > sizeof(log_match))
		return -E2BIG;

	return audit_match_record(audit_fd, AUDIT_LANDLOCK_DOMAIN, log_match,
				  domain_id);
}
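Review bot: The truncation check on the new `if (log_match_len > sizeof(log_match))` line is off by one: snprintf() returns the length the complete string would have had, excluding the terminator, so a return value equal to sizeof(log_match) already means one character was dropped and the regex passed to audit_match_record() is silently shortened. The comparison is also between a signed int and size_t, so a negative error return from snprintf() is rejected only by accident of the unsigned conversion. `if (log_match_len < 0 || (size_t)log_match_len >= sizeof(log_match)) return -E2BIG;` handles both cases explicitly. In practice the buffer reserves 10 spare bytes for the two-character `%d`, which covers any pid_t value, so the branch is defensive rather than reachable today, but the idiom should be correct since this helper is the obvious template for the other matchers.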
