* [PATCH v2] landlock: Expand restrict flags example for ABI version 8
@ 2026-02-21 22:12 Panagiotis "Ivory" Vasilopoulos
2026-02-25 18:53 ` Günther Noack
0 siblings, 1 reply; 2+ messages in thread
From: Panagiotis "Ivory" Vasilopoulos @ 2026-02-21 22:12 UTC (permalink / raw)
To: Mickaël Salaün, Günther Noack, Jonathan Corbet,
Shuah Khan
Cc: linux-security-module, linux-doc, linux-kernel
Add LANDLOCK_RESTRICT_SELF_TSYNC to the backwards compatibility example
for restrict flags. This introduces completeness, similar to that of
the ruleset attributes example.
Additionally, I modified the two comments of the example to make them
more consistent with the ruleset attributes example's.
Signed-off-by: Panagiotis 'Ivory' Vasilopoulos <git@n0toose.net>
---
Changes in v2:
- Fix formatting error.
- Link to v1: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v1-1-f89383809eb4@n0toose.net
---
Documentation/userspace-api/landlock.rst | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 13134bccdd39d78ddce3daf454f32dda162ce91b..0affe1c953d61a4b32aca700cd262c49cee6304a 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -197,12 +197,18 @@ similar backwards compatibility check is needed for the restrict flags
.. code-block:: c
- __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
- if (abi < 7) {
- /* Clear logging flags unsupported before ABI 7. */
+ __u32 restrict_flags =
+ LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
+ LANDLOCK_RESTRICT_SELF_TSYNC;
+ switch (abi) {
+ case 1 ... 6:
+ /* Clear logging flags unsupported for ABI < 7 */
restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
+ case 7:
+ /* Removes multithread flag unsupported for ABI < 8 */
+ restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
}
The next step is to restrict the current thread from gaining more privileges
---
base-commit: ceb977bfe9e8715e6cd3a4785c7aab8ea5cd2b77
change-id: 20260221-landlock-docs-add-tsync-example-e8fd5c64a366
Best regards,
--
Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH v2] landlock: Expand restrict flags example for ABI version 8
2026-02-21 22:12 [PATCH v2] landlock: Expand restrict flags example for ABI version 8 Panagiotis "Ivory" Vasilopoulos
@ 2026-02-25 18:53 ` Günther Noack
0 siblings, 0 replies; 2+ messages in thread
From: Günther Noack @ 2026-02-25 18:53 UTC (permalink / raw)
To: Panagiotis "Ivory" Vasilopoulos
Cc: Mickaël Salaün, Günther Noack, Jonathan Corbet,
Shuah Khan, linux-security-module, linux-doc, linux-kernel
On Sat, Feb 21, 2026 at 11:12:25PM +0100, Panagiotis "Ivory" Vasilopoulos wrote:
> Add LANDLOCK_RESTRICT_SELF_TSYNC to the backwards compatibility example
> for restrict flags. This introduces completeness, similar to that of
> the ruleset attributes example.
>
> Additionally, I modified the two comments of the example to make them
> more consistent with the ruleset attributes example's.
>
> Signed-off-by: Panagiotis 'Ivory' Vasilopoulos <git@n0toose.net>
> ---
> Changes in v2:
> - Fix formatting error.
> - Link to v1: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v1-1-f89383809eb4@n0toose.net
> ---
> Documentation/userspace-api/landlock.rst | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 13134bccdd39d78ddce3daf454f32dda162ce91b..0affe1c953d61a4b32aca700cd262c49cee6304a 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -197,12 +197,18 @@ similar backwards compatibility check is needed for the restrict flags
>
> .. code-block:: c
>
> - __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
> - if (abi < 7) {
> - /* Clear logging flags unsupported before ABI 7. */
> + __u32 restrict_flags =
> + LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> + LANDLOCK_RESTRICT_SELF_TSYNC;
> + switch (abi) {
> + case 1 ... 6:
> + /* Clear logging flags unsupported for ABI < 7 */
> restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
> LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
> + case 7:
> + /* Removes multithread flag unsupported for ABI < 8 */
> + restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
> }
Thanks Panagiotis, this makes sense. We overlooked this.
I'm slightly worried that people will copy-paste this example blindly
if it does not have a big warning in it. Unlike the other "backwards
compatibility" example code that we have, this one actually changes
how the enforcement works. (The other flags change logging, but audit
logging makes no difference to the process that sandboxes itself.)
Could you please add wording to the comment to state more explicitly
that below ABI v8, the enforced Landlock policy only applies to the
current thread?
Thanks,
–Günther
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-02-25 18:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-21 22:12 [PATCH v2] landlock: Expand restrict flags example for ABI version 8 Panagiotis "Ivory" Vasilopoulos
2026-02-25 18:53 ` Günther Noack
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox