From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f68.google.com (mail-wm1-f68.google.com [209.85.128.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0042132936D for ; Sun, 1 Feb 2026 12:23:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.68 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769948635; cv=none; b=qAdTToyi+wFrZe/s3BacRyWnIkI0rwWdmUlSTWGFD2wbmPBx4QFBRgnpE/Fe2HoANlgz2QerKPmaI18TmDG9MjgW4djfzZuyH6tlL27DShJ+hpS9OT7DXju9bedxrE19bxfF8FxYENftL5+MnC15evmQp+4as4uYbfWxkRKF0Ys= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769948635; c=relaxed/simple; bh=u9WzVtq3FflXvLajh9HLE6R+XJwIscID3OJVOnuPSXs=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=qc/aUotIJp9s2kBUdKzfAsFVBCXvIpRHBMOsIXff4hRJO3n7sOEWbZtjR3gHxQmrMI8O2BYB0emL9QmS4eTQcLjSW8sNyRTXaud0Q2xhbgHKQuSEuMwJMrY4E6xhrEw7FLpwd6SN9UmCV07qNxVth9iphjStju23ZQYxq5NdK9U= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=R1lIJT7C; arc=none smtp.client-ip=209.85.128.68 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="R1lIJT7C" Received: by mail-wm1-f68.google.com with SMTP id 5b1f17b1804b1-4806d23e9f1so39656445e9.2 for ; Sun, 01 Feb 2026 04:23:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769948632; x=1770553432; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=fMxuPTCQDeYX3OcLb4TDFsExc7fTzzeJw8TFQDM/n+E=; b=R1lIJT7CvOkHxvD2YI8AfzusH3RDUcTvph5PDgYXdaC0ewg6BeQOoC6JF5OFI4fm4D SKc8FObV5Bkk5sJExRhi4JJG0dAbmNeU7Y6yRghA6/kmcbGJ5Z/jBUmbQK52If3etuF4 CHzz1A59MjL6qgA6yuN/3ru6VeYU+OZtRaaNW+axq+P7HonOrJRs7z4EVrWpohZIb3oL 3XjEb8rDBuJYhRyWw5cuUAjtWXvEM/BoCzqaFrLLiZWR/GC8M9CdQGsqLvLSxTWG6b1o 6lEJzpYKreRxgVmLAD584/I2JRJXMDDtmoweI38c+5seR5h8YSmKZfCPRjiyBnK2Exk4 ANyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769948632; x=1770553432; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=fMxuPTCQDeYX3OcLb4TDFsExc7fTzzeJw8TFQDM/n+E=; b=MtokvHP4aCQ9yIUmdl9t9i0ItFiLzpZErGulE4B37DH+H8iV4ME7GBWfU+0tRftPv8 4FdMtKxRf6BNySpfOBauJpchcmXSp8vL96DkaCPd4CRzUyVQL/vEx6sX7RZJBSMmm6lR 5ARzXrMuQ7wdwQyNFOqFNlivOn1TI8KDuiuGyPuh+6FIz8SjQDM8E/I5lNCGAX0dOpB8 j0qITdW1Nl5TF21cQ5Lx4vXCLHlNcW7dNILpere/mRa4qQW+OwBTXNB1CNn3AX8lSRtn BK01nUd58nnfwSChvQ/vLZRHHf7jhVKc8JsYjP0IVMh8SFLB4ulu7+6Z6cutYyCnHL0f PaEg== X-Forwarded-Encrypted: i=1; AJvYcCXROyeHrzZydDS6hFvwVnqvldHfXwwMfSMcar5VhMtkvE0SVAWhbLmdZJRHdg/uPA0ZghgmwvbNSpCwa8I=@vger.kernel.org X-Gm-Message-State: AOJu0YximxLLkT4JyG7ae38LjJ2AZh1eytFnzoko5WTLcc+2NRQj2VGa U34gRWLDzu6MrFZqzag3720uwxJJiQpufhwcLBD7xGsJcSKeeXi8m+SEmrq1v/p0 X-Gm-Gg: AZuq6aIahq9VY7r42BZrlXMBTuX+VZXVK0X3S2V2Zq+BcxkBr8VwXuQs2hC5V1kQIej TRVM8w2bEe8Ame6Z9cda4tlBVLEsoyBScgJK6z6eXR5grQ5SbFiTTQ8tJTGP/NJlR9tHiTIXAyP UxhOgpcIYiz64yHsBHEUe+VFncspf4bVlKStvgy7BlwjiEN+nBKBVT3gvBr5Eco4+8Cn9Lvkd91 qzxxC1DMprMAKHVCkTnXO8oHgvXNiayI1GNoB3dI11kleXPtRe+xhwYVFjag32t2DJwzKmQDnIE GLo9CkPVVoiBb80WLEzFojDO5ugJpyekQt32vka8Gx9K0akOViveDAWwLO4E6mXKcrPzWNEzNLK Z8vwuW74mv0/02amo9CZR8uXB569j7sQ/6x7OmdubVwlebG5Qn0kYORWGQH94UCnkW+w4CwgYyX p7EBxH/jJ3tGnWn9ZPMppU0qXSgmo1VUaV9Sqb X-Received: by 2002:a05:600c:8716:b0:47a:80f8:82ab with SMTP id 5b1f17b1804b1-482db48d4c0mr110664345e9.24.1769948631989; Sun, 01 Feb 2026 04:23:51 -0800 (PST) Received: from localhost (ip87-106-108-193.pbiaas.com. [87.106.108.193]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4806cdd77b8sm324696025e9.3.2026.02.01.04.23.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 01 Feb 2026 04:23:51 -0800 (PST) Date: Sun, 1 Feb 2026 13:23:45 +0100 From: =?iso-8859-1?Q?G=FCnther?= Noack To: Samasth Norway Ananda Cc: gnoack@google.com, mic@digikod.net, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v3 2/3] landlock: add errata documentation section Message-ID: <20260201.3b3b0fb4f042@gnoack.org> References: <20260128031814.2945394-1-samasth.norway.ananda@oracle.com> <20260128031814.2945394-3-samasth.norway.ananda@oracle.