* [PATCH 10/13] ovl: change ovl_create_real() to get a new lock when re-opening created file.
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
When ovl_create_real() is used to create a file on the upper filesystem
it needs to return the resulting dentry - positive and hashed.
It is usually the case the that dentry passed to the create function
(e.g. vfs_create()) will be suitable but this is not guaranteed. The
filesystem may unhash that dentry forcing a repeat lookup next time the
name is wanted.
So ovl_create_real() must be (and is) aware of this and prepared to
perform that lookup to get a hash positive dentry.
This is currently done under that same directory lock that provided
exclusion for the create. Proposed changes to locking will make this
not possible - as the name, rather than the directory, will be locked.
The new APIs provided for lookup and locking do not and cannot support
this pattern.
The lock isn't needed. ovl_create_real() can drop the lock and then get
a new lock for the lookup - then check that the lookup returned the
correct inode. In a well-behaved configuration where the upper
filesystem is not being modified by a third party, this will always work
reliably, and if there are separate modification it will fail cleanly.
So change ovl_create_real() to drop the lock and call
ovl_start_creating_upper() to find the correct dentry. Note that
start_creating doesn't fail if the name already exists.
This removes the only remaining use of ovl_lookup_upper, so it is
removed.
Signed-off-by: NeilBrown <neil@brown.name>
---
fs/overlayfs/dir.c | 24 ++++++++++++++++++------
fs/overlayfs/overlayfs.h | 7 -------
2 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index ff3dbd1ca61f..ec08904d084d 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -219,21 +219,33 @@ struct dentry *ovl_create_real(struct ovl_fs *ofs, struct dentry *parent,
err = -EIO;
} else if (d_unhashed(newdentry)) {
struct dentry *d;
+ struct name_snapshot name;
/*
* Some filesystems (i.e. casefolded) may return an unhashed
- * negative dentry from the ovl_lookup_upper() call before
+ * negative dentry from the ovl_start_creating_upper() call before
* ovl_create_real().
* In that case, lookup again after making the newdentry
* positive, so ovl_create_upper() always returns a hashed
* positive dentry.
+ * As we have to drop the lock before the lookup a race
+ * could result in a lookup failure. In that case we return
+ * an error.
*/
- d = ovl_lookup_upper(ofs, newdentry->d_name.name, parent,
- newdentry->d_name.len);
- dput(newdentry);
- if (IS_ERR_OR_NULL(d))
+ take_dentry_name_snapshot(&name, newdentry);
+ end_creating_keep(newdentry);
+ d = ovl_start_creating_upper(ofs, parent, &name.name);
+ release_dentry_name_snapshot(&name);
+
+ if (IS_ERR_OR_NULL(d)) {
err = d ? PTR_ERR(d) : -ENOENT;
- else
+ } else if (d->d_inode != newdentry->d_inode) {
+ err = -EIO;
+ dput(newdentry);
+ } else {
+ dput(newdentry);
return d;
+ }
+ return ERR_PTR(err);
}
out:
if (err) {
diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h
index 315882a360ce..4fb4750a83e4 100644
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -406,13 +406,6 @@ static inline struct file *ovl_do_tmpfile(struct ovl_fs *ofs,
return file;
}
-static inline struct dentry *ovl_lookup_upper(struct ovl_fs *ofs,
- const char *name,
- struct dentry *base, int len)
-{
- return lookup_one(ovl_upper_mnt_idmap(ofs), &QSTR_LEN(name, len), base);
-}
-
static inline struct dentry *ovl_lookup_upper_unlocked(struct ovl_fs *ofs,
const char *name,
struct dentry *base,
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 09/13] cachefiles: change cachefiles_bury_object to use start_renaming_dentry()
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
Rather then using lock_rename() and lookup_one() etc we can use
the new start_renaming_dentry(). This is part of centralising dir
locking and lookup so that locking rules can be changed.
Some error check are removed as not necessary. Checks for rep being a
non-dir or IS_DEADDIR and the check that ->graveyard is still a
directory only provide slightly more informative errors and have been
dropped.
Signed-off-by: NeilBrown <neil@brown.name>
---
fs/cachefiles/namei.c | 76 ++++++++-----------------------------------
1 file changed, 14 insertions(+), 62 deletions(-)
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
index e5ec90dccc27..3af42ec78411 100644
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -270,7 +270,8 @@ int cachefiles_bury_object(struct cachefiles_cache *cache,
struct dentry *rep,
enum fscache_why_object_killed why)
{
- struct dentry *grave, *trap;
+ struct dentry *grave;
+ struct renamedata rd = {};
struct path path, path_to_graveyard;
char nbuffer[8 + 8 + 1];
int ret;
@@ -302,77 +303,36 @@ int cachefiles_bury_object(struct cachefiles_cache *cache,
(uint32_t) ktime_get_real_seconds(),
(uint32_t) atomic_inc_return(&cache->gravecounter));
- /* do the multiway lock magic */
- trap = lock_rename(cache->graveyard, dir);
- if (IS_ERR(trap))
- return PTR_ERR(trap);
-
- /* do some checks before getting the grave dentry */
- if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) {
- /* the entry was probably culled when we dropped the parent dir
- * lock */
- unlock_rename(cache->graveyard, dir);
- _leave(" = 0 [culled?]");
- return 0;
- }
-
- if (!d_can_lookup(cache->graveyard)) {
- unlock_rename(cache->graveyard, dir);
- cachefiles_io_error(cache, "Graveyard no longer a directory");
- return -EIO;
- }
-
- if (trap == rep) {
- unlock_rename(cache->graveyard, dir);
- cachefiles_io_error(cache, "May not make directory loop");
+ rd.mnt_idmap = &nop_mnt_idmap;
+ rd.old_parent = dir;
+ rd.new_parent = cache->graveyard;
+ rd.flags = 0;
+ ret = start_renaming_dentry(&rd, 0, rep, &QSTR(nbuffer));
+ if (ret) {
+ cachefiles_io_error(cache, "Cannot lock/lookup in graveyard");
return -EIO;
}
if (d_mountpoint(rep)) {
- unlock_rename(cache->graveyard, dir);
+ end_renaming(&rd);
cachefiles_io_error(cache, "Mountpoint in cache");
return -EIO;
}
- grave = lookup_one(&nop_mnt_idmap, &QSTR(nbuffer), cache->graveyard);
- if (IS_ERR(grave)) {
- unlock_rename(cache->graveyard, dir);
- trace_cachefiles_vfs_error(object, d_inode(cache->graveyard),
- PTR_ERR(grave),
- cachefiles_trace_lookup_error);
-
- if (PTR_ERR(grave) == -ENOMEM) {
- _leave(" = -ENOMEM");
- return -ENOMEM;
- }
-
- cachefiles_io_error(cache, "Lookup error %ld", PTR_ERR(grave));
- return -EIO;
- }
-
+ grave = rd.new_dentry;
if (d_is_positive(grave)) {
- unlock_rename(cache->graveyard, dir);
- dput(grave);
+ end_renaming(&rd);
grave = NULL;
cond_resched();
goto try_again;
}
if (d_mountpoint(grave)) {
- unlock_rename(cache->graveyard, dir);
- dput(grave);
+ end_renaming(&rd);
cachefiles_io_error(cache, "Mountpoint in graveyard");
return -EIO;
}
- /* target should not be an ancestor of source */
- if (trap == grave) {
- unlock_rename(cache->graveyard, dir);
- dput(grave);
- cachefiles_io_error(cache, "May not make directory loop");
- return -EIO;
- }
-
/* attempt the rename */
path.mnt = cache->mnt;
path.dentry = dir;
@@ -382,13 +342,6 @@ int cachefiles_bury_object(struct cachefiles_cache *cache,
if (ret < 0) {
cachefiles_io_error(cache, "Rename security error %d", ret);
} else {
- struct renamedata rd = {
- .mnt_idmap = &nop_mnt_idmap,
- .old_parent = dir,
- .old_dentry = rep,
- .new_parent = cache->graveyard,
- .new_dentry = grave,
- };
trace_cachefiles_rename(object, d_inode(rep)->i_ino, why);
ret = cachefiles_inject_read_error();
if (ret == 0)
@@ -402,8 +355,7 @@ int cachefiles_bury_object(struct cachefiles_cache *cache,
}
__cachefiles_unmark_inode_in_use(object, d_inode(rep));
- unlock_rename(cache->graveyard, dir);
- dput(grave);
+ end_renaming(&rd);
_leave(" = 0");
return 0;
}
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 08/13] ovl: Simplify ovl_lookup_real_one()
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
The primary purpose of this patch is to remove the locking from
ovl_lookup_real_one() as part of centralising all locking of directories
for name operations.
The locking here isn't needed. By performing consistency tests after
the lookup we can be sure that the result of the lookup was valid at
least for a moment, which is all the original code promised.
lookup_noperm_unlocked() is used for the lookup and it will take the
lock if needed only where it is needed.
Also:
- don't take a reference to real->d_parent. The parent is
only use for a pointer comparison, and no reference is needed for
that.
- Several "if" statements have a "goto" followed by "else" - the
else isn't needed: the following statement can directly follow
the "if" as a new statement
- Use a consistent pattern of setting "err" before performing a test
and possibly going to "fail".
- remove the "out" label (now that we don't need to dput(parent) or
unlock) and simply return from fail:.
Signed-off-by: NeilBrown <neil@brown.name>
---
fs/overlayfs/export.c | 61 ++++++++++++++++++-------------------------
1 file changed, 26 insertions(+), 35 deletions(-)
diff --git a/fs/overlayfs/export.c b/fs/overlayfs/export.c
index 83f80fdb1567..dcd28ffc4705 100644
--- a/fs/overlayfs/export.c
+++ b/fs/overlayfs/export.c
@@ -359,59 +359,50 @@ static struct dentry *ovl_lookup_real_one(struct dentry *connected,
struct dentry *real,
const struct ovl_layer *layer)
{
- struct inode *dir = d_inode(connected);
- struct dentry *this, *parent = NULL;
+ struct dentry *this;
struct name_snapshot name;
int err;
/*
- * Lookup child overlay dentry by real name. The dir mutex protects us
- * from racing with overlay rename. If the overlay dentry that is above
- * real has already been moved to a parent that is not under the
- * connected overlay dir, we return -ECHILD and restart the lookup of
- * connected real path from the top.
+ * @connected is a directory in the overlay and @real is an object
+ * on @layer which is expected to be a child of @connected.
+ * The goal is to return a dentry from the overlay which corresponds
+ * to @real. This is done by looking up the name from @real in
+ * @connected and checking that the result meets expectations.
+ *
+ * Return %-ECHILD if the parent of @real no-longer corresponds to
+ * @connected, and %-ESTALE if the dentry found by lookup doesn't
+ * correspond to @real.
*/
- inode_lock_nested(dir, I_MUTEX_PARENT);
- err = -ECHILD;
- parent = dget_parent(real);
- if (ovl_dentry_real_at(connected, layer->idx) != parent)
- goto fail;
- /*
- * We also need to take a snapshot of real dentry name to protect us
- * from racing with underlying layer rename. In this case, we don't
- * care about returning ESTALE, only from dereferencing a free name
- * pointer because we hold no lock on the real dentry.
- */
take_dentry_name_snapshot(&name, real);
- /*
- * No idmap handling here: it's an internal lookup.
- */
- this = lookup_noperm(&name.name, connected);
+ this = lookup_noperm_unlocked(&name.name, connected);
release_dentry_name_snapshot(&name);
+
+ err = -ECHILD;
+ if (ovl_dentry_real_at(connected, layer->idx) != real->d_parent)
+ goto fail;
+
err = PTR_ERR(this);
- if (IS_ERR(this)) {
+ if (IS_ERR(this))
goto fail;
- } else if (!this || !this->d_inode) {
- dput(this);
- err = -ENOENT;
+
+ err = -ENOENT;
+ if (!this || !this->d_inode)
goto fail;
- } else if (ovl_dentry_real_at(this, layer->idx) != real) {
- dput(this);
- err = -ESTALE;
+
+ err = -ESTALE;
+ if (ovl_dentry_real_at(this, layer->idx) != real)
goto fail;
- }
-out:
- dput(parent);
- inode_unlock(dir);
return this;
fail:
pr_warn_ratelimited("failed to lookup one by real (%pd2, layer=%d, connected=%pd2, err=%i)\n",
real, layer->idx, connected, err);
- this = ERR_PTR(err);
- goto out;
+ if (!IS_ERR(this))
+ dput(this);
+ return ERR_PTR(err);
}
static struct dentry *ovl_lookup_real(struct super_block *sb,
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 07/13] VFS: make lookup_one_qstr_excl() static.
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
lookup_one_qstr_excl() is no longer used outside of namei.c, so
make it static.
Signed-off-by: NeilBrown <neil@brown.name>
---
Documentation/filesystems/porting.rst | 7 +++++++
fs/namei.c | 5 ++---
include/linux/namei.h | 3 ---
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/Documentation/filesystems/porting.rst b/Documentation/filesystems/porting.rst
index ed3ac56e3c76..ed86c95d9d01 100644
--- a/Documentation/filesystems/porting.rst
+++ b/Documentation/filesystems/porting.rst
@@ -1340,3 +1340,10 @@ The ->setlease() file_operation must now be explicitly set in order to provide
support for leases. When set to NULL, the kernel will now return -EINVAL to
attempts to set a lease. Filesystems that wish to use the kernel-internal lease
implementation should set it to generic_setlease().
+
+---
+
+**mandatory**
+
+lookup_one_qstr_excl() is no longer exported - use start_creating() or
+similar.
diff --git a/fs/namei.c b/fs/namei.c
index 40af78ddfb1b..307b4d0866b8 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1730,8 +1730,8 @@ static struct dentry *lookup_dcache(const struct qstr *name,
* Will return -ENOENT if name isn't found and LOOKUP_CREATE wasn't passed.
* Will return -EEXIST if name is found and LOOKUP_EXCL was passed.
*/
-struct dentry *lookup_one_qstr_excl(const struct qstr *name,
- struct dentry *base, unsigned int flags)
+static struct dentry *lookup_one_qstr_excl(const struct qstr *name,
+ struct dentry *base, unsigned int flags)
{
struct dentry *dentry;
struct dentry *old;
@@ -1768,7 +1768,6 @@ struct dentry *lookup_one_qstr_excl(const struct qstr *name,
}
return dentry;
}
-EXPORT_SYMBOL(lookup_one_qstr_excl);
/**
* lookup_fast - do fast lockless (but racy) lookup of a dentry
diff --git a/include/linux/namei.h b/include/linux/namei.h
index 58600cf234bc..c7a7288cdd25 100644
--- a/include/linux/namei.h
+++ b/include/linux/namei.h
@@ -54,9 +54,6 @@ extern int path_pts(struct path *path);
extern int user_path_at(int, const char __user *, unsigned, struct path *);
-struct dentry *lookup_one_qstr_excl(const struct qstr *name,
- struct dentry *base,
- unsigned int flags);
extern int kern_path(const char *, unsigned, struct path *);
struct dentry *kern_path_parent(const char *name, struct path *parent);
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 06/13] nfsd: switch purge_old() to use start_removing_noperm()
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
Rather than explicit locking, use the start_removing_noperm() and
end_removing() wrappers.
This was not done with other start_removing changes due to conflicting
in-flight patches.
Signed-off-by: NeilBrown <neil@brown.name>
---
fs/nfsd/nfs4recover.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index 441dfbfe2d2b..52fbe723a3c8 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -351,16 +351,14 @@ purge_old(struct dentry *parent, char *cname, struct nfsd_net *nn)
if (nfs4_has_reclaimed_state(name, nn))
goto out_free;
- inode_lock_nested(d_inode(parent), I_MUTEX_PARENT);
- child = lookup_one(&nop_mnt_idmap, &QSTR(cname), parent);
+ child = start_removing_noperm(parent, &QSTR(cname));
if (!IS_ERR(child)) {
status = vfs_rmdir(&nop_mnt_idmap, d_inode(parent), child, NULL);
if (status)
printk("failed to remove client recovery directory %pd\n",
child);
- dput(child);
}
- inode_unlock(d_inode(parent));
+ end_removing(child);
out_free:
kfree(name.data);
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 05/13] selinux: Use simple_start_creating() / simple_done_creating()
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
Instead of explicitly locking the parent and performing a lookup in
selinux, use simple_start_creating(), and then use
simple_done_creating() to unlock.
This extends the region that the directory is locked for, and also
performs a lookup.
The lock extension is of no real consequence.
The lookup uses simple_lookup() and so always succeeds. Thus when
d_make_persistent() is called the dentry will already be hashed.
d_make_persistent() handles this case.
Signed-off-by: NeilBrown <neil@brown.name>
---
security/selinux/selinuxfs.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 896acad1f5f7..97e02cd5a9dc 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1930,15 +1930,16 @@ static const struct inode_operations swapover_dir_inode_operations = {
static struct dentry *sel_make_swapover_dir(struct super_block *sb,
unsigned long *ino)
{
- struct dentry *dentry = d_alloc_name(sb->s_root, ".swapover");
+ struct dentry *dentry;
struct inode *inode;
- if (!dentry)
+ inode = sel_make_inode(sb, S_IFDIR);
+ if (!inode)
return ERR_PTR(-ENOMEM);
- inode = sel_make_inode(sb, S_IFDIR);
- if (!inode) {
- dput(dentry);
+ dentry = simple_start_creating(sb->s_root, ".swapover");
+ if (!dentry) {
+ iput(inode);
return ERR_PTR(-ENOMEM);
}
@@ -1946,11 +1947,9 @@ static struct dentry *sel_make_swapover_dir(struct super_block *sb,
inode->i_ino = ++(*ino);
/* directory inodes start off with i_nlink == 2 (for "." entry) */
inc_nlink(inode);
- inode_lock(sb->s_root->d_inode);
d_make_persistent(dentry, inode);
inc_nlink(sb->s_root->d_inode);
- inode_unlock(sb->s_root->d_inode);
- dput(dentry);
+ simple_done_creating(dentry);
return dentry; // borrowed
}
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 04/13] Apparmor: Use simple_start_creating() / simple_done_creating()
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
Instead of explicitly locking the parent and performing a look up in
apparmor, use simple_start_creating(), and then simple_done_creating()
to unlock and drop the dentry.
This removes the need to check for an existing entry (as
simple_start_creating() acts like an exclusive create and can return
-EEXIST), simplifies error paths, and keeps dir locking code
centralised.
