Commit ba84b0bf authored by Mickaël Salaün's avatar Mickaël Salaün Committed by James Morris
Browse files

samples/landlock: Add a sandbox manager example 



Add a basic sandbox tool to launch a command which can only access a
list of file hierarchies in a read-only or read-write way.

Cc: James Morris <jmorris@namei.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: default avatarMickaël Salaün <mic@linux.microsoft.com>
Reviewed-by: default avatarJann Horn <jannh@google.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210422154123.13086-12-mic@digikod.net


Signed-off-by: default avatarJames Morris <jamorris@linux.microsoft.com>
parent e1199815

MAINTAINERS

+1 −0
Original line number Diff line number Diff line
@@ -10004,6 +10004,7 @@ S: Supported 
W:	https://landlock.io

T:	git https://github.com/landlock-lsm/linux.git

F:	include/uapi/linux/landlock.h

F:	samples/landlock/

F:	security/landlock/

F:	tools/testing/selftests/landlock/

K:	landlock

samples/Kconfig

+7 −0
Original line number Diff line number Diff line
@@ -124,6 +124,13 @@ config SAMPLE_HIDRAW 
	bool "hidraw sample"

	depends on CC_CAN_LINK && HEADERS_INSTALL



config SAMPLE_LANDLOCK

	bool "Landlock example"

	depends on CC_CAN_LINK && HEADERS_INSTALL

	help

	  Build a simple Landlock sandbox manager able to start a process

	  restricted by a user-defined filesystem access control policy.



config SAMPLE_PIDFD

	bool "pidfd sample"

	depends on CC_CAN_LINK && HEADERS_INSTALL

samples/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ obj-$(CONFIG_SAMPLE_KDB) += kdb/ 
obj-$(CONFIG_SAMPLE_KFIFO)		+= kfifo/

obj-$(CONFIG_SAMPLE_KOBJECT)		+= kobject/

obj-$(CONFIG_SAMPLE_KPROBES)		+= kprobes/

subdir-$(CONFIG_SAMPLE_LANDLOCK)	+= landlock

obj-$(CONFIG_SAMPLE_LIVEPATCH)		+= livepatch/

subdir-$(CONFIG_SAMPLE_PIDFD)		+= pidfd

obj-$(CONFIG_SAMPLE_QMI_CLIENT)		+= qmi/

samples/landlock/.gitignore

0 → 100644
+1 −0
Original line number Diff line number Diff line 
/sandboxer

samples/landlock/Makefile

0 → 100644
+13 −0
Original line number Diff line number Diff line 
# SPDX-License-Identifier: BSD-3-Clause



userprogs-always-y := sandboxer



userccflags += -I usr/include



.PHONY: all clean



all:

	$(MAKE) -C ../.. samples/landlock/



clean:

	$(MAKE) -C ../.. M=samples/landlock/ clean