--- v19
+++ v28
@@ -1,12 +1,56 @@
+From: Mickaël Salaün <mic@linux.microsoft.com>
+
 Add a basic sandbox tool to launch a command which can only access a
-whitelist of file hierarchies in a read-only or read-write way.
-
-Signed-off-by: Mickaël Salaün <mic@digikod.net>
+list of file hierarchies in a read-only or read-write way.
+
 Cc: James Morris <jmorris@namei.org>
-Cc: Jann Horn <jannh@google.com>
 Cc: Kees Cook <keescook@chromium.org>
 Cc: Serge E. Hallyn <serge@hallyn.com>
+Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
+Reviewed-by: Jann Horn <jannh@google.com>
 ---
+
+Changes since v27:
+* Add samples/landlock/ to MAINTAINERS.
+* Update landlock_restrict_self(2).
+* Tweak Kconfig title and description.
+
+Changes since v25:
+* Improve comments and fix help (suggested by Jann Horn).
+* Add a safeguard for errno check (suggested by Jann Horn).
+* Allows users to not use all possible restrictions (e.g. use LL_FS_RO
+  without LL_FS_RW).
+* Update syscall names.
+* Improve Makefile:
+  - Replace hostprogs/always-y with userprogs-always-y, available since
+    commit faabed295ccc ("kbuild: introduce hostprogs-always-y and
+    userprogs-always-y").
+  - Depends on CC_CAN_LINK.
+* Add Reviewed-by Jann Horn.
+
+Changes since v25:
+* Remove useless errno set in the syscall wrappers.
+* Cosmetic variable renames.
+
+Changes since v23:
+* Re-add hints to help users understand the required kernel
+  configuration.  This was removed with the removal of
+  landlock_get_features(2).
+
+Changes since v21:
+* Remove LANDLOCK_ACCESS_FS_CHROOT.
+* Clean up help.
+
+Changes since v20:
+* Update with new syscalls and type names.
+* Update errno check for EOPNOTSUPP.
+* Use the full syscall interfaces: explicitely set the "flags" field to
+  zero.
+
+Changes since v19:
+* Update with the new Landlock syscalls.
+* Comply with commit 5f2fb52fac15 ("kbuild: rename hostprogs-y/always to
+  hostprogs/always-y").
 
 Changes since v16:
 * Switch syscall attribute pointer and size arguments.
@@ -37,18 +81,31 @@
 Previous changes:
 https://lore.kernel.org/lkml/20190721213116.23476-9-mic@digikod.net/
 ---
+ MAINTAINERS                  |   1 +
  samples/Kconfig              |   7 ++
  samples/Makefile             |   1 +
  samples/landlock/.gitignore  |   1 +
- samples/landlock/Makefile    |  15 +++
- samples/landlock/sandboxer.c | 228 +++++++++++++++++++++++++++++++++++
- 5 files changed, 252 insertions(+)
+ samples/landlock/Makefile    |  13 ++
+ samples/landlock/sandboxer.c | 238 +++++++++++++++++++++++++++++++++++
+ 6 files changed, 261 insertions(+)
  create mode 100644 samples/landlock/.gitignore
  create mode 100644 samples/landlock/Makefile
  create mode 100644 samples/landlock/sandboxer.c
 
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 3df7b12dc7f1..cf49d9431439 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -9943,6 +9943,7 @@ S:	Supported
+ W:	https://landlock.io
+ T:	git https://github.com/landlock-lsm/linux.git
+ F:	include/uapi/linux/landlock.h
++F:	samples/landlock/
+ F:	security/landlock/
+ F:	tools/testing/selftests/landlock/
+ K:	landlock
 diff --git a/samples/Kconfig b/samples/Kconfig
-index 0ed6e4d71d87..092962924f0d 100644
+index 0ed6e4d71d87..30ad633cd82c 100644
 --- a/samples/Kconfig
 +++ b/samples/Kconfig
 @@ -124,6 +124,13 @@ config SAMPLE_HIDRAW
@@ -56,17 +113,17 @@
  	depends on CC_CAN_LINK && HEADERS_INSTALL
  
 +config SAMPLE_LANDLOCK
-+	bool "Build Landlock sample code"
-+	depends on HEADERS_INSTALL
++	bool "Build Landlock example"
++	depends on CC_CAN_LINK && HEADERS_INSTALL
 +	help
-+	  Build a simple Landlock sandbox manager able to launch a process
-+	  restricted by a user-defined filesystem access-control security policy.
++	  Build a simple Landlock sandbox manager able to start a process
++	  restricted by a user-defined filesystem access control policy.