Signed-off-by: NeilBrown <neil@brown.name>
---
security/apparmor/apparmorfs.c | 38 ++++++++--------------------------
1 file changed, 9 insertions(+), 29 deletions(-)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 907bd2667e28..7f78c36e6e50 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -282,32 +282,19 @@ static struct dentry *aafs_create(const char *name, umode_t mode,
dir = d_inode(parent);
- inode_lock(dir);
- dentry = lookup_noperm(&QSTR(name), parent);
+ dentry = simple_start_creating(parent, name);
if (IS_ERR(dentry)) {
error = PTR_ERR(dentry);
- goto fail_lock;
- }
-
- if (d_really_is_positive(dentry)) {
- error = -EEXIST;
- goto fail_dentry;
+ goto fail;
}
error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops);
+ simple_done_creating(dentry);
if (error)
- goto fail_dentry;
- inode_unlock(dir);
-
- return dentry;
-
-fail_dentry:
- dput(dentry);
-
-fail_lock:
- inode_unlock(dir);
+ goto fail;
+ return 0;
+fail:
simple_release_fs(&aafs_mnt, &aafs_count);
-
return ERR_PTR(error);
}
@@ -2572,8 +2559,7 @@ static int aa_mk_null_file(struct dentry *parent)
if (error)
return error;
- inode_lock(d_inode(parent));
- dentry = lookup_noperm(&QSTR(NULL_FILE_NAME), parent);
+ dentry = simple_start_creating(parent, NULL_FILE_NAME);
if (IS_ERR(dentry)) {
error = PTR_ERR(dentry);
goto out;
@@ -2581,7 +2567,7 @@ static int aa_mk_null_file(struct dentry *parent)
inode = new_inode(parent->d_inode->i_sb);
if (!inode) {
error = -ENOMEM;
- goto out1;
+ goto out;
}
inode->i_ino = get_next_ino();
@@ -2593,18 +2579,12 @@ static int aa_mk_null_file(struct dentry *parent)
aa_null.dentry = dget(dentry);
aa_null.mnt = mntget(mount);
- error = 0;
-
-out1:
- dput(dentry);
out:
- inode_unlock(d_inode(parent));
+ simple_done_creating(dentry);
simple_release_fs(&mount, &count);
return error;
}
-
-
static const char *policy_get_link(struct dentry *dentry,
struct inode *inode,
struct delayed_call *done)
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 03/13] libfs: change simple_done_creating() to use end_creating()
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
simple_done_creating() and end_creating() are identical.
So change the former to use the latter. This further centralises
unlocking of directories.
Signed-off-by: NeilBrown <neil@brown.name>
---
fs/libfs.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/libfs.c b/fs/libfs.c
index f1860dff86f2..db18b53fc189 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -2318,7 +2318,6 @@ EXPORT_SYMBOL(simple_start_creating);
/* parent must have been held exclusive since simple_start_creating() */
void simple_done_creating(struct dentry *child)
{
- inode_unlock(child->d_parent->d_inode);
- dput(child);
+ end_creating(child);
}
EXPORT_SYMBOL(simple_done_creating);
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 02/13] VFS: move the start_dirop() kerndoc comment to before start_dirop()
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
This kerneldoc comment was always meant for start_dirop(), not for
__start_dirop() which is a static function and doesn't need
documentation.
It was in the wrong place and was then incorrectly renamed (instead of
moved) and useless "documentation" was added for "@state" was provided.
This patch reverts the name, removes the mention of @state, and moves
the comment to where it belongs.
Signed-off-by: NeilBrown <neil@brown.name>
---
fs/namei.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index b28ecb699f32..40af78ddfb1b 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2841,20 +2841,6 @@ static int filename_parentat(int dfd, struct filename *name,
return __filename_parentat(dfd, name, flags, parent, last, type, NULL);
}
-/**
- * __start_dirop - begin a create or remove dirop, performing locking and lookup
- * @parent: the dentry of the parent in which the operation will occur
- * @name: a qstr holding the name within that parent
- * @lookup_flags: intent and other lookup flags.
- * @state: task state bitmask
- *
- * The lookup is performed and necessary locks are taken so that, on success,
- * the returned dentry can be operated on safely.
- * The qstr must already have the hash value calculated.
- *
- * Returns: a locked dentry, or an error.
- *
- */
static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
unsigned int lookup_flags,
unsigned int state)
@@ -2876,6 +2862,19 @@ static struct dentry *__start_dirop(struct dentry *parent, struct qstr *name,
return dentry;
}
+/**
+ * start_dirop - begin a create or remove dirop, performing locking and lookup
+ * @parent: the dentry of the parent in which the operation will occur
+ * @name: a qstr holding the name within that parent
+ * @lookup_flags: intent and other lookup flags.
+ *
+ * The lookup is performed and necessary locks are taken so that, on success,
+ * the returned dentry can be operated on safely.
+ * The qstr must already have the hash value calculated.
+ *
+ * Returns: a locked dentry, or an error.
+ *
+ */
struct dentry *start_dirop(struct dentry *parent, struct qstr *name,
unsigned int lookup_flags)
{
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 01/13] fs/proc: Don't lock root inode when creating "self" and "thread-self"
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
In-Reply-To: <20260204050726.177283-1-neilb@ownmail.net>
From: NeilBrown <neil@brown.name>
proc_setup_self() and proc_setup_thread_self() are only called from
proc_fill_super() which is before the filesystem is "live". So there is
no need to lock the root directory when adding "self" and "thread-self".
This is clear from simple_fill_super() which provides similar
functionality for other filesystems and does not lock anything.
The locking is not harmful, except that it may be confusing to a reader.
As part of a an effort to centralise all locking for directories for
name-based operations (prior to changing some locking rules), it is
simplest to remove the locking here.
Signed-off-by: NeilBrown <neil@brown.name>
---
fs/proc/self.c | 3 ---
fs/proc/thread_self.c | 3 ---
2 files changed, 6 deletions(-)
diff --git a/fs/proc/self.c b/fs/proc/self.c
index 62d2c0cfe35c..56adf1c68f7a 100644
--- a/fs/proc/self.c
+++ b/fs/proc/self.c
@@ -35,11 +35,9 @@ unsigned self_inum __ro_after_init;
int proc_setup_self(struct super_block *s)
{
- struct inode *root_inode = d_inode(s->s_root);
struct dentry *self;
int ret = -ENOMEM;
- inode_lock(root_inode);
self = d_alloc_name(s->s_root, "self");
if (self) {
struct inode *inode = new_inode(s);
@@ -55,7 +53,6 @@ int proc_setup_self(struct super_block *s)
}
dput(self);
}
- inode_unlock(root_inode);
if (ret)
pr_err("proc_fill_super: can't allocate /proc/self\n");
diff --git a/fs/proc/thread_self.c b/fs/proc/thread_self.c
index d6113dbe58e0..61ac62c3fd9f 100644
--- a/fs/proc/thread_self.c
+++ b/fs/proc/thread_self.c
@@ -35,11 +35,9 @@ unsigned thread_self_inum __ro_after_init;
int proc_setup_thread_self(struct super_block *s)
{
- struct inode *root_inode = d_inode(s->s_root);
struct dentry *thread_self;
int ret = -ENOMEM;
- inode_lock(root_inode);
thread_self = d_alloc_name(s->s_root, "thread-self");
if (thread_self) {
struct inode *inode = new_inode(s);
@@ -55,7 +53,6 @@ int proc_setup_thread_self(struct super_block *s)
}
dput(thread_self);
}
- inode_unlock(root_inode);
if (ret)
pr_err("proc_fill_super: can't allocate /proc/thread-self\n");
--
2.50.0.107.gf914562f5916.dirty
^ permalink raw reply related
* [PATCH 00/13] Further centralising of directory locking for name ops.
From: NeilBrown @ 2026-02-04 4:57 UTC (permalink / raw)
To: Christian Brauner, Alexander Viro, David Howells, Jan Kara,
Chuck Lever, Jeff Layton, Miklos Szeredi, Amir Goldstein,
John Johansen, Paul Moore, James Morris, Serge E. Hallyn,
Stephen Smalley
Cc: linux-kernel, netfs, linux-fsdevel, linux-nfs, linux-unionfs,
apparmor, linux-security-module, selinux
I am working towards changing the locking rules for name-operations: locking
the name rather than the whole directory.
The current part of this process is centralising all the locking so that
it can be changed in one place.
Recently "start_creating", "start_removing", "start_renaming" and related
interaces were added which combine the locking and the lookup. At that time
many callers were changed to use the new interfaces. However there are still
an assortment of places out side of fs/namei.c where the directory is locked
explictly, whether with inode_lock() or lock_rename() or similar. These were
missed in the first pass for an assortment of uninteresting reasons.
This series addresses the remaining places where explicit locking is
used, and changes them to use the new interfaces, or otherwise removes
the explicit locking.
The biggest changes are in overlayfs. The other changes are quite
simple, though maybe the cachefiles changes is the least simple of those.
I'm running the --overlay tests in xfstests and nothing has popped yet.
I'll continue with this and run some NFS tests too.
Thanks for your review of these patches!
NeilBrown
[PATCH 01/13] fs/proc: Don't lock root inode when creating "self" and
[PATCH 02/13] VFS: move the start_dirop() kerndoc comment to before
[PATCH 03/13] libfs: change simple_done_creating() to use
[PATCH 04/13] Apparmor: Use simple_start_creating() /
[PATCH 05/13] selinux: Use simple_start_creating() /
[PATCH 06/13] nfsd: switch purge_old() to use start_removing_noperm()
[PATCH 07/13] VFS: make lookup_one_qstr_excl() static.
[PATCH 08/13] ovl: Simplify ovl_lookup_real_one()
[PATCH 09/13] cachefiles: change cachefiles_bury_object to use
[PATCH 10/13] ovl: change ovl_create_real() to get a new lock when
[PATCH 11/13] ovl: use is_subdir() for testing if one thing is a
[PATCH 12/13] ovl: remove ovl_lock_rename_workdir()
[PATCH 13/13] VFS: unexport lock_rename(), lock_rename_child(),
^ permalink raw reply
* [GIT PULL] lsm/lsm-pr-20260203
From: Paul Moore @ 2026-02-04 4:10 UTC (permalink / raw)
To: Linus Torvalds; +Cc: linux-security-module, linux-kernel
Linus,
This is a bit early, but due to some personal scheduling I'd rather send
this to you now, and you always mention you prefer to get pull requests
early (perhaps not this early?) so here is hoping this is a win-win.
Here are the highlights for the LSM changes queued for the Linux v7.0
merge window:
- Unify the security_inode_listsecurity() calls in NFSv4
While looking at security_inode_listsecurity() with an eye towards
improving the interface, we realized that the NFSv4 code was making
multiple calls to the LSM hook that could be consolidated into one. We
attempted to engage the NFS folks on this multiple times over several
months to get input, ACKs, etc. but never recieved any comments. While
this commit does touch NFS code exclusively, it is directly related to
the LSM hook, so I've gone and merged the commit into the LSM tree. It
has been in linux-next for almost a full month without any comments or
complaints from the NFS folks.
- Mark the LSM static branch keys as static
This helps resolve some sparse warnings.
- Add __rust_helper annotations to the LSM and cred wrapper functions.
- Remove the unsused set_security_override_from_ctx() function
- Minor fixes to some of the LSM kdoc comment blocks
Paul
--
The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8:
Linux 6.19-rc1 (2025-12-14 16:05:07 +1200)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm.git
tags/lsm-pr-20260203
for you to fetch changes up to 472711068fa950642b9b471aaebcc82e9930eb8c:
lsm: make keys for static branch static (2026-01-06 20:57:55 -0500)
----------------------------------------------------------------
lsm/stable-7.0 PR 20260203
----------------------------------------------------------------
Alice Ryhl (2):
rust: cred: add __rust_helper to helpers
rust: security: add __rust_helper to helpers
Ben Dooks (1):
lsm: make keys for static branch static
Casey Schaufler (1):
cred: remove unused set_security_override_from_ctx()
Randy Dunlap (1):
lsm: fix kernel-doc struct member names
Stephen Smalley (1):
nfs: unify security_inode_listsecurity() calls
fs/nfs/nfs4proc.c | 38 +++-----------------------------------
include/linux/cred.h | 1 -
include/linux/lsm_hooks.h | 4 ++--
kernel/cred.c | 23 -----------------------
rust/helpers/cred.c | 4 ++--
rust/helpers/security.c | 26 +++++++++++++++-----------
security/security.c | 2 +-
7 files changed, 23 insertions(+), 75 deletions(-)
--
paul-moore.com
^ permalink raw reply
* [GIT PULL] selinux/selinux-pr-20260203
From: Paul Moore @ 2026-02-04 4:10 UTC (permalink / raw)
To: Linus Torvalds; +Cc: selinux, linux-security-module, linux-kernel
Linus,
This is a bit early, but due to some personal scheduling I'd rather send
this to you now, and you always mention you prefer to get pull requests
early (perhaps not this early?) so here is hoping this is a win-win.
Here are the highlights for the SELinux changes queued for the Linux v7.0
merge window:
- Add support for SELinux based access control of BPF tokens
We worked with the BPF devs to add the necessary LSM hooks when the BPF
token code was first introduced, but it took us a bit longer to add the
SELinux wiring and support. In order to preserve existing token-unaware
SELinux policies, the new code is gated by the new "bpf_token_perms"
policy capability.
Additional details regarding the new permissions, and behaviors can be
found in the associated commit.
- Remove a BUG() from the SELinux capability code
We now perform a similar check during compile time so we can safely
remove the BUG() call.
Paul
--
The following changes since commit 8f0b4cce4481fb22653697cced8d0d04027cb1e8:
Linux 6.19-rc1 (2025-12-14 16:05:07 +1200)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
tags/selinux-pr-20260203
for you to fetch changes up to ea64aa57d596c4cbe518ffd043c52ef64089708d:
selinux: drop the BUG() in cred_has_capability()
(2026-01-14 16:26:21 -0500)
----------------------------------------------------------------
selinux/stable-7.0 PR 20260203
----------------------------------------------------------------
Eric Suen (1):
selinux: add support for BPF token access control
Paul Moore (3):
selinux: move the selinux_blob_sizes struct
selinux: fix a capabilities parsing typo in
selinux_bpf_token_capable()
selinux: drop the BUG() in cred_has_capability()
security/selinux/hooks.c | 163 +++++++++++++++++----
security/selinux/include/classmap.h | 2
security/selinux/include/objsec.h | 3
security/selinux/include/policycap.h | 1
security/selinux/include/policycap_names.h | 1
security/selinux/include/security.h | 6
6 files changed, 151 insertions(+), 25 deletions(-)
--
paul-moore.com
^ permalink raw reply
* [PATCH v3 6/6] selftests/landlock: Add pathname socket variants for more tests
From: Tingmao Wang @ 2026-02-03 23:12 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Demi Marie Obenour, Alyssa Ross,
Jann Horn, Tahera Fahimi, Justin Suess, linux-security-module
In-Reply-To: <cover.1770160146.git.m@maowtm.org>
While this produces a lot of change, it does allow us to
"simultaneously" test both abstract and pathname UNIX sockets with
relatively little code duplication, since they are really similar.
Tests touched: scoped_vs_unscoped, outside_socket,
various_address_sockets, datagram_sockets, self_connect.
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
Changes in v3:
- Comment update, format
.../selftests/landlock/scoped_unix_test.c | 617 ++++++++++++------
1 file changed, 411 insertions(+), 206 deletions(-)
diff --git a/tools/testing/selftests/landlock/scoped_unix_test.c b/tools/testing/selftests/landlock/scoped_unix_test.c
index d117c85a2ca7..bc406c98f704 100644
--- a/tools/testing/selftests/landlock/scoped_unix_test.c
+++ b/tools/testing/selftests/landlock/scoped_unix_test.c
@@ -545,8 +545,12 @@ TEST_F(scoped_audit, connect_to_child)
FIXTURE(scoped_vs_unscoped)
{
- struct service_fixture parent_stream_address, parent_dgram_address,
- child_stream_address, child_dgram_address;
+ struct service_fixture parent_stream_address_abstract,
+ parent_dgram_address_abstract, child_stream_address_abstract,
+ child_dgram_address_abstract;
+ struct service_fixture parent_stream_address_pathname,
+ parent_dgram_address_pathname, child_stream_address_pathname,
+ child_dgram_address_pathname;
};
#include "scoped_multiple_domain_variants.h"
@@ -555,35 +559,79 @@ FIXTURE_SETUP(scoped_vs_unscoped)
{
drop_caps(_metadata);
- memset(&self->parent_stream_address, 0,
- sizeof(self->parent_stream_address));
- set_unix_address(&self->parent_stream_address, 0, true);
- memset(&self->parent_dgram_address, 0,
- sizeof(self->parent_dgram_address));
- set_unix_address(&self->parent_dgram_address, 1, true);
- memset(&self->child_stream_address, 0,
- sizeof(self->child_stream_address));
- set_unix_address(&self->child_stream_address, 2, true);
- memset(&self->child_dgram_address, 0,
- sizeof(self->child_dgram_address));
- set_unix_address(&self->child_dgram_address, 3, true);
+ ASSERT_EQ(0, mkdir(PATHNAME_UNIX_SOCK_DIR, 0700));
+
+ /* Abstract addresses. */
+ memset(&self->parent_stream_address_abstract, 0,
+ sizeof(self->parent_stream_address_abstract));
+ set_unix_address(&self->parent_stream_address_abstract, 0, true);
+ memset(&self->parent_dgram_address_abstract, 0,
+ sizeof(self->parent_dgram_address_abstract));
+ set_unix_address(&self->parent_dgram_address_abstract, 1, true);
+ memset(&self->child_stream_address_abstract, 0,
+ sizeof(self->child_stream_address_abstract));
+ set_unix_address(&self->child_stream_address_abstract, 2, true);
+ memset(&self->child_dgram_address_abstract, 0,
+ sizeof(self->child_dgram_address_abstract));
+ set_unix_address(&self->child_dgram_address_abstract, 3, true);
+
+ /* Pathname addresses. */
+ memset(&self->parent_stream_address_pathname, 0,
+ sizeof(self->parent_stream_address_pathname));
+ set_unix_address(&self->parent_stream_address_pathname, 4, false);
+ memset(&self->parent_dgram_address_pathname, 0,
+ sizeof(self->parent_dgram_address_pathname));
+ set_unix_address(&self->parent_dgram_address_pathname, 5, false);
+ memset(&self->child_stream_address_pathname, 0,
+ sizeof(self->child_stream_address_pathname));
+ set_unix_address(&self->child_stream_address_pathname, 6, false);
+ memset(&self->child_dgram_address_pathname, 0,
+ sizeof(self->child_dgram_address_pathname));
+ set_unix_address(&self->child_dgram_address_pathname, 7, false);
}
FIXTURE_TEARDOWN(scoped_vs_unscoped)
{
+ EXPECT_EQ(0, remove_path(self->parent_stream_address_pathname.unix_addr
+ .sun_path));
+ EXPECT_EQ(0, remove_path(self->parent_dgram_address_pathname.unix_addr
+ .sun_path));
+ EXPECT_EQ(0, remove_path(self->child_stream_address_pathname.unix_addr
+ .sun_path));
+ EXPECT_EQ(0, remove_path(self->child_dgram_address_pathname.unix_addr
+ .sun_path));
+ EXPECT_EQ(0, rmdir(PATHNAME_UNIX_SOCK_DIR));
}
/*
* Test unix_stream_connect and unix_may_send for parent, child and
* grand child processes when they can have scoped or non-scoped domains.
