diff options
| author | Mark Brown <broonie@kernel.org> | 2026-05-30 00:25:53 +0100 |
|---|---|---|
| committer | Mark Brown <broonie@kernel.org> | 2026-05-30 00:25:53 +0100 |
| commit | cd9f27bc50e764e91f3014a851d97872a7fd6544 (patch) | |
| tree | b04afc6e4aa509a08c8918cac9017ce383dd6b95 /Documentation | |
| parent | faa2be6c7cb758bb167e23978bbf3f93a1740b8c (diff) | |
| parent | fe7832557561ed6312563368854d5f8df1fa55e3 (diff) | |
| download | linux-next-history-cd9f27bc50e764e91f3014a851d97872a7fd6544.tar.gz | |
Merge branch 'next' of https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/userspace-api/landlock.rst | 48 |
1 files changed, 27 insertions, 21 deletions
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index fd8b78c31f2fe..45861fa75685b 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -8,7 +8,7 @@ Landlock: unprivileged access control ===================================== :Author: Mickaël Salaün -:Date: March 2026 +:Date: May 2026 The goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock @@ -155,7 +155,7 @@ this file descriptor. .. code-block:: c - int err; + int err = 0; struct landlock_path_beneath_attr path_beneath = { .allowed_access = LANDLOCK_ACCESS_FS_EXECUTE | @@ -163,25 +163,29 @@ this file descriptor. LANDLOCK_ACCESS_FS_READ_DIR, }; - path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); - if (path_beneath.parent_fd < 0) { - perror("Failed to open file"); - close(ruleset_fd); - return 1; - } - err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, - &path_beneath, 0); - close(path_beneath.parent_fd); - if (err) { - perror("Failed to update ruleset"); - close(ruleset_fd); - return 1; + path_beneath.allowed_access &= ruleset_attr.handled_access_fs; + if (path_beneath.allowed_access) { + path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC); + if (path_beneath.parent_fd < 0) { + perror("Failed to open file"); + close(ruleset_fd); + return 1; + } + err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, + &path_beneath, 0); + close(path_beneath.parent_fd); + if (err) { + perror("Failed to update ruleset"); + close(ruleset_fd); + return 1; + } } -It may also be required to create rules following the same logic as explained -for the ruleset creation, by filtering access rights according to the Landlock -ABI version. In this example, this is not required because all of the requested -``allowed_access`` rights are already available in ABI 1. +As shown above, masking the rule's ``allowed_access`` against the ruleset's +``handled_access_*`` is the recommended best-effort pattern: rights the running +kernel does not support are dropped (the compatibility switch above already +cleared them in ``handled_access_*``), and the rule is skipped if no supported +right remains. For network access-control, we can add a set of rules that allow to use a port number for a specific action: HTTPS connections. @@ -193,8 +197,10 @@ number for a specific action: HTTPS connections. .port = 443, }; - err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, - &net_port, 0); + net_port.allowed_access &= ruleset_attr.handled_access_net; + if (net_port.allowed_access) + err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT, + &net_port, 0); When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a similar backwards compatibility check is needed for the restrict flags |