[PATCH 0/5] Landlock: Test, comment and doc improvements

[PATCH 0/5] Landlock: Test, comment and doc improvements

[Tingmao Wang]

Hi,

This series contains various unrelated improvements I stashed while
working on pathname Unix socket scopes (I will send the series for that
tomorrow).  Only test/comment/doc changes.

I was planning to include this in the upcoming Unix socket scope series
but I thought maybe it would be better to send them separately, as they
would be unrelated to the main topic of that series.

Tingmao Wang (5):
  selftests/landlock: Fix typo in fs_test
  selftests/landlock: Fix missing semicolon
  Documentation/landlock: Fix missing case for ABI 6 in downgrade
    example
  selftests/landlock: Use scoped_base_variants.h for ptrace_test
  landlock: Improve the comment for domain_is_scoped

 Documentation/userspace-api/landlock.rst      |   6 +
 security/landlock/task.c                      |   9 +-
 tools/testing/selftests/landlock/fs_test.c    |   4 +-
 .../testing/selftests/landlock/ptrace_test.c  | 154 +-----------------
 .../landlock/scoped_abstract_unix_test.c      |   2 +-
 .../selftests/landlock/scoped_base_variants.h |   9 +-
 6 files changed, 26 insertions(+), 158 deletions(-)


base-commit: 161db1810f3625e97ab414908dbcf4b2ab73c309
-- 
2.52.0

[PATCH 1/5] selftests/landlock: Fix typo in fs_test

[Tingmao Wang]

Fixes: 316d06b01130 ("selftests/landlock: Add audit tests for filesystem")
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
 tools/testing/selftests/landlock/fs_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index 76491ba54dce..37a5a3df712e 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -7069,8 +7069,8 @@ static int matches_log_fs_extra(struct __test_metadata *const _metadata,
 		return -E2BIG;
 
 	/*
-	 * It is assume that absolute_path does not contain control characters nor
-	 * spaces, see audit_string_contains_control().
+	 * It is assumed that absolute_path does not contain control
+	 * characters nor spaces, see audit_string_contains_control().
 	 */
 	absolute_path = realpath(path, NULL);
 	if (!absolute_path)
-- 
2.52.0

[PATCH 2/5] selftests/landlock: Fix missing semicolon

[Tingmao Wang]

Add missing semicolon after EXPECT_EQ(0, close(stream_server_child)) in
the scoped_vs_unscoped test.  I suspect currently it's just not executing
the close statement after the line, but this causes no observable
difference.

Fixes: fefcf0f7cf47 ("selftests/landlock: Test abstract UNIX socket scoping")
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
 tools/testing/selftests/landlock/scoped_abstract_unix_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
index 2cdf1ba07016..72f97648d4a7 100644
--- a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
+++ b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
@@ -543,7 +543,7 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
 
 		ASSERT_EQ(1, write(pipe_child[1], ".", 1));
 		ASSERT_EQ(grand_child, waitpid(grand_child, &status, 0));
-		EXPECT_EQ(0, close(stream_server_child))
+		EXPECT_EQ(0, close(stream_server_child));
 		EXPECT_EQ(0, close(dgram_server_child));
 		return;
 	}
-- 
2.52.0

[PATCH 3/5] Documentation/landlock: Fix missing case for ABI 6 in downgrade example

[Tingmao Wang]

Note that this code is different from the one in sandboxer.c since
sandboxer won't ever add LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF.

Fixes: 12bfcda73ac2 ("landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags")
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
 Documentation/userspace-api/landlock.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 1d0c2c15c22e..903d2ad11852 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -127,6 +127,12 @@ version, and only use the available subset of access rights:
         /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
         ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
                                  LANDLOCK_SCOPE_SIGNAL);
+        __attribute__((fallthrough));
+    case 6:
+        /* Removes LANDLOCK_RESTRICT_SELF_LOG_* for ABI < 7 */
+        supported_restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
+                                      LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
+                                      LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
     }
 
 This enables the creation of an inclusive ruleset that will contain our rules.
-- 
2.52.0

[PATCH 4/5] selftests/landlock: Use scoped_base_variants.h for ptrace_test

[Tingmao Wang]

ptrace_test.c currently contains a duplicated version of the
scoped_domains fixture variants.  This patch removes that and make it use
the shared scoped_base_variants.h instead, like in
scoped_abstract_unix_test and scoped_signal_test.

This required renaming the hierarchy fixture to scoped_domains, but the
test is otherwise the same.