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20260128031814.2945394-3-samasth.norway.ananda@oracle.com> On Tue, Jan 27, 2026 at 07:18:11PM -0800, Samasth Norway Ananda wrote: > Add errata section with code examples for querying errata and a warning > that most applications should not check errata. Use kernel-doc directives > to include errata descriptions from the header files instead of manual > links. > > Also enhance existing DOC sections in security/landlock/errata/abi-*.h > files with Impact sections, and update the code comment in syscalls.c > to remind developers to update errata documentation when applicable. > > This addresses the gap where the kernel implements errata tracking > but provides no user-facing documentation on how to use it, while > improving the existing technical documentation in-place rather than > duplicating it. > > Signed-off-by: Samasth Norway Ananda > --- > Documentation/userspace-api/landlock.rst | 67 ++++++++++++++++++++++-- > security/landlock/errata/abi-1.h | 8 +++ > security/landlock/errata/abi-4.h | 7 +++ > security/landlock/errata/abi-6.h | 10 ++++ > security/landlock/syscalls.c | 4 +- > 5 files changed, 91 insertions(+), 5 deletions(-) > > diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst > index c8ef1392a0c7..405b2d73e699 100644 > --- a/Documentation/userspace-api/landlock.rst > +++ b/Documentation/userspace-api/landlock.rst > @@ -8,7 +8,7 @@ Landlock: unprivileged access control > ===================================== > > :Author: Mickaël Salaün > -:Date: December 2025 > +:Date: January 2026 > > The goal of Landlock is to enable restriction of ambient rights (e.g. global > filesystem or network access) for a set of processes. Because Landlock > @@ -492,9 +492,68 @@ system call: > printf("Landlock supports LANDLOCK_ACCESS_FS_REFER.\n"); > } > > -The following kernel interfaces are implicitly supported by the first ABI > -version. Features only supported from a specific version are explicitly marked > -as such. > +All Landlock kernel interfaces are supported by the first ABI version unless > +explicitly noted in their documentation. > + > +Landlock errata > +--------------- > + > +In addition to ABI versions, Landlock provides an errata mechanism to track > +fixes for issues that may affect backwards compatibility or require userspace > +awareness. The errata bitmask can be queried using: > + > +.. code-block:: c > + > + int errata; > + > + errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA); > + if (errata < 0) { > + /* Landlock not available or disabled */ > + return 0; > + } > + > +The returned value is a bitmask where each bit represents a specific erratum. > +If bit N is set (``errata & (1 << (N - 1))``), then erratum N has been fixed > +in the running kernel. > + > +.. warning:: > + > + **Most applications should NOT check errata.** In 99.9% of cases, checking > + errata is unnecessary, increases code complexity, and can potentially > + decrease protection if misused. For example, disabling the sandbox when an > + erratum is not fixed could leave the system less secure than using > + Landlock's best-effort protection. When in doubt, ignore errata. > + > +.. kernel-doc:: security/landlock/errata/abi-4.h > + :doc: erratum_1 > + > +.. kernel-doc:: security/landlock/errata/abi-6.h > + :doc: erratum_2 > + > +.. kernel-doc:: security/landlock/errata/abi-1.h > + :doc: erratum_3 > + > +How to check for errata > +~~~~~~~~~~~~~~~~~~~~~~~ > + > +If you determine that your application needs to check for specific errata, > +use this pattern: > + > +.. code-block:: c > + > + int errata = landlock_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_ERRATA); > + if (errata >= 0) { > + /* Check for specific erratum (1-indexed) */ > + if (errata & (1 << (erratum_number - 1))) { > + /* Erratum N is fixed in this kernel */ > + } else { > + /* Erratum N is NOT fixed - consider