
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Landlock - System call implementations and user space interfaces
  4. *
  5. * Copyright © 2016-2020 Mickaël Salaün <mic@digikod.net>
  6. * Copyright © 2018-2020 ANSSI
  7. * Copyright © 2021-2025 Microsoft Corporation
  8. */
  9. #include <asm/current.h>
  10. #include <linux/anon_inodes.h>
  11. #include <linux/bitops.h>
  12. #include <linux/build_bug.h>
  13. #include <linux/capability.h>
  14. #include <linux/cleanup.h>
  15. #include <linux/compiler_types.h>
  16. #include <linux/dcache.h>
  17. #include <linux/err.h>
  18. #include <linux/errno.h>
  19. #include <linux/fs.h>
  20. #include <linux/limits.h>
  21. #include <linux/mount.h>
  22. #include <linux/path.h>
  23. #include <linux/sched.h>
  24. #include <linux/security.h>
  25. #include <linux/stddef.h>
  26. #include <linux/syscalls.h>
  27. #include <linux/types.h>
  28. #include <linux/uaccess.h>
  29. #include <uapi/linux/landlock.h>
  30. #include "cred.h"
  31. #include "domain.h"
  32. #include "fs.h"
  33. #include "limits.h"
  34. #include "net.h"
  35. #include "ruleset.h"
  36. #include "setup.h"
  37. #include "tsync.h"
/*
 * Every syscall entry point checks this first: Landlock may be compiled in
 * but disabled at boot time, in which case the callers return -EOPNOTSUPP
 * instead of silently providing no sandbox.
 */
static bool is_initialized(void)
{
	if (unlikely(!landlock_initialized)) {
		/* Logged once only: the hint is the same for every caller. */
		pr_warn_once(
			"Disabled but requested by user space. "
			"You should enable Landlock at boot time: "
			"https://docs.kernel.org/userspace-api/landlock.html#boot-time-configuration\n");
		return false;
	}
	return true;
}
/**
 * copy_min_struct_from_user - Safe future-proof argument copying
 *
 * Wraps copy_struct_from_user() with consistency checks on the user buffer:
 * a NULL @src, a @usize below the required minimum, or a @usize larger than
 * a page are rejected before anything is copied.
 *
 * @dst: Kernel space pointer (must not be NULL; checked at build time).
 * @ksize: Actual size of the data pointed to by @dst.
 * @ksize_min: Minimal required size to be copied.
 * @src: User space pointer or NULL.
 * @usize: (Alleged) size of the data pointed to by @src.
 *
 * Returns 0 on success, -EFAULT if @src is NULL, -EINVAL if @usize is below
 * @ksize_min, -E2BIG if @usize exceeds PAGE_SIZE, or the error reported by
 * copy_struct_from_user().
 */
static __always_inline int
copy_min_struct_from_user(void *const dst, const size_t ksize,
			  const size_t ksize_min, const void __user *const src,
			  const size_t usize)
{
	/* Compile-time sanity of the kernel-side arguments. */
	BUILD_BUG_ON(!dst);
	BUILD_BUG_ON(ksize <= 0);
	BUILD_BUG_ON(ksize < ksize_min);

	/* Run-time checks on the user-supplied pointer and size. */
	if (!src)
		return -EFAULT;
	if (usize < ksize_min)
		return -EINVAL;
	if (usize > PAGE_SIZE)
		return -E2BIG;