Cc: Tahera Fahimi <fahimitahera@gmail.com>
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
 .../testing/selftests/landlock/ptrace_test.c  | 154 +-----------------
 .../selftests/landlock/scoped_base_variants.h |   9 +-
 2 files changed, 12 insertions(+), 151 deletions(-)

diff --git a/tools/testing/selftests/landlock/ptrace_test.c b/tools/testing/selftests/landlock/ptrace_test.c
index 4e356334ecb7..4f64c90583cd 100644
--- a/tools/testing/selftests/landlock/ptrace_test.c
+++ b/tools/testing/selftests/landlock/ptrace_test.c
@@ -86,16 +86,9 @@ static int get_yama_ptrace_scope(void)
 }
 
 /* clang-format off */
-FIXTURE(hierarchy) {};
+FIXTURE(scoped_domains) {};
 /* clang-format on */
 
-FIXTURE_VARIANT(hierarchy)
-{
-	const bool domain_both;
-	const bool domain_parent;
-	const bool domain_child;
-};
-
 /*
  * Test multiple tracing combinations between a parent process P1 and a child
  * process P2.
@@ -104,155 +97,18 @@ FIXTURE_VARIANT(hierarchy)
  * restriction is enforced in addition to any Landlock check, which means that
  * all P2 requests to trace P1 would be denied.
  */
+#include "scoped_base_variants.h"
 
-/*
- *        No domain
- *
- *   P1-.               P1 -> P2 : allow
- *       \              P2 -> P1 : allow
- *        'P2
- */
-/* clang-format off */
-FIXTURE_VARIANT_ADD(hierarchy, allow_without_domain) {
-	/* clang-format on */
-	.domain_both = false,
-	.domain_parent = false,
-	.domain_child = false,
-};
-
-/*
- *        Child domain
- *
- *   P1--.              P1 -> P2 : allow
- *        \             P2 -> P1 : deny
- *        .'-----.
- *        |  P2  |
- *        '------'
- */
-/* clang-format off */
-FIXTURE_VARIANT_ADD(hierarchy, allow_with_one_domain) {
-	/* clang-format on */
-	.domain_both = false,
-	.domain_parent = false,
-	.domain_child = true,
-};
-
-/*
- *        Parent domain
- * .------.
- * |  P1  --.           P1 -> P2 : deny
- * '------'  \          P2 -> P1 : allow
- *            '
- *            P2
- */
-/* clang-format off */
-FIXTURE_VARIANT_ADD(hierarchy, deny_with_parent_domain) {
-	/* clang-format on */
-	.domain_both = false,
-	.domain_parent = true,
-	.domain_child = false,
-};
-
-/*
- *        Parent + child domain (siblings)
- * .------.
- * |  P1  ---.          P1 -> P2 : deny
- * '------'   \         P2 -> P1 : deny
- *         .---'--.
- *         |  P2  |
- *         '------'
- */
-/* clang-format off */
-FIXTURE_VARIANT_ADD(hierarchy, deny_with_sibling_domain) {
-	/* clang-format on */
-	.domain_both = false,
-	.domain_parent = true,
-	.domain_child = true,
-};
-
-/*
- *         Same domain (inherited)
- * .-------------.
- * | P1----.     |      P1 -> P2 : allow
- * |        \    |      P2 -> P1 : allow
- * |         '   |
- * |         P2  |
- * '-------------'
- */
-/* clang-format off */
-FIXTURE_VARIANT_ADD(hierarchy, allow_sibling_domain) {
-	/* clang-format on */
-	.domain_both = true,
-	.domain_parent = false,
-	.domain_child = false,
-};
-
-/*
- *         Inherited + child domain
- * .-----------------.
- * |  P1----.        |  P1 -> P2 : allow
- * |         \       |  P2 -> P1 : deny
- * |        .-'----. |
- * |        |  P2  | |
- * |        '------' |
- * '-----------------'
- */
-/* clang-format off */
-FIXTURE_VARIANT_ADD(hierarchy, allow_with_nested_domain) {
-	/* clang-format on */
-	.domain_both = true,
-	.domain_parent = false,
-	.domain_child = true,
-};
-
-/*
- *         Inherited + parent domain
- * .-----------------.
- * |.------.         |  P1 -> P2 : deny
- * ||  P1  ----.     |  P2 -> P1 : allow
- * |'------'    \    |
- * |             '   |
- * |             P2  |
- * '-----------------'
- */
-/* clang-format off */
-FIXTURE_VARIANT_ADD(hierarchy, deny_with_nested_and_parent_domain) {
-	/* clang-format on */
-	.domain_both = true,
-	.domain_parent = true,
-	.domain_child = false,
-};
-
-/*
- *         Inherited + parent and child domain (siblings)
- * .-----------------.
- * | .------.        |  P1 -> P2 : deny
- * | |  P1  .        |  P2 -> P1 : deny
- * | '------'\       |
- * |          \      |
- * |        .--'---. |
- * |        |  P2  | |
- * |        '------' |
- * '-----------------'
- */
-/* clang-format off */
-FIXTURE_VARIANT_ADD(hierarchy, deny_with_forked_domain) {
-	/* clang-format on */
-	.domain_both = true,
-	.domain_parent = true,
-	.domain_child = true,
-};
-
-FIXTURE_SETUP(hierarchy)
+FIXTURE_SETUP(scoped_domains)
 {
 }
 
