Thread (19 messages) 19 messages, 3 authors, 2020-09-16
STALE2117d
Revisions (21)
  1. v14 [diff vs current]
  2. v15 [diff vs current]
  3. v16 [diff vs current]
  4. v17 [diff vs current]
  5. v18 [diff vs current]
  6. v19 [diff vs current]
  7. v20 current
  8. v21 [diff vs current]
  9. v22 [diff vs current]
  10. v23 [diff vs current]
  11. v24 [diff vs current]
  12. v25 [diff vs current]
  13. v26 [diff vs current]
  14. v27 [diff vs current]
  15. v28 [diff vs current]
  16. v29 [diff vs current]
  17. v30 [diff vs current]
  18. v31 [diff vs current]
  19. v32 [diff vs current]
  20. v33 [diff vs current]
  21. v34 [diff vs current]

[PATCH v20 09/12] arch: Wire up Landlock syscalls

From: Mickaël Salaün <mic@digikod.net>
Date: 2020-08-02 22:00:18
Also in: linux-arch, linux-doc, linux-fsdevel, linux-kselftest, linux-security-module, lkml
Subsystem: alpha port, arm port, arm64 port (aarch64 architecture), generic include/asm header files, linux for powerpc (32-bit and 64-bit), m68k architecture, microblaze architecture, mips, parisc architecture, s390 architecture, sparc + ultrasparc (sparc/sparc64), superh, tensilica xtensa port (xtensa), the rest, x86 architecture (32-bit and 64-bit), x86 entry code · Maintainers: Richard Henderson, Matt Turner, Magnus Lindholm, Russell King, Catalin Marinas, Will Deacon, Arnd Bergmann, Madhavan Srinivasan, Michael Ellerman, Geert Uytterhoeven, Michal Simek, Thomas Bogendoerfer, "James E.J. Bottomley", Helge Deller, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, "David S. Miller", Andreas Larsson, Yoshinori Sato, Rich Felker, John Paul Adrian Glaubitz, Chris Zankel, Max Filippov, Linus Torvalds, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, Andy Lutomirski

Wire up the following system calls for all architectures:
* landlock_get_features(2)
* landlock_create_ruleset(2)
* landlock_add_rule(2)
* landlock_enforce_ruleset(2)

Signed-off-by: Mickaël Salaün <mic@digikod.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: James Morris <jmorris@namei.org>
Cc: Jann Horn <jannh@google.com>
Cc: Kees Cook <redacted>
Cc: Serge E. Hallyn <serge@hallyn.com>
---

Changes since v19:
* Increase syscall numbers by 4 to leave space for new ones (in
  linux-next): watch_mount(2), watch_sb(2), fsinfo(2) and
  process_madvise(2) (requested by Arnd Bergmann).
* Replace the previous multiplexor landlock(2) with 4 syscalls:
  landlock_get_features(2), landlock_create_ruleset(2),
  landlock_add_rule(2) and landlock_enforce_ruleset(2).

Changes since v18:
* Increase the syscall number because of the new faccessat2(2).

Changes since v14:
* Add all architectures.

