[RFC PATCH v1 3/3] samples/landlock: Print domain ID

[Mickaël Salaün]

If the PIDFD_GET_INFO IOCTL command and the related
PIDFD_INFO_LANDLOCK_FIRST_DOMAIN flag are supported, print the newly
created domain before launching the sandboxed program.

Cc: Günther Noack <gnoack at google.com>
Cc: Praveen K Paladugu <prapal at linux.microsoft.com>
Signed-off-by: Mickaël Salaün <mic at digikod.net>
Link: https://lore.kernel.org/r/20250131163447.1140564-4-mic@digikod.net
---
 samples/landlock/sandboxer.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index 68a5f16bacd5..018bafaa470a 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -15,15 +15,20 @@
 #include <linux/landlock.h>
 #include <linux/prctl.h>
 #include <linux/socket.h>
+#include <stdbool.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/ioctl.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/syscall.h>
 #include <unistd.h>
-#include <stdbool.h>
+
+/* Avoids conflict with fcntl.h */
+#define _LINUX_FCNTL_H
+#include <linux/pidfd.h>
 
 #ifndef landlock_create_ruleset
 static inline int
@@ -53,6 +58,11 @@ static inline int landlock_restrict_self(const int ruleset_fd,
 }
 #endif
 
+static inline int sys_pidfd_open(const pid_t pid, const unsigned int flags)
+{
+	return syscall(__NR_pidfd_open, pid, flags);
+}
+
 #define ENV_FS_RO_NAME "LL_FS_RO"
 #define ENV_FS_RW_NAME "LL_FS_RW"
 #define ENV_TCP_BIND_NAME "LL_TCP_BIND"
@@ -343,7 +353,7 @@ int main(const int argc, char *const argv[], char *const *const envp)
 {
 	const char *cmd_path;
 	char *const *cmd_argv;
-	int ruleset_fd, abi;
+	int ruleset_fd, abi, pidfd;
 	char *env_port_name, *env_force_log;
 	__u64 access_fs_ro = ACCESS_FS_ROUGHLY_READ,
 	      access_fs_rw = ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE;
@@ -510,6 +520,9 @@ int main(const int argc, char *const argv[], char *const *const envp)
 		goto err_close_ruleset;
 	}
 
+	/* Opens our own pidfd before sandboxing, if supported. */
+	pidfd = sys_pidfd_open(getpid(), 0);
+
 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
 		perror("Failed to restrict privileges");
 		goto err_close_ruleset;
@@ -520,6 +533,18 @@ int main(const int argc, char *const argv[], char *const *const envp)
 	}
 	close(ruleset_fd);
 
+	if (pidfd >= 0) {
+		struct pidfd_info info = {
+			.mask = PIDFD_INFO_LANDLOCK_FIRST_DOMAIN,
+		};
+
+		if (!ioctl(pidfd, PIDFD_GET_INFO, &info) &&
+		    (info.mask & PIDFD_INFO_LANDLOCK_FIRST_DOMAIN)) {
+			fprintf(stderr, "Entered the Landlock domain %llx.\n",
+				info.landlock_first_domain);
+		}
+	}
+
 	cmd_path = argv[1];
 	cmd_argv = argv + 1;
 	fprintf(stderr, "Executing the sandboxed command...\n");
-- 
2.48.1