-FIXTURE_TEARDOWN(hierarchy)
+FIXTURE_TEARDOWN(scoped_domains)
 {
 }
 
 /* Test PTRACE_TRACEME and PTRACE_ATTACH for parent and child. */
-TEST_F(hierarchy, trace)
+TEST_F(scoped_domains, trace)
 {
 	pid_t child, parent;
 	int status, err_proc_read;
diff --git a/tools/testing/selftests/landlock/scoped_base_variants.h b/tools/testing/selftests/landlock/scoped_base_variants.h
index d3b1fa8a584e..7116728ebc68 100644
--- a/tools/testing/selftests/landlock/scoped_base_variants.h
+++ b/tools/testing/selftests/landlock/scoped_base_variants.h
@@ -1,8 +1,13 @@
 /* SPDX-License-Identifier: GPL-2.0 */
 /*
- * Landlock scoped_domains variants
+ * Landlock scoped_domains test variant definition.
  *
- * See the hierarchy variants from ptrace_test.c
+ * This file defines a fixture variant "scoped_domains" that has all
+ * permutations of parent/child process being in separate or shared
+ * Landlock domain, or not being in a Landlock domain at all.
+ *
+ * Scoped access tests can include this file to avoid repeating these
+ * combinations.
  *
  * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
  * Copyright © 2019-2020 ANSSI
-- 
2.52.0

[RFC PATCH 5/5] landlock: Improve the comment for domain_is_scoped

[Tingmao Wang]

Currently it is not obvious what "scoped" mean, and the fact that the
function returns true when access should be denied is slightly surprising
and in need of documentation.

Cc: Tahera Fahimi <fahimitahera@gmail.com>
Signed-off-by: Tingmao Wang <m@maowtm.org>
---

Open to discussion on whether this actually explains it better.

 security/landlock/task.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/security/landlock/task.c b/security/landlock/task.c
index bf4ed15a7f01..6dfcc1860d6e 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -166,15 +166,16 @@ static int hook_ptrace_traceme(struct task_struct *const parent)
 }
 
 /**
- * domain_is_scoped - Checks if the client domain is scoped in the same
- *		      domain as the server.
+ * domain_is_scoped - Check if an interaction from a client/sender to a
+ *    server/receiver should be restricted based on scope controls.
  *
  * @client: IPC sender domain.
  * @server: IPC receiver domain.
  * @scope: The scope restriction criteria.
  *
- * Returns: True if the @client domain is scoped to access the @server,
- * unless the @server is also scoped in the same domain as @client.
+ * Returns: True if the @server is in a different domain from @client, and
+ *    the @client domain is scoped to access the @server (i.e. access
+ *    should be denied).
  */
 static bool domain_is_scoped(const struct landlock_ruleset *const client,
 			     const struct landlock_ruleset *const server,
-- 
2.52.0

Re: [PATCH 0/5] Landlock: Test, comment and doc improvements

[Mickaël Salaün]

On Sun, Dec 28, 2025 at 01:27:30AM +0000, Tingmao Wang wrote:
> Hi,
> 
> This series contains various unrelated improvements I stashed while
> working on pathname Unix socket scopes (I will send the series for that
> tomorrow).  Only test/comment/doc changes.

Thanks!

> 
> I was planning to include this in the upcoming Unix socket scope series
> but I thought maybe it would be better to send them separately, as they
> would be unrelated to the main topic of that series.

Yes, that's better.

> 
> Tingmao Wang (5):
>   selftests/landlock: Fix typo in fs_test

Applied

>   selftests/landlock: Fix missing semicolon

Applied

>   Documentation/landlock: Fix missing case for ABI 6 in downgrade
>     example

Not applied, see review.