	/*
	 * Copies the user buffer; when @usize is smaller than @ksize the
	 * remainder of @dst is filled with zeros.
	 */
	return copy_struct_from_user(dst, ksize, src, usize);
}
/*
 * This function only contains arithmetic operations with constants, leading to
 * BUILD_BUG_ON(). The related code is evaluated and checked at build time,
 * but it is then ignored thanks to compiler optimizations.
 *
 * Two properties are pinned for each user space ABI struct: there is no
 * padding hole (the struct size equals the sum of its fields' sizes) and the
 * struct has the same size on every architecture.
 */
static void build_check_abi(void)
{
	/* struct landlock_ruleset_attr: three fields, 24 bytes everywhere. */
	BUILD_BUG_ON(sizeof(struct landlock_ruleset_attr) !=
		     sizeof_field(struct landlock_ruleset_attr,
				  handled_access_fs) +
			     sizeof_field(struct landlock_ruleset_attr,
					  handled_access_net) +
			     sizeof_field(struct landlock_ruleset_attr, scoped));
	BUILD_BUG_ON(sizeof(struct landlock_ruleset_attr) != 24);

	/* struct landlock_path_beneath_attr: two fields, 12 bytes everywhere. */
	BUILD_BUG_ON(sizeof(struct landlock_path_beneath_attr) !=
		     sizeof_field(struct landlock_path_beneath_attr,
				  allowed_access) +
			     sizeof_field(struct landlock_path_beneath_attr,
					  parent_fd));
	BUILD_BUG_ON(sizeof(struct landlock_path_beneath_attr) != 12);

	/* struct landlock_net_port_attr: two fields, 16 bytes everywhere. */
	BUILD_BUG_ON(sizeof(struct landlock_net_port_attr) !=
		     sizeof_field(struct landlock_net_port_attr,
				  allowed_access) +
			     sizeof_field(struct landlock_net_port_attr, port));
	BUILD_BUG_ON(sizeof(struct landlock_net_port_attr) != 16);
}
  108. /* Ruleset handling */
/*
 * Release handler of the anonymous ruleset file: drops the reference that
 * the file holds on the ruleset (passed as private data to anon_inode_getfd()
 * in sys_landlock_create_ruleset()).
 */
static int fop_ruleset_release(struct inode *const inode,
			       struct file *const filp)
{
	/* @inode is unused; the ruleset lives in the file's private_data. */
	landlock_put_ruleset(filp->private_data);
	return 0;
}
/*
 * Dummy handler: its only purpose is to get FMODE_CAN_READ set on a ruleset
 * FD, which get_ruleset_from_fd() requires for enforcement (see
 * sys_landlock_restrict_self()). Reading a ruleset is not supported.
 */
static ssize_t fop_dummy_read(struct file *const filp,
			      char __user *const buf, const size_t size,
			      loff_t *const ppos)
{
	return -EINVAL;
}
/*
 * Dummy handler: its only purpose is to get FMODE_CAN_WRITE set on a ruleset
 * FD, which get_ruleset_from_fd() requires for adding rules (see
 * sys_landlock_add_rule()). Writing to a ruleset is not supported.
 */
static ssize_t fop_dummy_write(struct file *const filp,
			       const char __user *const buf,
			       const size_t size, loff_t *const ppos)
{
	return -EINVAL;
}
/*
 * A ruleset file descriptor enables to build a ruleset by adding (i.e.
 * writing) rule after rule, without relying on the task's context. This
 * reentrant design is also used in a read way to enforce the ruleset on the
 * current task.
 *
 * The read and write handlers always fail: they only exist so that the FD's
 * f_mode carries FMODE_CAN_READ/FMODE_CAN_WRITE, which get_ruleset_from_fd()
 * checks as the access right to the ruleset.
 */
static const struct file_operations ruleset_fops = {
	.read = fop_dummy_read,
	.write = fop_dummy_write,
	.release = fop_ruleset_release,
};
/*
 * The Landlock ABI version should be incremented for each new Landlock-related
 * user space visible change (e.g. Landlock syscalls). This version should
 * only be incremented once per Linux release. When incrementing, the date in
 * Documentation/userspace-api/landlock.rst should be updated to reflect the
 * UAPI change.
 * If the change involves a fix that requires userspace awareness, also update
 * the errata documentation in Documentation/userspace-api/landlock.rst .
 *
 * User space reads this value through sys_landlock_create_ruleset() with
 * %LANDLOCK_CREATE_RULESET_VERSION (and the errata through
 * %LANDLOCK_CREATE_RULESET_ERRATA).
 */
const int landlock_abi_version = 8;
/**
 * sys_landlock_create_ruleset - Create a new ruleset
 *
 * @attr: Pointer to a &struct landlock_ruleset_attr identifying the scope of
 * the new ruleset.
 * @size: Size of the pointed &struct landlock_ruleset_attr (needed for
 * backward and forward compatibility).
 * @flags: Supported values:
 *
 * - %LANDLOCK_CREATE_RULESET_VERSION
 * - %LANDLOCK_CREATE_RULESET_ERRATA
 *
 * This system call creates a new Landlock ruleset, and returns the related
 * file descriptor on success.
 *
 * If %LANDLOCK_CREATE_RULESET_VERSION or %LANDLOCK_CREATE_RULESET_ERRATA is
 * set, then @attr must be NULL and @size must be 0, and the ABI version or
 * the errata bitmask is returned instead of a file descriptor.
 *
 * Possible returned errors are:
 *
 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
 * - %EINVAL: unknown @flags, or unknown access, or unknown scope, or too small @size;
 * - %E2BIG: @attr or @size inconsistencies;
 * - %EFAULT: @attr or @size inconsistencies;
 * - %ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
 *
 * .. kernel-doc:: include/uapi/linux/landlock.h
 * :identifiers: landlock_create_ruleset_flags
 */
SYSCALL_DEFINE3(landlock_create_ruleset,
		const struct landlock_ruleset_attr __user *const, attr,
		const size_t, size, const __u32, flags)
{
	struct landlock_ruleset_attr ruleset_attr;
	struct landlock_ruleset *ruleset;
	int err, ruleset_fd;

