[PATCH] landlock: Document fexecve sadly reopening files
Daniel Tang
danielzgtg.opensource at gmail.com
Fri Nov 14 03:23:32 UTC 2025
Relying on "Files or directories opened before the sandboxing are not
subject to these restrictions," I tried to modify `setpriv` to allow
`--landlock-access fs:execute busybox --help`. Sadly, support for this
use case is absent in fs/exec.c.
Signed-off-by: Daniel Tang <danielzgtg.opensource at gmail.com>
---
include/uapi/linux/landlock.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index f030adc462ee..a69e9fef703c 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -206,7 +206,7 @@ struct landlock_net_port_attr {
*
* The following access rights apply only to files:
*
- * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file.
+ * - %LANDLOCK_ACCESS_FS_EXECUTE: Execute a file. Note fexecve(2) reopens it.
* - %LANDLOCK_ACCESS_FS_WRITE_FILE: Open a file with write access. When
* opening files for writing, you will often additionally need the
* %LANDLOCK_ACCESS_FS_TRUNCATE right. In many cases, these system calls
--
2.51.0
More information about the Linux-security-module-archive
mailing list