>   selftests/landlock: Use scoped_base_variants.h for ptrace_test

Applied

>   landlock: Improve the comment for domain_is_scoped

Applied with cosmetic changes.

> 
>  Documentation/userspace-api/landlock.rst      |   6 +
>  security/landlock/task.c                      |   9 +-
>  tools/testing/selftests/landlock/fs_test.c    |   4 +-
>  .../testing/selftests/landlock/ptrace_test.c  | 154 +-----------------
>  .../landlock/scoped_abstract_unix_test.c      |   2 +-
>  .../selftests/landlock/scoped_base_variants.h |   9 +-
>  6 files changed, 26 insertions(+), 158 deletions(-)
> 
> 
> base-commit: 161db1810f3625e97ab414908dbcf4b2ab73c309
> -- 
> 2.52.0
> 
> 

Re: [PATCH 3/5] Documentation/landlock: Fix missing case for ABI 6 in downgrade example

[Mickaël Salaün]

The subject for documentation should just start with "landlock: "

On Sun, Dec 28, 2025 at 01:27:33AM +0000, Tingmao Wang wrote:
> Note that this code is different from the one in sandboxer.c since
> sandboxer won't ever add LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and
> LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF.

A more complet patch was sent a few days ago:
https://lore.kernel.org/r/3e21551d-24c3-459f-8cee-4d85c97c0120@oracle.com

> 
> Fixes: 12bfcda73ac2 ("landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags")

Unless required by other parts of the patch, there is no need to
backport documentation changes, so there should not be any Fixes tag.

> Signed-off-by: Tingmao Wang <m@maowtm.org>
> ---
>  Documentation/userspace-api/landlock.rst | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 1d0c2c15c22e..903d2ad11852 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -127,6 +127,12 @@ version, and only use the available subset of access rights:
>          /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
>          ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
>                                   LANDLOCK_SCOPE_SIGNAL);
> +        __attribute__((fallthrough));
> +    case 6:
> +        /* Removes LANDLOCK_RESTRICT_SELF_LOG_* for ABI < 7 */
> +        supported_restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> +                                      LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
> +                                      LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);

As Günther pointed out, this switch/case might not be needed for this
part of the documentation.

>      }
>  
>  This enables the creation of an inclusive ruleset that will contain our rules.
> -- 
> 2.52.0
> 
> 

Re: [RFC PATCH 5/5] landlock: Improve the comment for domain_is_scoped

[Mickaël Salaün]

On Sun, Dec 28, 2025 at 01:27:35AM +0000, Tingmao Wang wrote:
> Currently it is not obvious what "scoped" mean, and the fact that the
> function returns true when access should be denied is slightly surprising
> and in need of documentation.
> 
> Cc: Tahera Fahimi <fahimitahera@gmail.com>
> Signed-off-by: Tingmao Wang <m@maowtm.org>
> ---
> 
> Open to discussion on whether this actually explains it better.
> 
>  security/landlock/task.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/security/landlock/task.c b/security/landlock/task.c
> index bf4ed15a7f01..6dfcc1860d6e 100644
> --- a/security/landlock/task.c
> +++ b/security/landlock/task.c
> @@ -166,15 +166,16 @@ static int hook_ptrace_traceme(struct task_struct *const parent)
>  }
>  
>  /**
> - * domain_is_scoped - Checks if the client domain is scoped in the same
> - *		      domain as the server.
> + * domain_is_scoped - Check if an interaction from a client/sender to a
> + *    server/receiver should be restricted based on scope controls.
>   *
>   * @client: IPC sender domain.
>   * @server: IPC receiver domain.
>   * @scope: The scope restriction criteria.
>   *
> - * Returns: True if the @client domain is scoped to access the @server,
> - * unless the @server is also scoped in the same domain as @client.
> + * Returns: True if the @server is in a different domain from @client, and
> + *    the @client domain is scoped to access the @server (i.e. access
> + *    should be denied).

I removed the "the" and the heading spaces:

  *
- * Returns: True if the @client domain is scoped to access the @server,
- * unless the @server is also scoped in the same domain as @client.
+ * Returns: True if @server is in a different domain from @client, and @client
+ * is scoped to access @server (i.e. access should be denied).
  */


>   */
>  static bool domain_is_scoped(const struct landlock_ruleset *const client,
>  			     const struct landlock_ruleset *const server,
> -- 
> 2.52.0
>