Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=master 2026-02-22T01:09:51Z 2026-02-22T01:09:51Z Linus Torvalds torvalds@linux-foundation.org 2026-02-22T01:06:51Z urn:sha1:323bbfcf1ef8836d0d2ad9e2c1f1c684f0e3b5b3 This is the exact same thing as the 'alloc_obj()' version, only much smaller because there are a lot fewer users of the *alloc_flex() interface. As with alloc_obj() version, this was done entirely with mindless brute force, using the same script, except using 'flex' in the pattern rather than 'objs*'. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2026-02-21T09:02:28Z Kees Cook kees@kernel.org 2026-02-21T07:49:23Z urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 2026-02-10T15:46:50Z Günther Noack gnoack3000@gmail.com 2026-02-06T15:11:55Z urn:sha1:65b691f84dba54a446518c51b25d3d4f1739dec5 The layer masks data structure tracks the requested but unfulfilled access rights during an operation's security check. It stores one bit for each combination of access right and layer index. If the bit is set, that access right is not granted (yet) in the given layer and we have to traverse the path further upwards to grant it. Previously, the layer masks were stored as arrays mapping from access right indices to layer_mask_t. The layer_mask_t value then indicates all layers in which the given access right is still (tentatively) denied. This patch introduces struct layer_access_masks instead: This struct contains an array with the access_mask_t of each (tentatively) denied access right in that layer. The hypothesis of this patch is that this simplifies the code enough so that the resulting code will run faster: * We can use bitwise operations in multiple places where we previously looped over bits individually with macros. (Should require less branch speculation and lends itself to better loop unrolling.) * Code is ~75 lines smaller. Other noteworthy changes: * In no_more_access(), call a new helper function may_refer(), which only solves the asymmetric case. Previously, the code interleaved the checks for the two symmetric cases in RENAME_EXCHANGE. It feels that the code is clearer when renames without RENAME_EXCHANGE are more obviously the normal case. Tradeoffs: This change improves performance, at a slight size increase to the layer masks data structure. This fixes the size of the data structure at 32 bytes for all types of access rights. (64, once we introduce a 17th filesystem access right). For filesystem access rights, at the moment, the data structure has the same size as before, but once we introduce the 17th filesystem access right, it will double in size (from 32 to 64 bytes), as access_mask_t grows from 16 to 32 bit [1]. Link: https://lore.kernel.org/all/20260120.haeCh4li9Vae@digikod.net/ [1] Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260206151154.97915-5-gnoack3000@gmail.com [mic: Cosmetic fixes, moved struct layer_access_masks definition] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-02-10T15:46:48Z Günther Noack gnoack3000@gmail.com 2026-02-06T15:11:54Z urn:sha1:45f2a2926b2187d1b08132d2728af50785b007a7 This helper function checks whether an access_mask_t has a subset of the bits enabled than another one. This expresses the intent a bit smoother in the code and does not cost us anything when it gets inlined. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260206151154.97915-4-gnoack3000@gmail.com [mic: Improve subject] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-02-06T16:54:43Z Samasth Norway Ananda samasth.norway.ananda@oracle.com 2026-01-28T03:18:11Z urn:sha1:fe72ce6710cba088b67e3279de87d7341fafc357 Add errata section with code examples for querying errata and a warning that most applications should not check errata. Use kernel-doc directives to include errata descriptions from the header files instead of manual links. Also enhance existing DOC sections in security/landlock/errata/abi-*.h files with Impact sections, and update the code comment in syscalls.c to remind developers to update errata documentation when applicable. This addresses the gap where the kernel implements errata tracking but provides no user-facing documentation on how to use it, while improving the existing technical documentation in-place rather than duplicating it. Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com> Reviewed-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260128031814.2945394-3-samasth.norway.ananda@oracle.com [mic: Cosmetic fix] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-02-06T16:54:41Z Matthieu Buffet matthieu@buffet.re 2025-12-12T16:36:58Z urn:sha1:d90ba69e3335aba96c25a0ea7d46c5c115cd4756 Move the socket type check earlier, so that we will later be able to add elseifs for other types. Ordering of checks (socket is of a type we enforce restrictions on) / (current creds have Landlock restrictions) should not change anything. Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://lore.kernel.org/r/20251212163704.142301-3-matthieu@buffet.re Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-02-06T16:54:37Z Günther Noack gnoack@google.com 2025-11-27T11:51:34Z urn:sha1:42fc7e6543f6d17d2cf9ed3e5021f103a3d11182 Introduce the LANDLOCK_RESTRICT_SELF_TSYNC flag. With this flag, a given Landlock ruleset is applied to all threads of the calling process, instead of only the current one. Without this flag, multithreaded userspace programs currently resort to using the nptl(7)/libpsx hack for multithreaded policy enforcement, which is also used by libcap and for setuid(2). Using this userspace-based scheme, the threads of a process enforce the same Landlock policy, but the resulting Landlock domains are still separate. The domains being separate causes multiple problems: * When using Landlock's "scoped" access rights, the domain identity is used to determine whether an operation is permitted. As a result, when using LANLDOCK_SCOPE_SIGNAL, signaling between sibling threads stops working. This is a problem for programming languages and frameworks which are inherently multithreaded (e.g. Go). * In audit logging, the domains of separate threads in a process will get logged with different domain IDs, even when they are based on the same ruleset FD, which might confuse users. Cc: Andrew G. Morgan <morgan@kernel.org> Cc: John Johansen <john.johansen@canonical.com> Cc: Paul Moore <paul@paul-moore.com> Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20251127115136.3064948-2-gnoack@google.com [mic: Fix restrict_self_flags test, clean up Makefile, allign comments, reduce local variable scope, add missing includes] Closes: https://github.com/landlock-lsm/linux/issues/2 Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-29T15:19:39Z Tingmao Wang m@maowtm.org 2025-12-28T01:27:35Z urn:sha1:ef4536f15224418b327a7b5d5cae07dab042760f Currently it is not obvious what "scoped" mean, and the fact that the function returns true when access should be denied is slightly surprising and in need of documentation. Cc: Tahera Fahimi <fahimitahera@gmail.com> Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://lore.kernel.org/r/06393bc18aee5bc278df5ef31c64a05b742ebc10.1766885035.git.m@maowtm.org [mic: Fix formatting and improve consistency] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-29T15:19:35Z Mickaël Salaün mic@digikod.net 2025-12-19T14:22:59Z urn:sha1:602acfb541195eb35584d7a3fc7d1db676f059bd Until now, each landlock_request struct were allocated on the stack, even if not really used, because is_access_to_paths_allowed() unconditionally modified the passed references. Even if the changed landlock_request variables are not used, the compiler is not smart enough to detect this case. To avoid this issue, explicitly disable the related code when CONFIG_AUDIT is not set, which enables elision of log_request_parent* and associated caller's stack variables thanks to dead code elimination. This makes it possible to reduce the stack frame by 32 bytes for the path_link and path_rename hooks, and by 20 bytes for most other filesystem hooks. Here is a summary of scripts/stackdelta before and after this change when CONFIG_AUDIT is disabled: current_check_refer_path 560 320 -240 current_check_access_path 328 184 -144 hook_file_open 328 184 -144 is_access_to_paths_allowed 376 360 -16 Also, add extra pointer checks to be more future-proof. Cc: Günther Noack <gnoack@google.com> Reported-by: Tingmao Wang <m@maowtm.org> Closes: https://lore.kernel.org/r/eb86863b-53b0-460b-b223-84dd31d765b9@maowtm.org Fixes: 2fc80c69df82 ("landlock: Log file-related denials") Link: https://lore.kernel.org/r/20251219142302.744917-2-mic@digikod.net Reviewed-by: Günther Noack <gnoack3000@gmail.com> [mic: Improve stack usage measurement accuracy with scripts/stackdelta] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-26T19:39:01Z Mickaël Salaün mic@digikod.net 2025-12-19T19:38:50Z urn:sha1:6548fb521822a5c0a688e423df28b2248a59543b Cc: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20251219193855.825889-4-mic@digikod.net Reviewed-by: Günther Noack <gnoack3000@gmail.com> Signed-off-by: Mickaël Salaün <mic@digikod.net>