 +
  config SAMPLE_PIDFD
  	bool "pidfd sample"
  	depends on CC_CAN_LINK && HEADERS_INSTALL
 diff --git a/samples/Makefile b/samples/Makefile
-index 754553597581..4a6ce8f64a4c 100644
+index c3392a595e4b..087e0988ccc5 100644
 --- a/samples/Makefile
 +++ b/samples/Makefile
 @@ -11,6 +11,7 @@ obj-$(CONFIG_SAMPLE_KDB)		+= kdb/
@@ -86,17 +143,15 @@
 +/sandboxer
 diff --git a/samples/landlock/Makefile b/samples/landlock/Makefile
 new file mode 100644
-index 000000000000..9dfb571641ba
+index 000000000000..5d601e51c2eb
 --- /dev/null
 +++ b/samples/landlock/Makefile
-@@ -0,0 +1,15 @@
+@@ -0,0 +1,13 @@
 +# SPDX-License-Identifier: BSD-3-Clause
 +
-+hostprogs-y := sandboxer
-+
-+always := $(hostprogs-y)
-+
-+KBUILD_HOSTCFLAGS += -I$(objtree)/usr/include
++userprogs-always-y := sandboxer
++
++userccflags += -I usr/include
 +
 +.PHONY: all clean
 +
@@ -107,14 +162,14 @@
 +	$(MAKE) -C ../.. M=samples/landlock/ clean
 diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
 new file mode 100644
-index 000000000000..e0059706c11f
+index 000000000000..7a15910d2171
 --- /dev/null
 +++ b/samples/landlock/sandboxer.c
-@@ -0,0 +1,228 @@
+@@ -0,0 +1,238 @@
 +// SPDX-License-Identifier: BSD-3-Clause
 +/*
 + * Simple Landlock sandbox manager able to launch a process restricted by a
-+ * user-defined filesystem access-control security policy.
++ * user-defined filesystem access control policy.
 + *
 + * Copyright © 2017-2020 Mickaël Salaün <mic@digikod.net>
 + * Copyright © 2020 ANSSI
@@ -134,14 +189,30 @@
 +#include <sys/syscall.h>
 +#include <unistd.h>
 +
-+#ifndef landlock
-+static inline int landlock(const unsigned int command,
-+		const unsigned int options, void *const attr_ptr,
-+		const size_t attr_size)
-+{
-+	errno = 0;
-+	return syscall(__NR_landlock, command, options, attr_ptr, attr_size,
-+			NULL, 0);
++#ifndef landlock_create_ruleset
++static inline int landlock_create_ruleset(
++		const struct landlock_ruleset_attr *const attr,
++		const size_t size, const __u32 flags)
++{
++	return syscall(__NR_landlock_create_ruleset, attr, size, flags);
++}
++#endif
++
++#ifndef landlock_add_rule
++static inline int landlock_add_rule(const int ruleset_fd,
++		const enum landlock_rule_type rule_type,
++		const void *const rule_attr, const __u32 flags)
++{
++	return syscall(__NR_landlock_add_rule, ruleset_fd, rule_type,
++			rule_attr, flags);
++}
++#endif
++
++#ifndef landlock_restrict_self
++static inline int landlock_restrict_self(const int ruleset_fd,
++		const __u32 flags)
++{
++	return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
 +}
 +#endif
 +
@@ -151,20 +222,20 @@
 +
 +static int parse_path(char *env_path, const char ***const path_list)
 +{
-+	int i, path_nb = 0;
++	int i, num_paths = 0;
 +
 +	if (env_path) {
-+		path_nb++;
++		num_paths++;
 +		for (i = 0; env_path[i]; i++) {
 +			if (env_path[i] == ENV_PATH_TOKEN[0])
-+				path_nb++;
++				num_paths++;
 +		}
 +	}
-+	*path_list = malloc(path_nb * sizeof(**path_list));
-+	for (i = 0; i < path_nb; i++)
++	*path_list = malloc(num_paths * sizeof(**path_list));
++	for (i = 0; i < num_paths; i++)
 +		(*path_list)[i] = strsep(&env_path, ENV_PATH_TOKEN);
 +
-+	return path_nb;
++	return num_paths;
 +}
 +
 +#define ACCESS_FILE ( \
@@ -173,32 +244,35 @@
 +	LANDLOCK_ACCESS_FS_READ_FILE)
 +
 +static int populate_ruleset(
-+		const struct landlock_attr_features *const attr_features,
 +		const char *const env_var, const int ruleset_fd,
 +		const __u64 allowed_access)
 +{
-+	int path_nb, i;
++	int num_paths, i, ret = 1;
 +	char *env_path_name;
 +	const char **path_list = NULL;
-+	struct landlock_attr_path_beneath path_beneath = {
-+		.ruleset_fd = ruleset_fd,
++	struct landlock_path_beneath_attr path_beneath = {
 +		.parent_fd = -1,
 +	};
 +
 +	env_path_name = getenv(env_var);
 +	if (!env_path_name) {
++		/* Prevents users to forget a setting. */
 +		fprintf(stderr, "Missing environment variable %s\n", env_var);
 +		return 1;
 +	}
 +	env_path_name = strdup(env_path_name);
 +	unsetenv(env_var);
-+	path_nb = parse_path(env_path_name, &path_list);
-+	if (path_nb == 1 && path_list[0][0] == '\0') {
-+		fprintf(stderr, "Missing path in %s\n", env_var);
-+		goto err_free_name;
-+	}
-+
-+	for (i = 0; i < path_nb; i++) {
++	num_paths = parse_path(env_path_name, &path_list);
++	if (num_paths == 1 && path_list[0][0] == '\0') {
++		/*
++		 * Allows to not use all possible restrictions (e.g. use
++		 * LL_FS_RO without LL_FS_RW).
