Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp684421pxb; Wed, 11 Nov 2020 13:38:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJznnLaAYjSHA2+Ubx8kl9fsDHFFRstGmsSzhGFqA0bakVJMCPcmVSA+GLgXsx1yGY4DfKvr X-Received: by 2002:a50:a6d0:: with SMTP id f16mr1632900edc.135.1605130694008; Wed, 11 Nov 2020 13:38:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605130693; cv=none; d=google.com; s=arc-20160816; b=odGlp7denYqYYEjwis+OhaB1aYipODcKTAdvqDuiLBV45tIndVEpWA2wyzSjd12dhY Vsl1KorMvt8oxOWkoUI8F6nJwNuwHcekYGdJ0N2RvDXscUXwAyPTGIajjhDIRbz3ZeZx yPkKM77yPZgg3lJGSFhTuyZulPlYJhqjlUObcEIS8hMDu9D+0OXXAg9W4/A9lSummD1T ocRjYJwgmds8on0WT3T+1PeaTz0pWizRc2uw7saMSLlrFwvc98dQXHd6RPZ3Oh5OPxjK RI0FA18RYZKt4zcA5eHEjiR1J1s6rAMKI68Z/L7aZYTEHG1aI3U4Ks/7TGX34psFHbx6 rXCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=pOSUHFuDCivl70qR+xI9IYVrKdwcEG1Xbjaf5c5Fud0=; b=Ho3wJ2Tz45Fkd4JDZJhum5IwX9Rg4G8Ng+LkNucNzZGi3LCQIIR0ZKeZ+hQgYwH2kP Pa+RQLlmpzLlo7fTMAj+CpvCKLiGXQEopLWxKTB5ePQPdWlehtMdQc/pB/DUuLBOSfKg ApuH/mROWE7jHK2wC36igyKGrdOMIfVnu17OhSgM76yWhjcDOND5MFkT4KK9muvdaBkj oheIwRaq12E8eI6Ue0tusLIvEoyR0DjdhRx9ltlw3xnwxwdIXOhTQaSZsrBIW03LpOTA VEnICVLKaOl4AaQ+undI+vQ+6GN38jq0S5U1Mosh0AtYhqxpxVybydlSwa3RFKZxR6Jj EBpA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y10si2343314ejq.401.2020.11.11.13.37.50; Wed, 11 Nov 2020 13:38:13 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726573AbgKKVer (ORCPT + 99 others); Wed, 11 Nov 2020 16:34:47 -0500 Received: from smtp-bc0b.mail.infomaniak.ch ([45.157.188.11]:46417 "EHLO smtp-bc0b.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725933AbgKKVer (ORCPT ); Wed, 11 Nov 2020 16:34:47 -0500 Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4CWdKx0gBtzlhGL9; Wed, 11 Nov 2020 22:34:45 +0100 (CET) Received: from localhost (unknown [94.23.54.103]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4CWdKw4jtzzlh8T5; Wed, 11 Nov 2020 22:34:44 +0100 (CET) From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: James Morris , Jann Horn , "Serge E . Hallyn" Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Shuah Khan , Vincent Dagonneau , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v1 0/9] Landlock fixes Date: Wed, 11 Nov 2020 22:34:33 +0100 Message-Id: <20201111213442.434639-1-mic@digikod.net> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, This patch series fixes some issues and makes the Landlock filesystem access-control more consistent and deterministic when stacking multiple rulesets. This is checked by current and new tests. I also extended documentation and example to help users. This series can be applied on top of https://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git/log/?h=landlock_lsm Regards, Mickaël Salaün (9): landlock: Fix memory allocation error handling landlock: Cosmetic fixes for filesystem management landlock: Enforce deterministic interleaved path rules landlock: Always intersect access rights landlock: Add extra checks when inserting a rule selftests/landlock: Extend layout1.inherit_superset landlock: Clean up get_ruleset_from_fd() landlock: Add help to enable Landlock as a stacked LSM landlock: Extend documentation about limitations Documentation/userspace-api/landlock.rst | 17 +++ samples/landlock/sandboxer.c | 21 +++- security/landlock/Kconfig | 4 +- security/landlock/fs.c | 67 +++++----- security/landlock/object.c | 5 +- security/landlock/ruleset.c | 34 ++--- security/landlock/syscall.c | 24 ++-- tools/testing/selftests/landlock/fs_test.c | 140 +++++++++++++++++++-- 8 files changed, 239 insertions(+), 73 deletions(-) base-commit: 96b3198c4025c11347651700b77e45a686d78553 -- 2.29.2