*/
-TEST_F(scoped_vs_unscoped, unix_scoping)
+static void test_scoped_vs_unscoped(struct __test_metadata *const _metadata,
+ FIXTURE_DATA(scoped_vs_unscoped) * self,
+ const FIXTURE_VARIANT(scoped_vs_unscoped) *
+ variant,
+ const bool abstract)
{
pid_t child;
int status;
bool can_connect_to_parent, can_connect_to_child;
int pipe_parent[2];
int stream_server_parent, dgram_server_parent;
+ const __u16 scope = abstract ? LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET :
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
+ const struct service_fixture *parent_stream_address =
+ abstract ? &self->parent_stream_address_abstract :
+ &self->parent_stream_address_pathname;
+ const struct service_fixture *parent_dgram_address =
+ abstract ? &self->parent_dgram_address_abstract :
+ &self->parent_dgram_address_pathname;
+ const struct service_fixture *child_stream_address =
+ abstract ? &self->child_stream_address_abstract :
+ &self->child_stream_address_pathname;
+ const struct service_fixture *child_dgram_address =
+ abstract ? &self->child_dgram_address_abstract :
+ &self->child_dgram_address_pathname;
can_connect_to_child = (variant->domain_grand_child != SCOPE_SANDBOX);
can_connect_to_parent = (can_connect_to_child &&
@@ -594,8 +642,7 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
if (variant->domain_all == OTHER_SANDBOX)
create_fs_domain(_metadata);
else if (variant->domain_all == SCOPE_SANDBOX)
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
child = fork();
ASSERT_LE(0, child);
@@ -609,8 +656,7 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
if (variant->domain_children == OTHER_SANDBOX)
create_fs_domain(_metadata);
else if (variant->domain_children == SCOPE_SANDBOX)
- create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
grand_child = fork();
ASSERT_LE(0, grand_child);
@@ -625,9 +671,7 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
if (variant->domain_grand_child == OTHER_SANDBOX)
create_fs_domain(_metadata);
else if (variant->domain_grand_child == SCOPE_SANDBOX)
- create_scoped_domain(
- _metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
stream_client = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_client);
@@ -636,14 +680,12 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
ASSERT_EQ(1, read(pipe_child[0], &buf, 1));
stream_err = connect(
- stream_client,
- &self->child_stream_address.unix_addr,
- self->child_stream_address.unix_addr_len);
+ stream_client, &child_stream_address->unix_addr,
+ child_stream_address->unix_addr_len);
stream_errno = errno;
- dgram_err = connect(
- dgram_client,
- &self->child_dgram_address.unix_addr,
- self->child_dgram_address.unix_addr_len);
+ dgram_err = connect(dgram_client,
+ &child_dgram_address->unix_addr,
+ child_dgram_address->unix_addr_len);
dgram_errno = errno;
if (can_connect_to_child) {
EXPECT_EQ(0, stream_err);
@@ -661,15 +703,14 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
/* Datagram sockets can "reconnect". */
ASSERT_EQ(1, read(pipe_parent[0], &buf, 1));
- stream_err = connect(
- stream_client,
- &self->parent_stream_address.unix_addr,
- self->parent_stream_address.unix_addr_len);
+ stream_err =
+ connect(stream_client,
+ &parent_stream_address->unix_addr,
+ parent_stream_address->unix_addr_len);
stream_errno = errno;
dgram_err = connect(
- dgram_client,
- &self->parent_dgram_address.unix_addr,
- self->parent_dgram_address.unix_addr_len);
+ dgram_client, &parent_dgram_address->unix_addr,
+ parent_dgram_address->unix_addr_len);
dgram_errno = errno;
if (can_connect_to_parent) {
EXPECT_EQ(0, stream_err);
@@ -690,8 +731,7 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
if (variant->domain_child == OTHER_SANDBOX)
create_fs_domain(_metadata);
else if (variant->domain_child == SCOPE_SANDBOX)
- create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
stream_server_child = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_server_child);
@@ -699,11 +739,11 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
ASSERT_LE(0, dgram_server_child);
ASSERT_EQ(0, bind(stream_server_child,
- &self->child_stream_address.unix_addr,
- self->child_stream_address.unix_addr_len));
+ &child_stream_address->unix_addr,
+ child_stream_address->unix_addr_len));
ASSERT_EQ(0, bind(dgram_server_child,
- &self->child_dgram_address.unix_addr,
- self->child_dgram_address.unix_addr_len));
+ &child_dgram_address->unix_addr,
+ child_dgram_address->unix_addr_len));
ASSERT_EQ(0, listen(stream_server_child, backlog));
ASSERT_EQ(1, write(pipe_child[1], ".", 1));
@@ -717,19 +757,17 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
if (variant->domain_parent == OTHER_SANDBOX)
create_fs_domain(_metadata);
else if (variant->domain_parent == SCOPE_SANDBOX)
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
stream_server_parent = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_server_parent);
dgram_server_parent = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, dgram_server_parent);
- ASSERT_EQ(0, bind(stream_server_parent,
- &self->parent_stream_address.unix_addr,
- self->parent_stream_address.unix_addr_len));
- ASSERT_EQ(0, bind(dgram_server_parent,
- &self->parent_dgram_address.unix_addr,
- self->parent_dgram_address.unix_addr_len));
+ ASSERT_EQ(0,
+ bind(stream_server_parent, &parent_stream_address->unix_addr,
+ parent_stream_address->unix_addr_len));
+ ASSERT_EQ(0, bind(dgram_server_parent, &parent_dgram_address->unix_addr,
+ parent_dgram_address->unix_addr_len));
ASSERT_EQ(0, listen(stream_server_parent, backlog));
@@ -743,57 +781,121 @@ TEST_F(scoped_vs_unscoped, unix_scoping)
_metadata->exit_code = KSFT_FAIL;
}
+TEST_F(scoped_vs_unscoped, unix_scoping_abstract)
+{
+ test_scoped_vs_unscoped(_metadata, self, variant, true);
+}
+
+TEST_F(scoped_vs_unscoped, unix_scoping_pathname)
+{
+ test_scoped_vs_unscoped(_metadata, self, variant, false);
+}
+
FIXTURE(outside_socket)
{
- struct service_fixture address, transit_address;
+ struct service_fixture address_abstract, transit_address_abstract;
+ struct service_fixture address_pathname, transit_address_pathname;
};
FIXTURE_VARIANT(outside_socket)
{
const bool child_socket;
const int type;
+ const bool abstract;
};
/* clang-format off */
-FIXTURE_VARIANT_ADD(outside_socket, allow_dgram_child) {
+FIXTURE_VARIANT_ADD(outside_socket, abstract_allow_dgram_child) {
/* clang-format on */
.child_socket = true,
.type = SOCK_DGRAM,
+ .abstract = true,
};
/* clang-format off */
-FIXTURE_VARIANT_ADD(outside_socket, deny_dgram_server) {
+FIXTURE_VARIANT_ADD(outside_socket, abstract_deny_dgram_server) {
/* clang-format on */
.child_socket = false,
.type = SOCK_DGRAM,
+ .abstract = true,
};
/* clang-format off */
-FIXTURE_VARIANT_ADD(outside_socket, allow_stream_child) {
+FIXTURE_VARIANT_ADD(outside_socket, abstract_allow_stream_child) {
/* clang-format on */
.child_socket = true,
.type = SOCK_STREAM,
+ .abstract = true,
};
/* clang-format off */
-FIXTURE_VARIANT_ADD(outside_socket, deny_stream_server) {
+FIXTURE_VARIANT_ADD(outside_socket, abstract_deny_stream_server) {
/* clang-format on */
.child_socket = false,
.type = SOCK_STREAM,
+ .abstract = true,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(outside_socket, pathname_allow_dgram_child) {
+ /* clang-format on */
+ .child_socket = true,
+ .type = SOCK_DGRAM,
+ .abstract = false,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(outside_socket, pathname_deny_dgram_server) {
+ /* clang-format on */
+ .child_socket = false,
+ .type = SOCK_DGRAM,
+ .abstract = false,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(outside_socket, pathname_allow_stream_child) {
+ /* clang-format on */
+ .child_socket = true,
+ .type = SOCK_STREAM,
+ .abstract = false,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(outside_socket, pathname_deny_stream_server) {
+ /* clang-format on */
+ .child_socket = false,
+ .type = SOCK_STREAM,
+ .abstract = false,
};
FIXTURE_SETUP(outside_socket)
{
drop_caps(_metadata);
- memset(&self->transit_address, 0, sizeof(self->transit_address));
- set_unix_address(&self->transit_address, 0, true);
- memset(&self->address, 0, sizeof(self->address));
- set_unix_address(&self->address, 1, true);
+ ASSERT_EQ(0, mkdir(PATHNAME_UNIX_SOCK_DIR, 0700));
+
+ /* Abstract addresses. */
+ memset(&self->transit_address_abstract, 0,
+ sizeof(self->transit_address_abstract));
+ set_unix_address(&self->transit_address_abstract, 0, true);
+ memset(&self->address_abstract, 0, sizeof(self->address_abstract));
+ set_unix_address(&self->address_abstract, 1, true);
+
+ /* Pathname addresses. */
+ memset(&self->transit_address_pathname, 0,
+ sizeof(self->transit_address_pathname));
+ set_unix_address(&self->transit_address_pathname, 2, false);
+ memset(&self->address_pathname, 0, sizeof(self->address_pathname));
+ set_unix_address(&self->address_pathname, 3, false);
}
FIXTURE_TEARDOWN(outside_socket)
{
+ EXPECT_EQ(
+ 0,
+ remove_path(self->transit_address_pathname.unix_addr.sun_path));
+ EXPECT_EQ(0, remove_path(self->address_pathname.unix_addr.sun_path));
+ EXPECT_EQ(0, rmdir(PATHNAME_UNIX_SOCK_DIR));
}
/*
@@ -807,6 +909,15 @@ TEST_F(outside_socket, socket_with_different_domain)
int pipe_child[2], pipe_parent[2];
char buf_parent;
int server_socket;
+ const __u16 scope = variant->abstract ?
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET :
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
+ const struct service_fixture *transit_address =
+ variant->abstract ? &self->transit_address_abstract :
+ &self->transit_address_pathname;
+ const struct service_fixture *address =
+ variant->abstract ? &self->address_abstract :
+ &self->address_pathname;
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
@@ -821,8 +932,7 @@ TEST_F(outside_socket, socket_with_different_domain)
EXPECT_EQ(0, close(pipe_child[0]));
/* Client always has a domain. */
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
if (variant->child_socket) {
int data_socket, passed_socket, stream_server;
@@ -832,8 +942,8 @@ TEST_F(outside_socket, socket_with_different_domain)
stream_server = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_server);
ASSERT_EQ(0, bind(stream_server,
- &self->transit_address.unix_addr,
- self->transit_address.unix_addr_len));
+ &transit_address->unix_addr,
+ transit_address->unix_addr_len));
ASSERT_EQ(0, listen(stream_server, backlog));
ASSERT_EQ(1, write(pipe_child[1], ".", 1));
data_socket = accept(stream_server, NULL, NULL);
@@ -848,8 +958,8 @@ TEST_F(outside_socket, socket_with_different_domain)
/* Waits for parent signal for connection. */
ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1));
- err = connect(client_socket, &self->address.unix_addr,
- self->address.unix_addr_len);
+ err = connect(client_socket, &address->unix_addr,
+ address->unix_addr_len);
if (variant->child_socket) {
EXPECT_EQ(0, err);
} else {
@@ -868,9 +978,8 @@ TEST_F(outside_socket, socket_with_different_domain)
ASSERT_LE(0, client_child);
ASSERT_EQ(1, read(pipe_child[0], &buf_parent, 1));
- ASSERT_EQ(0, connect(client_child,
- &self->transit_address.unix_addr,
- self->transit_address.unix_addr_len));
+ ASSERT_EQ(0, connect(client_child, &transit_address->unix_addr,
+ transit_address->unix_addr_len));
server_socket = recv_fd(client_child);
EXPECT_EQ(0, close(client_child));
} else {
@@ -879,10 +988,10 @@ TEST_F(outside_socket, socket_with_different_domain)
ASSERT_LE(0, server_socket);
/* Server always has a domain. */
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
- ASSERT_EQ(0, bind(server_socket, &self->address.unix_addr,
- self->address.unix_addr_len));
+ ASSERT_EQ(0, bind(server_socket, &address->unix_addr,
+ address->unix_addr_len));
if (variant->type == SOCK_STREAM)
ASSERT_EQ(0, listen(server_socket, backlog));
@@ -897,52 +1006,90 @@ TEST_F(outside_socket, socket_with_different_domain)
_metadata->exit_code = KSFT_FAIL;
}
-static const char stream_path[] = TMP_DIR "/stream.sock";
-static const char dgram_path[] = TMP_DIR "/dgram.sock";
-
/* clang-format off */
-FIXTURE(various_address_sockets) {};
+FIXTURE(various_address_sockets) {
+ struct service_fixture stream_pathname_addr, dgram_pathname_addr;
+ struct service_fixture stream_abstract_addr, dgram_abstract_addr;
+};
/* clang-format on */
-FIXTURE_VARIANT(various_address_sockets)
-{
- const int domain;
+/*
+ * Test all 4 combinations of abstract and pathname socket scope bits,
+ * plus a case with no Landlock domain at all.
+ */
+/* clang-format off */
+FIXTURE_VARIANT(various_address_sockets) {
+ /* clang-format on */
+ const __u16 scope_bits;
+ const bool no_sandbox;
};
/* clang-format off */
-FIXTURE_VARIANT_ADD(various_address_sockets, pathname_socket_scoped_domain) {
+FIXTURE_VARIANT_ADD(various_address_sockets, scope_abstract) {
/* clang-format on */
- .domain = SCOPE_SANDBOX,
+ .scope_bits = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
};
/* clang-format off */
-FIXTURE_VARIANT_ADD(various_address_sockets, pathname_socket_other_domain) {
+FIXTURE_VARIANT_ADD(various_address_sockets, scope_pathname) {
/* clang-format on */
- .domain = OTHER_SANDBOX,
+ .scope_bits = LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET,
};
/* clang-format off */
-FIXTURE_VARIANT_ADD(various_address_sockets, pathname_socket_no_domain) {
+FIXTURE_VARIANT_ADD(various_address_sockets, scope_both) {
/* clang-format on */
- .domain = NO_SANDBOX,
+ .scope_bits = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(various_address_sockets, scope_none) {
+ /* clang-format on */
+ .scope_bits = 0,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(various_address_sockets, no_domain) {
+ /* clang-format on */
+ .no_sandbox = true,
};
FIXTURE_SETUP(various_address_sockets)
{
drop_caps(_metadata);
- umask(0077);
- ASSERT_EQ(0, mkdir(TMP_DIR, 0700));
+ ASSERT_EQ(0, mkdir(PATHNAME_UNIX_SOCK_DIR, 0700));
+
+ memset(&self->stream_pathname_addr, 0,
+ sizeof(self->stream_pathname_addr));
+ set_unix_address(&self->stream_pathname_addr, 0, false);
+ memset(&self->dgram_pathname_addr, 0,
+ sizeof(self->dgram_pathname_addr));
+ set_unix_address(&self->dgram_pathname_addr, 1, false);
+
+ memset(&self->stream_abstract_addr, 0,
+ sizeof(self->stream_abstract_addr));
+ set_unix_address(&self->stream_abstract_addr, 2, true);
+ memset(&self->dgram_abstract_addr, 0,
+ sizeof(self->dgram_abstract_addr));
+ set_unix_address(&self->dgram_abstract_addr, 3, true);
}
FIXTURE_TEARDOWN(various_address_sockets)
{
- EXPECT_EQ(0, unlink(stream_path));
- EXPECT_EQ(0, unlink(dgram_path));
- EXPECT_EQ(0, rmdir(TMP_DIR));
+ EXPECT_EQ(0,
+ remove_path(self->stream_pathname_addr.unix_addr.sun_path));
+ EXPECT_EQ(0, remove_path(self->dgram_pathname_addr.unix_addr.sun_path));
+ EXPECT_EQ(0, rmdir(PATHNAME_UNIX_SOCK_DIR));
}
-TEST_F(various_address_sockets, scoped_pathname_sockets)
+/*
+ * Test interaction of various scope flags (controlled by variant->domain)
+ * with pathname and abstract sockets when connecting from a sandboxed
+ * child.
