FAILED: patch "[PATCH] landlock: Add the errata interface" failed to apply to 5.15-stable tree

FAILED: patch "[PATCH] landlock: Add the errata interface" failed to apply to 5.15-stable tree

[gregkh]

The patch below does not apply to the 5.15-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
git checkout FETCH_HEAD
git cherry-pick -x 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2025041713-engine-energy-1f26@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..

Possible dependencies:



thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
Date: Tue, 18 Mar 2025 17:14:37 +0100
Subject: [PATCH] landlock: Add the errata interface
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Some fixes may require user space to check if they are applied on the
running kernel before using a specific feature.  For instance, this
applies when a restriction was previously too restrictive and is now
getting relaxed (e.g. for compatibility reasons).  However, non-visible
changes for legitimate use (e.g. security fixes) do not require an
erratum.

Because fixes are backported down to a specific Landlock ABI, we need a
way to avoid cherry-pick conflicts.  The solution is to only update a
file related to the lower ABI impacted by this issue.  All the ABI files
are then used to create a bitmask of fixes.

The new errata interface is similar to the one used to get the supported
Landlock ABI version, but it returns a bitmask instead because the order
of fixes may not match the order of versions, and not all fixes may
apply to all versions.

The actual errata will come with dedicated commits.  The description is
not actually used in the code but serves as documentation.

Create the landlock_abi_version symbol and use its value to check errata
consistency.

Update test_base's create_ruleset_checks_ordering tests and add errata
tests.

This commit is backportable down to the first version of Landlock.

Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features")
Cc: Günther Noack <gnoack@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index e1d2c27533b4..8806a132d7b8 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -57,9 +57,11 @@ struct landlock_ruleset_attr {
  *
  * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
  *   version.
+ * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues.
  */
 /* clang-format off */
 #define LANDLOCK_CREATE_RULESET_VERSION			(1U << 0)
+#define LANDLOCK_CREATE_RULESET_ERRATA			(1U << 1)
 /* clang-format on */
 
 /**
diff --git a/security/landlock/errata.h b/security/landlock/errata.h
new file mode 100644
index 000000000000..f26b28b9873d
--- /dev/null
+++ b/security/landlock/errata.h
@@ -0,0 +1,87 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Landlock - Errata information
+ *
+ * Copyright © 2025 Microsoft Corporation
+ */
+
+#ifndef _SECURITY_LANDLOCK_ERRATA_H
+#define _SECURITY_LANDLOCK_ERRATA_H
+
+#include <linux/init.h>
+
+struct landlock_erratum {
+	const int abi;
+	const u8 number;
+};
+
+/* clang-format off */
+#define LANDLOCK_ERRATUM(NUMBER) \
+	{ \
+		.abi = LANDLOCK_ERRATA_ABI, \
+		.number = NUMBER, \
+	},
+/* clang-format on */
+
+/*
+ * Some fixes may require user space to check if they are applied on the running
+ * kernel before using a specific feature.  For instance, this applies when a
+ * restriction was previously too restrictive and is now getting relaxed (for
+ * compatibility or semantic reasons).  However, non-visible changes for
+ * legitimate use (e.g. security fixes) do not require an erratum.
+ */
+static const struct landlock_erratum landlock_errata_init[] __initconst = {
+
+/*
+ * Only Sparse may not implement __has_include.  If a compiler does not
+ * implement __has_include, a warning will be printed at boot time (see
+ * setup.c).
+ */
+#ifdef __has_include
+
+#define LANDLOCK_ERRATA_ABI 1
+#if __has_include("errata/abi-1.h")
+#include "errata/abi-1.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 2
+#if __has_include("errata/abi-2.h")
+#include "errata/abi-2.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 3
+#if __has_include("errata/abi-3.h")
+#include "errata/abi-3.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 4
+#if __has_include("errata/abi-4.h")
+#include "errata/abi-4.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+/*
+ * For each new erratum, we need to include all the ABI files up to the impacted
+ * ABI to make all potential future intermediate errata easy to backport.
+ *
+ * If such change involves more than one ABI addition, then it must be in a
+ * dedicated commit with the same Fixes tag as used for the actual fix.
+ *
+ * Each commit creating a new security/landlock/errata/abi-*.h file must have a
+ * Depends-on tag to reference the commit that previously added the line to
+ * include this new file, except if the original Fixes tag is enough.
+ *
+ * Each erratum must be documented in its related ABI file, and a dedicated
+ * commit must update Documentation/userspace-api/landlock.rst to include this
+ * erratum.  This commit will not be backported.
+ */
+
+#endif
+
+	{}
+};
+
+#endif /* _SECURITY_LANDLOCK_ERRATA_H */
diff --git a/security/landlock/setup.c b/security/landlock/setup.c
index c71832a8e369..0c85ea27e409 100644
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -6,12 +6,14 @@
  * Copyright © 2018-2020 ANSSI
  */
 
+#include <linux/bits.h>
 #include <linux/init.h>
 #include <linux/lsm_hooks.h>
 #include <uapi/linux/lsm.h>
 