Changes since v13:
* New implementation.
---
 arch/alpha/kernel/syscalls/syscall.tbl      |  4 ++++
 arch/arm/tools/syscall.tbl                  |  4 ++++
 arch/arm64/include/asm/unistd.h             |  2 +-
 arch/arm64/include/asm/unistd32.h           |  8 ++++++++
 arch/ia64/kernel/syscalls/syscall.tbl       |  4 ++++
 arch/m68k/kernel/syscalls/syscall.tbl       |  4 ++++
 arch/microblaze/kernel/syscalls/syscall.tbl |  4 ++++
 arch/mips/kernel/syscalls/syscall_n32.tbl   |  4 ++++
 arch/mips/kernel/syscalls/syscall_n64.tbl   |  4 ++++
 arch/mips/kernel/syscalls/syscall_o32.tbl   |  4 ++++
 arch/parisc/kernel/syscalls/syscall.tbl     |  4 ++++
 arch/powerpc/kernel/syscalls/syscall.tbl    |  4 ++++
 arch/s390/kernel/syscalls/syscall.tbl       |  4 ++++
 arch/sh/kernel/syscalls/syscall.tbl         |  4 ++++
 arch/sparc/kernel/syscalls/syscall.tbl      |  4 ++++
 arch/x86/entry/syscalls/syscall_32.tbl      |  4 ++++
 arch/x86/entry/syscalls/syscall_64.tbl      |  4 ++++
 arch/xtensa/kernel/syscalls/syscall.tbl     |  4 ++++
 include/uapi/asm-generic/unistd.h           | 10 +++++++++-
 19 files changed, 82 insertions(+), 2 deletions(-)
diff --git a/arch/alpha/kernel/syscalls/syscall.tbl b/arch/alpha/kernel/syscalls/syscall.tbl
index 5ddd128d4b7a..d59664094690 100644
--- a/arch/alpha/kernel/syscalls/syscall.tbl
+++ b/arch/alpha/kernel/syscalls/syscall.tbl
@@ -478,3 +478,7 @@
 547	common	openat2				sys_openat2
 548	common	pidfd_getfd			sys_pidfd_getfd
 549	common	faccessat2			sys_faccessat2
+554	common	landlock_get_features		sys_landlock_get_features
+555	common	landlock_create_ruleset		sys_landlock_create_ruleset
+556	common	landlock_add_rule			sys_landlock_add_rule
+557	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/arm/tools/syscall.tbl b/arch/arm/tools/syscall.tbl
index d5cae5ffede0..9fe59a61fa75 100644
--- a/arch/arm/tools/syscall.tbl
+++ b/arch/arm/tools/syscall.tbl
@@ -452,3 +452,7 @@
 437	common	openat2				sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/arm64/include/asm/unistd.h b/arch/arm64/include/asm/unistd.h
index 3b859596840d..fb7a0be2f3d9 100644
--- a/arch/arm64/include/asm/unistd.h
+++ b/arch/arm64/include/asm/unistd.h
@@ -38,7 +38,7 @@
 #define __ARM_NR_compat_set_tls		(__ARM_NR_COMPAT_BASE + 5)
 #define __ARM_NR_COMPAT_END		(__ARM_NR_COMPAT_BASE + 0x800)
 
-#define __NR_compat_syscalls		440
+#define __NR_compat_syscalls		448
 #endif
 
 #define __ARCH_WANT_SYS_CLONE
diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h
index 6d95d0c8bf2f..d150396491e6 100644
--- a/arch/arm64/include/asm/unistd32.h
+++ b/arch/arm64/include/asm/unistd32.h
@@ -885,6 +885,14 @@ __SYSCALL(__NR_openat2, sys_openat2)
 __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd)
 #define __NR_faccessat2 439
 __SYSCALL(__NR_faccessat2, sys_faccessat2)
+#define __NR_landlock_get_features 444
+__SYSCALL(__NR_landlock_get_features, sys_landlock_get_features)
+#define __NR_landlock_create_ruleset 445
+__SYSCALL(__NR_landlock_create_ruleset, sys_landlock_create_ruleset)
+#define __NR_landlock_add_rule 446
+__SYSCALL(__NR_landlock_add_rule, sys_landlock_add_rule)
+#define __NR_landlock_enforce_ruleset 447
+__SYSCALL(__NR_landlock_enforce_ruleset, sys_landloc_enforce_rulesetk)
 