+ */
+TEST_F(various_address_sockets, scoped_sockets)
{
pid_t child;
int status;
@@ -951,25 +1098,10 @@ TEST_F(various_address_sockets, scoped_pathname_sockets)
int unnamed_sockets[2];
int stream_pathname_socket, dgram_pathname_socket,
stream_abstract_socket, dgram_abstract_socket, data_socket;
- struct service_fixture stream_abstract_addr, dgram_abstract_addr;
- struct sockaddr_un stream_pathname_addr = {
- .sun_family = AF_UNIX,
- };
- struct sockaddr_un dgram_pathname_addr = {
- .sun_family = AF_UNIX,
- };
-
- /* Pathname address. */
- snprintf(stream_pathname_addr.sun_path,
- sizeof(stream_pathname_addr.sun_path), "%s", stream_path);
- snprintf(dgram_pathname_addr.sun_path,
- sizeof(dgram_pathname_addr.sun_path), "%s", dgram_path);
-
- /* Abstract address. */
- memset(&stream_abstract_addr, 0, sizeof(stream_abstract_addr));
- set_unix_address(&stream_abstract_addr, 0, true);
- memset(&dgram_abstract_addr, 0, sizeof(dgram_abstract_addr));
- set_unix_address(&dgram_abstract_addr, 1, true);
+ bool pathname_restricted =
+ (variant->scope_bits & LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET);
+ bool abstract_restricted =
+ (variant->scope_bits & LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
/* Unnamed address for datagram socket. */
ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_DGRAM, 0, unnamed_sockets));
@@ -984,82 +1116,103 @@ TEST_F(various_address_sockets, scoped_pathname_sockets)
EXPECT_EQ(0, close(pipe_parent[1]));
EXPECT_EQ(0, close(unnamed_sockets[1]));
- if (variant->domain == SCOPE_SANDBOX)
- create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
- else if (variant->domain == OTHER_SANDBOX)
+ /* Create domain based on variant. */
+ if (variant->scope_bits)
+ create_scoped_domain(_metadata, variant->scope_bits);
+ else if (!variant->no_sandbox)
create_fs_domain(_metadata);
/* Waits for parent to listen. */
ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1));
EXPECT_EQ(0, close(pipe_parent[0]));
- /* Checks that we can send data through a datagram socket. */
+ /* Checks that we can send data through an unnamed socket. */
ASSERT_EQ(1, write(unnamed_sockets[0], "a", 1));
EXPECT_EQ(0, close(unnamed_sockets[0]));
/* Connects with pathname sockets. */
stream_pathname_socket = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_pathname_socket);
- ASSERT_EQ(0,
- connect(stream_pathname_socket, &stream_pathname_addr,
- sizeof(stream_pathname_addr)));
- ASSERT_EQ(1, write(stream_pathname_socket, "b", 1));
+ err = connect(stream_pathname_socket,
+ &self->stream_pathname_addr.unix_addr,
+ self->stream_pathname_addr.unix_addr_len);
+ if (pathname_restricted) {
+ EXPECT_EQ(-1, err);
+ EXPECT_EQ(EPERM, errno);
+ } else {
+ EXPECT_EQ(0, err);
+ ASSERT_EQ(1, write(stream_pathname_socket, "b", 1));
+ }
EXPECT_EQ(0, close(stream_pathname_socket));
- /* Sends without connection. */
+ /* Sends without connection (pathname). */
dgram_pathname_socket = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, dgram_pathname_socket);
err = sendto(dgram_pathname_socket, "c", 1, 0,
- &dgram_pathname_addr, sizeof(dgram_pathname_addr));
- EXPECT_EQ(1, err);
-
- /* Sends with connection. */
- ASSERT_EQ(0,
- connect(dgram_pathname_socket, &dgram_pathname_addr,
- sizeof(dgram_pathname_addr)));
- ASSERT_EQ(1, write(dgram_pathname_socket, "d", 1));
+ &self->dgram_pathname_addr.unix_addr,
+ self->dgram_pathname_addr.unix_addr_len);
+ if (pathname_restricted) {
+ EXPECT_EQ(-1, err);
+ EXPECT_EQ(EPERM, errno);
+ } else {
+ EXPECT_EQ(1, err);
+ }
+
+ /* Sends with connection (pathname). */
+ err = connect(dgram_pathname_socket,
+ &self->dgram_pathname_addr.unix_addr,
+ self->dgram_pathname_addr.unix_addr_len);
+ if (pathname_restricted) {
+ EXPECT_EQ(-1, err);
+ EXPECT_EQ(EPERM, errno);
+ } else {
+ EXPECT_EQ(0, err);
+ ASSERT_EQ(1, write(dgram_pathname_socket, "d", 1));
+ }
+
EXPECT_EQ(0, close(dgram_pathname_socket));
/* Connects with abstract sockets. */
stream_abstract_socket = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_abstract_socket);
err = connect(stream_abstract_socket,
- &stream_abstract_addr.unix_addr,
- stream_abstract_addr.unix_addr_len);
- if (variant->domain == SCOPE_SANDBOX) {
+ &self->stream_abstract_addr.unix_addr,
+ self->stream_abstract_addr.unix_addr_len);
+ if (abstract_restricted) {
EXPECT_EQ(-1, err);
EXPECT_EQ(EPERM, errno);
} else {
EXPECT_EQ(0, err);
ASSERT_EQ(1, write(stream_abstract_socket, "e", 1));
}
+
EXPECT_EQ(0, close(stream_abstract_socket));
- /* Sends without connection. */
+ /* Sends without connection (abstract). */
dgram_abstract_socket = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, dgram_abstract_socket);
err = sendto(dgram_abstract_socket, "f", 1, 0,
- &dgram_abstract_addr.unix_addr,
- dgram_abstract_addr.unix_addr_len);
- if (variant->domain == SCOPE_SANDBOX) {
+ &self->dgram_abstract_addr.unix_addr,
+ self->dgram_abstract_addr.unix_addr_len);
+ if (abstract_restricted) {
EXPECT_EQ(-1, err);
EXPECT_EQ(EPERM, errno);
} else {
EXPECT_EQ(1, err);
}
- /* Sends with connection. */
+ /* Sends with connection (abstract). */
err = connect(dgram_abstract_socket,
- &dgram_abstract_addr.unix_addr,
- dgram_abstract_addr.unix_addr_len);
- if (variant->domain == SCOPE_SANDBOX) {
+ &self->dgram_abstract_addr.unix_addr,
+ self->dgram_abstract_addr.unix_addr_len);
+ if (abstract_restricted) {
EXPECT_EQ(-1, err);
EXPECT_EQ(EPERM, errno);
} else {
EXPECT_EQ(0, err);
ASSERT_EQ(1, write(dgram_abstract_socket, "g", 1));
}
+
EXPECT_EQ(0, close(dgram_abstract_socket));
_exit(_metadata->exit_code);
@@ -1071,27 +1224,30 @@ TEST_F(various_address_sockets, scoped_pathname_sockets)
/* Sets up pathname servers. */
stream_pathname_socket = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_pathname_socket);
- ASSERT_EQ(0, bind(stream_pathname_socket, &stream_pathname_addr,
- sizeof(stream_pathname_addr)));
+ ASSERT_EQ(0, bind(stream_pathname_socket,
+ &self->stream_pathname_addr.unix_addr,
+ self->stream_pathname_addr.unix_addr_len));
ASSERT_EQ(0, listen(stream_pathname_socket, backlog));
dgram_pathname_socket = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, dgram_pathname_socket);
- ASSERT_EQ(0, bind(dgram_pathname_socket, &dgram_pathname_addr,
- sizeof(dgram_pathname_addr)));
+ ASSERT_EQ(0, bind(dgram_pathname_socket,
+ &self->dgram_pathname_addr.unix_addr,
+ self->dgram_pathname_addr.unix_addr_len));
/* Sets up abstract servers. */
stream_abstract_socket = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_abstract_socket);
- ASSERT_EQ(0,
- bind(stream_abstract_socket, &stream_abstract_addr.unix_addr,
- stream_abstract_addr.unix_addr_len));
+ ASSERT_EQ(0, bind(stream_abstract_socket,
+ &self->stream_abstract_addr.unix_addr,
+ self->stream_abstract_addr.unix_addr_len));
+ ASSERT_EQ(0, listen(stream_abstract_socket, backlog));
dgram_abstract_socket = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, dgram_abstract_socket);
- ASSERT_EQ(0, bind(dgram_abstract_socket, &dgram_abstract_addr.unix_addr,
- dgram_abstract_addr.unix_addr_len));
- ASSERT_EQ(0, listen(stream_abstract_socket, backlog));
+ ASSERT_EQ(0, bind(dgram_abstract_socket,
+ &self->dgram_abstract_addr.unix_addr,
+ self->dgram_abstract_addr.unix_addr_len));
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
EXPECT_EQ(0, close(pipe_parent[1]));
@@ -1101,24 +1257,31 @@ TEST_F(various_address_sockets, scoped_pathname_sockets)
ASSERT_EQ('a', buf_parent);
EXPECT_LE(0, close(unnamed_sockets[1]));
- /* Reads from pathname sockets. */
- data_socket = accept(stream_pathname_socket, NULL, NULL);
- ASSERT_LE(0, data_socket);
- ASSERT_EQ(1, read(data_socket, &buf_parent, sizeof(buf_parent)));
- ASSERT_EQ('b', buf_parent);
- EXPECT_EQ(0, close(data_socket));
- EXPECT_EQ(0, close(stream_pathname_socket));
+ if (!pathname_restricted) {
+ /*
+ * Reads from pathname sockets if we expect child to be able to
+ * send.
+ */
+ data_socket = accept(stream_pathname_socket, NULL, NULL);
+ ASSERT_LE(0, data_socket);
+ ASSERT_EQ(1,
+ read(data_socket, &buf_parent, sizeof(buf_parent)));
+ ASSERT_EQ('b', buf_parent);
+ EXPECT_EQ(0, close(data_socket));
- ASSERT_EQ(1,
- read(dgram_pathname_socket, &buf_parent, sizeof(buf_parent)));
- ASSERT_EQ('c', buf_parent);
- ASSERT_EQ(1,
- read(dgram_pathname_socket, &buf_parent, sizeof(buf_parent)));
- ASSERT_EQ('d', buf_parent);
- EXPECT_EQ(0, close(dgram_pathname_socket));
+ ASSERT_EQ(1, read(dgram_pathname_socket, &buf_parent,
+ sizeof(buf_parent)));
+ ASSERT_EQ('c', buf_parent);
+ ASSERT_EQ(1, read(dgram_pathname_socket, &buf_parent,
+ sizeof(buf_parent)));
+ ASSERT_EQ('d', buf_parent);
+ }
- if (variant->domain != SCOPE_SANDBOX) {
- /* Reads from abstract sockets if allowed to send. */
+ if (!abstract_restricted) {
+ /*
+ * Reads from abstract sockets if we expect child to be able to
+ * send.
+ */
data_socket = accept(stream_abstract_socket, NULL, NULL);
ASSERT_LE(0, data_socket);
ASSERT_EQ(1,
@@ -1134,30 +1297,76 @@ TEST_F(various_address_sockets, scoped_pathname_sockets)
ASSERT_EQ('g', buf_parent);
}
- /* Waits for all abstract socket tests. */
+ /* Waits for child to complete, and only close the socket afterwards. */
ASSERT_EQ(child, waitpid(child, &status, 0));
EXPECT_EQ(0, close(stream_abstract_socket));
EXPECT_EQ(0, close(dgram_abstract_socket));
+ EXPECT_EQ(0, close(stream_pathname_socket));
+ EXPECT_EQ(0, close(dgram_pathname_socket));
if (WIFSIGNALED(status) || !WIFEXITED(status) ||
WEXITSTATUS(status) != EXIT_SUCCESS)
_metadata->exit_code = KSFT_FAIL;
}
-TEST(datagram_sockets)
+/* Fixture for datagram_sockets and self_connect tests */
+FIXTURE(socket_type_test)
{
struct service_fixture connected_addr, non_connected_addr;
+};
+
+FIXTURE_VARIANT(socket_type_test)
+{
+ const bool abstract;
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(socket_type_test, abstract) {
+ /* clang-format on */
+ .abstract = true,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(socket_type_test, pathname) {
+ /* clang-format on */
+ .abstract = false,
+};
+
+FIXTURE_SETUP(socket_type_test)
+{
+ drop_caps(_metadata);
+
+ if (!variant->abstract)
+ ASSERT_EQ(0, mkdir(PATHNAME_UNIX_SOCK_DIR, 0700));
+
+ memset(&self->connected_addr, 0, sizeof(self->connected_addr));
+ set_unix_address(&self->connected_addr, 0, variant->abstract);
+ memset(&self->non_connected_addr, 0, sizeof(self->non_connected_addr));
+ set_unix_address(&self->non_connected_addr, 1, variant->abstract);
+}
+
+FIXTURE_TEARDOWN(socket_type_test)
+{
+ if (!variant->abstract) {
+ EXPECT_EQ(0,
+ remove_path(self->connected_addr.unix_addr.sun_path));
+ EXPECT_EQ(0,
+ remove_path(
+ self->non_connected_addr.unix_addr.sun_path));
+ EXPECT_EQ(0, rmdir(PATHNAME_UNIX_SOCK_DIR));
+ }
+}
+
+TEST_F(socket_type_test, datagram_sockets)
+{
int server_conn_socket, server_unconn_socket;
int pipe_parent[2], pipe_child[2];
int status;
char buf;
pid_t child;
-
- drop_caps(_metadata);
- memset(&connected_addr, 0, sizeof(connected_addr));
- set_unix_address(&connected_addr, 0, true);
- memset(&non_connected_addr, 0, sizeof(non_connected_addr));
- set_unix_address(&non_connected_addr, 1, true);
+ const __u16 scope = variant->abstract ?
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET :
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
@@ -1177,9 +1386,9 @@ TEST(datagram_sockets)
/* Waits for parent to listen. */
ASSERT_EQ(1, read(pipe_parent[0], &buf, 1));
- ASSERT_EQ(0,
- connect(client_conn_socket, &connected_addr.unix_addr,
- connected_addr.unix_addr_len));
+ ASSERT_EQ(0, connect(client_conn_socket,
+ &self->connected_addr.unix_addr,
+ self->connected_addr.unix_addr_len));
/*
* Both connected and non-connected sockets can send data when
@@ -1187,13 +1396,12 @@ TEST(datagram_sockets)
*/
ASSERT_EQ(1, send(client_conn_socket, ".", 1, 0));
ASSERT_EQ(1, sendto(client_unconn_socket, ".", 1, 0,
- &non_connected_addr.unix_addr,
- non_connected_addr.unix_addr_len));
+ &self->non_connected_addr.unix_addr,
+ self->non_connected_addr.unix_addr_len));
ASSERT_EQ(1, write(pipe_child[1], ".", 1));
/* Scopes the domain. */
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
/*
* Connected socket sends data to the receiver, but the
@@ -1201,8 +1409,8 @@ TEST(datagram_sockets)
*/
ASSERT_EQ(1, send(client_conn_socket, ".", 1, 0));
ASSERT_EQ(-1, sendto(client_unconn_socket, ".", 1, 0,
- &non_connected_addr.unix_addr,
- non_connected_addr.unix_addr_len));
+ &self->non_connected_addr.unix_addr,
+ self->non_connected_addr.unix_addr_len));
ASSERT_EQ(EPERM, errno);
ASSERT_EQ(1, write(pipe_child[1], ".", 1));
@@ -1219,10 +1427,11 @@ TEST(datagram_sockets)
ASSERT_LE(0, server_conn_socket);
ASSERT_LE(0, server_unconn_socket);
- ASSERT_EQ(0, bind(server_conn_socket, &connected_addr.unix_addr,
- connected_addr.unix_addr_len));
- ASSERT_EQ(0, bind(server_unconn_socket, &non_connected_addr.unix_addr,
- non_connected_addr.unix_addr_len));
+ ASSERT_EQ(0, bind(server_conn_socket, &self->connected_addr.unix_addr,
+ self->connected_addr.unix_addr_len));
+ ASSERT_EQ(0, bind(server_unconn_socket,
+ &self->non_connected_addr.unix_addr,
+ self->non_connected_addr.unix_addr_len));
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
/* Waits for child to test. */
@@ -1247,52 +1456,48 @@ TEST(datagram_sockets)
_metadata->exit_code = KSFT_FAIL;
}
-TEST(self_connect)
+TEST_F(socket_type_test, self_connect)
{
- struct service_fixture connected_addr, non_connected_addr;
int connected_socket, non_connected_socket, status;
pid_t child;
-
- drop_caps(_metadata);
- memset(&connected_addr, 0, sizeof(connected_addr));
- set_unix_address(&connected_addr, 0, true);
- memset(&non_connected_addr, 0, sizeof(non_connected_addr));
- set_unix_address(&non_connected_addr, 1, true);
+ const __u16 scope = variant->abstract ?
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET :
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
connected_socket = socket(AF_UNIX, SOCK_DGRAM, 0);
non_connected_socket = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, connected_socket);
ASSERT_LE(0, non_connected_socket);
- ASSERT_EQ(0, bind(connected_socket, &connected_addr.unix_addr,
- connected_addr.unix_addr_len));
- ASSERT_EQ(0, bind(non_connected_socket, &non_connected_addr.unix_addr,
- non_connected_addr.unix_addr_len));
+ ASSERT_EQ(0, bind(connected_socket, &self->connected_addr.unix_addr,
+ self->connected_addr.unix_addr_len));
+ ASSERT_EQ(0, bind(non_connected_socket,
+ &self->non_connected_addr.unix_addr,
+ self->non_connected_addr.unix_addr_len));
child = fork();
ASSERT_LE(0, child);
if (child == 0) {
/* Child's domain is scoped. */
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
/*
* The child inherits the sockets, and cannot connect or
* send data to them.
*/
- ASSERT_EQ(-1,
- connect(connected_socket, &connected_addr.unix_addr,
- connected_addr.unix_addr_len));
+ ASSERT_EQ(-1, connect(connected_socket,
+ &self->connected_addr.unix_addr,
+ self->connected_addr.unix_addr_len));
ASSERT_EQ(EPERM, errno);
ASSERT_EQ(-1, sendto(connected_socket, ".", 1, 0,
- &connected_addr.unix_addr,
- connected_addr.unix_addr_len));
+ &self->connected_addr.unix_addr,
+ self->connected_addr.unix_addr_len));
ASSERT_EQ(EPERM, errno);
ASSERT_EQ(-1, sendto(non_connected_socket, ".", 1, 0,
- &non_connected_addr.unix_addr,
- non_connected_addr.unix_addr_len));
+ &self->non_connected_addr.unix_addr,
+ self->non_connected_addr.unix_addr_len));
ASSERT_EQ(EPERM, errno);
EXPECT_EQ(0, close(connected_socket));
--
2.52.0
^ permalink raw reply related
* [PATCH v3 5/6] selftests/landlock: Repurpose scoped_abstract_unix_test.c for pathname sockets too
From: Tingmao Wang @ 2026-02-03 23:12 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Demi Marie Obenour, Alyssa Ross,
Jann Horn, Tahera Fahimi, Justin Suess, linux-security-module
In-Reply-To: <cover.1770160146.git.m@maowtm.org>
Since there is very little difference between abstract and pathname
sockets in terms of testing of the scoped access checks (the only
difference is in which scope bit control which form of socket), it makes
sense to reuse the existing test for both type of sockets. Therefore,
we rename scoped_abstract_unix_test.c to scoped_unix_test.c and extend
the scoped_domains test to test pathname (i.e. non-abstract) sockets
too.
Since we can't change the variant data of scoped_domains (as it is
defined in the shared .h file), we do this by extracting the actual test
code into a function, and call it from different test cases.
