linux/Documentation
Linus Torvalds 17ae69aba8 Add Landlock, a new LSM from Mickaël Salaün <mic@linux.microsoft.com>
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEgycj0O+d1G2aycA8rZhLv9lQBTwFAmCInP4ACgkQrZhLv9lQ
 BTza0g//dTeb9woC9H7qlEhK4l9yk62lTss60Q8X7m7ZSNfdL4tiEbi64SgK+iOW
 OOegbrOEb8Kzh4KJJYmVlVZ5YUWyH4szgmee1wnylBdsWiWaPLPF3Cflz77apy6T
 TiiBsJd7rRE29FKheaMt34B41BMh8QHESN+DzjzJWsFoi/uNxjgSs2W16XuSupKu
 bpRmB1pYNXMlrkzz7taL05jndZYE5arVriqlxgAsuLOFOp/ER7zecrjImdCM/4kL
 W6ej0R1fz2Geh6CsLBJVE+bKWSQ82q5a4xZEkSYuQHXgZV5eywE5UKu8ssQcRgQA
 VmGUY5k73rfY9Ofupf2gCaf/JSJNXKO/8Xjg0zAdklKtmgFjtna5Tyg9I90j7zn+
 5swSpKuRpilN8MQH+6GWAnfqQlNoviTOpFeq3LwBtNVVOh08cOg6lko/bmebBC+R
 TeQPACKS0Q0gCDPm9RYoU1pMUuYgfOwVfVRZK1prgi2Co7ZBUMOvYbNoKYoPIydr
 ENBYljlU1OYwbzgR2nE+24fvhU8xdNOVG1xXYPAEHShu+p7dLIWRLhl8UCtRQpSR
 1ofeVaJjgjrp29O+1OIQjB2kwCaRdfv/Gq1mztE/VlMU/r++E62OEzcH0aS+mnrg
 yzfyUdI8IFv1q6FGT9yNSifWUWxQPmOKuC8kXsKYfqfJsFwKmHM=
 =uCN4
 -----END PGP SIGNATURE-----

Merge tag 'landlock_v34' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull Landlock LSM from James Morris:
 "Add Landlock, a new LSM from Mickaël Salaün.

  Briefly, Landlock provides for unprivileged application sandboxing.

  From Mickaël's cover letter:
    "The goal of Landlock is to enable to restrict ambient rights (e.g.
     global filesystem access) for a set of processes. Because Landlock
     is a stackable LSM [1], it makes possible to create safe security
     sandboxes as new security layers in addition to the existing
     system-wide access-controls. This kind of sandbox is expected to
     help mitigate the security impact of bugs or unexpected/malicious
     behaviors in user-space applications. Landlock empowers any
     process, including unprivileged ones, to securely restrict
     themselves.

     Landlock is inspired by seccomp-bpf but instead of filtering
     syscalls and their raw arguments, a Landlock rule can restrict the
     use of kernel objects like file hierarchies, according to the
     kernel semantic. Landlock also takes inspiration from other OS
     sandbox mechanisms: XNU Sandbox, FreeBSD Capsicum or OpenBSD
     Pledge/Unveil.

     In this current form, Landlock misses some access-control features.
     This enables to minimize this patch series and ease review. This
     series still addresses multiple use cases, especially with the
     combined use of seccomp-bpf: applications with built-in sandboxing,
     init systems, security sandbox tools and security-oriented APIs [2]"

  The cover letter and v34 posting is here:

      https://lore.kernel.org/linux-security-module/20210422154123.13086-1-mic@digikod.net/

  See also:

      https://landlock.io/

  This code has had extensive design discussion and review over several
  years"

Link: https://lore.kernel.org/lkml/50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com/ [1]
Link: https://lore.kernel.org/lkml/f646e1c7-33cf-333f-070c-0a40ad0468cd@digikod.net/ [2]

