[RFC PATCH 0/2] landlock: Refactor layer masks

Günther Noack gnoack3000 at gmail.com
Tue Dec 30 10:48:21 UTC 2025


On Tue, Dec 30, 2025 at 11:39:17AM +0100, Günther Noack wrote:
> Tentative results with and without this patch set show that the
> hypothesis likely holds true.  The benchmark I used exercises a "worst
> case" scenario that attempts to be bottlenecked on the affected code:
> constructs a large number of nested directories, with one "path
> beneath" rule each and then tries to open the innermost directory many
> times.  The benchmark is intentionally unrealistic to amplify the
> amount of time used for the path walk logic and forces Landlock to
> walk the full path (eventually failing the open syscall).  (I'll send
> the benchmark program in a reply to this mail for full transparency.)

Please see the benchmark program below.

To compile it, use:

    cc -o benchmark_worsecase benchmark_worsecase.c

Source code:

```
#define _GNU_SOURCE
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/times.h>
#include <time.h>
#include <unistd.h>

/* Flags: process-wide settings that main() overrides from the command line. */
/* Cleared by -no-landlock; when false, no ruleset is created or enforced. */
bool use_landlock = true;
/* Number of openat() attempts made in main()'s loop; the -n option assigns it. */
size_t num_iterations = 100000;
/* Depth passed to build_directory(); the -d option assigns it. */
size_t num_subdirs = 10000;

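/*
 * Print the command line synopsis to stdout.  The synopsis lists every
 * option that main() parses, not only -no-landlock.
 */
void usage(void) {
  puts("Usage: benchmark_worstcase [-no-landlock] [-d NUM_SUBDIRS] "
       "[-n NUM_ITERATIONS]");
}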

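/*
 * Build a chain of `depth` nested directories named "d" below the
 * current working directory, enforce Landlock (unless use_landlock is
 * false) and return an O_PATH FD to the deepest dir.  On any failure,
 * exit the process with an error.
 *
 * Side effects to be aware of before running this:
 *  - The directories are created in the current working directory and
 *    nothing in this program removes them; run it from a scratch dir.
 *  - PR_SET_NO_NEW_PRIVS and landlock_restrict_self() apply to the
 *    calling process for the rest of its lifetime.
 */
int build_directory(size_t depth) {
  const char *path = "d"; /* directory name */
  int ruleset_fd = -1;

  if (use_landlock) {
    int abi = syscall(SYS_landlock_create_ruleset, NULL, 0,
                      LANDLOCK_CREATE_RULESET_VERSION);
    /*
     * A negative result is a syscall failure, so errno is meaningful
     * and err() is right.  A too-low version is not a syscall failure:
     * errno is stale there, so report it with errx() instead.
     */
    if (abi < 0)
      err(1, "landlock_create_ruleset(LANDLOCK_CREATE_RULESET_VERSION)");
    if (abi < 7)
      errx(1, "Landlock ABI too low: got %d, wanted 7+", abi);

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
      err(1, "prctl");

    /*
     * Every handled right is denied unless a rule grants it.  The rules
     * added below grant only LANDLOCK_ACCESS_FS_IOCTL_DEV, so they never
     * permit the directory open that main() attempts afterwards.
     */
    struct landlock_ruleset_attr attr = {
        .handled_access_fs = 0xffff, /* All FS access rights as of 2025-12 */
    };
    ruleset_fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0U);
    if (ruleset_fd < 0)
      err(1, "landlock_create_ruleset");
  }

  int current = open(".", O_PATH);
  if (current < 0)
    err(1, "open(.)");

  while (depth--) {
    if (use_landlock) {
      /*
       * One "path beneath" rule per level, attached to the parent before
       * the child is created; the deepest directory itself gets no rule.
       */
      struct landlock_path_beneath_attr attr = {
          .allowed_access = LANDLOCK_ACCESS_FS_IOCTL_DEV,
          .parent_fd = current,
      };
      if (syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                  &attr, 0) < 0)
        err(1, "landlock_add_rule");
    }

    if (mkdirat(current, path, 0700) < 0)
      err(1, "mkdirat(%s)", path);

    /* Descend one level and drop the FD of the level we just left. */
    int previous = current;
    current = openat(current, path, O_PATH);
    if (current < 0)
      err(1, "open(%s)", path);

    close(previous);
  }

  if (use_landlock) {
    if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0) < 0)
      err(1, "landlock_restrict_self");
  }

  /* ruleset_fd stays -1 when Landlock is disabled; do not close(-1). */
  if (ruleset_fd >= 0)
    close(ruleset_fd);
  return current;
}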

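/*
 * Parse the value of a numeric option as a non-negative decimal count.
 * Exits with an error on empty input, a sign, trailing characters or
 * overflow; atoi() would accept all of these silently.
 */
static size_t parse_count(const char *flag, const char *arg) {
  /* strtoull() accepts a leading '-' and whitespace; require a digit. */
  if (arg[0] < '0' || arg[0] > '9')
    errx(1, "invalid value for %s: %s", flag, arg);

  char *end;
  errno = 0;
  unsigned long long value = strtoull(arg, &end, 10);
  if (*end != '\0' || errno == ERANGE || value > (size_t)-1)
    errx(1, "invalid value for %s: %s", flag, arg);
  return (size_t)value;
}

/*
 * Parse the command line, build the directory chain, then attempt to
 * open the innermost directory num_iterations times and print the CPU
 * time consumed.
 *
 * Options: -no-landlock, -d NUM_SUBDIRS, -n NUM_ITERATIONS.
 */
int main(int argc, char *argv[]) {
  for (int i = 1; i < argc; i++) {
    if (!strcmp(argv[i], "-no-landlock")) {
      use_landlock = false;
    } else if (!strcmp(argv[i], "-d")) {
      /* The value is missing when -d is the last argument. */
      if (++i >= argc)
        errx(1, "expected number of subdirs after -d");
      num_subdirs = parse_count("-d", argv[i]);
    } else if (!strcmp(argv[i], "-n")) {
      if (++i >= argc)
        errx(1, "expected number of iterations after -n");
      num_iterations = parse_count("-n", argv[i]);
    } else {
      usage();
      errx(1, "unknown argument: %s", argv[i]);
    }
  }

  printf("*** Benchmark ***\n");
  printf("%zu dirs, %zu iterations, %s landlock\n", num_subdirs,
         num_iterations, use_landlock ? "with" : "without");

  /* The measured interval starts here, so it includes the setup below. */
  struct tms start_time;
  if (times(&start_time) == -1)
    err(1, "times");

  int current = build_directory(num_subdirs);

  for (size_t i = 0; i < num_iterations; i++) {
    int fd = openat(current, ".", O_DIRECTORY);
    if (use_landlock) {
      if (fd != -1)
        errx(1, "openat succeeded, expected error");
      /*
       * Landlock denials are reported as EACCES.  Any other errno means
       * the open failed for an unrelated reason and the loop would not
       * be measuring the Landlock path walk.
       */
      if (errno != EACCES)
        err(1, "openat failed, but not with EACCES");
    } else {
      /* Without a ruleset the open is expected to succeed. */
      if (fd == -1)
        err(1, "openat");
      close(fd);
    }
  }

  struct tms end_time;
  if (times(&end_time) == -1)
    err(1, "times");

  /* times() counts in sysconf(_SC_CLK_TCK) ticks, not CLOCKS_PER_SEC. */
  long ticks_per_second = sysconf(_SC_CLK_TCK);
  if (ticks_per_second == -1)
    errx(1, "sysconf(_SC_CLK_TCK)");

  printf("*** Benchmark concluded ***\n");
  printf("System: %ld clocks\n",
         (long)(end_time.tms_stime - start_time.tms_stime));
  printf("User  : %ld clocks\n",
         (long)(end_time.tms_utime - start_time.tms_utime));
  printf("Clocks per second: %ld\n", ticks_per_second);

  close(current);
  return 0;
}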
```