Also extend scoped_audit (this time we can use variants) to test both
abstract and pathname sockets. For pathname sockets, audit_log_lsm_data
will produce path="..." (or hex if path contains control characters)
with absolute paths from the dentry, so we need to construct the escaped
regex for the real path like in fs_test.
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
Changes in v3:
- Fix comment, style, formatting, and reflow the above message
- Update definition of log_match_remaining
...bstract_unix_test.c => scoped_unix_test.c} | 269 ++++++++++++++----
1 file changed, 217 insertions(+), 52 deletions(-)
rename tools/testing/selftests/landlock/{scoped_abstract_unix_test.c => scoped_unix_test.c} (80%)
diff --git a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c b/tools/testing/selftests/landlock/scoped_unix_test.c
similarity index 80%
rename from tools/testing/selftests/landlock/scoped_abstract_unix_test.c
rename to tools/testing/selftests/landlock/scoped_unix_test.c
index 4a790e2d387d..d117c85a2ca7 100644
--- a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
+++ b/tools/testing/selftests/landlock/scoped_unix_test.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0
/*
- * Landlock tests - Abstract UNIX socket
+ * Landlock tests - Scoped access checks for UNIX socket (abstract and
+ * pathname)
*
* Copyright © 2024 Tahera Fahimi <fahimitahera@gmail.com>
*/
@@ -19,6 +20,7 @@
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>
+#include <stdlib.h>
#include "audit.h"
#include "common.h"
@@ -47,7 +49,8 @@ static void create_fs_domain(struct __test_metadata *const _metadata)
FIXTURE(scoped_domains)
{
- struct service_fixture stream_address, dgram_address;
+ struct service_fixture stream_address_abstract, dgram_address_abstract,
+ stream_address_pathname, dgram_address_pathname;
};
#include "scoped_base_variants.h"
@@ -56,27 +59,64 @@ FIXTURE_SETUP(scoped_domains)
{
drop_caps(_metadata);
- memset(&self->stream_address, 0, sizeof(self->stream_address));
- memset(&self->dgram_address, 0, sizeof(self->dgram_address));
- set_unix_address(&self->stream_address, 0, true);
- set_unix_address(&self->dgram_address, 1, true);
+ ASSERT_EQ(0, mkdir(PATHNAME_UNIX_SOCK_DIR, 0700));
+
+ memset(&self->stream_address_abstract, 0,
+ sizeof(self->stream_address_abstract));
+ memset(&self->dgram_address_abstract, 0,
+ sizeof(self->dgram_address_abstract));
+ memset(&self->stream_address_pathname, 0,
+ sizeof(self->stream_address_pathname));
+ memset(&self->dgram_address_pathname, 0,
+ sizeof(self->dgram_address_pathname));
+ set_unix_address(&self->stream_address_abstract, 0, true);
+ set_unix_address(&self->dgram_address_abstract, 1, true);
+ set_unix_address(&self->stream_address_pathname, 0, false);
+ set_unix_address(&self->dgram_address_pathname, 1, false);
+}
+
+/* Remove @path if it exists */
+int remove_path(const char *path)
+{
+ if (unlink(path) == -1) {
+ if (errno != ENOENT)
+ return -errno;
+ }
+ return 0;
}
FIXTURE_TEARDOWN(scoped_domains)
{
+ EXPECT_EQ(0, remove_path(
+ self->stream_address_pathname.unix_addr.sun_path));
+ EXPECT_EQ(0,
+ remove_path(self->dgram_address_pathname.unix_addr.sun_path));
+ EXPECT_EQ(0, rmdir(PATHNAME_UNIX_SOCK_DIR));
}
/*
* Test unix_stream_connect() and unix_may_send() for a child connecting to its
* parent, when they have scoped domain or no domain.
*/
-TEST_F(scoped_domains, connect_to_parent)
+static void test_connect_to_parent(struct __test_metadata *const _metadata,
+ FIXTURE_DATA(scoped_domains) * self,
+ const FIXTURE_VARIANT(scoped_domains) *
+ variant,
+ const bool abstract)
{
pid_t child;
bool can_connect_to_parent;
int status;
int pipe_parent[2];
int stream_server, dgram_server;
+ const __u16 scope = abstract ? LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET :
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
+ const struct service_fixture *stream_address =
+ abstract ? &self->stream_address_abstract :
+ &self->stream_address_pathname;
+ const struct service_fixture *dgram_address =
+ abstract ? &self->dgram_address_abstract :
+ &self->dgram_address_pathname;
/*
* can_connect_to_parent is true if a child process can connect to its
@@ -87,8 +127,7 @@ TEST_F(scoped_domains, connect_to_parent)
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
if (variant->domain_both) {
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
if (!__test_passed(_metadata))
return;
}
@@ -102,8 +141,7 @@ TEST_F(scoped_domains, connect_to_parent)
EXPECT_EQ(0, close(pipe_parent[1]));
if (variant->domain_child)
- create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
stream_client = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_client);
@@ -113,8 +151,8 @@ TEST_F(scoped_domains, connect_to_parent)
/* Waits for the server. */
ASSERT_EQ(1, read(pipe_parent[0], &buf_child, 1));
- err = connect(stream_client, &self->stream_address.unix_addr,
- self->stream_address.unix_addr_len);
+ err = connect(stream_client, &stream_address->unix_addr,
+ stream_address->unix_addr_len);
if (can_connect_to_parent) {
EXPECT_EQ(0, err);
} else {
@@ -123,8 +161,8 @@ TEST_F(scoped_domains, connect_to_parent)
}
EXPECT_EQ(0, close(stream_client));
- err = connect(dgram_client, &self->dgram_address.unix_addr,
- self->dgram_address.unix_addr_len);
+ err = connect(dgram_client, &dgram_address->unix_addr,
+ dgram_address->unix_addr_len);
if (can_connect_to_parent) {
EXPECT_EQ(0, err);
} else {
@@ -137,17 +175,16 @@ TEST_F(scoped_domains, connect_to_parent)
}
EXPECT_EQ(0, close(pipe_parent[0]));
if (variant->domain_parent)
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
stream_server = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, stream_server);
dgram_server = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, dgram_server);
- ASSERT_EQ(0, bind(stream_server, &self->stream_address.unix_addr,
- self->stream_address.unix_addr_len));
- ASSERT_EQ(0, bind(dgram_server, &self->dgram_address.unix_addr,
- self->dgram_address.unix_addr_len));
+ ASSERT_EQ(0, bind(stream_server, &stream_address->unix_addr,
+ stream_address->unix_addr_len));
+ ASSERT_EQ(0, bind(dgram_server, &dgram_address->unix_addr,
+ dgram_address->unix_addr_len));
ASSERT_EQ(0, listen(stream_server, backlog));
/* Signals to child that the parent is listening. */
@@ -166,7 +203,11 @@ TEST_F(scoped_domains, connect_to_parent)
* Test unix_stream_connect() and unix_may_send() for a parent connecting to
* its child, when they have scoped domain or no domain.
*/
-TEST_F(scoped_domains, connect_to_child)
+static void test_connect_to_child(struct __test_metadata *const _metadata,
+ FIXTURE_DATA(scoped_domains) * self,
+ const FIXTURE_VARIANT(scoped_domains) *
+ variant,
+ const bool abstract)
{
pid_t child;
bool can_connect_to_child;
@@ -174,6 +215,14 @@ TEST_F(scoped_domains, connect_to_child)
int pipe_child[2], pipe_parent[2];
char buf;
int stream_client, dgram_client;
+ const __u16 scope = abstract ? LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET :
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
+ const struct service_fixture *stream_address =
+ abstract ? &self->stream_address_abstract :
+ &self->stream_address_pathname;
+ const struct service_fixture *dgram_address =
+ abstract ? &self->dgram_address_abstract :
+ &self->dgram_address_pathname;
/*
* can_connect_to_child is true if a parent process can connect to its
@@ -185,8 +234,7 @@ TEST_F(scoped_domains, connect_to_child)
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
if (variant->domain_both) {
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
if (!__test_passed(_metadata))
return;
}
@@ -199,8 +247,7 @@ TEST_F(scoped_domains, connect_to_child)
EXPECT_EQ(0, close(pipe_parent[1]));
EXPECT_EQ(0, close(pipe_child[0]));
if (variant->domain_child)
- create_scoped_domain(
- _metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
/* Waits for the parent to be in a domain, if any. */
ASSERT_EQ(1, read(pipe_parent[0], &buf, 1));
@@ -209,11 +256,10 @@ TEST_F(scoped_domains, connect_to_child)
ASSERT_LE(0, stream_server);
dgram_server = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, dgram_server);
- ASSERT_EQ(0,
- bind(stream_server, &self->stream_address.unix_addr,
- self->stream_address.unix_addr_len));
- ASSERT_EQ(0, bind(dgram_server, &self->dgram_address.unix_addr,
- self->dgram_address.unix_addr_len));
+ ASSERT_EQ(0, bind(stream_server, &stream_address->unix_addr,
+ stream_address->unix_addr_len));
+ ASSERT_EQ(0, bind(dgram_server, &dgram_address->unix_addr,
+ dgram_address->unix_addr_len));
ASSERT_EQ(0, listen(stream_server, backlog));
/* Signals to the parent that child is listening. */
@@ -230,8 +276,7 @@ TEST_F(scoped_domains, connect_to_child)
EXPECT_EQ(0, close(pipe_parent[0]));
if (variant->domain_parent)
- create_scoped_domain(_metadata,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata, scope);
/* Signals that the parent is in a domain, if any. */
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
@@ -243,11 +288,11 @@ TEST_F(scoped_domains, connect_to_child)
/* Waits for the child to listen */
ASSERT_EQ(1, read(pipe_child[0], &buf, 1));
- err_stream = connect(stream_client, &self->stream_address.unix_addr,
- self->stream_address.unix_addr_len);
+ err_stream = connect(stream_client, &stream_address->unix_addr,
+ stream_address->unix_addr_len);
errno_stream = errno;
- err_dgram = connect(dgram_client, &self->dgram_address.unix_addr,
- self->dgram_address.unix_addr_len);
+ err_dgram = connect(dgram_client, &dgram_address->unix_addr,
+ dgram_address->unix_addr_len);
errno_dgram = errno;
if (can_connect_to_child) {
EXPECT_EQ(0, err_stream);
@@ -268,19 +313,79 @@ TEST_F(scoped_domains, connect_to_child)
_metadata->exit_code = KSFT_FAIL;
}
+/*
+ * Test unix_stream_connect() and unix_may_send() for a child connecting to its
+ * parent, when they have scoped domain or no domain.
+ */
+TEST_F(scoped_domains, abstract_connect_to_parent)
+{
+ test_connect_to_parent(_metadata, self, variant, true);
+}
+
+/*
+ * Test unix_stream_connect() and unix_may_send() for a parent connecting to
+ * its child, when they have scoped domain or no domain.
+ */
+TEST_F(scoped_domains, abstract_connect_to_child)
+{
+ test_connect_to_child(_metadata, self, variant, true);
+}
+
+/*
+ * Test unix_stream_connect() and unix_may_send() for a child connecting to its
+ * parent with pathname sockets.
+ */
+TEST_F(scoped_domains, pathname_connect_to_parent)
+{
+ test_connect_to_parent(_metadata, self, variant, false);
+}
+
+/*
+ * Test unix_stream_connect() and unix_may_send() for a parent connecting to
+ * its child with pathname sockets.
+ */
+TEST_F(scoped_domains, pathname_connect_to_child)
+{
+ test_connect_to_child(_metadata, self, variant, false);
+}
+
FIXTURE(scoped_audit)
{
- struct service_fixture dgram_address;
+ struct service_fixture dgram_address_abstract, dgram_address_pathname;
struct audit_filter audit_filter;
int audit_fd;
};
+FIXTURE_VARIANT(scoped_audit)
+{
+ const bool abstract_socket;
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(scoped_audit, abstract_socket)
+{
+ /* clang-format on */
+ .abstract_socket = true,
+};
+
+/* clang-format off */
+FIXTURE_VARIANT_ADD(scoped_audit, pathname_socket)
+{
+ /* clang-format on */
+ .abstract_socket = false,
+};
+
FIXTURE_SETUP(scoped_audit)
{
disable_caps(_metadata);
- memset(&self->dgram_address, 0, sizeof(self->dgram_address));
- set_unix_address(&self->dgram_address, 1, true);
+ ASSERT_EQ(0, mkdir(PATHNAME_UNIX_SOCK_DIR, 0700));
+ memset(&self->dgram_address_abstract, 0,
+ sizeof(self->dgram_address_abstract));
+ memset(&self->dgram_address_pathname, 0,
+ sizeof(self->dgram_address_pathname));
+ set_unix_address(&self->dgram_address_abstract, 1, true);
+ set_unix_address(&self->dgram_address_pathname, 1, false);
set_cap(_metadata, CAP_AUDIT_CONTROL);
self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
@@ -291,6 +396,9 @@ FIXTURE_SETUP(scoped_audit)
FIXTURE_TEARDOWN_PARENT(scoped_audit)
{
EXPECT_EQ(0, audit_cleanup(-1, NULL));
+ EXPECT_EQ(0,
+ remove_path(self->dgram_address_pathname.unix_addr.sun_path));
+ EXPECT_EQ(0, rmdir(PATHNAME_UNIX_SOCK_DIR));
}
/* python -c 'print(b"\0selftests-landlock-abstract-unix-".hex().upper())' */
@@ -308,6 +416,22 @@ TEST_F(scoped_audit, connect_to_child)
char buf;
int dgram_client;
struct audit_records records;
+ struct service_fixture *const dgram_address =
+ variant->abstract_socket ? &self->dgram_address_abstract :
+ &self->dgram_address_pathname;
+ static const char abstract_log_regex[] = REGEX_LANDLOCK_PREFIX
+ " blockers=scope\\.abstract_unix_socket path=" ABSTRACT_SOCKET_PATH_PREFIX
+ "[0-9A-F]\\+$";
+ static const char pathname_log_template[] = REGEX_LANDLOCK_PREFIX
+ " blockers=scope\\.pathname_unix_socket path=\"%s\"$";
+ size_t log_match_remaining =
+ sizeof(abstract_log_regex) + PATH_MAX * 2 + 1;
+ char log_match[log_match_remaining];
+ char *log_match_cursor = log_match;
+
+ /* Make sure log_match_remaining calculation is correct */
+ static_assert(sizeof(pathname_log_template) <
+ sizeof(abstract_log_regex));
/* Makes sure there is no superfluous logged records. */
EXPECT_EQ(0, audit_count_records(self->audit_fd, &records));
@@ -330,8 +454,8 @@ TEST_F(scoped_audit, connect_to_child)
dgram_server = socket(AF_UNIX, SOCK_DGRAM, 0);
ASSERT_LE(0, dgram_server);
- ASSERT_EQ(0, bind(dgram_server, &self->dgram_address.unix_addr,
- self->dgram_address.unix_addr_len));
+ ASSERT_EQ(0, bind(dgram_server, &dgram_address->unix_addr,
+ dgram_address->unix_addr_len));
/* Signals to the parent that child is listening. */
ASSERT_EQ(1, write(pipe_child[1], ".", 1));
@@ -345,7 +469,9 @@ TEST_F(scoped_audit, connect_to_child)
EXPECT_EQ(0, close(pipe_child[1]));
EXPECT_EQ(0, close(pipe_parent[0]));
- create_scoped_domain(_metadata, LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ create_scoped_domain(_metadata,
+ LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET);
/* Signals that the parent is in a domain, if any. */
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
@@ -355,19 +481,58 @@ TEST_F(scoped_audit, connect_to_child)
/* Waits for the child to listen */
ASSERT_EQ(1, read(pipe_child[0], &buf, 1));
- err_dgram = connect(dgram_client, &self->dgram_address.unix_addr,
- self->dgram_address.unix_addr_len);
+ err_dgram = connect(dgram_client, &dgram_address->unix_addr,
+ dgram_address->unix_addr_len);
EXPECT_EQ(-1, err_dgram);
EXPECT_EQ(EPERM, errno);
- EXPECT_EQ(
- 0,
- audit_match_record(
- self->audit_fd, AUDIT_LANDLOCK_ACCESS,
+ if (variant->abstract_socket) {
+ log_match_cursor = stpncpy(log_match, abstract_log_regex,
+ log_match_remaining);
+ log_match_remaining =
+ sizeof(log_match) - (log_match_cursor - log_match);
+ ASSERT_NE(0, log_match_remaining);
+ } else {
+ /*
+ * It is assumed that absolute_path does not contain control
+ * characters nor spaces, see audit_string_contains_control().
+ */
+ char *const absolute_path =
+ realpath(dgram_address->unix_addr.sun_path, NULL);
+
+ EXPECT_NE(NULL, absolute_path)
+ {
+ TH_LOG("realpath() failed: %s", strerror(errno));
+ return;
+ }
+
+ log_match_cursor = stpncpy(
+ log_match,
REGEX_LANDLOCK_PREFIX
- " blockers=scope\\.abstract_unix_socket path=" ABSTRACT_SOCKET_PATH_PREFIX
- "[0-9A-F]\\+$",
- NULL));
+ " blockers=scope\\.pathname_unix_socket path=\"",
+ log_match_remaining);
+ log_match_remaining =
+ sizeof(log_match) - (log_match_cursor - log_match);
+ ASSERT_NE(0, log_match_remaining);
+ log_match_cursor = regex_escape(absolute_path, log_match_cursor,
+ log_match_remaining);
+ free(absolute_path);
+ if (log_match_cursor < 0) {
+ TH_LOG("regex_escape() failed (buffer too small)");
+ return;
+ }
+ log_match_remaining =
+ sizeof(log_match) - (log_match_cursor - log_match);
+ ASSERT_NE(0, log_match_remaining);
+ log_match_cursor =
+ stpncpy(log_match_cursor, "\"$", log_match_remaining);
+ log_match_remaining =
+ sizeof(log_match) - (log_match_cursor - log_match);
+ ASSERT_NE(0, log_match_remaining);
+ }
+
+ EXPECT_EQ(0, audit_match_record(self->audit_fd, AUDIT_LANDLOCK_ACCESS,
+ log_match, NULL));
ASSERT_EQ(1, write(pipe_parent[1], ".", 1));
EXPECT_EQ(0, close(dgram_client));
--
2.52.0
^ permalink raw reply related
* [PATCH v3 4/6] selftests/landlock: Support pathname socket path in set_unix_address
From: Tingmao Wang @ 2026-02-03 23:12 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Demi Marie Obenour, Alyssa Ross,
Jann Horn, Tahera Fahimi, Justin Suess, linux-security-module
In-Reply-To: <cover.1770160146.git.m@maowtm.org>
To prepare for extending the socket tests to do non-abstract sockets too,
extend set_unix_address() to also be able to populate a non-abstract
socket path under TMP_DIR. Also use snprintf for good measure.