++		 */
++		ret = 0;
++		goto out_free_name;
++	}
++
++	for (i = 0; i < num_paths; i++) {
 +		struct stat statbuf;
 +
 +		path_beneath.parent_fd = open(path_list[i], O_PATH |
@@ -207,40 +281,35 @@
 +			fprintf(stderr, "Failed to open \"%s\": %s\n",
 +					path_list[i],
 +					strerror(errno));
-+			goto err_free_name;
++			goto out_free_name;
 +		}
 +		if (fstat(path_beneath.parent_fd, &statbuf)) {
 +			close(path_beneath.parent_fd);
-+			goto err_free_name;
++			goto out_free_name;
 +		}
-+		/* Follows a best-effort approach. */
-+		path_beneath.allowed_access = allowed_access &
-+			attr_features->access_fs;
++		path_beneath.allowed_access = allowed_access;
 +		if (!S_ISDIR(statbuf.st_mode))
 +			path_beneath.allowed_access &= ACCESS_FILE;
-+		if (landlock(LANDLOCK_CMD_ADD_RULE,
-+					LANDLOCK_OPT_ADD_RULE_PATH_BENEATH,
-+					&path_beneath, sizeof(path_beneath))) {
++		if (landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
++					&path_beneath, 0)) {
 +			fprintf(stderr, "Failed to update the ruleset with \"%s\": %s\n",
 +					path_list[i], strerror(errno));
 +			close(path_beneath.parent_fd);
-+			goto err_free_name;
++			goto out_free_name;
 +		}
 +		close(path_beneath.parent_fd);
 +	}
++	ret = 0;
++
++out_free_name:
 +	free(env_path_name);
-+	return 0;
-+
-+err_free_name:
-+	free(env_path_name);
-+	return 1;
++	return ret;
 +}
 +
 +#define ACCESS_FS_ROUGHLY_READ ( \
 +	LANDLOCK_ACCESS_FS_EXECUTE | \
 +	LANDLOCK_ACCESS_FS_READ_FILE | \
-+	LANDLOCK_ACCESS_FS_READ_DIR | \
-+	LANDLOCK_ACCESS_FS_CHROOT)
++	LANDLOCK_ACCESS_FS_READ_DIR)
 +
 +#define ACCESS_FS_ROUGHLY_WRITE ( \
 +	LANDLOCK_ACCESS_FS_WRITE_FILE | \
@@ -259,22 +328,21 @@
 +	const char *cmd_path;
 +	char *const *cmd_argv;
 +	int ruleset_fd;
-+	struct landlock_attr_features attr_features;
-+	struct landlock_attr_ruleset ruleset = {
++	struct landlock_ruleset_attr ruleset_attr = {
 +		.handled_access_fs = ACCESS_FS_ROUGHLY_READ |
 +			ACCESS_FS_ROUGHLY_WRITE,
 +	};
-+	struct landlock_attr_enforce attr_enforce = {};
 +
 +	if (argc < 2) {
 +		fprintf(stderr, "usage: %s=\"...\" %s=\"...\" %s <cmd> [args]...\n\n",
 +				ENV_FS_RO_NAME, ENV_FS_RW_NAME, argv[0]);
 +		fprintf(stderr, "Launch a command in a restricted environment.\n\n");
-+		fprintf(stderr, "Environment variables containing paths, each separated by a colon:\n");
++		fprintf(stderr, "Environment variables containing paths, "
++				"each separated by a colon:\n");
 +		fprintf(stderr, "* %s: list of paths allowed to be used in a read-only way.\n",
 +				ENV_FS_RO_NAME);
 +		fprintf(stderr, "* %s: list of paths allowed to be used in a read-write way.\n",
-+				ENV_FS_RO_NAME);
++				ENV_FS_RW_NAME);
 +		fprintf(stderr, "\nexample:\n"
 +				"%s=\"/bin:/lib:/usr:/proc:/etc:/dev/urandom\" "
 +				"%s=\"/dev/null:/dev/full:/dev/zero:/dev/pts:/tmp\" "
@@ -283,45 +351,41 @@
 +		return 1;
 +	}
 +