	/* Build-time checks. */
	build_check_abi();

	if (!is_initialized())
		return -EOPNOTSUPP;

	/* Query flags are exclusive with a ruleset definition. */
	if (flags) {
		if (attr || size)
			return -EINVAL;

		switch (flags) {
		case LANDLOCK_CREATE_RULESET_VERSION:
			return landlock_abi_version;
		case LANDLOCK_CREATE_RULESET_ERRATA:
			return landlock_errata;
		default:
			return -EINVAL;
		}
	}

	/*
	 * Copies raw user space buffer. The minimal accepted size only covers
	 * handled_access_fs, so the newer fields may be absent from @attr; they
	 * are then zero-filled.
	 */
	err = copy_min_struct_from_user(&ruleset_attr, sizeof(ruleset_attr),
					offsetofend(typeof(ruleset_attr),
						    handled_access_fs),
					attr, size);
	if (err)
		return err;

	/*
	 * Checks content: every bit set in each 64-bit field must belong to
	 * the corresponding mask. The (x | MASK) != MASK form rejects bits
	 * that would otherwise be silently dropped by the narrower
	 * kernel-side types (the "32-bits cast").
	 */
	if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) !=
	    LANDLOCK_MASK_ACCESS_FS)
		return -EINVAL;
	if ((ruleset_attr.handled_access_net | LANDLOCK_MASK_ACCESS_NET) !=
	    LANDLOCK_MASK_ACCESS_NET)
		return -EINVAL;
	if ((ruleset_attr.scoped | LANDLOCK_MASK_SCOPE) != LANDLOCK_MASK_SCOPE)
		return -EINVAL;

	/* Checks arguments and transforms to kernel struct. */
	ruleset = landlock_create_ruleset(ruleset_attr.handled_access_fs,
					  ruleset_attr.handled_access_net,
					  ruleset_attr.scoped);
	if (IS_ERR(ruleset))
		return PTR_ERR(ruleset);