This also changes existing callers to pass true for the abstract argument.
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
tools/testing/selftests/landlock/common.h | 33 +++++++++++++++----
tools/testing/selftests/landlock/net_test.c | 2 +-
.../landlock/scoped_abstract_unix_test.c | 30 ++++++++---------
.../selftests/landlock/scoped_signal_test.c | 2 +-
4 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
index 90551650299c..c55c11434e27 100644
--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@@ -241,13 +241,34 @@ struct service_fixture {
};
};
+#define PATHNAME_UNIX_SOCK_DIR TMP_DIR
+
+/**
+ * set_unix_address - Set up srv->unix_addr and srv->unix_addr_len.
+ * @srv: Service fixture containing the socket address to initialize
+ * @index: Index to include in socket names
+ * @abstract: If true, creates an abstract socket address (sun_path[0] ==
+ * '\0') with the given name. If false, creates a pathname socket
+ * address with the given path.
+ */
static void __maybe_unused set_unix_address(struct service_fixture *const srv,
- const unsigned short index)
+ const unsigned short index,
+ const bool abstract)
{
srv->unix_addr.sun_family = AF_UNIX;
- sprintf(srv->unix_addr.sun_path,
- "_selftests-landlock-abstract-unix-tid%d-index%d", sys_gettid(),
- index);
- srv->unix_addr_len = SUN_LEN(&srv->unix_addr);
- srv->unix_addr.sun_path[0] = '\0';
+ if (abstract) {
+ snprintf(srv->unix_addr.sun_path,
+ sizeof(srv->unix_addr.sun_path),
+ "_selftests-landlock-abstract-unix-tid%d-index%d",
+ sys_gettid(), index);
+ srv->unix_addr_len = SUN_LEN(&srv->unix_addr);
+ srv->unix_addr.sun_path[0] = '\0';
+ } else {
+ snprintf(srv->unix_addr.sun_path,
+ sizeof(srv->unix_addr.sun_path),
+ PATHNAME_UNIX_SOCK_DIR
+ "/pathname-unix-tid%d-index%d.sock",
+ sys_gettid(), index);
+ srv->unix_addr_len = sizeof(srv->unix_addr);
+ }
}
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index b34b139b3f89..fd3fe51ce92f 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -69,7 +69,7 @@ static int set_service(struct service_fixture *const srv,
return 0;
case AF_UNIX:
- set_unix_address(srv, index);
+ set_unix_address(srv, index, true);
return 0;
}
return 1;
diff --git a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
index 72f97648d4a7..4a790e2d387d 100644
--- a/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
+++ b/tools/testing/selftests/landlock/scoped_abstract_unix_test.c
@@ -58,8 +58,8 @@ FIXTURE_SETUP(scoped_domains)
memset(&self->stream_address, 0, sizeof(self->stream_address));
memset(&self->dgram_address, 0, sizeof(self->dgram_address));
- set_unix_address(&self->stream_address, 0);
- set_unix_address(&self->dgram_address, 1);
+ set_unix_address(&self->stream_address, 0, true);
+ set_unix_address(&self->dgram_address, 1, true);
}
FIXTURE_TEARDOWN(scoped_domains)
@@ -280,7 +280,7 @@ FIXTURE_SETUP(scoped_audit)
disable_caps(_metadata);
memset(&self->dgram_address, 0, sizeof(self->dgram_address));
- set_unix_address(&self->dgram_address, 1);
+ set_unix_address(&self->dgram_address, 1, true);
set_cap(_metadata, CAP_AUDIT_CONTROL);
self->audit_fd = audit_init_with_exe_filter(&self->audit_filter);
@@ -392,16 +392,16 @@ FIXTURE_SETUP(scoped_vs_unscoped)
memset(&self->parent_stream_address, 0,
sizeof(self->parent_stream_address));
- set_unix_address(&self->parent_stream_address, 0);
+ set_unix_address(&self->parent_stream_address, 0, true);
memset(&self->parent_dgram_address, 0,
sizeof(self->parent_dgram_address));
- set_unix_address(&self->parent_dgram_address, 1);
+ set_unix_address(&self->parent_dgram_address, 1, true);
memset(&self->child_stream_address, 0,
sizeof(self->child_stream_address));
- set_unix_address(&self->child_stream_address, 2);
+ set_unix_address(&self->child_stream_address, 2, true);
memset(&self->child_dgram_address, 0,
sizeof(self->child_dgram_address));
- set_unix_address(&self->child_dgram_address, 3);
+ set_unix_address(&self->child_dgram_address, 3, true);
}
FIXTURE_TEARDOWN(scoped_vs_unscoped)
@@ -622,9 +622,9 @@ FIXTURE_SETUP(outside_socket)
drop_caps(_metadata);
memset(&self->transit_address, 0, sizeof(self->transit_address));
- set_unix_address(&self->transit_address, 0);
+ set_unix_address(&self->transit_address, 0, true);
memset(&self->address, 0, sizeof(self->address));
- set_unix_address(&self->address, 1);
+ set_unix_address(&self->address, 1, true);
}
FIXTURE_TEARDOWN(outside_socket)
@@ -802,9 +802,9 @@ TEST_F(various_address_sockets, scoped_pathname_sockets)
/* Abstract address. */
memset(&stream_abstract_addr, 0, sizeof(stream_abstract_addr));
- set_unix_address(&stream_abstract_addr, 0);
+ set_unix_address(&stream_abstract_addr, 0, true);
memset(&dgram_abstract_addr, 0, sizeof(dgram_abstract_addr));
- set_unix_address(&dgram_abstract_addr, 1);
+ set_unix_address(&dgram_abstract_addr, 1, true);
/* Unnamed address for datagram socket. */
ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_DGRAM, 0, unnamed_sockets));
@@ -990,9 +990,9 @@ TEST(datagram_sockets)
drop_caps(_metadata);
memset(&connected_addr, 0, sizeof(connected_addr));
- set_unix_address(&connected_addr, 0);
+ set_unix_address(&connected_addr, 0, true);
memset(&non_connected_addr, 0, sizeof(non_connected_addr));
- set_unix_address(&non_connected_addr, 1);
+ set_unix_address(&non_connected_addr, 1, true);
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
@@ -1090,9 +1090,9 @@ TEST(self_connect)
drop_caps(_metadata);
memset(&connected_addr, 0, sizeof(connected_addr));
- set_unix_address(&connected_addr, 0);
+ set_unix_address(&connected_addr, 0, true);
memset(&non_connected_addr, 0, sizeof(non_connected_addr));
- set_unix_address(&non_connected_addr, 1);
+ set_unix_address(&non_connected_addr, 1, true);
connected_socket = socket(AF_UNIX, SOCK_DGRAM, 0);
non_connected_socket = socket(AF_UNIX, SOCK_DGRAM, 0);
diff --git a/tools/testing/selftests/landlock/scoped_signal_test.c b/tools/testing/selftests/landlock/scoped_signal_test.c
index d8bf33417619..8d1e1dc89c43 100644
--- a/tools/testing/selftests/landlock/scoped_signal_test.c
+++ b/tools/testing/selftests/landlock/scoped_signal_test.c
@@ -463,7 +463,7 @@ TEST_F(fown, sigurg_socket)
pid_t child;
memset(&server_address, 0, sizeof(server_address));
- set_unix_address(&server_address, 0);
+ set_unix_address(&server_address, 0, true);
ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
ASSERT_EQ(0, pipe2(pipe_child, O_CLOEXEC));
--
2.52.0
^ permalink raw reply related
* [PATCH v3 3/6] samples/landlock: Support LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
From: Tingmao Wang @ 2026-02-03 23:12 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Demi Marie Obenour, Alyssa Ross,
Jann Horn, Tahera Fahimi, Justin Suess, linux-security-module
In-Reply-To: <cover.1770160146.git.m@maowtm.org>
Add support for this new scope bit to the sandboxer via LL_SCOPED=u
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
Changes in v3:
- Add message
samples/landlock/sandboxer.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index e7af02f98208..2de14e1c787d 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -234,14 +234,16 @@ static bool check_ruleset_scope(const char *const env_var,
bool error = false;
bool abstract_scoping = false;
bool signal_scoping = false;
+ bool named_scoping = false;
/* Scoping is not supported by Landlock ABI */
if (!(ruleset_attr->scoped &
- (LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL)))
+ (LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET | LANDLOCK_SCOPE_SIGNAL |
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET)))
goto out_unset;
env_type_scope = getenv(env_var);
- /* Scoping is not supported by the user */
+ /* Scoping is not requested by the user */
if (!env_type_scope || strcmp("", env_type_scope) == 0)
goto out_unset;
@@ -254,6 +256,9 @@ static bool check_ruleset_scope(const char *const env_var,
} else if (strcmp("s", ipc_scoping_name) == 0 &&
!signal_scoping) {
signal_scoping = true;
+ } else if (strcmp("u", ipc_scoping_name) == 0 &&
+ !named_scoping) {
+ named_scoping = true;
} else {
fprintf(stderr, "Unknown or duplicate scope \"%s\"\n",
ipc_scoping_name);
@@ -270,6 +275,8 @@ static bool check_ruleset_scope(const char *const env_var,
ruleset_attr->scoped &= ~LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET;
if (!signal_scoping)
ruleset_attr->scoped &= ~LANDLOCK_SCOPE_SIGNAL;
+ if (!named_scoping)
+ ruleset_attr->scoped &= ~LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
unsetenv(env_var);
return error;
@@ -299,7 +306,7 @@ static bool check_ruleset_scope(const char *const env_var,
/* clang-format on */
-#define LANDLOCK_ABI_LAST 7
+#define LANDLOCK_ABI_LAST 8
#define XSTR(s) #s
#define STR(s) XSTR(s)
@@ -325,6 +332,7 @@ static const char help[] =
"* " ENV_SCOPED_NAME ": actions denied on the outside of the landlock domain\n"
" - \"a\" to restrict opening abstract unix sockets\n"
" - \"s\" to restrict sending signals\n"
+ " - \"u\" to restrict opening pathname (non-abstract) unix sockets\n"
"\n"
"A sandboxer should not log denied access requests to avoid spamming logs, "
"but to test audit we can set " ENV_FORCE_LOG_NAME "=1\n"
@@ -334,7 +342,7 @@ static const char help[] =
ENV_FS_RW_NAME "=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
ENV_TCP_BIND_NAME "=\"9418\" "
ENV_TCP_CONNECT_NAME "=\"80:443\" "
- ENV_SCOPED_NAME "=\"a:s\" "
+ ENV_SCOPED_NAME "=\"a:s:u\" "
"%1$s bash -i\n"
"\n"
"This sandboxer can use Landlock features up to ABI version "
@@ -356,7 +364,8 @@ int main(const int argc, char *const argv[], char *const *const envp)
.handled_access_net = LANDLOCK_ACCESS_NET_BIND_TCP |
LANDLOCK_ACCESS_NET_CONNECT_TCP,
.scoped = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
- LANDLOCK_SCOPE_SIGNAL,
+ LANDLOCK_SCOPE_SIGNAL |
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET,
};
int supported_restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
int set_restrict_flags = 0;
@@ -436,6 +445,10 @@ int main(const int argc, char *const argv[], char *const *const envp)
/* Removes LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON for ABI < 7 */
supported_restrict_flags &=
~LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
+ __attribute__((fallthrough));
+ case 7:
+ /* Removes LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET for ABI < 8 */
+ ruleset_attr.scoped &= ~LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
/* Must be printed for any ABI < LANDLOCK_ABI_LAST. */
fprintf(stderr,
--
2.52.0
^ permalink raw reply related
* [PATCH v3 2/6] landlock: Implement LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
From: Tingmao Wang @ 2026-02-03 23:12 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Demi Marie Obenour, Alyssa Ross,
Jann Horn, Tahera Fahimi, Justin Suess, linux-security-module
In-Reply-To: <cover.1770160146.git.m@maowtm.org>
Extend the existing abstract UNIX socket scoping to pathname sockets as
well. Basically all of the logic is reused between the two types, just
that pathname sockets scoping are controlled by another bit, and has its
own audit request type (since the current one is named
"abstract_unix_socket").
Closes: https://github.com/landlock-lsm/linux/issues/51
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
Changes in v3:
- missing dot in comment
- More accurate comment on check_socket_access
- Unix -> UNIX
Changes in v2:
- Factor out common code in hook_unix_stream_connect and
hook_unix_may_send into check_socket_access(), and inline
is_abstract_socket().
security/landlock/audit.c | 4 ++
security/landlock/audit.h | 1 +
security/landlock/task.c | 113 ++++++++++++++++++++++----------------
3 files changed, 71 insertions(+), 47 deletions(-)
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index 650bd7f5cb6b..97f0f503a836 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -75,6 +75,10 @@ get_blocker(const enum landlock_request_type type,
WARN_ON_ONCE(access_bit != -1);
return "scope.abstract_unix_socket";
+ case LANDLOCK_REQUEST_SCOPE_PATHNAME_UNIX_SOCKET:
+ WARN_ON_ONCE(access_bit != -1);
+ return "scope.pathname_unix_socket";
+
case LANDLOCK_REQUEST_SCOPE_SIGNAL:
WARN_ON_ONCE(access_bit != -1);
return "scope.signal";
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 104472060ef5..0e40fed17f21 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -21,6 +21,7 @@ enum landlock_request_type {
LANDLOCK_REQUEST_NET_ACCESS,
LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
LANDLOCK_REQUEST_SCOPE_SIGNAL,
+ LANDLOCK_REQUEST_SCOPE_PATHNAME_UNIX_SOCKET,
};
/*
diff --git a/security/landlock/task.c b/security/landlock/task.c
index 833bc0cfe5c9..973de1efc08a 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -232,35 +232,85 @@ static bool domain_is_scoped(const struct landlock_ruleset *const client,
return false;
}
+/**
+ * sock_is_scoped - Check if socket connect or send should be restricted
+ * based on scope controls.
+ *
+ * @other: The server socket.
+ * @domain: The client domain.
+ * @scope: The relevant scope bit to check (i.e. pathname or abstract).
+ *
+ * Returns: True if connect should be restricted, false otherwise.
+ */
static bool sock_is_scoped(struct sock *const other,
- const struct landlock_ruleset *const domain)
+ const struct landlock_ruleset *const domain,
+ access_mask_t scope)
{
const struct landlock_ruleset *dom_other;
/* The credentials will not change. */
lockdep_assert_held(&unix_sk(other)->lock);
dom_other = landlock_cred(other->sk_socket->file->f_cred)->domain;
- return domain_is_scoped(domain, dom_other,
- LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET);
+ return domain_is_scoped(domain, dom_other, scope);
}
-static bool is_abstract_socket(struct sock *const sock)
+/*
+ * Allow us to quickly test if the current domain scopes any form of
+ * socket.
+ */
+static const struct access_masks unix_scope = {
+ .scope = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET,
+};
+
+/*
+ * UNIX sockets can have three types of addresses: pathname (a filesystem path),
+ * unnamed (not bound to an address), and abstract (sun_path[0] is '\0').
+ * Unnamed sockets include those created with socketpair() and unbound sockets.
+ * We do not restrict unnamed sockets since they cannot be used to reach a
+ * new peer.
+ */
+static int
+check_socket_access(struct sock *const other,
+ const struct landlock_cred_security *const subject,
+ const size_t handle_layer)
{
- struct unix_address *addr = unix_sk(sock)->addr;
+ const struct unix_address *addr = unix_sk(other)->addr;
+ access_mask_t scope;
+ enum landlock_request_type request_type;
+ /* Unnamed sockets are not restricted. */
if (!addr)
- return false;
+ return 0;
+ /*
+ * Abstract and pathname UNIX sockets have separate scope and audit
+ * request type.
+ */
if (addr->len >= offsetof(struct sockaddr_un, sun_path) + 1 &&
- addr->name->sun_path[0] == '\0')
- return true;
+ addr->name->sun_path[0] == '\0') {
+ scope = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET;
+ request_type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET;
+ } else {
+ scope = LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
+ request_type = LANDLOCK_REQUEST_SCOPE_PATHNAME_UNIX_SOCKET;
+ }
- return false;
-}
+ if (!sock_is_scoped(other, subject->domain, scope))
+ return 0;
-static const struct access_masks unix_scope = {
- .scope = LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET,
-};
+ landlock_log_denial(subject, &(struct landlock_request) {
+ .type = request_type,
+ .audit = {
+ .type = LSM_AUDIT_DATA_NET,
+ .u.net = &(struct lsm_network_audit) {
+ .sk = other,
+ },
+ },
+ .layer_plus_one = handle_layer + 1,
+ });
+ return -EPERM;
+}
static int hook_unix_stream_connect(struct sock *const sock,
struct sock *const other,
@@ -275,23 +325,7 @@ static int hook_unix_stream_connect(struct sock *const sock,
if (!subject)
return 0;
- if (!is_abstract_socket(other))
- return 0;
-
- if (!sock_is_scoped(other, subject->domain))
- return 0;
-
- landlock_log_denial(subject, &(struct landlock_request) {
- .type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
- .audit = {
- .type = LSM_AUDIT_DATA_NET,
- .u.net = &(struct lsm_network_audit) {
- .sk = other,
- },
- },
- .layer_plus_one = handle_layer + 1,
- });
- return -EPERM;
+ return check_socket_access(other, subject, handle_layer);
}
static int hook_unix_may_send(struct socket *const sock,
@@ -302,6 +336,7 @@ static int hook_unix_may_send(struct socket *const sock,
landlock_get_applicable_subject(current_cred(), unix_scope,
&handle_layer);
+ /* Quick return for non-landlocked tasks. */
if (!subject)
return 0;
@@ -312,23 +347,7 @@ static int hook_unix_may_send(struct socket *const sock,
if (unix_peer(sock->sk) == other->sk)
return 0;
- if (!is_abstract_socket(other->sk))
- return 0;
-
- if (!sock_is_scoped(other->sk, subject->domain))
- return 0;
-
- landlock_log_denial(subject, &(struct landlock_request) {
- .type = LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
- .audit = {
- .type = LSM_AUDIT_DATA_NET,
- .u.net = &(struct lsm_network_audit) {
- .sk = other->sk,
- },
- },
- .layer_plus_one = handle_layer + 1,
- });
- return -EPERM;
+ return check_socket_access(other->sk, subject, handle_layer);
}
static const struct access_masks signal_scope = {
--
2.52.0
^ permalink raw reply related
* [PATCH v3 1/6] landlock: Add LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET scope bit to uAPI
From: Tingmao Wang @ 2026-02-03 23:12 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Demi Marie Obenour, Alyssa Ross,
Jann Horn, Tahera Fahimi, Justin Suess, linux-security-module
In-Reply-To: <cover.1770160146.git.m@maowtm.org>
Add the new scope bit to the uAPI header, add documentation, and bump
ABI version to 8.