* tag 'landlock_v34' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  landlock: Enable user space to infer supported features
  landlock: Add user and kernel documentation
  samples/landlock: Add a sandbox manager example
  selftests/landlock: Add user space tests
  landlock: Add syscall implementations
  arch: Wire up Landlock syscalls
  fs,security: Add sb_delete hook
  landlock: Support filesystem access-control
  LSM: Infrastructure management of the superblock
  landlock: Add ptrace restrictions
  landlock: Set up the security framework and manage credentials
  landlock: Add ruleset and domain management
  landlock: Add object management
2021-05-01 18:50:44 -07:00
..
ABI ARM: 2021-05-01 10:14:08 -07:00
accounting
admin-guide IOMMU Updates for Linux v5.13 2021-05-01 09:33:00 -07:00
arm It's been a relatively busy cycle in docsland, though more than usually 2021-04-26 13:22:43 -07:00
arm64 arm64 updates for 5.13: 2021-04-26 10:25:03 -07:00
block
bpf bpf: Document the pahole release info related to libbpf in bpf_devel_QA.rst 2021-04-23 17:11:58 -07:00
cdrom
core-api mm/mmzone.h: fix existing kernel-doc comments and link them to core-api 2021-04-30 11:20:43 -07:00
cpu-freq
crypto
dev-tools kasan: docs: update tests section 2021-04-30 11:20:42 -07:00
devicetree ARM: 2021-05-01 10:14:08 -07:00
doc-guide
driver-api This is the bulk of the pin control changes for the v5.13 kernel cycle 2021-04-30 13:04:30 -07:00
fault-injection
fb Documentation: Add leading slash to some paths 2021-03-31 13:49:19 -06:00
features powerpc updates for 5.13 2021-04-30 12:22:28 -07:00
filesystems New features for ext4 this cycle include support for encrypted 2021-04-30 15:35:30 -07:00
firmware_class
firmware-guide Merge branches 'acpi-pci' and 'acpi-processor' 2021-04-26 17:03:05 +02:00
fpga Documentation: fpga: dfl: Add description for DFL UIO support 2021-03-28 14:58:18 +02:00
gpu drm-misc-next for 5.13: 2021-04-07 17:32:12 +10:00
hid Documentation: Add leading slash to some paths 2021-03-31 13:49:19 -06:00
hwmon hwmon: Remove amd_energy driver 2021-04-20 06:52:08 -07:00
i2c
ia64
ide
iio iio: hrtimer: Allow sub Hz granularity 2021-03-25 19:13:49 +00:00
infiniband
input
isdn
kbuild Kconfig updates for v5.13 2021-04-29 14:32:00 -07:00
kernel-hacking
leds Documentation: Add leading slash to some paths 2021-03-31 13:49:19 -06:00
litmus-tests
livepatch
locking
m68k
maintainer media: add a subsystem profile documentation 2021-03-22 08:56:42 +01:00
mhi
mips
misc-devices dw-xdata-pcie: Update outdated info and improve text format 2021-04-14 19:47:28 +02:00
netlabel
networking Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2021-04-28 11:59:31 -07:00
nios2
nvdimm
openrisc
parisc
PCI
pcmcia
power power supply and reset changes for the v5.13 series 2021-04-28 15:43:58 -07:00
powerpc powerpc updates for 5.13 2021-04-30 12:22:28 -07:00
process It's been a relatively busy cycle in docsland, though more than usually 2021-04-26 13:22:43 -07:00
RCU docs: Correctly spell Stephen Hemminger's name 2021-03-15 13:53:24 -07:00
riscv
s390 s390/pci: expose UID uniqueness guarantee 2021-04-05 11:30:57 +02:00
scheduler sched/debug: Rename the sched_debug parameter to sched_verbose 2021-04-17 13:22:44 +02:00
scsi for-5.13/block-2021-04-27 2021-04-28 14:27:12 -07:00
security Add Landlock, a new LSM from Mickaël Salaün <mic@linux.microsoft.com> 2021-05-01 18:50:44 -07:00
sh
sound
sparc
sphinx
sphinx-static
spi spi: Updates for v5.13 2021-04-26 16:32:11 -07:00
staging
target
timers
trace Documentation: trace: Add documentation for TRBE 2021-04-06 16:05:38 -06:00
translations It's been a relatively busy cycle in docsland, though more than usually 2021-04-26 13:22:43 -07:00
usb docs: usbip: Fix major fields and descriptions in protocol 2021-04-09 16:04:45 +02:00
userspace-api Add Landlock, a new LSM from Mickaël Salaün <mic@linux.microsoft.com> 2021-05-01 18:50:44 -07:00
virt ARM: 2021-05-01 10:14:08 -07:00
vm mm: gup: remove FOLL_SPLIT 2021-04-30 11:20:37 -07:00
w1
watchdog
x86 x86/sgx: Introduce virtual EPC for use by KVM guests 2021-04-06 09:43:17 +02:00
xtensa
.gitignore
arch.rst docs: Group arch-specific documentation under "CPU Architectures" 2021-03-15 13:35:35 -06:00
asm-annotations.rst
atomic_bitops.txt
atomic_t.txt
Changes
CodingStyle
conf.py
COPYING-logo
docutils.conf
dontdiff kbuild: generate Module.symvers only when vmlinux exists 2021-04-25 05:17:02 +09:00
index.rst docs: Group arch-specific documentation under "CPU Architectures" 2021-03-15 13:35:35 -06:00
Kconfig
logo.gif
Makefile
memory-barriers.txt
SubmittingPatches
watch_queue.rst