Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=master 2026-02-10T15:46:42Z 2026-02-10T15:46:42Z Günther Noack gnoack3000@gmail.com 2026-02-06T15:11:53Z urn:sha1:9adbe8935152c511c1e43a47d69f44f0e969afc8 fs_bench benchmarks the performance of Landlock's path walk by exercising it in a scenario that amplifies Landlock's overhead: * Create a large number of nested directories * Enforce a Landlock policy in which a rule is associated with each of these subdirectories * Benchmark openat() applied to the deepest directory, forcing Landlock to walk the entire path. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Link: https://lore.kernel.org/r/20260206151154.97915-3-gnoack3000@gmail.com [mic: Fix missing mode with O_CREAT, improve text consistency, sort includes] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-02-06T16:54:39Z Günther Noack gnoack@google.com 2025-11-27T11:51:35Z urn:sha1:50c058e3eafe31a5197d4cffb599f2f5f165d4eb Exercise various scenarios where Landlock domains are enforced across all of a processes' threads. Test coverage for security/landlock is 91.6% of 2130 lines according to LLVM 21. Cc: Andrew G. Morgan <morgan@kernel.org> Cc: John Johansen <john.johansen@canonical.com> Cc: Paul Moore <paul@paul-moore.com> Signed-off-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20251127115136.3064948-3-gnoack@google.com [mic: Fix subject, use EXPECT_EQ(close()), make helpers static, add test coverage] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-02-06T16:54:37Z Günther Noack gnoack@google.com 2025-11-27T11:51:34Z urn:sha1:42fc7e6543f6d17d2cf9ed3e5021f103a3d11182 Introduce the LANDLOCK_RESTRICT_SELF_TSYNC flag. With this flag, a given Landlock ruleset is applied to all threads of the calling process, instead of only the current one. Without this flag, multithreaded userspace programs currently resort to using the nptl(7)/libpsx hack for multithreaded policy enforcement, which is also used by libcap and for setuid(2). Using this userspace-based scheme, the threads of a process enforce the same Landlock policy, but the resulting Landlock domains are still separate. The domains being separate causes multiple problems: * When using Landlock's "scoped" access rights, the domain identity is used to determine whether an operation is permitted. As a result, when using LANLDOCK_SCOPE_SIGNAL, signaling between sibling threads stops working. This is a problem for programming languages and frameworks which are inherently multithreaded (e.g. Go). * In audit logging, the domains of separate threads in a process will get logged with different domain IDs, even when they are based on the same ruleset FD, which might confuse users. Cc: Andrew G. Morgan <morgan@kernel.org> Cc: John Johansen <john.johansen@canonical.com> Cc: Paul Moore <paul@paul-moore.com> Suggested-by: Jann Horn <jannh@google.com> Signed-off-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20251127115136.3064948-2-gnoack@google.com [mic: Fix restrict_self_flags test, clean up Makefile, allign comments, reduce local variable scope, add missing includes] Closes: https://github.com/landlock-lsm/linux/issues/2 Signed-off-by: Mickaël Salaün <mic@digikod.net> 2026-01-09T10:52:47Z Günther Noack gnoack3000@gmail.com 2026-01-01T13:40:58Z urn:sha1:15e8d739fda1084d81f7d3813e9600eba6e0f134 Add a missing close(srv_fd) call, and use EXPECT_EQ() to check the result. Signed-off-by: Günther Noack <gnoack3000@gmail.com> Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets") Link: https://lore.kernel.org/r/20260101134102.25938-2-gnoack3000@gmail.com [mic: Use EXPECT_EQ() and update commit message] Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-29T15:19:39Z Tingmao Wang m@maowtm.org 2025-12-28T01:27:34Z urn:sha1:55dc93a7c2717311d48ca0a47c5f8c1b0755a115 ptrace_test.c currently contains a duplicated version of the scoped_domains fixture variants. This patch removes that and make it use the shared scoped_base_variants.h instead, like in scoped_abstract_unix_test and scoped_signal_test. This required renaming the hierarchy fixture to scoped_domains, but the test is otherwise the same. Cc: Tahera Fahimi <fahimitahera@gmail.com> Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://lore.kernel.org/r/48148f0134f95f819a25277486a875a6fd88ecf9.1766885035.git.m@maowtm.org Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-29T15:19:38Z Tingmao Wang m@maowtm.org 2025-12-28T01:27:32Z urn:sha1:7aa593d8fb64b884bf00c13e01387b0733f3d786 Add missing semicolon after EXPECT_EQ(0, close(stream_server_child)) in the scoped_vs_unscoped test. I suspect currently it's just not executing the close statement after the line, but this causes no observable difference. Fixes: fefcf0f7cf47 ("selftests/landlock: Test abstract UNIX socket scoping") Cc: Tahera Fahimi <fahimitahera@gmail.com> Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://lore.kernel.org/r/d9e968e4cd4ecc9bf487593d7b7220bffbb3b5f5.1766885035.git.m@maowtm.org Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-29T15:19:38Z Tingmao Wang m@maowtm.org 2025-12-28T01:27:31Z urn:sha1:14c00e30d3a29a7fb6053fcaa54aeb6c07fb1055 Signed-off-by: Tingmao Wang <m@maowtm.org> Link: https://lore.kernel.org/r/62d18e06eeb26f62bc49d24c4467b3793c5ba32b.1766885035.git.m@maowtm.org Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-26T19:38:58Z Matthieu Buffet matthieu@buffet.re 2025-12-02T21:51:41Z urn:sha1:e4aa4461d4acb922ef45785581232f0588a6eea8 The size of Unix pathname addresses is computed in selftests using offsetof(struct sockaddr_un, sun_path) + strlen(xxx). It should have been that +1, which makes addresses passed to the libc and kernel non-NULL-terminated. unix_mkname_bsd() fixes that in Linux so there is no harm, but just using sizeof(the address struct) should improve readability. Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20251202215141.689986-1-matthieu@buffet.re Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-26T19:38:58Z Matthieu Buffet matthieu@buffet.re 2025-12-01T00:36:31Z urn:sha1:e1a57c33590a50a6639798e60a597af4a23b0340 Remove bind() call on a client socket that doesn't make sense. Since strlen(cli_un.sun_path) returns a random value depending on stack garbage, that many uninitialized bytes are read from the stack as an unix socket address. This creates random test failures due to the bind address being invalid or already in use if the same stack value comes up twice. Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets") Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Reviewed-by: Günther Noack <gnoack@google.com> Link: https://lore.kernel.org/r/20251201003631.190817-1-matthieu@buffet.re Signed-off-by: Mickaël Salaün <mic@digikod.net> 2025-12-26T19:38:57Z Matthieu Buffet matthieu@buffet.re 2025-10-27T19:07:25Z urn:sha1:6685201ebfacff0c889bcd569181fa6e8af5575e connect_variant(unspec_any0) is called twice. Both calls end up in connect_variant_addrlen() with an address length of get_addrlen(minimal=false). However, the connect() syscall and its variants (e.g. iouring/compat) accept much shorter addresses of 4 bytes and that behaviour was not tested. Replace one of these calls with one using a minimal address length (just a bare sa_family=AF_UNSPEC field with no actual address). Also add a call using a truncated address for good measure. Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://lore.kernel.org/r/20251027190726.626244-3-matthieu@buffet.re Signed-off-by: Mickaël Salaün <mic@digikod.net>