This documentation edit specifically calls out the security implications
of not restricting UNIX sockets.
Fix some minor cosmetic issue in landlock.h around the changed lines as
well.
Signed-off-by: Tingmao Wang <m@maowtm.org>
---
Changes in v3:
- Doc edit from review, update date
Changes in v2:
- Fix grammar
Note that in the code block in "Defining and enforcing a security policy"
the switch case currently jumps from 5 to 7. This should be fixed by
https://lore.kernel.org/all/20251216210248.4150777-1-samasth.norway.ananda@oracle.com/
Documentation/userspace-api/landlock.rst | 37 ++++++++++++++++---
include/uapi/linux/landlock.h | 8 +++-
security/landlock/limits.h | 2 +-
security/landlock/syscalls.c | 2 +-
tools/testing/selftests/landlock/base_test.c | 2 +-
.../testing/selftests/landlock/scoped_test.c | 2 +-
6 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 1d0c2c15c22e..b0d07051633b 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -8,7 +8,7 @@ Landlock: unprivileged access control
=====================================
:Author: Mickaël Salaün
-:Date: March 2025
+:Date: December 2025
The goal of Landlock is to enable restriction of ambient rights (e.g. global
filesystem or network access) for a set of processes. Because Landlock
@@ -83,7 +83,8 @@ to be explicit about the denied-by-default access rights.
LANDLOCK_ACCESS_NET_CONNECT_TCP,
.scoped =
LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
- LANDLOCK_SCOPE_SIGNAL,
+ LANDLOCK_SCOPE_SIGNAL |
+ LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET,
};
Because we may not know which kernel version an application will be executed
@@ -127,6 +128,10 @@ version, and only use the available subset of access rights:
/* Removes LANDLOCK_SCOPE_* for ABI < 6 */
ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
LANDLOCK_SCOPE_SIGNAL);
+ __attribute__((fallthrough));
+ case 7:
+ /* Removes LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET for ABI < 8 */
+ ruleset_attr.scoped &= ~LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET;
}
This enables the creation of an inclusive ruleset that will contain our rules.
@@ -328,10 +333,13 @@ The operations which can be scoped are:
This limits the sending of signals to target processes which run within the
same or a nested Landlock domain.
-``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET``
- This limits the set of abstract :manpage:`unix(7)` sockets to which we can
- :manpage:`connect(2)` to socket addresses which were created by a process in
- the same or a nested Landlock domain.
+``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` and ``LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET``
+ This limits the set of :manpage:`unix(7)` sockets to which we can
+ :manpage:`connect(2)` to socket addresses which were created by a
+ process in the same or a nested Landlock domain.
+ ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` applies to abstract sockets,
+ and ``LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET`` applies to pathname
+ sockets.
A :manpage:`sendto(2)` on a non-connected datagram socket is treated as if
it were doing an implicit :manpage:`connect(2)` and will be blocked if the
@@ -604,6 +612,23 @@ Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``,
sys_landlock_restrict_self(). See Documentation/admin-guide/LSM/landlock.rst
for more details on audit.
+Pathname UNIX socket (ABI < 8)
+------------------------------
+
+Starting with the Landlock ABI version 8, it is possible to restrict
+connections to a pathname (non-abstract) :manpage:`unix(7)` socket by
+setting ``LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET`` to the ``scoped`` ruleset
+attribute. This works the same way as the abstract socket scoping.
+
+This allows sandboxing applications using only Landlock to protect against
+bypasses relying on connecting to Unix sockets of other services running
+under the same user. These services typically assume that any process
+capable of connecting to a local Unix socket, or connecting with the
+expected user credentials, is trusted. Without this protection, sandbox
+escapes may be possible, especially when running in a standard desktop
+environment, such as by using systemd-run, or sockets exposed by other
+common applications.
+
.. _kernel_support:
Kernel support
diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index 75fd7f5e6cc3..7fa0e6c1a931 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -361,10 +361,14 @@ struct landlock_net_port_attr {
* related Landlock domain (e.g., a parent domain or a non-sandboxed process).
* - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a signal
* to another process outside the domain.
+ * - %LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET: Restrict a sandboxed process from
+ * connecting to a pathname UNIX socket created by a process outside the
+ * related Landlock domain.
*/
/* clang-format off */
#define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
-#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
-/* clang-format on*/
+#define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
+#define LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET (1ULL << 2)
+/* clang-format on */
#endif /* _UAPI_LINUX_LANDLOCK_H */
diff --git a/security/landlock/limits.h b/security/landlock/limits.h
index 65b5ff051674..d653e14dba10 100644
--- a/security/landlock/limits.h
+++ b/security/landlock/limits.h
@@ -27,7 +27,7 @@
#define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1)
#define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET)
-#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPE_SIGNAL
+#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
#define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1)
#define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE)
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 0116e9f93ffe..66fd196be85a 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -161,7 +161,7 @@ static const struct file_operations ruleset_fops = {
* Documentation/userspace-api/landlock.rst should be updated to reflect the
* UAPI change.
*/
-const int landlock_abi_version = 7;
+const int landlock_abi_version = 8;
/**
* sys_landlock_create_ruleset - Create a new ruleset
diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
index 7b69002239d7..f4b1a275d8d9 100644
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -76,7 +76,7 @@ TEST(abi_version)
const struct landlock_ruleset_attr ruleset_attr = {
.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
};
- ASSERT_EQ(7, landlock_create_ruleset(NULL, 0,
+ ASSERT_EQ(8, landlock_create_ruleset(NULL, 0,
LANDLOCK_CREATE_RULESET_VERSION));
ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
diff --git a/tools/testing/selftests/landlock/scoped_test.c b/tools/testing/selftests/landlock/scoped_test.c
index b90f76ed0d9c..7f83512a328d 100644
--- a/tools/testing/selftests/landlock/scoped_test.c
+++ b/tools/testing/selftests/landlock/scoped_test.c
@@ -12,7 +12,7 @@
#include "common.h"
-#define ACCESS_LAST LANDLOCK_SCOPE_SIGNAL
+#define ACCESS_LAST LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
TEST(ruleset_with_unknown_scope)
{
--
2.52.0
^ permalink raw reply related
* [PATCH v3 0/6] Landlock: Implement scope control for pathname Unix sockets
From: Tingmao Wang @ 2026-02-03 23:12 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Tingmao Wang, Günther Noack, Demi Marie Obenour, Alyssa Ross,
Jann Horn, Tahera Fahimi, Justin Suess, linux-security-module
This version contains some minor update based on feedback from Mickaël.
(Sending this anyway for completeness despite discussion in
https://lore.kernel.org/all/e6b6b069-384c-4c45-a56b-fa54b26bc72a@maowtm.org/ )
The rest is the same as the v2 cover letter:
Changes in v2:
Fix grammar in doc, rebased on mic/next, and extracted common code from
hook_unix_stream_connect and hook_unix_may_send into a separate
function.
The rest is the same as the v1 cover letter:
This patch series extend the existing abstract Unix socket scoping to
pathname (i.e. normal file-based) sockets as well, by adding a new scope
bit LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET that works the same as
LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET, except that restricts pathname Unix
sockets. This means that a sandboxed process with this scope enabled will
not be able to connect to Unix sockets created outside the sandbox via the
filesystem.
There is a future plan [1] for allowing specific sockets based on FS
hierarchy, but this series is only determining access based on domain
parent-child relationship. There is currently no way to allow specific
(outside the Landlock domain) Unix sockets, and none of the existing
Landlock filesystem controls apply to socket connect().
With this series, we can now properly protect against things like the the
following while only relying on Landlock:
(running under tmux)
root@6-19-0-rc1-dev-00023-g68f0b276cbeb ~# LL_FS_RO=/ LL_FS_RW= ./sandboxer bash
Executing the sandboxed command...
root@6-19-0-rc1-dev-00023-g68f0b276cbeb:/# cat /tmp/hi
cat: /tmp/hi: No such file or directory
root@6-19-0-rc1-dev-00023-g68f0b276cbeb:/# tmux new-window 'echo hi > /tmp/hi'
root@6-19-0-rc1-dev-00023-g68f0b276cbeb:/# cat /tmp/hi
hi
The above but with Unix socket scoping enabled (both pathname and abstract
sockets) - the sandboxed shell can now no longer talk to tmux due to the
socket being created from outside the Landlock sandbox:
(running under tmux)
root@6-19-0-rc1-dev-00023-g68f0b276cbeb ~# LL_FS_RO=/ LL_FS_RW= LL_SCOPED=u:a ./sandboxer bash
Executing the sandboxed command...
root@6-19-0-rc1-dev-00023-g68f0b276cbeb:/# cat /tmp/hi
cat: /tmp/hi: No such file or directory
root@6-19-0-rc1-dev-00023-g68f0b276cbeb:/# tmux new-window 'echo hi > /tmp/hi'
error connecting to /tmp/tmux-0/default (Operation not permitted)
root@6-19-0-rc1-dev-00023-g68f0b276cbeb:/# cat /tmp/hi
cat: /tmp/hi: No such file or directory
Tmux is just one example. In a standard systemd session, `systemd-run
--user` can also be used (--user will run the command in the user's
session, without requiring any root privileges), and likely a lot more if
running in a desktop environment with many popular applications. This
change therefore makes it possible to create sandboxes without relying on
additional mechanisms like seccomp to protect against such issues.
These kind of issues was originally discussed on here (I took the idea for
systemd-run from Demi):
https://spectrum-os.org/lists/archives/spectrum-devel/00256266-26db-40cf-8f5b-f7c7064084c2@gmail.com/
Demo with socat + sandboxer:
Outside:
socat unix-listen:/foo.sock,fork -
Sandbox with pathname socket scope bit:
root@6-19-0-rc1-dev-00023-g0994a10d6512 ~# LL_FS_RW=/ LL_FS_RO= LL_SCOPED=u /sandboxer socat -d2 unix:/foo.sock -
Executing the sandboxed command...
2025/12/27 20:28:54 socat[1227] E UNIX-CLIENT: /foo.sock: Operation not permitted
2025/12/27 20:28:54 socat[1227] N exit(1)
Sandbox without pathname socket scope bit:
root@6-19-0-rc1-dev-00023-g0994a10d6512 ~# LL_FS_RW=/ LL_FS_RO= LL_SCOPED= /sandboxer socat -d2 unix:/foo.sock -
Executing the sandboxed command...
2025/12/27 20:29:22 socat[1250] N successfully connected from local address AF=1 "(7\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xB0\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xAE\xC3\xAE\xAE\xAE\xAE"
...
Sandbox with only abstract socket scope bit:
root@6-19-0-rc1-dev-00023-g0994a10d6512 ~# LL_FS_RW=/ LL_FS_RO= LL_SCOPED=a /sandboxer socat -d2 unix:/foo.sock -
Executing the sandboxed command...
2025/12/27 20:29:26 socat[1259] N successfully connected from local address AF=1 "\0\0\0\0\0\0\0\0\0"
...
Sendmsg/recvmsg - outside:
socat unix-recvfrom:/datagram.sock -
Sandbox with pathname socket scope bit:
root@6-19-0-rc1-dev-00023-g0994a10d6512 ~# LL_FS_RW=/ LL_FS_RO= LL_SCOPED=u /sandboxer socat -d2 unix-sendto:/datagram.sock -
Executing the sandboxed command...
...
2025/12/27 20:33:04 socat[1446] N starting data transfer loop with FDs [5,5] and [0,1]
123
2025/12/27 20:33:05 socat[1446] E sendto(5, 0x55d260d8f000, 4, 0, AF=1 "/datagram.sock", 16): Operation not permitted
2025/12/27 20:33:05 socat[1446] N exit(1)
[1]: https://github.com/landlock-lsm/linux/issues/36
Closes: https://github.com/landlock-lsm/linux/issues/51
Tingmao Wang (6):
landlock: Add LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET scope bit to uAPI
landlock: Implement LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
samples/landlock: Support LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
selftests/landlock: Support pathname socket path in set_unix_address
selftests/landlock: Repurpose scoped_abstract_unix_test.c for pathname
sockets too
selftests/landlock: Add pathname socket variants for more tests
Documentation/userspace-api/landlock.rst | 37 +-
include/uapi/linux/landlock.h | 8 +-
samples/landlock/sandboxer.c | 23 +-
security/landlock/audit.c | 4 +
security/landlock/audit.h | 1 +
security/landlock/limits.h | 2 +-
security/landlock/syscalls.c | 2 +-
security/landlock/task.c | 113 ++-
tools/testing/selftests/landlock/base_test.c | 2 +-
tools/testing/selftests/landlock/common.h | 33 +-
tools/testing/selftests/landlock/net_test.c | 2 +-
.../selftests/landlock/scoped_signal_test.c | 2 +-
.../testing/selftests/landlock/scoped_test.c | 2 +-
...bstract_unix_test.c => scoped_unix_test.c} | 886 +++++++++++++-----
14 files changed, 787 insertions(+), 330 deletions(-)
rename tools/testing/selftests/landlock/{scoped_abstract_unix_test.c => scoped_unix_test.c} (50%)
base-commit: 24d479d26b25bce5faea3ddd9fa8f3a6c3129ea7
prerequisite-patch-id: 5f3ab4d7ae2173abb98b510534b2eabc575944ed # https://lore.kernel.org/all/20251230103917.10549-3-gnoack3000@gmail.com/
prerequisite-patch-id: 0002366468db0afd2e68f4ee4f6cfb0d8e7ed315
--
2.52.0
^ permalink raw reply
* Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check()
From: Paul Moore @ 2026-02-03 22:40 UTC (permalink / raw)
To: Tetsuo Handa
Cc: SELinux, linux-security-module, Steffen Klassert, Herbert Xu,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, Network Development
In-Reply-To: <f9b88268-03dc-4356-8b31-0bab73cc9b1e@I-love.SAKURA.ne.jp>
On Mon, Feb 2, 2026 at 10:48 PM Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> On 2026/02/02 13:07, Paul Moore wrote:
> > I'm asking you to verify that we have the LSM xfrm hooks in all of the
> > necessary locations to ensure that we are safely and comprehensively
> > gating all of the operations that result in removal of SPD and SAD
> > entries.
>
> That is impossible. We can't have the LSM xfrm hooks in all locations
> that result in removal of SPD and SAD entries.
It's a good thing that isn't what I said. I said "... LSM xfrm hooks
in all of the
necessary locations to ensure that we are safely and COMPREHENSIVELY
GATING all of the operations that result in removal of SPD and SAD
entries." I used the capitalization to emphasize the idea that the
goal is a comprehensive gating of the operations, not necessarily a
placement of LSM hooks in all of the functions. It can be a subtle
difference, but it is an important one as I think you can understand.
> It is your role (not my role) to verify that we have the LSM xfrm hooks in all
> of the necessary locations, for it is you who is wishing to ensure that we are
> safely and comprehensively gating all of the operations that result in removal
> of SPD and SAD entries.
All of us who contribute upstream have a responsibility to ensure the
proper operation and maintenance of the upstream Linux kernel, this is
especially true for individuals such as yourself who have accepted a
maintainer role.
You have identified what appear to be issues with the upstream kernel,
and have proposed changes to address that. While reviewing those
changes I asked you to verify that the LSM hooks associated with your
proposed change were still working as expected, since it was not clear
from the discussion, or the patch, that an investigation had taken
place. This is not an unusual request for such a proposed change, and
is something that I would expect a LSM maintainer to do without much
hesitation. If you are unwilling to investigate this, can you explain
why?
--
paul-moore.com
^ permalink raw reply
* Re: [PATCH net-next v2 0/4] net: uapi: Provide an UAPI definition of 'struct sockaddr'
From: Jakub Kicinski @ 2026-02-03 22:40 UTC (permalink / raw)
To: Thomas Weißschuh
Cc: Eric Dumazet, Kuniyuki Iwashima, Paolo Abeni, Willem de Bruijn,
David S. Miller, Simon Horman, Shuah Khan, Matthieu Baerts,
Mat Martineau, Geliang Tang, Mickaël Salaün,
Günther Noack, Alexei Starovoitov, Daniel Borkmann,
Jesper Dangaard Brouer, John Fastabend, Stanislav Fomichev,
Andrii Nakryiko, Martin KaFai Lau, Eduard Zingerman, Song Liu,
Yonghong Song, KP Singh, Hao Luo, Jiri Olsa, netdev, linux-kernel,
linux-api, Arnd Bergmann, linux-kselftest, mptcp,
linux-security-module, bpf, libc-alpha, Carlos O'Donell,
Adhemerval Zanella, Rich Felker, klibc, Florian Weimer
In-Reply-To: <20260203122715-eeb304f9-4b42-4fc6-a527-658182a92ba5@linutronix.de>
On Tue, 3 Feb 2026 12:42:22 +0100 Thomas Weißschuh wrote:
> > FWIW the typelimits change broke compilation of ethtool, we'll see if
> > anyone "outside kernel community itself" complains.
>
> Can you point me to that breakage? I was unable to find it.
Not reported on the ML, and it's kinda annoying to repro because
the uAPI header sync script isn't committed :/ You have to check
this out
https://git.kernel.org/pub/scm/network/ethtool/ethtool.git/
and run a script like this to sync headers from the kernel (then build):
#!/bin/bash -e
sn="${0##*/}"
export ARCH="x86_64"
if [ ! -d "$LINUX_GIT" ]; then
echo "${sn}: LINUX_GIT not set" >&2
exit 1
fi
pushd "$LINUX_GIT"
if [ -n "$1" ]; then
git checkout "$1"
fi
desc=$(git describe --exact-match 2>/dev/null \
|| git show -s --abbrev=12 --pretty='commit %h')
kobj=$(mktemp -d)
make -j16 O="$kobj" allmodconfig
make -j16 O="$kobj" prepare
make -j16 O="$kobj" INSTALL_HDR_PATH="${kobj}/hdr" headers_install
popd
pushd uapi
find . -type f -name '*.h' -exec cp -v "${kobj}/hdr/include/{}" {} \;
popd
rm -rf "$kobj"
git add uapi
git commit -s -F - <<EOT
update UAPI header copies
Update to kernel ${desc}.