	/*
	 * Creates anonymous FD referring to the ruleset. On success the file
	 * owns the reference obtained above and drops it in
	 * fop_ruleset_release(); on failure it is dropped here.
	 */
	ruleset_fd = anon_inode_getfd("[landlock-ruleset]", &ruleset_fops,
				      ruleset, O_RDWR | O_CLOEXEC);
	if (ruleset_fd < 0)
		landlock_put_ruleset(ruleset);
	return ruleset_fd;
}
/*
 * Returns an owned ruleset from a FD. It is thus needed to call
 * landlock_put_ruleset() on the return value.
 *
 * @fd: File descriptor expected to refer to a ruleset (i.e. ruleset_fops).
 * @mode: Required f_mode bit: FMODE_CAN_WRITE to add rules, FMODE_CAN_READ
 *        to enforce the ruleset.
 *
 * Returns the ruleset with an extra reference, or an ERR_PTR: -EBADF for an
 * empty FD, -EBADFD for a FD that is not a ruleset, -EPERM when @mode is
 * missing from the FD, -EINVAL (with a one-time warning) when the ruleset
 * does not have exactly one layer.
 */
static struct landlock_ruleset *get_ruleset_from_fd(const int fd,
						    const fmode_t mode)
{
	CLASS(fd, ruleset_f)(fd);
	struct file *file;
	struct landlock_ruleset *ruleset;

	if (fd_empty(ruleset_f))
		return ERR_PTR(-EBADF);
	file = fd_file(ruleset_f);

	/* Only FDs created by sys_landlock_create_ruleset() are accepted. */
	if (file->f_op != &ruleset_fops)
		return ERR_PTR(-EBADFD);
	/* The FD's own open mode is the access right to the ruleset. */
	if (!(file->f_mode & mode))
		return ERR_PTR(-EPERM);

	ruleset = file->private_data;
	/* A ruleset built from user space always has a single layer. */
	if (WARN_ON_ONCE(ruleset->num_layers != 1))
		return ERR_PTR(-EINVAL);

	/* The FD reference is released on return; hand the caller its own. */
	landlock_get_ruleset(ruleset);
	return ruleset;
}
  252. /* Path handling */
/*
 * Resolves the path referenced by a user-supplied FD for a path_beneath rule.
 *
 * @fd: FD taken from &landlock_path_beneath_attr.parent_fd.
 * @path: Filled on success with a new path reference; the caller must call
 *        path_put(@path) once done with it.
 *
 * Returns 0 on success, -EBADF for an empty FD, -EBADFD for a FD that does
 * not refer to a usable filesystem object.
 */
static int get_path_from_fd(const s32 fd, struct path *const path)
{
	CLASS(fd_raw, f)(fd);
	struct file *file;

	/* Keeps the parameter type in sync with the UAPI field. */
	BUILD_BUG_ON(!__same_type(
		fd, ((struct landlock_path_beneath_attr *)NULL)->parent_fd));

	if (fd_empty(f))
		return -EBADF;
	file = fd_file(f);

	/* Ruleset FDs are not filesystem objects. */
	if (file->f_op == &ruleset_fops)
		return -EBADFD;
	/* Internal filesystems (e.g. nsfs). */
	if (file->f_path.mnt->mnt_flags & MNT_INTERNAL)
		return -EBADFD;
	/* Pseudo filesystems that will never be mountable (e.g. sockfs, pipefs). */
	if (file->f_path.dentry->d_sb->s_flags & SB_NOUSER)
		return -EBADFD;
	/* Inodes flagged as private. */
	if (IS_PRIVATE(d_backing_inode(file->f_path.dentry)))
		return -EBADFD;