 /*
  * Please add new compat syscalls above this comment and update
diff --git a/arch/ia64/kernel/syscalls/syscall.tbl b/arch/ia64/kernel/syscalls/syscall.tbl
index 49e325b604b3..84872f8daa42 100644
--- a/arch/ia64/kernel/syscalls/syscall.tbl
+++ b/arch/ia64/kernel/syscalls/syscall.tbl
@@ -359,3 +359,7 @@
 437	common	openat2				sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/m68k/kernel/syscalls/syscall.tbl b/arch/m68k/kernel/syscalls/syscall.tbl
index f71b1bbcc198..a362b4b16d7b 100644
--- a/arch/m68k/kernel/syscalls/syscall.tbl
+++ b/arch/m68k/kernel/syscalls/syscall.tbl
@@ -438,3 +438,7 @@
 437	common	openat2				sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/microblaze/kernel/syscalls/syscall.tbl b/arch/microblaze/kernel/syscalls/syscall.tbl
index edacc4561f2b..acc931725b43 100644
--- a/arch/microblaze/kernel/syscalls/syscall.tbl
+++ b/arch/microblaze/kernel/syscalls/syscall.tbl
@@ -444,3 +444,7 @@
 437	common	openat2				sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/mips/kernel/syscalls/syscall_n32.tbl b/arch/mips/kernel/syscalls/syscall_n32.tbl
index f777141f5256..5e1d5bfced9d 100644
--- a/arch/mips/kernel/syscalls/syscall_n32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n32.tbl
@@ -377,3 +377,7 @@
 437	n32	openat2				sys_openat2
 438	n32	pidfd_getfd			sys_pidfd_getfd
 439	n32	faccessat2			sys_faccessat2
+444	n32	landlock_get_features		sys_landlock_get_features
+445	n32	landlock_create_ruleset		sys_landlock_create_ruleset
+446	n32	landlock_add_rule			sys_landlock_add_rule
+447	n32	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/mips/kernel/syscalls/syscall_n64.tbl b/arch/mips/kernel/syscalls/syscall_n64.tbl
index da8c76394e17..8d9b6175f4af 100644
--- a/arch/mips/kernel/syscalls/syscall_n64.tbl
+++ b/arch/mips/kernel/syscalls/syscall_n64.tbl
@@ -353,3 +353,7 @@
 437	n64	openat2				sys_openat2
 438	n64	pidfd_getfd			sys_pidfd_getfd
 439	n64	faccessat2			sys_faccessat2
+444	n64	landlock_get_features		sys_landlock_get_features
+445	n64	landlock_create_ruleset		sys_landlock_create_ruleset
+446	n64	landlock_add_rule			sys_landlock_add_rule
+447	n64	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/mips/kernel/syscalls/syscall_o32.tbl b/arch/mips/kernel/syscalls/syscall_o32.tbl
index 13280625d312..66e58338772a 100644
--- a/arch/mips/kernel/syscalls/syscall_o32.tbl
+++ b/arch/mips/kernel/syscalls/syscall_o32.tbl
@@ -426,3 +426,7 @@
 437	o32	openat2				sys_openat2
 438	o32	pidfd_getfd			sys_pidfd_getfd
 439	o32	faccessat2			sys_faccessat2
+444	o32	landlock_get_features		sys_landlock_get_features
+445	o32	landlock_create_ruleset		sys_landlock_create_ruleset
+446	o32	landlock_add_rule			sys_landlock_add_rule
+447	o32	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/parisc/kernel/syscalls/syscall.tbl b/arch/parisc/kernel/syscalls/syscall.tbl
index 5a758fa6ec52..70bdc7c43464 100644
--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -436,3 +436,7 @@
 437	common	openat2				sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/powerpc/kernel/syscalls/syscall.tbl b/arch/powerpc/kernel/syscalls/syscall.tbl
index f833a3190822..3f1d2c12eb98 100644
--- a/arch/powerpc/kernel/syscalls/syscall.tbl
+++ b/arch/powerpc/kernel/syscalls/syscall.tbl
@@ -528,3 +528,7 @@
 437	common	openat2				sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/s390/kernel/syscalls/syscall.tbl b/arch/s390/kernel/syscalls/syscall.tbl
index bfdcb7633957..577d590450e9 100644
--- a/arch/s390/kernel/syscalls/syscall.tbl
+++ b/arch/s390/kernel/syscalls/syscall.tbl
@@ -441,3 +441,7 @@
 437  common	openat2			sys_openat2			sys_openat2
 438  common	pidfd_getfd		sys_pidfd_getfd			sys_pidfd_getfd
 439  common	faccessat2		sys_faccessat2			sys_faccessat2
+444  common	landlock_get_features		sys_landlock_get_features		sys_landlock_get_features
+445  common	landlock_create_ruleset		sys_landlock_create_ruleset		sys_landlock_create_ruleset
+446  common	landlock_add_rule			sys_landlock_add_rule			sys_landlock_add_rule
+447  common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/sh/kernel/syscalls/syscall.tbl b/arch/sh/kernel/syscalls/syscall.tbl
index acc35daa1b79..9202338a9e70 100644
--- a/arch/sh/kernel/syscalls/syscall.tbl
+++ b/arch/sh/kernel/syscalls/syscall.tbl
@@ -441,3 +441,7 @@
 437	common	openat2				sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/sparc/kernel/syscalls/syscall.tbl b/arch/sparc/kernel/syscalls/syscall.tbl
index 8004a276cb74..b4c47eefda57 100644
--- a/arch/sparc/kernel/syscalls/syscall.tbl
+++ b/arch/sparc/kernel/syscalls/syscall.tbl
@@ -484,3 +484,7 @@
 437	common	openat2			sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl
index d8f8a1a69ed1..26735df8c19e 100644
--- a/arch/x86/entry/syscalls/syscall_32.tbl
+++ b/arch/x86/entry/syscalls/syscall_32.tbl
@@ -443,3 +443,7 @@
 437	i386	openat2			sys_openat2
 438	i386	pidfd_getfd		sys_pidfd_getfd
 439	i386	faccessat2		sys_faccessat2
+444	i386	landlock_get_features		sys_landlock_get_features
+445	i386	landlock_create_ruleset		sys_landlock_create_ruleset
+446	i386	landlock_add_rule			sys_landlock_add_rule
+447	i386	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl
index 78847b32e137..7e9c927b51fb 100644
--- a/arch/x86/entry/syscalls/syscall_64.tbl
+++ b/arch/x86/entry/syscalls/syscall_64.tbl
@@ -360,6 +360,10 @@
 437	common	openat2			sys_openat2
 438	common	pidfd_getfd		sys_pidfd_getfd
 439	common	faccessat2		sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
 
