[PATCH v3 0/5] Implement LANDLOCK_ADD_RULE_NO_INHERIT
Justin Suess
utilityemal77 at gmail.com
Wed Nov 26 12:20:33 UTC 2025
Hi,
This is version 3 of the LANDLOCK_ADD_RULE_NO_INHERIT series, which
implements a new flag to suppress inheritance of access rights and
flags from parent objects.
This series is rebased on v5 of Tingmao Wang's "quiet flag" series.
The new flag enables policies where a parent directory needs broader
access than its children. For example, a sandbox may permit read-write
access to /home/user but still prohibit writes to ~/.bashrc or
~/.ssh, even though they are nested beneath the parent. Today this is
not possible because access rights always propagate from parent to
child within a layer.
When a rule is added with LANDLOCK_ADD_RULE_NO_INHERIT:
* access rights on parent inodes are ignored for that inode and its
descendants;
* operations that change the direct parent subtree of such objects
(rename, rmdir, link) are denied up to the mountpoint; and
* parent flags do not propagate below a NO_INHERIT rule (new in v3).
These parent-directory restrictions help mitigate sandbox-restart
attacks: a sandboxed process could otherwise move a protected
directory before exit, causing the next sandbox instance to apply its
policy to the wrong path.
Changes since v2:
1. Add six new selftests for the new flag.
2. Add an optimization to stop permission harvesting when all
relevant layers are tagged with NO_INHERIT.
3. Suppress inheritance of parent flags.
4. Rebase onto v5 of the quiet-flag series.
5. Remove the xarray structure used for flag tracking in favor of
blank rule insertion, simplifying the implementation.
6. Fix edge cases involving flag inheritance across multiple
NO_INHERIT layers.
7. Add documenting comments to new functions.
Links:
v1:
https://lore.kernel.org/linux-security-module/20251105180019.1432367-1-utilityemal77@gmail.com/T/#t
v2:
https://lore.kernel.org/linux-security-module/20251120222346.1157004-1-utilityemal77@gmail.com/T/#t
quiet-flag v5:
https://lore.kernel.org/linux-security-module/cover.1763931318.git.m@maowtm.org/T/#t
Example usage:
# LL_FS_RO="" LL_FS_RW="/" LL_FS_RO_NO_INHERIT="/a/b/c" landlock-sandboxer sh
# touch /a/b/c/fi # denied; / RW does not inherit
# rmdir /a/b/c # denied due to parent-directory protections
# mv /a /bad # denied
# mkdir /a/good; touch /a/good/fi # allowed; unrelated path
If preferred, I'm happy to split the selftests into multiple commits.
I am particularly interested in feedback on:
* The soundness of inserting blank rules in ensure_rule_for_dentry.
A zero-access rule is lazily inserted into parent directories on
first access to enforce topology-change protections. This replaces
the prior xarray tracking, and should reduce complexity and improve
performance.
* Additional edge cases that should be covered by new tests.
* Performance implications of the current design.
All existing Landlock selftests and KUnit tests, as well as the new
tests added in this series, are passing.
Thank you for your time and review.
Regards,
Justin Suess
Justin Suess (5):
landlock: Implement LANDLOCK_ADD_RULE_NO_INHERIT
landlock: Implement LANDLOCK_ADD_RULE_NO_INHERIT userspace api
samples/landlock: Add LANDLOCK_ADD_RULE_NO_INHERIT to landlock-sandboxer
selftests/landlock: Implement selftests for LANDLOCK_ADD_RULE_NO_INHERIT
landlock: Implement KUnit test for LANDLOCK_ADD_RULE_NO_INHERIT
include/uapi/linux/landlock.h | 29 +
samples/landlock/sandboxer.c | 37 +-
security/landlock/audit.c | 4 +-
security/landlock/domain.c | 4 +-
security/landlock/fs.c | 592 ++++++++++++++++++++-
security/landlock/ruleset.c | 116 +++-
security/landlock/ruleset.h | 36 +-
security/landlock/syscalls.c | 14 +-
tools/testing/selftests/landlock/fs_test.c | 459 +++++++++++++++-
9 files changed, 1249 insertions(+), 42 deletions(-)
base-commit: 91d200c5385c926c8d1f2df33a8a4160924fa977
--
2.51.0
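Added example, not part of the posted series and not the kernel's Landlock code: a small userspace model in C of the two behaviours the cover letter describes for a NO_INHERIT rule, harvesting access rights from each ruled ancestor until a NO_INHERIT rule is reached, and denying rename/rmdir/link on a NO_INHERIT object or any directory above it up to the mountpoint. The first two policy entries mirror the landlock-sandboxer invocation above (/ read-write, /a/b/c read-only with NO_INHERIT). The third entry on /a/b/c/d, the ACCESS_* bitmask constants, the function names and the choice of / as the mountpoint are this example's own assumptions; flags and the blank-rule insertion the series uses are not modelled.

```c
/* Added example, not code from the series: a userspace model of the
 * NO_INHERIT semantics described in the cover letter. One layer, paths
 * as plain strings, "/" taken as the mountpoint. All identifiers here
 * (struct rule, lookup_access, topology_change_denied, ACCESS_*) are
 * this example's own and not Landlock's uapi. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ACCESS_READ  (1u << 0)
#define ACCESS_WRITE (1u << 1)

struct rule {
	const char *path;     /* canonical absolute path, no trailing slash */
	unsigned int access;  /* rights granted at this object */
	bool no_inherit;      /* modelled LANDLOCK_ADD_RULE_NO_INHERIT */
};

/* Constructed policy: the first two rules mirror the sandboxer example
 * above (/ read-write, /a/b/c read-only with NO_INHERIT); the third is
 * an extra assumed rule to show that rules below a NO_INHERIT object
 * still contribute their own rights. */
static const struct rule policy[] = {
	{ "/",        ACCESS_READ | ACCESS_WRITE, false },
	{ "/a/b/c",   ACCESS_READ,                true  },
	{ "/a/b/c/d", ACCESS_WRITE,               false },
};
#define NPOLICY (sizeof(policy) / sizeof(policy[0]))

/* True if dir is path itself or one of its ancestor directories. */
static bool is_prefix_dir(const char *dir, const char *path)
{
	size_t n = strlen(dir);

	if (strcmp(dir, "/") == 0)
		return path[0] == '/';
	return strncmp(dir, path, n) == 0 &&
	       (path[n] == '\0' || path[n] == '/');
}

static const struct rule *find_rule(const char *path)
{
	for (size_t i = 0; i < NPOLICY; i++)
		if (strcmp(policy[i].path, path) == 0)
			return &policy[i];
	return NULL;
}

/* Walk from path up to "/" OR-ing in the rights of every ruled ancestor.
 * A NO_INHERIT rule contributes its own rights and ends the walk, so
 * rights on anything above it are ignored for that object and its
 * descendants. Returns 0 for a relative or over-long path. */
unsigned int lookup_access(const char *path)
{
	char buf[256];
	unsigned int allowed = 0;

	if (path[0] != '/' || strlen(path) >= sizeof(buf))
		return 0;
	strcpy(buf, path);
	for (;;) {
		const struct rule *r = find_rule(buf);
		char *slash;

		if (r) {
			allowed |= r->access;
			if (r->no_inherit)
				break;
		}
		if (strcmp(buf, "/") == 0)
			break;
		slash = strrchr(buf, '/');
		if (slash == buf)
			strcpy(buf, "/");   /* parent of a top-level entry */
		else
			*slash = '\0';      /* strip the last path component */
	}
	return allowed;
}

/* Parent-directory protection: a rename, rmdir or link that changes
 * path is denied when path is a NO_INHERIT object or any directory
 * above it, up to the mountpoint. */
bool topology_change_denied(const char *path)
{
	for (size_t i = 0; i < NPOLICY; i++)
		if (policy[i].no_inherit && is_prefix_dir(path, policy[i].path))
			return true;
	return false;
}

int main(void)
{
	static const char *const checks[] = {
		"/a/b/c/fi", "/a/b/c/d/fi", "/a/good/fi",
	};

	for (size_t i = 0; i < sizeof(checks) / sizeof(checks[0]); i++)
		printf("write %-13s %s\n", checks[i],
		       (lookup_access(checks[i]) & ACCESS_WRITE) ? "allowed" : "denied");
	printf("rmdir /a/b/c        %s\n", topology_change_denied("/a/b/c") ? "denied" : "allowed");
	printf("mv /a /bad          %s\n", topology_change_denied("/a") ? "denied" : "allowed");
	printf("mkdir /a/good       %s\n", topology_change_denied("/a/good") ? "denied" : "allowed");
	return 0;
}
```

Running it reproduces the four outcomes of the sandboxer session: a write under /a/b/c gets only the READ harvested from the NO_INHERIT rule, rmdir /a/b/c and mv /a are topology changes on or above a NO_INHERIT object and are refused, and /a/good sees the root's read-write rule because no NO_INHERIT rule lies between it and /.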