 #include "common.h"
 #include "cred.h"
+#include "errata.h"
 #include "fs.h"
 #include "net.h"
 #include "setup.h"
@@ -31,8 +33,36 @@ struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
 	.lbs_superblock = sizeof(struct landlock_superblock_security),
 };
 
+int landlock_errata __ro_after_init;
+
+static void __init compute_errata(void)
+{
+	size_t i;
+
+#ifndef __has_include
+	/*
+	 * This is a safeguard to make sure the compiler implements
+	 * __has_include (see errata.h).
+	 */
+	WARN_ON_ONCE(1);
+	return;
+#endif
+
+	for (i = 0; landlock_errata_init[i].number; i++) {
+		const int prev_errata = landlock_errata;
+
+		if (WARN_ON_ONCE(landlock_errata_init[i].abi >
+				 landlock_abi_version))
+			continue;
+
+		landlock_errata |= BIT(landlock_errata_init[i].number - 1);
+		WARN_ON_ONCE(prev_errata == landlock_errata);
+	}
+}
+
 static int __init landlock_init(void)
 {
+	compute_errata();
 	landlock_add_cred_hooks();
 	landlock_add_task_hooks();
 	landlock_add_fs_hooks();
diff --git a/security/landlock/setup.h b/security/landlock/setup.h
index c4252d46d49d..fca307c35fee 100644
--- a/security/landlock/setup.h
+++ b/security/landlock/setup.h
@@ -11,7 +11,10 @@
 
 #include <linux/lsm_hooks.h>
 
+extern const int landlock_abi_version;
+
 extern bool landlock_initialized;
+extern int landlock_errata;
 
 extern struct lsm_blob_sizes landlock_blob_sizes;
 extern const struct lsm_id landlock_lsmid;
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index a9760d252fc2..cf9e0483e542 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -160,7 +160,9 @@ static const struct file_operations ruleset_fops = {
  *        the new ruleset.
  * @size: Size of the pointed &struct landlock_ruleset_attr (needed for
  *        backward and forward compatibility).
- * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
+ * @flags: Supported value:
+ *         - %LANDLOCK_CREATE_RULESET_VERSION
+ *         - %LANDLOCK_CREATE_RULESET_ERRATA
  *
  * This system call enables to create a new Landlock ruleset, and returns the
  * related file descriptor on success.
@@ -169,6 +171,10 @@ static const struct file_operations ruleset_fops = {
  * 0, then the returned value is the highest supported Landlock ABI version
  * (starting at 1).
  *
+ * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is
+ * 0, then the returned value is a bitmask of fixed issues for the current
+ * Landlock ABI version.
+ *
  * Possible returned errors are:
  *
  * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
@@ -192,9 +198,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
 		return -EOPNOTSUPP;
 
 	if (flags) {
-		if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
-		    !size)
-			return LANDLOCK_ABI_VERSION;
+		if (attr || size)
+			return -EINVAL;
+
+		if (flags == LANDLOCK_CREATE_RULESET_VERSION)
+			return landlock_abi_version;
+
+		if (flags == LANDLOCK_CREATE_RULESET_ERRATA)
+			return landlock_errata;
+
 		return -EINVAL;
 	}
 
@@ -235,6 +247,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
 	return ruleset_fd;
 }
 
+const int landlock_abi_version = LANDLOCK_ABI_VERSION;
+
 /*
  * Returns an owned ruleset from a FD. It is thus needed to call
  * landlock_put_ruleset() on the return value.
diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
index 1bc16fde2e8a..4766f8fec9f6 100644
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -98,10 +98,54 @@ TEST(abi_version)
 	ASSERT_EQ(EINVAL, errno);
 }
 
+/*
+ * Old source trees might not have the set of Kselftest fixes related to kernel
+ * UAPI headers.
+ */
+#ifndef LANDLOCK_CREATE_RULESET_ERRATA
+#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
+#endif
+
+TEST(errata)
+{
+	const struct landlock_ruleset_attr ruleset_attr = {
+		.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
+	};
+	int errata;
+
+	errata = landlock_create_ruleset(NULL, 0,
+					 LANDLOCK_CREATE_RULESET_ERRATA);
+	/* The errata bitmask will not be backported to tests. */
+	ASSERT_LE(0, errata);
+	TH_LOG("errata: 0x%x", errata);
+
+	ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
+					      LANDLOCK_CREATE_RULESET_ERRATA));
+	ASSERT_EQ(EINVAL, errno);
+
+	ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr),
+					      LANDLOCK_CREATE_RULESET_ERRATA));
+	ASSERT_EQ(EINVAL, errno);
+
+	ASSERT_EQ(-1,
+		  landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr),
+					  LANDLOCK_CREATE_RULESET_ERRATA));
+	ASSERT_EQ(EINVAL, errno);
+
+	ASSERT_EQ(-1, landlock_create_ruleset(
+			      NULL, 0,
+			      LANDLOCK_CREATE_RULESET_VERSION |
+				      LANDLOCK_CREATE_RULESET_ERRATA));
+	ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0,
+					      LANDLOCK_CREATE_RULESET_ERRATA |
+						      1 << 31));
+	ASSERT_EQ(EINVAL, errno);
+}
+
 /* Tests ordering of syscall argument checks. */
 TEST(create_ruleset_checks_ordering)
 {
-	const int last_flag = LANDLOCK_CREATE_RULESET_VERSION;
+	const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA;
 	const int invalid_flag = last_flag << 1;
 	int ruleset_fd;
 	const struct landlock_ruleset_attr ruleset_attr = {

