Add new scope LANDLOCK_SCOPE_MEMFD_EXEC to restrict execution of anonymous memory file descriptors (memfd). This scope prevents execution of code through memfd files via execve() family syscalls and executable memory mappings.
Update UAPI headers, limits, audit infrastructure, and kunit config to support the new scope. The scope follows existing Landlock scoping patterns for hierarchical domain enforcement.
Signed-off-by: Abhinav Saxena xandfury@gmail.com --- include/uapi/linux/landlock.h | 5 +++++ security/landlock/.kunitconfig | 1 + security/landlock/audit.c | 4 ++++ security/landlock/audit.h | 1 + security/landlock/limits.h | 2 +- 5 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index f030adc462ee..5fa439b65aa6 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -364,10 +364,15 @@ struct landlock_net_port_attr {
  * related Landlock domain (e.g., a parent domain or a non-sandboxed process).
  * - %LANDLOCK_SCOPE_SIGNAL: Restrict a sandboxed process from sending a signal
  * to another process outside the domain.
+ * - %LANDLOCK_SCOPE_MEMFD_EXEC: Restrict a sandboxed process from executing
+ * anonymous memory file descriptors (memfd). This prevents execution of
+ * code through memfd files via execve() family syscalls and executable
+ * memory mappings.
  */
 /* clang-format off */
 #define LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET (1ULL << 0)
 #define LANDLOCK_SCOPE_SIGNAL (1ULL << 1)
+#define LANDLOCK_SCOPE_MEMFD_EXEC (1ULL << 2)
 /* clang-format on*/
 #endif /* _UAPI_LINUX_LANDLOCK_H */
diff --git a/security/landlock/.kunitconfig b/security/landlock/.kunitconfig
index f9423f01ac5b..a989785df65d 100644
--- a/security/landlock/.kunitconfig
+++ b/security/landlock/.kunitconfig
@@ -1,6 +1,7 @@
 CONFIG_AUDIT=y
 CONFIG_KUNIT=y
 CONFIG_NET=y
+CONFIG_MEMFD_CREATE=y
 CONFIG_SECURITY=y
 CONFIG_SECURITY_LANDLOCK=y
 CONFIG_SECURITY_LANDLOCK_KUNIT_TEST=y
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index c52d079cdb77..a439461d1b28 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -78,6 +78,10 @@ get_blocker(const enum landlock_request_type type,
 case LANDLOCK_REQUEST_SCOPE_SIGNAL:
 WARN_ON_ONCE(access_bit != -1);
 return "scope.signal";
+
+ case LANDLOCK_REQUEST_SCOPE_MEMFD_EXEC:
+ WARN_ON_ONCE(access_bit != -1);
+ return "scope.memfd_exec";
 }
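Review bot: The new LANDLOCK_SCOPE_MEMFD_EXEC bit is exposed to userspace here while this series part (UAPI, limits, audit) carries no enforcement hook, so once LANDLOCK_LAST_SCOPE is bumped a kernel built at this commit accepts the restriction in landlock_create_ruleset() without enforcing it; if the hooks are in a later patch, the LAST_SCOPE bump and this define should move into the same patch as the hooks so no bisect point silently grants a no-op sandbox. The kernel-doc also leaves "executable memory mappings" open to interpretation — say whether it covers only the initial mmap() with PROT_EXEC or a later mprotect() upgrade as well, since that is what an administrator has to reason about. Other features in this header appear to record the ABI version that introduced them; if so, add a matching line here, e.g. ` * This scope is part of ABI version <ABI_VERSION>.` with the real number.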
 WARN_ON_ONCE(1);
diff --git a/security/landlock/audit.h b/security/landlock/audit.h
index 92428b7fc4d8..5a822bc50c4a 100644
--- a/security/landlock/audit.h
+++ b/security/landlock/audit.h
@@ -21,6 +21,7 @@ enum landlock_request_type {
 LANDLOCK_REQUEST_NET_ACCESS,
 LANDLOCK_REQUEST_SCOPE_ABSTRACT_UNIX_SOCKET,
 LANDLOCK_REQUEST_SCOPE_SIGNAL,
+ LANDLOCK_REQUEST_SCOPE_MEMFD_EXEC,
 };
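Review bot: `"scope.memfd_exec"` becomes a new value of the blocker field in Landlock audit records, and nothing in this hunk documents it for the people who parse those records; if the Landlock admin-guide enumerates the blocker names, add `scope.memfd_exec` there in the same patch so detection rules can be written against a documented value. The new case otherwise mirrors the signal case, including `WARN_ON_ONCE(access_bit != -1)` for a scope that carries no access bit, which is consistent. get_blocker() continues outside the hunk, so the trailing `WARN_ON_ONCE(1)` fallback still catches any request type the switch does not list.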
 /*
diff --git a/security/landlock/limits.h b/security/landlock/limits.h
index 65b5ff051674..130f925283fa 100644
--- a/security/landlock/limits.h
+++ b/security/landlock/limits.h
@@ -27,7 +27,7 @@
 #define LANDLOCK_MASK_ACCESS_NET ((LANDLOCK_LAST_ACCESS_NET << 1) - 1)
 #define LANDLOCK_NUM_ACCESS_NET __const_hweight64(LANDLOCK_MASK_ACCESS_NET)
-#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPE_SIGNAL
+#define LANDLOCK_LAST_SCOPE LANDLOCK_SCOPE_MEMFD_EXEC
 #define LANDLOCK_MASK_SCOPE ((LANDLOCK_LAST_SCOPE << 1) - 1)
 #define LANDLOCK_NUM_SCOPE __const_hweight64(LANDLOCK_MASK_SCOPE)