136cc1e1f5
-----BEGIN PGP SIGNATURE----- iIYEABYIAC4WIQSVyBthFV4iTW/VU1/l49DojIL20gUCZUOZKRAcbWljQGRpZ2lr b2QubmV0AAoJEOXj0OiMgvbSoaIBAMHG8wxzRcTMplddgQHXmbWPByFIjhA0hqqp +hEgLFfyAQCqLPi4fW49CokrkynATKXTLMIBfZ37EYZ3llJgveHTDw== =rPTd -----END PGP SIGNATURE----- Merge tag 'landlock-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux Pull landlock updates from Mickaël Salaün: "A Landlock ruleset can now handle two new access rights: LANDLOCK_ACCESS_NET_BIND_TCP and LANDLOCK_ACCESS_NET_CONNECT_TCP. When handled, the related actions are denied unless explicitly allowed by a Landlock network rule for a specific port. The related patch series has been reviewed for almost two years, it has evolved a lot and we now have reached a decent design, code and testing. The refactored kernel code and the new test helpers also bring the foundation to support more network protocols. Test coverage for security/landlock is 92.4% of 710 lines according to gcc/gcov-13, and it was 93.1% of 597 lines before this series. The decrease in coverage is due to code refactoring to make the ruleset management more generic (i.e. dealing with inodes and ports) that also added new WARN_ON_ONCE() checks not possible to test from user space. syzkaller has been updated accordingly [4], and such patched instance (tailored to Landlock) has been running for a month, covering all the new network-related code [5]" Link: https://lore.kernel.org/r/20231026014751.414649-1-konstantin.meskhidze@huawei.com [1] Link: https://lore.kernel.org/r/CAHC9VhS1wwgH6NNd+cJz4MYogPiRV8NyPDd1yj5SpaxeUB4UVg@mail.gmail.com [2] Link: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next-history.git/commit/?id=c8dc5ee69d3a [3] Link: https://github.com/google/syzkaller/pull/4266 [4] Link: https://storage.googleapis.com/syzbot-assets/82e8608dec36/ci-upstream-linux-next-kasan-gce-root-ab577164.html#security%2flandlock%2fnet.c [5] * tag 'landlock-6.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux: selftests/landlock: Add tests for FS topology changes with network rules landlock: Document network support samples/landlock: Support TCP restrictions selftests/landlock: Add network tests selftests/landlock: Share enforce_ruleset() helper landlock: Support network rules with TCP bind and connect landlock: Refactor landlock_add_rule() syscall landlock: Refactor layer helpers landlock: Move and rename layer helpers landlock: Refactor merge/inherit_ruleset helpers landlock: Refactor landlock_find_rule/insert_rule helpers landlock: Allow FS topology changes for domains without such rule type landlock: Make ruleset's access masks more generic |
||
|---|---|---|
| .. | ||
| accounting | ||
| arch | ||
| bootconfig | ||
| bpf | ||
| build | ||
| certs | ||
| cgroup | ||
| counter | ||
| crypto/ccp | ||
| debugging | ||
| edid | ||
| firewire | ||
| firmware | ||
| gpio | ||
| hv | ||
| iio | ||
| include | ||
| kvm/kvm_stat | ||
| laptop | ||
| leds | ||
| lib | ||
| memory-model | ||
| mm | ||
| net/ynl | ||
| objtool | ||
| pci | ||
| pcmcia | ||
| perf | ||
| power | ||
| rcu | ||
| scripts | ||
| spi | ||
| testing | ||
| thermal | ||
| time | ||
| tracing | ||
| usb | ||
| verification | ||
| virtio | ||
| wmi | ||
| workqueue | ||
| Makefile | ||