Re: FAILED: patch "[PATCH] landlock: Add the errata interface" failed to apply to 5.15-stable tree

[Mickaël Salaün]

Hi Greg,

On Thu, Apr 17, 2025 at 03:39:13PM +0200, gregkh@linuxfoundation.org wrote:
> 
> The patch below does not apply to the 5.15-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
> 
> To reproduce the conflict and resubmit, you may use the following commands:
> 
> git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
> git checkout FETCH_HEAD
> git cherry-pick -x 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac

Running this command works for me:

  $ git cherry-pick -x 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac
  Auto-merging include/uapi/linux/landlock.h
  Auto-merging security/landlock/setup.c
  Auto-merging security/landlock/setup.h
  Auto-merging security/landlock/syscalls.c
  Auto-merging tools/testing/selftests/landlock/base_test.c
  [linux-5.15.y e2b5baf61146] landlock: Add the errata interface
   Date: Tue Mar 18 17:14:37 2025 +0100
   6 files changed, 185 insertions(+), 5 deletions(-)
   create mode 100644 security/landlock/errata.h

  $ git version # without custom .gitconfig
  git version 2.49.0

I previously tested and validated this approach that produces a working
commit.

However, trying to apply the raw patch does not work:

  $ git apply this.patch
  error: patch failed: security/landlock/setup.c:6
  error: security/landlock/setup.c: patch does not apply
  error: patch failed: security/landlock/setup.h:11
  error: security/landlock/setup.h: patch does not apply
  error: patch failed: security/landlock/syscalls.c:169
  error: security/landlock/syscalls.c: patch does not apply

This is the case for these stable trees: 5.15, 6.1, and 6.6

Could you please use Git to cherry-pick this commit on these 3 trees?

Regards,
 Mickaël

> # <resolve conflicts, build, test, etc.>
> git commit -s
> git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2025041713-engine-energy-1f26@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
> 
> Possible dependencies:
> 
> 
> 
> thanks,
> 
> greg k-h
> 
> ------------------ original commit in Linus's tree ------------------
> 
> From 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
> Date: Tue, 18 Mar 2025 17:14:37 +0100
> Subject: [PATCH] landlock: Add the errata interface
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> Some fixes may require user space to check if they are applied on the
> running kernel before using a specific feature.  For instance, this
> applies when a restriction was previously too restrictive and is now
> getting relaxed (e.g. for compatibility reasons).  However, non-visible
> changes for legitimate use (e.g. security fixes) do not require an
> erratum.
> 
> Because fixes are backported down to a specific Landlock ABI, we need a
> way to avoid cherry-pick conflicts.  The solution is to only update a
> file related to the lower ABI impacted by this issue.  All the ABI files
> are then used to create a bitmask of fixes.
> 
> The new errata interface is similar to the one used to get the supported
> Landlock ABI version, but it returns a bitmask instead because the order
> of fixes may not match the order of versions, and not all fixes may
> apply to all versions.
> 
> The actual errata will come with dedicated commits.  The description is
> not actually used in the code but serves as documentation.
> 
> Create the landlock_abi_version symbol and use its value to check errata
> consistency.
> 
> Update test_base's create_ruleset_checks_ordering tests and add errata
> tests.
> 
> This commit is backportable down to the first version of Landlock.
> 
> Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features")
> Cc: Günther Noack <gnoack@google.com>
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net
> Signed-off-by: Mickaël Salaün <mic@digikod.net>
> 
> diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
> index e1d2c27533b4..8806a132d7b8 100644
> --- a/include/uapi/linux/landlock.h
> +++ b/include/uapi/linux/landlock.h
> @@ -57,9 +57,11 @@ struct landlock_ruleset_attr {
>   *
>   * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
>   *   version.
> + * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues.
>   */
>  /* clang-format off */
>  #define LANDLOCK_CREATE_RULESET_VERSION			(1U << 0)
> +#define LANDLOCK_CREATE_RULESET_ERRATA			(1U << 1)
>  /* clang-format on */
>  
>  /**
> diff --git a/security/landlock/errata.h b/security/landlock/errata.h
> new file mode 100644
> index 000000000000..f26b28b9873d
> --- /dev/null
> +++ b/security/landlock/errata.h
> @@ -0,0 +1,87 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
> +/*
> + * Landlock - Errata information
> + *
> + * Copyright © 2025 Microsoft Corporation
> + */
> +
> +#ifndef _SECURITY_LANDLOCK_ERRATA_H
> +#define _SECURITY_LANDLOCK_ERRATA_H
> +
> +#include <linux/init.h>
> +
> +struct landlock_erratum {
> +	const int abi;
> +	const u8 number;
> +};
> +
> +/* clang-format off */
> +#define LANDLOCK_ERRATUM(NUMBER) \
> +	{ \
> +		.abi = LANDLOCK_ERRATA_ABI, \
> +		.number = NUMBER, \
> +	},
> +/* clang-format on */
> +
> +/*
> + * Some fixes may require user space to check if they are applied on the running
> + * kernel before using a specific feature.  For instance, this applies when a
> + * restriction was previously too restrictive and is now getting relaxed (for
> + * compatibility or semantic reasons).  However, non-visible changes for
> + * legitimate use (e.g. security fixes) do not require an erratum.
> + */
> +static const struct landlock_erratum landlock_errata_init[] __initconst = {
> +
> +/*
> + * Only Sparse may not implement __has_include.  If a compiler does not
> + * implement __has_include, a warning will be printed at boot time (see
> + * setup.c).
> + */
> +#ifdef __has_include
> +
> +#define LANDLOCK_ERRATA_ABI 1
> +#if __has_include("errata/abi-1.h")
> +#include "errata/abi-1.h"
> +#endif
> +#undef LANDLOCK_ERRATA_ABI
> +
> +#define LANDLOCK_ERRATA_ABI 2
> +#if __has_include("errata/abi-2.h")
> +#include "errata/abi-2.h"
> +#endif
> +#undef LANDLOCK_ERRATA_ABI
> +
> +#define LANDLOCK_ERRATA_ABI 3
> +#if __has_include("errata/abi-3.h")
> +#include "errata/abi-3.h"
> +#endif
> +#undef LANDLOCK_ERRATA_ABI
> +
> +#define LANDLOCK_ERRATA_ABI 4
> +#if __has_include("errata/abi-4.h")
> +#include "errata/abi-4.h"
> +#endif
> +#undef LANDLOCK_ERRATA_ABI
> +
> +/*
> + * For each new erratum, we need to include all the ABI files up to the impacted
> + * ABI to make all potential future intermediate errata easy to backport.
> + *
> + * If such change involves more than one ABI addition, then it must be in a
> + * dedicated commit with the same Fixes tag as used for the actual fix.
> + *
> + * Each commit creating a new security/landlock/errata/abi-*.h file must have a
> + * Depends-on tag to reference the commit that previously added the line to
> + * include this new file, except if the original Fixes tag is enough.
> + *
> + * Each erratum must be documented in its related ABI file, and a dedicated
> + * commit must update Documentation/userspace-api/landlock.rst to include this
> + * erratum.  This commit will not be backported.
> + */
> +
> +#endif
> +
> +	{}
> +};
> +
> +#endif /* _SECURITY_LANDLOCK_ERRATA_H */
> diff --git a/security/landlock/setup.c b/security/landlock/setup.c
> index c71832a8e369..0c85ea27e409 100644
> --- a/security/landlock/setup.c
> +++ b/security/landlock/setup.c
> @@ -6,12 +6,14 @@
>   * Copyright © 2018-2020 ANSSI
>   */
>  
> +#include <linux/bits.h>
>  #include <linux/init.h>
>  #include <linux/lsm_hooks.h>
>  #include <uapi/linux/lsm.h>
>  
>  #include "common.h"
>  #include "cred.h"
> +#include "errata.h"
>  #include "fs.h"
>  #include "net.h"
>  #include "setup.h"
> @@ -31,8 +33,36 @@ struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
>  	.lbs_superblock = sizeof(struct landlock_superblock_security),
>  };
>  
> +int landlock_errata __ro_after_init;
> +
> +static void __init compute_errata(void)
> +{
> +	size_t i;
> +
> +#ifndef __has_include
> +	/*
> +	 * This is a safeguard to make sure the compiler implements
> +	 * __has_include (see errata.h).
> +	 */
> +	WARN_ON_ONCE(1);
> +	return;
> +#endif
> +
> +	for (i = 0; landlock_errata_init[i].number; i++) {
> +		const int prev_errata = landlock_errata;
> +
> +		if (WARN_ON_ONCE(landlock_errata_init[i].abi >
> +				 landlock_abi_version))
> +			continue;
> +
> +		landlock_errata |= BIT(landlock_errata_init[i].number - 1);
> +		WARN_ON_ONCE(prev_errata == landlock_errata);
> +	}
> +}
> +
>  static int __init landlock_init(void)
>  {
> +	compute_errata();
>  	landlock_add_cred_hooks();
>  	landlock_add_task_hooks();
>  	landlock_add_fs_hooks();
> diff --git a/security/landlock/setup.h b/security/landlock/setup.h
> index c4252d46d49d..fca307c35fee 100644
> --- a/security/landlock/setup.h
> +++ b/security/landlock/setup.h
> @@ -11,7 +11,10 @@
>  
>  #include <linux/lsm_hooks.h>
>  
> +extern const int landlock_abi_version;
> +
>  extern bool landlock_initialized;
> +extern int landlock_errata;
>  
>  extern struct lsm_blob_sizes landlock_blob_sizes;
>  extern const struct lsm_id landlock_lsmid;
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index a9760d252fc2..cf9e0483e542 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -160,7 +160,9 @@ static const struct file_operations ruleset_fops = {
>   *        the new ruleset.
>   * @size: Size of the pointed &struct landlock_ruleset_attr (needed for
>   *        backward and forward compatibility).
> - * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
> + * @flags: Supported value:
> + *         - %LANDLOCK_CREATE_RULESET_VERSION
> + *         - %LANDLOCK_CREATE_RULESET_ERRATA
>   *
>   * This system call enables to create a new Landlock ruleset, and returns the
>   * related file descriptor on success.
> @@ -169,6 +171,10 @@ static const struct file_operations ruleset_fops = {
>   * 0, then the returned value is the highest supported Landlock ABI version
>   * (starting at 1).
>   *
> + * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is
> + * 0, then the returned value is a bitmask of fixed issues for the current
> + * Landlock ABI version.
> + *
>   * Possible returned errors are:
>   *
>   * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
> @@ -192,9 +198,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
>  		return -EOPNOTSUPP;
>  
>  	if (flags) {
> -		if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
> -		    !size)
> -			return LANDLOCK_ABI_VERSION;
> +		if (attr || size)
> +			return -EINVAL;
> +
> +		if (flags == LANDLOCK_CREATE_RULESET_VERSION)
> +			return landlock_abi_version;
> +
> +		if (flags == LANDLOCK_CREATE_RULESET_ERRATA)
> +			return landlock_errata;
> +
>  		return -EINVAL;
>  	}
>  
> @@ -235,6 +247,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
>  	return ruleset_fd;
>  }
>  
> +const int landlock_abi_version = LANDLOCK_ABI_VERSION;
> +
>  /*
>   * Returns an owned ruleset from a FD. It is thus needed to call
>   * landlock_put_ruleset() on the return value.
> diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
> index 1bc16fde2e8a..4766f8fec9f6 100644
> --- a/tools/testing/selftests/landlock/base_test.c
> +++ b/tools/testing/selftests/landlock/base_test.c
> @@ -98,10 +98,54 @@ TEST(abi_version)
>  	ASSERT_EQ(EINVAL, errno);
>  }
>  
> +/*
> + * Old source trees might not have the set of Kselftest fixes related to kernel
> + * UAPI headers.
> + */
> +#ifndef LANDLOCK_CREATE_RULESET_ERRATA
> +#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
> +#endif
> +
> +TEST(errata)
> +{
> +	const struct landlock_ruleset_attr ruleset_attr = {
> +		.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
> +	};
> +	int errata;
> +
> +	errata = landlock_create_ruleset(NULL, 0,
> +					 LANDLOCK_CREATE_RULESET_ERRATA);
> +	/* The errata bitmask will not be backported to tests. */
> +	ASSERT_LE(0, errata);
> +	TH_LOG("errata: 0x%x", errata);
> +
> +	ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
> +					      LANDLOCK_CREATE_RULESET_ERRATA));
> +	ASSERT_EQ(EINVAL, errno);
> +
> +	ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr),
> +					      LANDLOCK_CREATE_RULESET_ERRATA));
> +	ASSERT_EQ(EINVAL, errno);
> +
> +	ASSERT_EQ(-1,
> +		  landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr),
> +					  LANDLOCK_CREATE_RULESET_ERRATA));
> +	ASSERT_EQ(EINVAL, errno);
> +
> +	ASSERT_EQ(-1, landlock_create_ruleset(
> +			      NULL, 0,
> +			      LANDLOCK_CREATE_RULESET_VERSION |
> +				      LANDLOCK_CREATE_RULESET_ERRATA));
> +	ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0,
> +					      LANDLOCK_CREATE_RULESET_ERRATA |
> +						      1 << 31));
> +	ASSERT_EQ(EINVAL, errno);
> +}
> +
>  /* Tests ordering of syscall argument checks. */
>  TEST(create_ruleset_checks_ordering)
>  {
> -	const int last_flag = LANDLOCK_CREATE_RULESET_VERSION;
> +	const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA;
>  	const int invalid_flag = last_flag << 1;
>  	int ruleset_fd;
>  	const struct landlock_ruleset_attr ruleset_attr = {
> 

Re: FAILED: patch "[PATCH] landlock: Add the errata interface" failed to apply to 5.15-stable tree

[Greg KH]

On Fri, Apr 18, 2025 at 10:40:08AM +0200, Mickaël Salaün wrote:
> Hi Greg,
> 
> On Thu, Apr 17, 2025 at 03:39:13PM +0200, gregkh@linuxfoundation.org wrote:
> > 
> > The patch below does not apply to the 5.15-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> > 
> > To reproduce the conflict and resubmit, you may use the following commands:
> > 
> > git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
> > git checkout FETCH_HEAD
> > git cherry-pick -x 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac
> 
> Running this command works for me:
> 
>   $ git cherry-pick -x 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac
>   Auto-merging include/uapi/linux/landlock.h
>   Auto-merging security/landlock/setup.c
>   Auto-merging security/landlock/setup.h
>   Auto-merging security/landlock/syscalls.c
>   Auto-merging tools/testing/selftests/landlock/base_test.c
>   [linux-5.15.y e2b5baf61146] landlock: Add the errata interface
>    Date: Tue Mar 18 17:14:37 2025 +0100
>    6 files changed, 185 insertions(+), 5 deletions(-)
>    create mode 100644 security/landlock/errata.h
> 
>   $ git version # without custom .gitconfig
>   git version 2.49.0
> 
> I previously tested and validated this approach that produces a working
> commit.
> 
> However, trying to apply the raw patch does not work:
> 
>   $ git apply this.patch
>   error: patch failed: security/landlock/setup.c:6
>   error: security/landlock/setup.c: patch does not apply
>   error: patch failed: security/landlock/setup.h:11
>   error: security/landlock/setup.h: patch does not apply
>   error: patch failed: security/landlock/syscalls.c:169
>   error: security/landlock/syscalls.c: patch does not apply
> 
> This is the case for these stable trees: 5.15, 6.1, and 6.6
> 
> Could you please use Git to cherry-pick this commit on these 3 trees?

Sorry, but we don't use git cherry-pick, we need them in patch form.

thanks,

greg k-h

[PATCH 5.15.y] landlock: Add the errata interface

[Mickaël Salaün]

Some fixes may require user space to check if they are applied on the
running kernel before using a specific feature.  For instance, this
applies when a restriction was previously too restrictive and is now
getting relaxed (e.g. for compatibility reasons).  However, non-visible
changes for legitimate use (e.g. security fixes) do not require an
erratum.

Because fixes are backported down to a specific Landlock ABI, we need a
way to avoid cherry-pick conflicts.  The solution is to only update a
file related to the lower ABI impacted by this issue.  All the ABI files
are then used to create a bitmask of fixes.

The new errata interface is similar to the one used to get the supported
Landlock ABI version, but it returns a bitmask instead because the order
of fixes may not match the order of versions, and not all fixes may
apply to all versions.

The actual errata will come with dedicated commits.  The description is
not actually used in the code but serves as documentation.

Create the landlock_abi_version symbol and use its value to check errata
consistency.

Update test_base's create_ruleset_checks_ordering tests and add errata
tests.

This commit is backportable down to the first version of Landlock.

Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features")
Cc: Günther Noack <gnoack@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net
(cherry picked from commit 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac)
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
 include/uapi/linux/landlock.h                |  2 +
 security/landlock/errata.h                   | 87 ++++++++++++++++++++
 security/landlock/setup.c                    | 30 +++++++
 security/landlock/setup.h                    |  3 +
 security/landlock/syscalls.c                 | 22 ++++-
 tools/testing/selftests/landlock/base_test.c | 46 ++++++++++-
 6 files changed, 185 insertions(+), 5 deletions(-)
 create mode 100644 security/landlock/errata.h

diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index 21c8d58283c9..d00621d4d52d 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -32,9 +32,11 @@ struct landlock_ruleset_attr {
  *
  * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
  *   version.
+ * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues.
  */
 /* clang-format off */
 #define LANDLOCK_CREATE_RULESET_VERSION			(1U << 0)
+#define LANDLOCK_CREATE_RULESET_ERRATA			(1U << 1)
 /* clang-format on */
 
 /**
diff --git a/security/landlock/errata.h b/security/landlock/errata.h
new file mode 100644
index 000000000000..f26b28b9873d
--- /dev/null
+++ b/security/landlock/errata.h
@@ -0,0 +1,87 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Landlock - Errata information
+ *
+ * Copyright © 2025 Microsoft Corporation
+ */
+
+#ifndef _SECURITY_LANDLOCK_ERRATA_H
+#define _SECURITY_LANDLOCK_ERRATA_H
+
+#include <linux/init.h>
+
+struct landlock_erratum {
+	const int abi;
+	const u8 number;
+};
+
+/* clang-format off */
+#define LANDLOCK_ERRATUM(NUMBER) \
+	{ \
+		.abi = LANDLOCK_ERRATA_ABI, \
+		.number = NUMBER, \
+	},
+/* clang-format on */
+
+/*
+ * Some fixes may require user space to check if they are applied on the running
+ * kernel before using a specific feature.  For instance, this applies when a
+ * restriction was previously too restrictive and is now getting relaxed (for
+ * compatibility or semantic reasons).  However, non-visible changes for
+ * legitimate use (e.g. security fixes) do not require an erratum.
+ */
+static const struct landlock_erratum landlock_errata_init[] __initconst = {
+
+/*
+ * Only Sparse may not implement __has_include.  If a compiler does not
+ * implement __has_include, a warning will be printed at boot time (see
+ * setup.c).
+ */
+#ifdef __has_include
+
+#define LANDLOCK_ERRATA_ABI 1
+#if __has_include("errata/abi-1.h")
+#include "errata/abi-1.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 2
+#if __has_include("errata/abi-2.h")
+#include "errata/abi-2.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 3
+#if __has_include("errata/abi-3.h")
+#include "errata/abi-3.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+#define LANDLOCK_ERRATA_ABI 4
+#if __has_include("errata/abi-4.h")
+#include "errata/abi-4.h"
+#endif
+#undef LANDLOCK_ERRATA_ABI
+
+/*
+ * For each new erratum, we need to include all the ABI files up to the impacted
+ * ABI to make all potential future intermediate errata easy to backport.
+ *
+ * If such change involves more than one ABI addition, then it must be in a
+ * dedicated commit with the same Fixes tag as used for the actual fix.
+ *
+ * Each commit creating a new security/landlock/errata/abi-*.h file must have a
+ * Depends-on tag to reference the commit that previously added the line to
+ * include this new file, except if the original Fixes tag is enough.
+ *
+ * Each erratum must be documented in its related ABI file, and a dedicated
+ * commit must update Documentation/userspace-api/landlock.rst to include this
+ * erratum.  This commit will not be backported.
+ */
+
+#endif
+
+	{}
+};
+
+#endif /* _SECURITY_LANDLOCK_ERRATA_H */
diff --git a/security/landlock/setup.c b/security/landlock/setup.c
index f8e8e980454c..cdee579901da 100644
--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -6,11 +6,13 @@
  * Copyright © 2018-2020 ANSSI
  */
 
+#include <linux/bits.h>
 #include <linux/init.h>
 #include <linux/lsm_hooks.h>
 
 #include "common.h"
 #include "cred.h"
+#include "errata.h"
 #include "fs.h"
 #include "ptrace.h"
 #include "setup.h"
@@ -23,8 +25,36 @@ struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
 	.lbs_superblock = sizeof(struct landlock_superblock_security),
 };
 
+int landlock_errata __ro_after_init;
+
+static void __init compute_errata(void)
+{
+	size_t i;
+
+#ifndef __has_include
+	/*
+	 * This is a safeguard to make sure the compiler implements
+	 * __has_include (see errata.h).
+	 */
+	WARN_ON_ONCE(1);
+	return;
+#endif
+
+	for (i = 0; landlock_errata_init[i].number; i++) {
+		const int prev_errata = landlock_errata;
+
+		if (WARN_ON_ONCE(landlock_errata_init[i].abi >
+				 landlock_abi_version))
+			continue;
+
+		landlock_errata |= BIT(landlock_errata_init[i].number - 1);
+		WARN_ON_ONCE(prev_errata == landlock_errata);
+	}
+}
+
 static int __init landlock_init(void)
 {
+	compute_errata();
 	landlock_add_cred_hooks();
 	landlock_add_ptrace_hooks();
 	landlock_add_fs_hooks();
diff --git a/security/landlock/setup.h b/security/landlock/setup.h
index 1daffab1ab4b..420dceca35d2 100644
--- a/security/landlock/setup.h
+++ b/security/landlock/setup.h
@@ -11,7 +11,10 @@
 
 #include <linux/lsm_hooks.h>
 
+extern const int landlock_abi_version;
+
 extern bool landlock_initialized;
+extern int landlock_errata;
 
 extern struct lsm_blob_sizes landlock_blob_sizes;
 
diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
index 229a6918b52f..c0deb7044d16 100644
--- a/security/landlock/syscalls.c
+++ b/security/landlock/syscalls.c
@@ -150,7 +150,9 @@ static const struct file_operations ruleset_fops = {
  *        the new ruleset.
  * @size: Size of the pointed &struct landlock_ruleset_attr (needed for
  *        backward and forward compatibility).
- * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
+ * @flags: Supported value:
+ *         - %LANDLOCK_CREATE_RULESET_VERSION
+ *         - %LANDLOCK_CREATE_RULESET_ERRATA
  *
  * This system call enables to create a new Landlock ruleset, and returns the
  * related file descriptor on success.
@@ -159,6 +161,10 @@ static const struct file_operations ruleset_fops = {
  * 0, then the returned value is the highest supported Landlock ABI version
  * (starting at 1).
  *
+ * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is
+ * 0, then the returned value is a bitmask of fixed issues for the current
+ * Landlock ABI version.
+ *
  * Possible returned errors are:
  *
  * - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
@@ -181,9 +187,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
 		return -EOPNOTSUPP;
 
 	if (flags) {
-		if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
-		    !size)
-			return LANDLOCK_ABI_VERSION;
+		if (attr || size)
+			return -EINVAL;
+
+		if (flags == LANDLOCK_CREATE_RULESET_VERSION)
+			return landlock_abi_version;
+
+		if (flags == LANDLOCK_CREATE_RULESET_ERRATA)
+			return landlock_errata;
+
 		return -EINVAL;
 	}
 
@@ -213,6 +225,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
 	return ruleset_fd;
 }
 
+const int landlock_abi_version = LANDLOCK_ABI_VERSION;
+
 /*
  * Returns an owned ruleset from a FD. It is thus needed to call
  * landlock_put_ruleset() on the return value.
diff --git a/tools/testing/selftests/landlock/base_test.c b/tools/testing/selftests/landlock/base_test.c
index 1a8fa6b0c887..c78064cf50b1 100644
--- a/tools/testing/selftests/landlock/base_test.c
+++ b/tools/testing/selftests/landlock/base_test.c
@@ -98,10 +98,54 @@ TEST(abi_version)
 	ASSERT_EQ(EINVAL, errno);
 }
 
+/*
+ * Old source trees might not have the set of Kselftest fixes related to kernel
+ * UAPI headers.
+ */
+#ifndef LANDLOCK_CREATE_RULESET_ERRATA
+#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
+#endif
+
+TEST(errata)
+{
+	const struct landlock_ruleset_attr ruleset_attr = {
+		.handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
+	};
+	int errata;
+
+	errata = landlock_create_ruleset(NULL, 0,
+					 LANDLOCK_CREATE_RULESET_ERRATA);
+	/* The errata bitmask will not be backported to tests. */
+	ASSERT_LE(0, errata);
+	TH_LOG("errata: 0x%x", errata);
+
+	ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
+					      LANDLOCK_CREATE_RULESET_ERRATA));
+	ASSERT_EQ(EINVAL, errno);
+
+	ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr),
+					      LANDLOCK_CREATE_RULESET_ERRATA));
+	ASSERT_EQ(EINVAL, errno);
+
+	ASSERT_EQ(-1,
+		  landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr),
+					  LANDLOCK_CREATE_RULESET_ERRATA));
+	ASSERT_EQ(EINVAL, errno);
+
+	ASSERT_EQ(-1, landlock_create_ruleset(
+			      NULL, 0,
+			      LANDLOCK_CREATE_RULESET_VERSION |
+				      LANDLOCK_CREATE_RULESET_ERRATA));
+	ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0,
+					      LANDLOCK_CREATE_RULESET_ERRATA |
+						      1 << 31));
+	ASSERT_EQ(EINVAL, errno);
+}
+
 /* Tests ordering of syscall argument checks. */
 TEST(create_ruleset_checks_ordering)
 {
-	const int last_flag = LANDLOCK_CREATE_RULESET_VERSION;
+	const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA;
 	const int invalid_flag = last_flag << 1;
 	int ruleset_fd;
 	const struct landlock_ruleset_attr ruleset_attr = {
-- 
2.49.0

Re: [PATCH 5.15.y] landlock: Add the errata interface

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
⚠️ Found matching upstream commit but patch is missing proper reference to it

Found matching upstream commit: 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac

Status in newer kernel trees:
6.14.y | Present (different SHA1: 728f62bff8a0)
6.13.y | Present (different SHA1: be73220526b7)
6.12.y | Present (different SHA1: ed390ad1458c)
6.6.y | Not found
6.1.y | Not found

Note: The patch differs from the upstream commit:
---
1:  15383a0d63dbc ! 1:  13e28a2a55f3a landlock: Add the errata interface
    @@ Commit message
         Cc: Günther Noack <gnoack@google.com>
         Cc: stable@vger.kernel.org
         Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net
    +    (cherry picked from commit 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac)
         Signed-off-by: Mickaël Salaün <mic@digikod.net>
     
      ## include/uapi/linux/landlock.h ##
    @@ security/landlock/setup.c
     +#include <linux/bits.h>
      #include <linux/init.h>
      #include <linux/lsm_hooks.h>
    - #include <uapi/linux/lsm.h>
      
      #include "common.h"
      #include "cred.h"
     +#include "errata.h"
      #include "fs.h"
    - #include "net.h"
    + #include "ptrace.h"
      #include "setup.h"
    -@@ security/landlock/setup.c: struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
    +@@ security/landlock/setup.c: struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
      	.lbs_superblock = sizeof(struct landlock_superblock_security),
      };
      
    @@ security/landlock/setup.c: struct lsm_blob_sizes landlock_blob_sizes __ro_after_
      {
     +	compute_errata();
      	landlock_add_cred_hooks();
    - 	landlock_add_task_hooks();
    + 	landlock_add_ptrace_hooks();
      	landlock_add_fs_hooks();
     
      ## security/landlock/setup.h ##
    @@ security/landlock/setup.h
     +extern int landlock_errata;
      
      extern struct lsm_blob_sizes landlock_blob_sizes;
    - extern const struct lsm_id landlock_lsmid;
    + 
     
      ## security/landlock/syscalls.c ##
     @@ security/landlock/syscalls.c: static const struct file_operations ruleset_fops = {
    @@ security/landlock/syscalls.c: static const struct file_operations ruleset_fops =
     + *
       * Possible returned errors are:
       *
    -  * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
    +  * - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
     @@ security/landlock/syscalls.c: SYSCALL_DEFINE3(landlock_create_ruleset,
      		return -EOPNOTSUPP;
      
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y       |  Success    |  Success   |