-+	if (landlock(LANDLOCK_CMD_GET_FEATURES, LANDLOCK_OPT_GET_FEATURES,
-+				&attr_features, sizeof(attr_features))) {
-+		perror("Failed to probe the Landlock supported features");
-+		switch (errno) {
++	ruleset_fd = landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), 0);
++	if (ruleset_fd < 0) {
++		const int err = errno;
++
++		perror("Failed to create a ruleset");
++		switch (err) {
 +		case ENOSYS:
-+			fprintf(stderr, "Hint: this kernel does not support Landlock.\n");
++			fprintf(stderr, "Hint: Landlock is not supported by the current kernel. "
++					"To support it, build the kernel with "
++					"CONFIG_SECURITY_LANDLOCK=y and prepend "
++					"\"landlock,\" to the content of CONFIG_LSM.\n");
 +			break;
-+		case ENOPKG:
-+			fprintf(stderr, "Hint: Landlock is currently disabled. It can be enabled in the kernel configuration or at boot with the \"lsm=landlock\" parameter.\n");
++		case EOPNOTSUPP:
++			fprintf(stderr, "Hint: Landlock is currently disabled. "
++					"It can be enabled in the kernel configuration by "
++					"prepending \"landlock,\" to the content of CONFIG_LSM, "
++					"or at boot time by setting the same content to the "
++					"\"lsm\" kernel parameter.\n");
 +			break;
 +		}
 +		return 1;
 +	}
-+	/* Follows a best-effort approach. */
-+	ruleset.handled_access_fs &= attr_features.access_fs;
-+	ruleset_fd = landlock(LANDLOCK_CMD_CREATE_RULESET,
-+			LANDLOCK_OPT_CREATE_RULESET, &ruleset,
-+			sizeof(ruleset));
-+	if (ruleset_fd < 0) {
-+		perror("Failed to create a ruleset");
-+		return 1;
-+	}
-+	if (populate_ruleset(&attr_features, ENV_FS_RO_NAME, ruleset_fd,
++	if (populate_ruleset(ENV_FS_RO_NAME, ruleset_fd,
 +				ACCESS_FS_ROUGHLY_READ)) {
 +		goto err_close_ruleset;
 +	}
-+	if (populate_ruleset(&attr_features, ENV_FS_RW_NAME, ruleset_fd,
-+				ACCESS_FS_ROUGHLY_READ |
-+				ACCESS_FS_ROUGHLY_WRITE)) {
++	if (populate_ruleset(ENV_FS_RW_NAME, ruleset_fd,
++				ACCESS_FS_ROUGHLY_READ | ACCESS_FS_ROUGHLY_WRITE)) {
 +		goto err_close_ruleset;
 +	}
 +	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
 +		perror("Failed to restrict privileges");
 +		goto err_close_ruleset;
 +	}
-+	attr_enforce.ruleset_fd = ruleset_fd;
-+	if (landlock(LANDLOCK_CMD_ENFORCE_RULESET,
-+				LANDLOCK_OPT_ENFORCE_RULESET, &attr_enforce,
-+				sizeof(attr_enforce))) {
++	if (landlock_restrict_self(ruleset_fd, 0)) {
 +		perror("Failed to enforce ruleset");
 +		goto err_close_ruleset;
 +	}
@@ -332,7 +396,8 @@
 +	execvpe(cmd_path, cmd_argv, envp);
 +	fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path,
 +			strerror(errno));
-+	fprintf(stderr, "Hint: access to the binary, the interpreter or shared libraries may be denied.\n");
++	fprintf(stderr, "Hint: access to the binary, the interpreter or "
++			"shared libraries may be denied.\n");
 +	return 1;
 +
 +err_close_ruleset:
@@ -340,5 +405,5 @@
 +	return 1;
 +}
 -- 
-2.27.0
-
+2.30.0
+