 #
 # x32-specific system call numbers start at 512 to avoid cache impact
diff --git a/arch/xtensa/kernel/syscalls/syscall.tbl b/arch/xtensa/kernel/syscalls/syscall.tbl
index 69d0d73876b3..c8b1a6218ee6 100644
--- a/arch/xtensa/kernel/syscalls/syscall.tbl
+++ b/arch/xtensa/kernel/syscalls/syscall.tbl
@@ -409,3 +409,7 @@
 437	common	openat2				sys_openat2
 438	common	pidfd_getfd			sys_pidfd_getfd
 439	common	faccessat2			sys_faccessat2
+444	common	landlock_get_features		sys_landlock_get_features
+445	common	landlock_create_ruleset		sys_landlock_create_ruleset
+446	common	landlock_add_rule			sys_landlock_add_rule
+447	common	landlock_enforce_ruleset	sys_landlock_enforce_ruleset
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index f4a01305d9a6..ff3afbf02b51 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -857,9 +857,17 @@ __SYSCALL(__NR_openat2, sys_openat2)
 __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd)
 #define __NR_faccessat2 439
 __SYSCALL(__NR_faccessat2, sys_faccessat2)
+#define __NR_landlock_get_features 444
+__SYSCALL(__NR_landlock_get_features, sys_landlock_get_features)
+#define __NR_landlock_create_ruleset 445
+__SYSCALL(__NR_landlock_create_ruleset, sys_landlock_create_ruleset)
+#define __NR_landlock_add_rule 446
+__SYSCALL(__NR_landlock_add_rule, sys_landlock_add_rule)
+#define __NR_landlock_enforce_ruleset 447
+__SYSCALL(__NR_landlock_enforce_ruleset, sys_landloc_enforce_rulesetk)
 
 #undef __NR_syscalls
-#define __NR_syscalls 440
+#define __NR_syscalls 448
 
 /*
  * 32 bit systems traditionally used different
-- 
2.28.0.rc2
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help