	*path = file->f_path;
	path_get(path);
	return 0;
}
/*
 * Copies a &struct landlock_path_beneath_attr from user space, validates it
 * against @ruleset and appends the resulting filesystem rule.
 *
 * @ruleset: Single-layer ruleset obtained from get_ruleset_from_fd().
 * @rule_attr: User pointer to a struct landlock_path_beneath_attr.
 *
 * Returns 0 on success, -EFAULT on a failed copy, -ENOMSG for an empty
 * allowed_access, -EINVAL when allowed_access is not a subset of the
 * ruleset's handled filesystem accesses, or the error from
 * get_path_from_fd() / landlock_append_fs_rule().
 */
static int add_rule_path_beneath(struct landlock_ruleset *const ruleset,
				 const void __user *const rule_attr)
{
	struct landlock_path_beneath_attr path_beneath_attr;
	struct path path;
	access_mask_t handled_fs;
	int err;

	if (copy_from_user(&path_beneath_attr, rule_attr,
			   sizeof(path_beneath_attr)))
		return -EFAULT;

	/*
	 * Informs about useless rule: empty allowed_access (i.e. deny rules)
	 * are ignored in path walks.
	 */
	if (!path_beneath_attr.allowed_access)
		return -ENOMSG;

	/* A rule may only grant accesses that the ruleset handles. */
	handled_fs = ruleset->access_masks[0].fs;
	if ((path_beneath_attr.allowed_access | handled_fs) != handled_fs)
		return -EINVAL;

	/* Takes a reference on the parent path, released after the append. */
	err = get_path_from_fd(path_beneath_attr.parent_fd, &path);
	if (err)
		return err;

	err = landlock_append_fs_rule(ruleset, &path,
				      path_beneath_attr.allowed_access);
	path_put(&path);
	return err;
}
/*
 * Copies a &struct landlock_net_port_attr from user space, validates it
 * against @ruleset and appends the resulting network rule.
 *
 * @ruleset: Single-layer ruleset obtained from get_ruleset_from_fd().
 * @rule_attr: User pointer to a struct landlock_net_port_attr.
 *
 * Returns 0 on success, -EFAULT on a failed copy, -ENOMSG for an empty
 * allowed_access, -EINVAL when allowed_access is not a subset of the
 * ruleset's handled network accesses or when the port exceeds U16_MAX, or
 * the error from landlock_append_net_rule().
 */
static int add_rule_net_port(struct landlock_ruleset *ruleset,
			     const void __user *const rule_attr)
{
	struct landlock_net_port_attr net_port_attr;
	access_mask_t handled_net;

	if (copy_from_user(&net_port_attr, rule_attr, sizeof(net_port_attr)))
		return -EFAULT;

	/*
	 * Informs about useless rule: empty allowed_access (i.e. deny rules)
	 * are ignored by network actions.
	 */
	if (!net_port_attr.allowed_access)
		return -ENOMSG;

	/* A rule may only grant accesses that the ruleset handles. */
	handled_net = landlock_get_net_access_mask(ruleset, 0);
	if ((net_port_attr.allowed_access | handled_net) != handled_net)
		return -EINVAL;

	/* The UAPI port field is 64-bit wide; only 16-bit ports are valid. */
	if (net_port_attr.port > U16_MAX)
		return -EINVAL;

	return landlock_append_net_rule(ruleset, net_port_attr.port,
					net_port_attr.allowed_access);
}
/**
 * sys_landlock_add_rule - Add a new rule to a ruleset
 *
 * @ruleset_fd: File descriptor tied to the ruleset that should be extended
 * with the new rule.
 * @rule_type: Identify the structure type pointed to by @rule_attr:
 * %LANDLOCK_RULE_PATH_BENEATH or %LANDLOCK_RULE_NET_PORT.
 * @rule_attr: Pointer to a rule (matching the @rule_type).
 * @flags: Must be 0.
 *
 * This system call defines a new rule and adds it to an existing ruleset.
 *
 * Possible returned errors are:
 *
 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
 * - %EAFNOSUPPORT: @rule_type is %LANDLOCK_RULE_NET_PORT but TCP/IP is not
 * supported by the running kernel;
 * - %EINVAL: @flags is not 0, or @rule_type is unknown;
 * - %EINVAL: The rule accesses are inconsistent (i.e.
 * &landlock_path_beneath_attr.allowed_access or
 * &landlock_net_port_attr.allowed_access is not a subset of the ruleset
 * handled accesses)
 * - %EINVAL: &landlock_net_port_attr.port is greater than 65535;
 * - %ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access is
 * 0);
 * - %EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
 * member of @rule_attr is not a file descriptor as expected;
 * - %EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
 * @rule_attr is not the expected file descriptor type;
 * - %EPERM: @ruleset_fd has no write access to the underlying ruleset;
 * - %EFAULT: @rule_attr was not a valid address.
 */
SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
		const enum landlock_rule_type, rule_type,
		const void __user *const, rule_attr, const __u32, flags)
{
	/* The ruleset reference is dropped automatically on every return. */
	struct landlock_ruleset *ruleset __free(landlock_put_ruleset) = NULL;

