[RFC PATCH v1 06/11] landlock: Enforce capability restrictions
Günther Noack
gnoack3000 at gmail.com
Wed Apr 22 21:36:51 UTC 2026
Hello!
On Thu, Mar 12, 2026 at 11:04:39AM +0100, Mickaël Salaün wrote:
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index 152d952e98f6..38a4bf92781a 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> [...]
> + /*
> + * Stores only the capabilities this kernel knows about.
> + * Unknown bits are silently accepted for forward compatibility:
> + * user space compiled against newer headers can pass new
> + * CAP_* bits without getting EINVAL on older kernels.
> + * Unknown bits have no effect because no hook checks them.
> + */
> + mutex_lock(&ruleset->lock);
> + ruleset->layers[0].allowed.caps |=
> + landlock_caps_to_bits(cap_attr.capabilities & CAP_VALID_MASK);
> + mutex_unlock(&ruleset->lock);
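Review bot: the comment above the `mutex_lock()` documents that bits outside `CAP_VALID_MASK` are silently dropped, but the justification it gives (user space built against newer headers on an older kernel, no EINVAL) is exactly the case where the caller cannot tell that a requested capability was ignored: a program asking to allow a `CAP_*` this kernel does not know gets a ruleset that never grants it, while `landlock_caps_to_bits(cap_attr.capabilities & CAP_VALID_MASK)` makes the call succeed regardless, and an all-ones or otherwise garbage `capabilities` value is indistinguishable from a valid one. Consider returning -EINVAL when `cap_attr.capabilities & ~CAP_VALID_MASK` is non-zero, as the reply below also argues; if the permissive behaviour is kept on purpose, the "unknown bits are ignored" contract should be stated in the uapi header documentation rather than only in this in-kernel comment.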
See the example in the documentation patch set [1]; I think it can be
an incompatibility if we ignore the unknown bits here (and I don't
know of a scenario where it would be a problem to reject them).
[1] https://lore.kernel.org/all/20260422.5a7059c06fb0@gnoack.org/
–Günther