From patchwork Fri Sep 2 14:04:00 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 12964280 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 36F32C38145 for ; Fri, 2 Sep 2022 14:44:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236724AbiIBOoQ (ORCPT ); Fri, 2 Sep 2022 10:44:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44184 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236333AbiIBOns (ORCPT ); Fri, 2 Sep 2022 10:43:48 -0400 Received: from smtp-bc08.mail.infomaniak.ch (smtp-bc08.mail.infomaniak.ch [IPv6:2001:1600:4:17::bc08]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DF39754649 for ; Fri, 2 Sep 2022 07:04:58 -0700 (PDT) Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4MK05G58gxzMprrk; Fri, 2 Sep 2022 16:04:02 +0200 (CEST) Received: from localhost (unknown [23.97.221.149]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4MK05G3jFtzlh8lB; Fri, 2 Sep 2022 16:04:02 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1662127442; bh=DKeH0QBhZBlZkVXCcVJahDvxYW92XszACrnYqFmxnYI=; h=From:To:Cc:Subject:Date:From; b=EfJsWgTdzJFSh17SfLFoir/JpoLnCCHypKF5q5vYRUWLag1uuwBUDqyzwmBKlvKbU 7WhguAmFg22688d5doyLVZAVTCIiZS9O/OvLuSmWVRZ5f5PYkT7e0KieoYF2L2a0Fy Bq6k8krMNSE2EA6IRZLaxMxyARdmWodzwwcqAlHM= From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Linus Torvalds Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , =?utf-8?q?G?= =?utf-8?q?=C3=BCnther_Noack?= , Konstantin Meskhidze , Paul Moore , Xiu Jianfeng , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, stable@vger.kernel.org Subject: [GIT PULL] Landlock fix for v6.0 Date: Fri, 2 Sep 2022 16:04:00 +0200 Message-Id: <20220902140400.1617323-1-mic@digikod.net> MIME-Version: 1.0 Precedence: bulk List-ID: Hi Linus, This change fixes a mis-handling of the LANDLOCK_ACCESS_FS_REFER right when multiple rulesets/domains are stacked. The expected behaviour was that an additional ruleset can only restrict the set of permitted operations, but in this particular case, it was potentially possible to re-gain the LANDLOCK_ACCESS_FS_REFER right. Please pull this Landlock fix for v6.0-rc4 . These changes merged cleanly with your tree, and have been successfully tested in the latest linux-next releases for a week. This should be backported to v5.19 . Regards, Mickaël --- The following changes since commit 3d7cb6b04c3f3115719235cc6866b10326de34cd: Linux 5.19 (2022-07-31 14:03:01 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/landlock-6.0-rc4 for you to fetch changes up to 55e55920bbe3ccf516022c51f5527e7d026b8f1d: landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER (2022-09-02 15:29:08 +0200) ---------------------------------------------------------------- Landlock fix for v6.0-rc4 ---------------------------------------------------------------- Mickaël Salaün (1): landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER security/landlock/fs.c | 48 ++++----- tools/testing/selftests/landlock/fs_test.c | 155 +++++++++++++++++++++++++++-- 2 files changed, 170 insertions(+), 33 deletions(-)