--- v27
+++ v28
@@ -9,6 +9,11 @@
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Reviewed-by: Jann Horn <jannh@google.com>
---
+
+Changes since v27:
+* Add samples/landlock/ to MAINTAINERS.
+* Update landlock_restrict_self(2).
+* Tweak Kconfig title and description.
Changes since v25:
* Improve comments and fix help (suggested by Jann Horn).
@@ -76,18 +81,31 @@
Previous changes:
https://lore.kernel.org/lkml/20190721213116.23476-9-mic@digikod.net/
---
- samples/Kconfig | 7 +
+ MAINTAINERS | 1 +
+ samples/Kconfig | 7 ++
samples/Makefile | 1 +
samples/landlock/.gitignore | 1 +
samples/landlock/Makefile | 13 ++
- samples/landlock/sandboxer.c | 239 +++++++++++++++++++++++++++++++++++
- 5 files changed, 261 insertions(+)
+ samples/landlock/sandboxer.c | 238 +++++++++++++++++++++++++++++++++++
+ 6 files changed, 261 insertions(+)
create mode 100644 samples/landlock/.gitignore
create mode 100644 samples/landlock/Makefile
create mode 100644 samples/landlock/sandboxer.c
+diff --git a/MAINTAINERS b/MAINTAINERS
+index 3df7b12dc7f1..cf49d9431439 100644
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -9943,6 +9943,7 @@ S: Supported
+ W: https://landlock.io
+ T: git https://github.com/landlock-lsm/linux.git
+ F: include/uapi/linux/landlock.h
++F: samples/landlock/
+ F: security/landlock/
+ F: tools/testing/selftests/landlock/
+ K: landlock
diff --git a/samples/Kconfig b/samples/Kconfig
-index 0ed6e4d71d87..d25d0e508153 100644
+index 0ed6e4d71d87..30ad633cd82c 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -124,6 +124,13 @@ config SAMPLE_HIDRAW
@@ -95,10 +113,10 @@
depends on CC_CAN_LINK && HEADERS_INSTALL
+config SAMPLE_LANDLOCK
-+ bool "Build Landlock sample code"
++ bool "Build Landlock example"
+ depends on CC_CAN_LINK && HEADERS_INSTALL
+ help
-+ Build a simple Landlock sandbox manager able to launch a process
++ Build a simple Landlock sandbox manager able to start a process
+ restricted by a user-defined filesystem access control policy.
+
config SAMPLE_PIDFD
@@ -144,10 +162,10 @@
+ $(MAKE) -C ../.. M=samples/landlock/ clean
diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
new file mode 100644
-index 000000000000..9ee45129869a
+index 000000000000..7a15910d2171
--- /dev/null
+++ b/samples/landlock/sandboxer.c
-@@ -0,0 +1,239 @@
+@@ -0,0 +1,238 @@
+// SPDX-License-Identifier: BSD-3-Clause
+/*
+ * Simple Landlock sandbox manager able to launch a process restricted by a
@@ -190,12 +208,11 @@
+}
+#endif
+
-+#ifndef landlock_enforce_ruleset_self
-+static inline int landlock_enforce_ruleset_self(const int ruleset_fd,
++#ifndef landlock_restrict_self
++static inline int landlock_restrict_self(const int ruleset_fd,
+ const __u32 flags)
+{
-+ return syscall(__NR_landlock_enforce_ruleset_self, ruleset_fd,
-+ flags);
++ return syscall(__NR_landlock_restrict_self, ruleset_fd, flags);
+}
+#endif
+
@@ -368,7 +385,7 @@
+ perror("Failed to restrict privileges");
+ goto err_close_ruleset;
+ }
-+ if (landlock_enforce_ruleset_self(ruleset_fd, 0)) {
++ if (landlock_restrict_self(ruleset_fd, 0)) {
+ perror("Failed to enforce ruleset");
+ goto err_close_ruleset;
+ }