EOT
^ permalink raw reply
* Re: [PATCH v2 0/6] Landlock: Implement scope control for pathname Unix sockets
From: Tingmao Wang @ 2026-02-03 21:53 UTC (permalink / raw)
To: Günther Noack, Justin Suess, Mickaël Salaün
Cc: Günther Noack, Demi Marie Obenour, Alyssa Ross, Jann Horn,
Tahera Fahimi, linux-security-module
In-Reply-To: <aYI2OQhPMgdMAOiz@google.com>
On 2/3/26 17:54, Günther Noack wrote:
> On Tue, Feb 03, 2026 at 01:26:31AM +0000, Tingmao Wang wrote:
>> On 2/2/26 22:03, Justin Suess wrote:
>>> Regardless if you merge the patch series now in 7.0 or a later version, I think there is something to be said
>>> about having the filesystem and scoped unix access right merged in the same ABI version / merge window.
>>>
>>> As you pointed out earlier, the combination of the two flags is much flexible and useful to userspace
>>> consumers than one or the other, and if the features were merged separately, there would be an
>>> awkward middle ABI where user space consumers may have to make compromises or changes to
>>> sandbox between different versions or change application behavior.
>>> [...]
>>
>> Given that the scope bit and RESOLVE_UNIX access right are in some sense
>> part of the same system (they interact in an OR manner, after all), there
>> is some positive for having them introduced in the same version, but on
>> the other hand, with my above reasoning, I don't think these two
>> mechanisms (scope bit and RESOLVE_UNIX access) being in different ABI
>> versions would be too much of a problem. In either case, for applications
>> which require access to more "privileged" sockets, when running on a
>> kernel without the RESOLVE_UNIX access right support, no pathname socket
>> restrictions can be applied (i.e. it won't use the scope bit either, there
>> isn't much "compromise" it can make here). On the other hand, if
>> RESOLVE_UNIX is supported, then it knows that the scope bit is also
>> supported, and can just use it.
>
> Yes, but that does require additional subtle backwards compatibility
> logic in userspace libraries, to implement the "best effort" fallbacks.
>
> Assuming the scoped bit is added in v8 and the FS_RESOLVE_UNIX right in v9,
> if a user does this (in Go-landlock syntax):
>
> // restrict both scoped bit and FS RESOLVE_UNIX right, if possible
> landlock.V9.BestEffort().RestrictPaths(
> landlock.ResolveUnix("/tmp/socket"), // allow to connect to /tmp/socket
> )
>
> then if the system only supports ABI v8, it will have to clear both
> bits so that connections to /tmp/socket work,
> even though the scoped bit is technically supported on v8.
>
> **This requires additional logic in client libraries**,
> similar to our "refer" semantics (which users often get wrong):
>
> if (there is a rule that allows connections by path name)
> clear_the_scoped_bit_as_well();
> // even though the path name rule normally only affects a different bit
>
>
> In contrast, if both the scoped bit and FS_RESOLVE_UNIX were added in
> the same ABI version, then if a user does the above call, we are
> either equal-or-above that ABI version, in which case it works, or we
> are below that ABI version, in which case the two bits already get
> cleared from the landlock_ruleset_attr through the existing backwards
> compatibility mechanism.
>
> **In my mind, Justin is right that we should ideally introduce these
> together.** We have seen users implementing the "Refer" special case
> wrongly very often, it will likely happen here too, if we require
> extra logic in userspace libraries.
Ok, this makes sense to me. I will send the patch's next version as-is
anyway for completeness since it's basically done but I recognize that we
might change the plan based on this discussion.
>
>
> BTW, regarding the implementation: To have *OR* semantics for "within
> scope" and "allow-listed path", the implementation will be
> non-trivial, and I suspect we won't hit the merge window if we try to
> get them both in for 7.0. But in my mind, a simple UAPI is more
> important than trying to make it in time for the next merge window.
>
> (The implementation is difficult because the path-based and
> scope-based check currently happen in different LSM hooks, and none of
> the two hooks has enough information to make the decision alone. The
> second hook only gets called if the first returns 0. It'll require
> some further discussion to make it work together.)
Right. In that case, would it make sense to pass sk into the new
security_unix_find() hook, perhaps with the new argument named `struct
sock *other`? Then we can use this hook for the scope check as well by
using landlock_cred(other->sk_socket->file->f_cred)->domain etc.
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 227467236930..db9d279b3883 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1223,24 +1223,24 @@ static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
err = -ECONNREFUSED;
inode = d_backing_inode(path.dentry);
if (!S_ISSOCK(inode->i_mode))
goto path_put;
+ err = -ECONNREFUSED;
+ sk = unix_find_socket_byinode(inode);
+ if (!sk)
+ goto path_put;
+
/*
* We call the hook because we know that the inode is a socket
* and we hold a valid reference to it via the path.
*/
- err = security_unix_find(&path, type, flags);
+ err = security_unix_find(&path, sk, flags);
if (err)
- goto path_put;
-
- err = -ECONNREFUSED;
- sk = unix_find_socket_byinode(inode);
- if (!sk)
- goto path_put;
+ goto sock_put;
err = -EPROTOTYPE;
if (sk->sk_type == type)
touch_atime(&path);
else
goto sock_put;
By doing this we won't even need to pass `type` separately anymore. The
only change would be that now one can determine if a socket is bound or
not even without being allowed RESOLVE_UNIX access. I'm not sure how much
of an issue this is, but we could also call the hook anyway with a NULL in
place of the new argument, if unix_find_socket_byinode() fails. Other
LSMs can then decide what to do in that case (either return -ECONNREFUSED
or -EPERM).
>
>
>> Furthermore, an application / Landlock config etc can always opt to not
>> use the scope bit at all, if it "knows" all the locations where the
>> application's sockets would be placed, and just use RESOLVE_UNIX access
>> right (or nothing if it is not supported).
>>
>> (The following is a bit of a side note, not terribly relevant if we're
>> deciding to go with the patch as is.)
>>
>>>> [...]
>>>> Another way to put it is that, if FS-based and scope-based controls
>>>> interacts in the above proposed way, both mechanisms feel like "poking
>>>> holes" in the other. But as Mickaël said, one can think of the two
>>>> mechanisms not as independent controls, but rather as two interfaces for
>>>> the same control. The socket access control is "enabled" if either the
>>>> LANDLOCK_ACCESS_FS_RESOLVE_UNIX access is handled, or the scope bit
>>>> proposed in this patch is enabled.
>>>>
>>>> With that said, I can think of some alternative ways that might make this
>>>> API look "better" (from a subjective point of view, feedback welcome),
>>>> however it does mean more delays, and specifically, these will depend on
>>>> LANDLOCK_ACCESS_FS_RESOLVE_UNIX:
>>>>
>>>> One possibility is to simply always allow a Landlock domain to connect to
>>>> its own sockets (in the case where LANDLOCK_ACCESS_FS_RESOLVE_UNIX is
>>>> handled, otherwise all sockets are allowed). This might be reasonable, as
>>>> one can only connect to a socket it creates if it has the permission to
>>>> create it in the first place, which is already controlled by
>>>> LANDLOCK_ACCESS_FS_MAKE_SOCK, so we don't really lose any policy
>>>> flexibility here - if for some reason the sandboxer don't want to allow
>>>> access to any (pathname) sockets, even the sandboxed app's own ones, it
>>>> can just not allow LANDLOCK_ACCESS_FS_MAKE_SOCK anywhere.
>>>
>>> LANDLOCK_ACCESS_FS_MAKE_SOCK is only required to bind/listen to a
>>> socket, not to connect. I guess you was thinking about
>>> LANDLOCK_ACCESS_FS_RESOLVE_UNIX in this case?
>>
>> In this "allow same-scope connect unconditionally" proposal, the
>> application would still be able to (bind to and) connect to its own
>> sockets, even if LANDLOCK_ACCESS_FS_RESOLVE_UNIX is handled and nothing is
>> allowed to have LANDLOCK_ACCESS_FS_RESOLVE_UNIX access. But a sandboxer
>> which for whatever reason doesn't want this "allow same scope" default can
>> still prevent the use of (pathname) sockets by restricting
>> LANDLOCK_ACCESS_FS_MAKE_SOCK, because if an app can't connect to any
>> sockets it doesn't own, and can't create any sockets itself either, then
>> it effectively can't connect to any sockets at all.
>>
>> (Although on second thought, I guess there could be a case where an app
>> first creates some socket files before doing landlock_restrict_self(),
>> then it might still be able to bind to these even without
>> LANDLOCK_ACCESS_FS_MAKE_SOCK?)
>
> FWIW, I also really liked Tingmao's first of the two listed
> possibilities in [1], where she proposed to introduce both rights
> together. In my understanding, the arguments we have discussed so far
> for that are:
>
> IN FAVOR:
>
> (pro1) Connecting to a UNIX socket in the same scope is always safe,
> and it makes it possible to use named UNIX sockets between the
> processes within a Landlock domains. (Mickaël convinced me in
> discussion at FOSDEM that this is true.)
>
> If someone absolutely does not want that, they can restrict
> LANDLOCK_ACCESS_FS_MAKE_SOCK and achieve the same effect (as
> Tingmao said above).
>
> (pro2) The implementation of this is simpler.
>
> (I attempted to understand how the "or" semantics would be
> implemented, and I found it non-trivial when you try to do it
> for all layers at once. (Kernighan's Law applies, IMHO))
I think the logic would basically be:
1. if any layers deny the access due to handled RESOLVE_UNIX but does not
have the scope bit set, then we will deny rightaway, without calling
domain_is_scoped().
2. Call domain_is_scoped() with a bitmask of "rules_covered" layers where
there are RESOLVE_UNIX rules covering the socket being accessed, and
essentially ignore those layers in the scope violation check.
I definitely agree that it is tricky, but making same-scope access be
allowed (i.e. the suggested idea above) would only get rid of step 1,
which I think is the "simpler" bit. The extra logic in step 2 is still
needed.
I definitely agree with pro1 tho.
>
> AGAINST:
>
> (con1) It would work differently than the other scoped access rights
> that we already have.
>
> A speculative feature that could potentially be built with the
> scoped access rights is that we could add a rule to permit IPC
> to other Landlock scopes, e.g. introducing a new rule type
>
> struct landlock_scope_attr {
> __u64 allowed_access; /* for "scoped" bits */
> /* some way to identify domains */
> }
>
> so that we could make IPC access to other Landlock domains
> configurable.
>
> If the scoped bit and the FS RESOLVE_UNIX bit were both
> conflated in RESOLVE_UNIX, it would not be possible to make
> UNIX connections configurable in such a way.
This exact API would no longer work, but if we give up the equivalence
between scope bits and the landlock_scope_attr struct, then we can do
something like:
struct landlock_scope_attr {
__u64 ptrace:1; /* Note that this is not a (user controllable) scope bit! */
__u64 abstract_unix_socket:1;
__u64 pathname_unix_socket:1;
/* ... */
__u64 allowed_signals;
/*
* some way to identify domains, maybe we could use the audit domain
* ID, with 0 denoting "allow access to non-Landlocked processes?
*/
}
>
> (con2) Consistent behaviour between scoped flags and their
> interactions with other access rights:
>
> The existing scoped access rights (signal, abstract sockets)
> could hypothetically be extended with a related access right of
> another type. For instance, there could be an access right type
>
> __u64 handled_signal_number;
>
> and then you could add a rule to permit the use of certain
> signal numbers. The interaction between the scoped flags and
> other access rights should work the same.
>
>
> Constructive Proposal for consideration: Why not both?
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will think about the following a bit more but I'm afraid that I feel
like it might get slightly confusing. With this, the only reason for
having LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET is for API consistency when we
later enable allowing access to other domains (if I understood correctly),
in which case I personally feel like the suggestion on landlock_scope_attr
above, where we essentially accept that it is decoupled with the scope
bits in the ruleset, might be simpler...?
>
> Why not do both what Tingmao proposed in [1] **and** reserve the
> option to add the matching "scoped flag" later?
>
> * Introduce LANDLOCK_ACCESS_FS_RESOLVE_UNIX.
>
> If it is handled, UNIX connections are allowed either:
>
> (1) if the connection is to a service in the same scope, or
> (2) if the path was allow-listed with a "path beneath" rule.
>
> * Add LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET later, if needed.
>
>
> Let's go through the arguments again:
>
> We have observed that it is harmless to allow connections to services
> in the same scope (1), and that if users absolutely don't want that,
> they can actually prohibit it through LANDLOCK_ACCESS_FS_MAKE_SOCK
> (pro1).
>
> (con1): Can we still implement the feature idea where we poke a hole
> to get UNIX-connect() access to other Landlock domains?
>
> I think the answer is yes. The implementation strategy is:
>
> * Add the scoped bit LANDLOCK_SCOPE_PATHNAME_UNIX_SOCKET
> * The scoped bit can now be used to allow-list connections to
> other Landlock domains.
>
> For users, just setting the scoped bit on its own does the same as
> handling LANDLOCK_ACCESS_FS_RESOLVE_UNIX. That way, the kernel-side
> implementation can also stay simple. The only reason why the scoped
> bit is needed is because it makes it possible to allow-list
> connections to other Landlock domains, but at the same time, it is
> safe if libraries set the scoped bit once it exists, as it does not
> have any bad runtime impact either.
>
> (con2): Consistency: Do all the scoped flags interact with their
> corresponding access rights in the same way?
>
> The other scope flags do not have corresponding access rights, so
> far.
>
> If we were to add corresponding access rights for the other scope
> flags, I would argue that we could apply a consistent logic there,
> because IPC access within the same scope is always safe:
>
> - A hypothetical access right type for "signal numbers" would only
> restrict signals that go beyond the current scope.
>
> - A hypothetical access right type for "abstract UNIX domain socket
> names" would only restrict connections to abstract UNIX domain
> servers that go beyond the current scope.
>
> I can not come up with a scenario where this doesn't work.
>
>
> In conclusion, I think the approach has significant upsides:
>
> * Simpler UAPI: Users only have one access bit to deal with, in the
> near future. Once we do add a scope flag for UNIX connections, it
> does not interact in a surprising way with the corresponding FS
> access right, because with either of these, scoped access is
> allowed.
>
> If users absolutely need to restrict scoped access, they can
> restrict LANDLOCK_ACCESS_FS_MAKE_SOCK. It is a slightly obscure
> API, but in line with the "make easy things easy, make hard things
> possible" API philosophy. And needing this should be the
> exception rather than the norm, after all.
>
> * Consistent behaviour between scoped flags and regular access
> rights, also for speculative access rights affecting the existing
> scoped flags for signals and abstract UNIX domain sockets.
>
> I know this was a slightly long mail, but I thought long and tried to
> be structured. Please let me know what you think.
>
> —Günther
>
>
> [1] https://lore.kernel.org/all/f07fe41a-96c5-4d3a-9966-35b30b3a71f1@maowtm.org/
^ permalink raw reply related
* Re: [PATCH] man/man7/kernel_lockdown.7: remove Secure Boot untruth
From: Heinrich Schuchardt @ 2026-02-03 20:47 UTC (permalink / raw)
To: Alejandro Colomar, Alyssa Ross
Cc: David Howells, Nicolas Bouchinet, Xiu Jianfeng,
linux-security-module, linux-man
In-Reply-To: <aYJZ31jO5ZE1Z6Xp@devuan>
Am 3. Februar 2026 21:27:44 MEZ schrieb Alejandro Colomar <alx@kernel.org>:
>Hi Alyssa,
>
>On 2026-02-03T20:53:33+0100, Alyssa Ross wrote:
>> On Tue, Feb 03, 2026 at 08:50:01PM +0100, Alyssa Ross wrote:
>> > This is true for Fedora, where this page was sourced from, but I don't
>> > believe it has ever been true for the mainline kernel, because Linus
>> > rejected it.
>> >
>> > Link: https://bbs.archlinux.org/viewtopic.php?pid=2088704#p2088704
>> > Link: https://lore.kernel.org/lkml/CA+55aFzYbpRAdma0PvqE+9ygySuKzNKByqOzzMufBoovXVnfPw@mail.gmail.com/
>> > Fixes: bb509e6fc ("kernel_lockdown.7: New page documenting the Kernel Lockdown feature")
>
>I've now CCed you in an email documenting the format we use for these.
>It should be:
>
>Fixes: bb509e6fcbae (2020-10-16; "kernel_lockdown.7: New page documenting the Kernel Lockdown feature")
>
>I'll amend that myself.
>
>> > Signed-off-by: Alyssa Ross <hi@alyssa.is>
>>
>> Just noticed there's a long-open bug for this as well, so additionally:
>>
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=213577
>
>Thanks! I'll keep the patch for a few days, in case anyone wants to
>comment.
>
>
>Have a lovely night!
>Alex
>
Can we move the information from the Notes section to replace the removed statement? What causes lockdown is central for users.
Best regards
Heinrich
^ permalink raw reply
* Re: [PATCH] man/man7/kernel_lockdown.7: remove Secure Boot untruth
From: Alejandro Colomar @ 2026-02-03 20:27 UTC (permalink / raw)
To: Alyssa Ross
Cc: Heinrich Schuchardt, David Howells, Nicolas Bouchinet,
Xiu Jianfeng, linux-security-module, linux-man
In-Reply-To: <aYJSDDwK1T9xxca1@mbp.qyliss.net>
[-- Attachment #1: Type: text/plain, Size: 1148 bytes --]
Hi Alyssa,
On 2026-02-03T20:53:33+0100, Alyssa Ross wrote:
> On Tue, Feb 03, 2026 at 08:50:01PM +0100, Alyssa Ross wrote:
> > This is true for Fedora, where this page was sourced from, but I don't
> > believe it has ever been true for the mainline kernel, because Linus
> > rejected it.
> >
> > Link: https://bbs.archlinux.org/viewtopic.php?pid=2088704#p2088704
> > Link: https://lore.kernel.org/lkml/CA+55aFzYbpRAdma0PvqE+9ygySuKzNKByqOzzMufBoovXVnfPw@mail.gmail.com/
> > Fixes: bb509e6fc ("kernel_lockdown.7: New page documenting the Kernel Lockdown feature")
I've now CCed you in an email documenting the format we use for these.
It should be:
Fixes: bb509e6fcbae (2020-10-16; "kernel_lockdown.7: New page documenting the Kernel Lockdown feature")
I'll amend that myself.
> > Signed-off-by: Alyssa Ross <hi@alyssa.is>
>
> Just noticed there's a long-open bug for this as well, so additionally:
>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=213577
Thanks! I'll keep the patch for a few days, in case anyone wants to
comment.
Have a lovely night!
Alex
--
<https://www.alejandro-colomar.es>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox