[GIT PULL] Landlock changes for v5.19
Mickaël Salaün
mic at digikod.net
Mon May 23 16:12:45 UTC 2022
Hi Linus,
Please pull these Landlock changes for v5.19-rc1 . These 30 commits
have been successfully tested in the latest linux-next releases for
several weeks, and with syzkaller:
https://github.com/google/syzkaller/pull/3133
Regards,
Mickaël
--
The following changes since commit 672c0c5173427e6b3e2a9bbb7be51ceeec78093a:
Linux 5.18-rc5 (2022-05-01 13:57:58 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/landlock-5.19-rc1
for you to fetch changes up to 5e469829baa1b1320e843adf3631edef1d6d2cf2:
landlock: Explain how to support Landlock (2022-05-23 13:28:03 +0200)
----------------------------------------------------------------
Landlock updates for v5.19-rc1
Important changes:
* improve the path_rename LSM hook implementations for RENAME_EXCHANGE;
* fix a too-restrictive filesystem control for a rare corner case;
* set the nested sandbox limitation to 16 layers;
* add a new LANDLOCK_ACCESS_FS_REFER access right to properly handle
file reparenting (i.e. full rename and link support);
* add new tests and documentation;
* format code with clang-format to make it easier to maintain and
contribute.
Related patch series:
* [PATCH v1 0/7] Landlock: Clean up coding style with clang-format
https://lore.kernel.org/r/20220506160513.523257-1-mic@digikod.net
* [PATCH v2 00/10] Minor Landlock fixes and new tests
https://lore.kernel.org/r/20220506160820.524344-1-mic@digikod.net
* [PATCH v3 00/12] Landlock: file linking and renaming support
https://lore.kernel.org/r/20220506161102.525323-1-mic@digikod.net
* [PATCH v2] landlock: Explain how to support Landlock
https://lore.kernel.org/r/20220513112743.156414-1-mic@digikod.net
----------------------------------------------------------------
Mickaël Salaün (30):
landlock: Add clang-format exceptions
landlock: Format with clang-format
selftests/landlock: Add clang-format exceptions
selftests/landlock: Normalize array assignment
selftests/landlock: Format with clang-format
samples/landlock: Add clang-format exceptions
samples/landlock: Format with clang-format
landlock: Fix landlock_add_rule(2) documentation
selftests/landlock: Make tests build with old libc
selftests/landlock: Extend tests for minimal valid attribute size
selftests/landlock: Add tests for unknown access rights
selftests/landlock: Extend access right tests to directories
selftests/landlock: Fully test file rename with "remove" access
selftests/landlock: Add tests for O_PATH
landlock: Change landlock_add_rule(2) argument check ordering
landlock: Change landlock_restrict_self(2) check ordering
selftests/landlock: Test landlock_create_ruleset(2) argument check ordering
landlock: Define access_mask_t to enforce a consistent access mask size
landlock: Reduce the maximum number of layers to 16
landlock: Create find_rule() from unmask_layers()
landlock: Fix same-layer rule unions
landlock: Move filesystem helpers and add a new one
LSM: Remove double path_rename hook calls for RENAME_EXCHANGE
landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER
selftests/landlock: Add 11 new test suites dedicated to file reparenting
samples/landlock: Add support for file reparenting
landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning
landlock: Document good practices about filesystem policies
landlock: Add design choices documentation for filesystem access rights
landlock: Explain how to support Landlock
Documentation/security/landlock.rst | 17 +-
Documentation/userspace-api/landlock.rst | 180 ++-
include/linux/lsm_hook_defs.h | 2 +-
include/linux/lsm_hooks.h | 1 +
include/uapi/linux/landlock.h | 36 +-
samples/landlock/sandboxer.c | 132 +-
security/apparmor/lsm.c | 30 +-
security/landlock/cred.c | 4 +-
security/landlock/cred.h | 8 +-
security/landlock/fs.c | 815 +++++++++---
security/landlock/fs.h | 11 +-
security/landlock/limits.h | 10 +-
security/landlock/object.c | 6 +-
security/landlock/object.h | 6 +-
security/landlock/ptrace.c | 10 +-
security/landlock/ruleset.c | 84 +-
security/landlock/ruleset.h | 35 +-
security/landlock/syscalls.c | 95 +-
security/security.c | 9 +-
security/tomoyo/tomoyo.c | 11 +-
tools/testing/selftests/landlock/base_test.c | 179 ++-
tools/testing/selftests/landlock/common.h | 66 +-
tools/testing/selftests/landlock/fs_test.c | 1619 +++++++++++++++++++-----
tools/testing/selftests/landlock/ptrace_test.c | 40 +-
24 files changed, 2646 insertions(+), 760 deletions(-)
More information about the Linux-security-module-archive
mailing list