	if (!is_initialized())
		return -EOPNOTSUPP;

	/* No flag for now. */
	if (flags)
		return -EINVAL;

	/* Adding rules requires a ruleset FD usable for writing. */
	ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_WRITE);
	if (IS_ERR(ruleset))
		return PTR_ERR(ruleset);

	/* Dispatches on the user-declared layout of @rule_attr. */
	if (rule_type == LANDLOCK_RULE_PATH_BENEATH)
		return add_rule_path_beneath(ruleset, rule_attr);
	if (rule_type == LANDLOCK_RULE_NET_PORT)
		return add_rule_net_port(ruleset, rule_attr);
	return -EINVAL;
}
  392. /* Enforcement */
/**
 * sys_landlock_restrict_self - Enforce a ruleset on the calling thread
 *
 * @ruleset_fd: File descriptor tied to the ruleset to merge with the target.
 * @flags: Supported values:
 *
 * - %LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
 * - %LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
 * - %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
 * - %LANDLOCK_RESTRICT_SELF_TSYNC
 *
 * This system call enforces a Landlock ruleset on the current thread.
 * Enforcing a ruleset requires that the task has %CAP_SYS_ADMIN in its
 * namespace or is running with no_new_privs. This avoids scenarios where
 * unprivileged tasks can affect the behavior of privileged children.
 *
 * As a special case, @ruleset_fd may be -1 when @flags is exactly
 * %LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF: no ruleset is merged and only
 * the logging setting of the current credentials is updated.
 *
 * Possible returned errors are:
 *
 * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
 * - %EINVAL: @flags contains an unknown bit.
 * - %EBADF: @ruleset_fd is not a file descriptor for the current thread;
 * - %EBADFD: @ruleset_fd is not a ruleset file descriptor;
 * - %EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
 * current thread is not running with no_new_privs, or it doesn't have
 * %CAP_SYS_ADMIN in its namespace.
 * - %E2BIG: The maximum number of stacked rulesets is reached for the current
 * thread.
 * - %ENOMEM: New credentials could not be allocated.
 *
 * When %LANDLOCK_RESTRICT_SELF_TSYNC is set, an error returned by
 * landlock_restrict_sibling_threads() is propagated as-is.
 *
 * .. kernel-doc:: include/uapi/linux/landlock.h
 * :identifiers: landlock_restrict_self_flags
 */
SYSCALL_DEFINE2(landlock_restrict_self, const int, ruleset_fd, const __u32,
		flags)
{
	struct landlock_ruleset *ruleset __free(landlock_put_ruleset) = NULL;
	struct cred *new_cred;
	struct landlock_cred_security *new_llcred;
	/* Only consumed under CONFIG_AUDIT, hence __maybe_unused. */
	bool __maybe_unused log_same_exec, log_new_exec, log_subdomains,
		prev_log_subdomains;

	if (!is_initialized())
		return -EOPNOTSUPP;

