[GIT PULL] Landlock update for v6.15-rc1

From: Mickaël Salaün
Date: Fri Mar 28 2025 - 12:26:34 EST


Linus,

This PR brings two main changes to Landlock:
* A signal scoping fix with a new interface for user space to know if it
  is compatible with the running kernel.
* Audit support to give visibility on why access requests are denied,
  including the origin of the security policy, missing access rights,
  and description of object(s). This was designed to limit log spam as
  much as possible while still alerting about unexpected blocked access.

With these changes come new and improved documentation, and a lot of new
tests.

Please pull these changes for v6.15-rc1. These commits merge cleanly
with your master branch. Most kernel code has been tested in the latest
linux-next releases for a few weeks and recently rebased to apply fixes.

syzkaller has been running for a few months on a private instance with
these changes. The upstream project can now also test them:
https://github.com/google/syzkaller/pull/5851

Test coverage with Kselftest for master:security/landlock is 93.6% of
1525 lines according to gcc/gcov-14, and it was 92.6% of 1115 lines
before this PR.

Regards,
Mickaël

--
The following changes since commit 7eb172143d5508b4da468ed59ee857c6e5e01da6:

Linux 6.14-rc5 (2025-03-02 11:48:20 -0800)

are available in the Git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/landlock-6.15-rc1

for you to fetch changes up to 8e2dd47b10e77452733eae23cc83078fa29c1e9a:

landlock: Add audit documentation (2025-03-26 13:59:49 +0100)

----------------------------------------------------------------
Landlock update for v6.15-rc1

----------------------------------------------------------------
Günther Noack (1):
landlock: Clarify IPC scoping documentation

Mickaël Salaün (35):
landlock: Move code to ease future backports
landlock: Add the errata interface
landlock: Add erratum for TCP fix
landlock: Prepare to add second errata
landlock: Always allow signals between threads of the same process
selftests/landlock: Split signal_scoping_threads tests
selftests/landlock: Add a new test for setuid()
lsm: Add audit_log_lsm_data() helper
landlock: Add unique ID generator
landlock: Move domain hierarchy management
landlock: Prepare to use credential instead of domain for filesystem
landlock: Prepare to use credential instead of domain for network
landlock: Prepare to use credential instead of domain for scope
landlock: Prepare to use credential instead of domain for fowner
landlock: Identify domain execution crossing
landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials
landlock: Add AUDIT_LANDLOCK_DOMAIN and log domain status
landlock: Log mount-related denials
landlock: Log file-related denials
landlock: Factor out IOCTL hooks
landlock: Log truncate and IOCTL denials
landlock: Log TCP bind and connect denials
landlock: Log scoped denials
landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags
landlock: Add LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
samples/landlock: Enable users to log sandbox denials
selftests/landlock: Add test for invalid ruleset file descriptor
selftests/landlock: Extend tests for landlock_restrict_self(2)'s flags
selftests/landlock: Add tests for audit flags and domain IDs
selftests/landlock: Test audit with restrict flags
selftests/landlock: Add audit tests for ptrace
selftests/landlock: Add audit tests for abstract UNIX socket scoping
selftests/landlock: Add audit tests for filesystem
selftests/landlock: Add audit tests for network
landlock: Add audit documentation

Documentation/admin-guide/LSM/index.rst | 1 +
Documentation/admin-guide/LSM/landlock.rst | 158 ++++++
Documentation/security/landlock.rst | 13 +-
Documentation/userspace-api/landlock.rst | 72 ++-
MAINTAINERS | 1 +
include/linux/lsm_audit.h | 8 +
include/uapi/linux/audit.h | 4 +-
include/uapi/linux/landlock.h | 35 ++
samples/landlock/sandboxer.c | 37 +-
security/landlock/.kunitconfig | 2 +
security/landlock/Makefile | 5 +
security/landlock/access.h | 25 +-
security/landlock/audit.c | 522 ++++++++++++++++++
security/landlock/audit.h | 76 +++
security/landlock/cred.c | 28 +-
security/landlock/cred.h | 92 +++-
security/landlock/domain.c | 264 +++++++++
security/landlock/domain.h | 174 ++++++
security/landlock/errata.h | 99 ++++
security/landlock/errata/abi-4.h | 15 +
security/landlock/errata/abi-6.h | 19 +
security/landlock/fs.c | 321 ++++++++---
security/landlock/fs.h | 40 +-
security/landlock/id.c | 251 +++++++++
security/landlock/id.h | 25 +
security/landlock/limits.h | 7 +-
security/landlock/net.c | 78 ++-
security/landlock/ruleset.c | 30 +-
security/landlock/ruleset.h | 48 +-
security/landlock/setup.c | 40 +-
security/landlock/setup.h | 3 +
security/landlock/syscalls.c | 99 +++-
security/landlock/task.c | 257 ++++++---
security/lsm_audit.c | 27 +-
tools/testing/kunit/configs/all_tests.config | 2 +
tools/testing/selftests/landlock/.gitignore | 1 +
tools/testing/selftests/landlock/Makefile | 6 +-
tools/testing/selftests/landlock/audit.h | 472 ++++++++++++++++
tools/testing/selftests/landlock/audit_test.c | 551 +++++++++++++++++++
tools/testing/selftests/landlock/base_test.c | 130 ++++-
tools/testing/selftests/landlock/common.h | 20 +
tools/testing/selftests/landlock/config | 1 +
tools/testing/selftests/landlock/fs_test.c | 594 +++++++++++++++++++++
tools/testing/selftests/landlock/net_test.c | 132 +++++
tools/testing/selftests/landlock/ptrace_test.c | 140 +++++
.../selftests/landlock/scoped_abstract_unix_test.c | 111 ++++
.../selftests/landlock/scoped_signal_test.c | 108 +++-
.../testing/selftests/landlock/wait-pipe-sandbox.c | 131 +++++
48 files changed, 4960 insertions(+), 315 deletions(-)
create mode 100644 Documentation/admin-guide/LSM/landlock.rst
create mode 100644 security/landlock/audit.c
create mode 100644 security/landlock/audit.h
create mode 100644 security/landlock/domain.c
create mode 100644 security/landlock/domain.h
create mode 100644 security/landlock/errata.h
create mode 100644 security/landlock/errata/abi-4.h
create mode 100644 security/landlock/errata/abi-6.h
create mode 100644 security/landlock/id.c
create mode 100644 security/landlock/id.h
create mode 100644 tools/testing/selftests/landlock/audit.h
create mode 100644 tools/testing/selftests/landlock/audit_test.c
create mode 100644 tools/testing/selftests/landlock/wait-pipe-sandbox.c