From: Justin Suess
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Justin Suess, Jan Kara, Abhinav Saxena, linux-security-module@vger.kernel.org
Subject: [PATCH v4 3/5] samples/landlock: Add LANDLOCK_ADD_RULE_NO_INHERIT to landlock-sandboxer
Date: Sat, 6 Dec 2025 20:51:29 -0500
Message-ID: <20251207015132.800576-4-utilityemal77@gmail.com>
In-Reply-To: <20251207015132.800576-1-utilityemal77@gmail.com>
References: <20251207015132.800576-1-utilityemal77@gmail.com>

Adds support to landlock-sandboxer with environment variable
LL_FS_NO_INHERIT, which can be tagged on any filesystem object to
suppress access right inheritance.

v3..v4 changes:

  * Modified LL_FS_R(O/W)_NO_INHERIT variables to a single variable to
    allow access rule combination. (credit to Tingmao Wang)

v2..v3 changes:

  * Minor formatting fixes

Cc: Tingmao Wang
Signed-off-by: Justin Suess
---
 samples/landlock/sandboxer.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c index 07dc0013ff19..852ffa413c75 100644 --- a/samples/landlock/sandboxer.c +++ b/samples/landlock/sandboxer.c 
@@ -60,6 +60,7 @@ static inline int landlock_restrict_self(const int ruleset_fd, #define ENV_FS_RW_NAME "LL_FS_RW" #define ENV_FS_QUIET_NAME "LL_FS_QUIET" #define ENV_FS_QUIET_ACCESS_NAME "LL_FS_QUIET_ACCESS" +#define ENV_FS_NO_INHERIT_NAME "LL_FS_NO_INHERIT" #define ENV_TCP_BIND_NAME "LL_TCP_BIND" #define ENV_TCP_CONNECT_NAME "LL_TCP_CONNECT" #define ENV_NET_QUIET_NAME "LL_NET_QUIET" @@ -383,6 +384,7 @@ static const char help[] = "but to test audit we can set " ENV_FORCE_LOG_NAME "=1\n" ENV_FS_QUIET_NAME " and " ENV_NET_QUIET_NAME ", both optional, can then be used " "to make access to some denied paths or network ports not trigger audit logging.\n" + ENV_FS_NO_INHERIT_NAME " can be used to suppress access right propagation (ABI >= 8).\n" ENV_FS_QUIET_ACCESS_NAME " and " ENV_NET_QUIET_ACCESS_NAME " can be used to specify " "which accesses should be quieted (defaults to all):\n" "* " ENV_FS_QUIET_ACCESS_NAME ": file system accesses to quiet\n" @@ -430,6 +432,7 @@ int main(const int argc, char *const argv[], char *const *const envp) }; bool quiet_supported = true; + bool no_inherit_supported = true; int supported_restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON; int set_restrict_flags = 0; @@ -517,8 +520,9 @@ int main(const int argc, char *const argv[], char *const *const envp) LANDLOCK_ABI_LAST, abi); __attribute__((fallthrough)); case 7: - /* Don't add quiet flags for ABI < 8 later on. */ + /* Don't add quiet/no_inherit flags for ABI < 8 later on. */ quiet_supported = false; + no_inherit_supported = false; __attribute__((fallthrough)); case LANDLOCK_ABI_LAST: 
@@ -605,6 +609,13 @@ int main(const int argc, char *const argv[], char *const *const envp) goto err_close_ruleset; } + /* Don't require this env to be present. */ + if (no_inherit_supported && getenv(ENV_FS_NO_INHERIT_NAME)) { + if (populate_ruleset_fs(ENV_FS_NO_INHERIT_NAME, ruleset_fd, 0, + LANDLOCK_ADD_RULE_NO_INHERIT)) + goto err_close_ruleset; + } + if (populate_ruleset_net(ENV_TCP_BIND_NAME, ruleset_fd, LANDLOCK_ACCESS_NET_BIND_TCP, 0)) { goto err_close_ruleset; -- 2.51.0
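
Review bot: In the help-text hunk (@@ -383,6 +384,7), the new ENV_FS_NO_INHERIT_NAME line is placed between the sentence introducing ENV_FS_QUIET_NAME / ENV_NET_QUIET_NAME and the sentence about ENV_FS_QUIET_ACCESS_NAME, so it interrupts the quiet-flag documentation. Move it after the quiet-access list, and have it state that the variable is optional (the quiet sentence above it says "both optional") and what value format it takes; "can be used to suppress access right propagation (ABI >= 8)" alone does not tell a user what to put in it.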
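
Review bot: In the last hunk (@@ -605,6 +609,13), `if (no_inherit_supported && getenv(ENV_FS_NO_INHERIT_NAME))` skips the rule without any message when the ABI is below 8, so a user who set LL_FS_NO_INHERIT gets a sandbox in which inheritance is still in effect and nothing names the ignored variable. For a sandboxing sample, either print a warning to stderr that names ENV_FS_NO_INHERIT_NAME or fail when the variable is set but unsupported. On style, the inner if has no braces while the populate_ruleset_net() call right after it braces its single goto; folding both conditions into one braced if would match the surrounding code.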