implications for your use case */ > + } > + } > + > +**Important:** Only check errata if your application specifically relies on > +behavior that changed due to the fix. The fixes generally make Landlock less > +restrictive or more correct, not more restrictive. > > Kernel interface > ================ > diff --git a/security/landlock/errata/abi-1.h b/security/landlock/errata/abi-1.h > index e8a2bff2e5b6..3f099555f059 100644 > --- a/security/landlock/errata/abi-1.h > +++ b/security/landlock/errata/abi-1.h > @@ -12,5 +12,13 @@ > * hierarchy down to its filesystem root and those from the related mount point > * hierarchy. This prevents access right widening through rename or link > * actions. > + * > + * Impact: > + * > + * Without this fix, it was possible to widen access rights through rename or > + * link actions involving disconnected directories, potentially bypassing > + * ``LANDLOCK_ACCESS_FS_REFER`` restrictions. This could allow privilege > + * escalation in complex mount scenarios where directories become disconnected > + * from their original mount points. > */ > LANDLOCK_ERRATUM(3) > diff --git a/security/landlock/errata/abi-4.h b/security/landlock/errata/abi-4.h > index c052ee54f89f..fe11ec7d7ddf 100644 > --- a/security/landlock/errata/abi-4.h > +++ b/security/landlock/errata/abi-4.h > @@ -11,5 +11,12 @@ > * :manpage:`bind(2)` and :manpage:`connect(2)` operations. This change ensures > * that only TCP sockets are subject to TCP access rights, allowing other > * protocols to operate without unnecessary restrictions. > + * > + * Impact: > + * > + * In kernels without this fix, using ``LANDLOCK_ACCESS_NET_BIND_TCP`` or > + * ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` would incorrectly restrict non-TCP > + * stream protocols (SMC, MPTCP, SCTP), potentially breaking applications > + * that rely on these protocols while using Landlock network restrictions. > */ > LANDLOCK_ERRATUM(1) > diff --git a/security/landlock/errata/abi-6.h b/security/landlock/errata/abi-6.h > index 5113a829f87e..5cb1475c7ea8 100644 > --- a/security/landlock/errata/abi-6.h > +++ b/security/landlock/errata/abi-6.h > @@ -15,5 +15,15 @@ > * interaction between threads of the same process should always be allowed. > * This change ensures that any thread is allowed to send signals to any other > * thread within the same process, regardless of their domain. > + * > + * Impact: > + * > + * This problem only manifests when the userspace process is itself using > + * :manpage:`libpsx(3)` or an equivalent mechanism to enforce a Landlock policy > + * on multiple already-running threads at once. Programs which enforce a > + * Landlock policy at startup time and only then become multithreaded are not > + * affected. Without this fix, signal scoping could break multi-threaded > + * applications that expect threads within the same process to freely signal > + * each other. > */ > LANDLOCK_ERRATUM(2) > diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c > index 8eaec8d35c44..9b7a7f39f26c 100644 > --- a/security/landlock/syscalls.c > +++ b/security/landlock/syscalls.c > @@ -158,9 +158,11 @@ static const struct file_operations ruleset_fops = { > /* > * The Landlock ABI version should be incremented for each new Landlock-related > * user space visible change (e.g. Landlock syscalls). This version should > - * only be incremented once per Linux release, and the date in > + * only be incremented once per Linux release. When incrementing, the date in > * Documentation/userspace-api/landlock.rst should be updated to reflect the > * UAPI change. > + * If the change involves a fix that requires userspace awareness, also update > + * the errata documentation in Documentation/userspace-api/landlock.rst. > */ > const int landlock_abi_version = 9; > > -- > 2.50.1 > Reviewed-by: Günther Noack Thanks! –Günther