	/*
	 * Similar checks as for seccomp(2), except that an -EPERM may be
	 * returned.
	 */
	if (!task_no_new_privs(current) &&
	    !ns_capable_noaudit(current_user_ns(), CAP_SYS_ADMIN))
		return -EPERM;

	/* Rejects any bit outside the supported flags. */
	if ((flags | LANDLOCK_MASK_RESTRICT_SELF) !=
	    LANDLOCK_MASK_RESTRICT_SELF)
		return -EINVAL;

	/* Translates "off" flag to boolean. */
	log_same_exec = !(flags & LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF);
	/* Translates "on" flag to boolean. */
	log_new_exec = !!(flags & LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON);
	/* Translates "off" flag to boolean. */
	log_subdomains = !(flags & LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);

	/*
	 * It is allowed to set LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF with
	 * -1 as ruleset_fd, but no other flag must be set.
	 */
	if (!(ruleset_fd == -1 &&
	      flags == LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF)) {
		/* Gets and checks the ruleset (read mode, see ruleset_fops). */
		ruleset = get_ruleset_from_fd(ruleset_fd, FMODE_CAN_READ);
		if (IS_ERR(ruleset))
			return PTR_ERR(ruleset);
	}

	/*
	 * Prepares new credentials: a private copy of the current ones that is
	 * either committed at the end or aborted on every error path below.
	 */
	new_cred = prepare_creds();
	if (!new_cred)
		return -ENOMEM;
	new_llcred = landlock_cred(new_cred);

#ifdef CONFIG_AUDIT
	/*
	 * Subdomain logging is sticky: once turned off for these credentials
	 * it stays off, whatever @flags says for this call.
	 */
	prev_log_subdomains = !new_llcred->log_subdomains_off;
	new_llcred->log_subdomains_off = !prev_log_subdomains ||
					 !log_subdomains;
#endif /* CONFIG_AUDIT */

	/*
	 * The only case when a ruleset may not be set is if
	 * LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF is set and ruleset_fd is -1.
	 * We could optimize this case by not calling commit_creds() if this flag
	 * was already set, but it is not worth the complexity.
	 */
	if (ruleset) {
		/*
		 * There is no possible race condition while copying and
		 * manipulating the current credentials because they are
		 * dedicated per thread.
		 */
		struct landlock_ruleset *const new_dom =
			landlock_merge_ruleset(new_llcred->domain, ruleset);

		if (IS_ERR(new_dom)) {
			abort_creds(new_cred);
			return PTR_ERR(new_dom);
		}

#ifdef CONFIG_AUDIT
		/*
		 * Logging for the new layer is fully disabled when neither
		 * same-exec nor new-exec logging is requested, or when a
		 * parent domain already turned subdomain logging off.
		 */
		new_dom->hierarchy->log_same_exec = log_same_exec;
		new_dom->hierarchy->log_new_exec = log_new_exec;
		if ((!log_same_exec && !log_new_exec) || !prev_log_subdomains)
			new_dom->hierarchy->log_status = LANDLOCK_LOG_DISABLED;
#endif /* CONFIG_AUDIT */

		/* Replaces the old (prepared) domain. */
		landlock_put_ruleset(new_llcred->domain);
		new_llcred->domain = new_dom;

#ifdef CONFIG_AUDIT
		/*
		 * Records the new top layer in domain_exec — presumably
		 * consulted by exec-related audit logging; see cred.h.
		 */
		new_llcred->domain_exec |= BIT(new_dom->num_layers - 1);
#endif /* CONFIG_AUDIT */
	}

	/*
	 * With TSYNC the same restriction is applied to the sibling threads
	 * before the calling thread commits its own credentials.
	 */
	if (flags & LANDLOCK_RESTRICT_SELF_TSYNC) {
		const int err = landlock_restrict_sibling_threads(
			current_cred(), new_cred);

		if (err) {
			abort_creds(new_cred);
			return err;
		}
	}

	/* Installs the new credentials on the current thread. */
	return commit_creds(new_cred);
}