landlock/errata.rs
1// SPDX-License-Identifier: Apache-2.0 OR MIT
2
3use crate::compat::ABI;
4use crate::{uapi, BitFlags};
5use enumflags2::bitflags;
6
7/// Fixed kernel issues for the running Landlock implementation.
8///
9/// Each variant represents a specific bug fix that may have been
10/// backported to the running kernel. Use [`Erratum::current()`]
11/// before building a [`Ruleset`](crate::Ruleset) to decide which
12/// features are safe to use.
13///
14/// An [`ABI`] version can be converted into the set of applicable errata
15/// with `BitFlags::<Erratum>::from(abi)`.
16///
17/// # Warning
18///
19/// Most applications should **not** check errata. Disabling a sandboxing
20/// feature because an erratum is not fixed could leave the system **less**
21/// secure than using Landlock's best-effort protection with the buggy
22/// feature enabled. Errata should only be used to **add** features
23/// (e.g., enabling a restriction only when its bug is confirmed fixed),
24/// never to remove them.
25#[bitflags]
26#[repr(u32)]
27#[derive(Copy, Clone, Debug, PartialEq, Eq)]
28#[non_exhaustive]
29pub enum Erratum {
30 /// Erratum 1 (ABI 4): non-TCP stream sockets (SMC, MPTCP, SCTP)
31 /// were incorrectly restricted by TCP access rights during
32 /// `bind(2)` and `connect(2)`.
33 ///
34 /// Affects [`crate::AccessNet::BindTcp`] and [`crate::AccessNet::ConnectTcp`].
35 ///
36 /// See [erratum 1](https://docs.kernel.org/userspace-api/landlock.html#erratum-1-tcp-socket-identification).
37 TcpSocketIdentification = 1 << 0,
38 /// Erratum 2 (ABI 6): signal scoping was overly restrictive,
39 /// preventing sandboxed threads from signaling other threads
40 /// within the same process in different domains.
41 ///
42 /// Affects [`crate::Scope::Signal`].
43 ///
44 /// See [erratum 2](https://docs.kernel.org/userspace-api/landlock.html#erratum-2-scoped-signal-handling).
45 ScopedSignalHandling = 1 << 1,
46 /// Erratum 3 (ABI 1): access rights could be widened through
47 /// rename or link actions on disconnected directories under
48 /// bind mounts, potentially bypassing `LANDLOCK_ACCESS_FS_REFER`
49 /// restrictions.
50 ///
51 /// See [erratum 3](https://docs.kernel.org/userspace-api/landlock.html#erratum-3-disconnected-directory-handling).
52 DisconnectedDirectoryHandling = 1 << 2,
53}
54
55impl Erratum {
56 /// Queries the running kernel for fixed errata.
57 ///
58 /// Returns a bitmask of errata that have been fixed in the running
59 /// kernel. Unknown errata bits from newer kernels are preserved.
60 /// Returns empty if the kernel doesn't support the errata interface.
61 pub fn current() -> BitFlags<Self> {
62 let ret = unsafe {
63 uapi::landlock_create_ruleset(std::ptr::null(), 0, uapi::LANDLOCK_CREATE_RULESET_ERRATA)
64 };
65 if ret >= 0 {
66 // SAFETY: The kernel may return bits unknown to this crate version.
67 // Using from_bits_unchecked to preserve them.
68 unsafe { BitFlags::from_bits_unchecked(ret as u32) }
69 } else {
70 BitFlags::empty()
71 }
72 }
73}
74
75/// Converts an [`ABI`] version into the set of errata applicable to that ABI.
76///
77/// An erratum is applicable if the ABI includes the feature affected by the bug.
78/// For example, [`Erratum::TcpSocketIdentification`] is only applicable to
79/// [`ABI::V4`] and later, since TCP access rights were introduced in that version.
80///
81/// Uses the same incremental accumulation pattern as
82/// [`AccessFs::from_write()`](crate::AccessFs::from_write).
83///
84/// # Stability
85///
86/// The set of errata returned for a given ABI may grow in future versions
87/// of this crate as new kernel bug fixes are identified and backported.
88/// Do not rely on the exact set being stable across crate versions.
89impl From<ABI> for BitFlags<Erratum> {
90 fn from(abi: ABI) -> Self {
91 match abi {
92 ABI::Unsupported => BitFlags::empty(),
93 // Erratum 3: disconnected directory handling (FS, ABI 1+).
94 ABI::V1 | ABI::V2 | ABI::V3 => Erratum::DisconnectedDirectoryHandling.into(),
95 // Erratum 1: TCP socket identification (net, ABI 4+).
96 ABI::V4 | ABI::V5 => Self::from(ABI::V3) | Erratum::TcpSocketIdentification,
97 // Erratum 2: scoped signal handling (scopes, ABI 6+).
98 // When adding a new ABI version without new errata, append it here.
99 ABI::V6 | ABI::V7 => Self::from(ABI::V5) | Erratum::ScopedSignalHandling,
100 }
101 }
102}
103
104/// Extracts the (major, minor, patch, suffix) from /proc/version's
105/// "Linux version X.Y.Z-suffix..." line.
106///
107/// Returns `None` if the input does not start with "Linux version " or if
108/// the major/minor numbers cannot be parsed. The patch number defaults to
109/// 0 when absent (e.g., for RC kernels).
110#[cfg(test)]
111fn parse_kernel_version(proc_version: &str) -> Option<(u32, u32, u32, &str)> {
112 let after_prefix = proc_version.strip_prefix("Linux version ")?;
113 let token = after_prefix.split_whitespace().next()?;
114 let first_dot = token.find('.')?;
115 let major: u32 = token[..first_dot].parse().ok()?;
116 let rest = &token[first_dot + 1..];
117 let minor_end = rest
118 .find(|c: char| !c.is_ascii_digit())
119 .unwrap_or(rest.len());
120 let minor: u32 = rest[..minor_end].parse().ok()?;
121 let after_minor = &rest[minor_end..];
122 // If a second dot follows, parse the patch number; otherwise default to 0.
123 let (patch, suffix) = match after_minor.strip_prefix('.') {
124 Some(after_dot) => {
125 let patch_end = after_dot
126 .find(|c: char| !c.is_ascii_digit())
127 .unwrap_or(after_dot.len());
128 let patch: u32 = after_dot[..patch_end].parse().unwrap_or(0);
129 (patch, &after_dot[patch_end..])
130 }
131 None => (0, after_minor),
132 };
133 Some((major, minor, patch, suffix))
134}
135
136#[test]
137fn parse_kernel_version_cases() {
138 // Distro-suffixed stable release.
139 assert_eq!(
140 parse_kernel_version("Linux version 6.15.0-29-generic (build@host) ..."),
141 Some((6, 15, 0, "-29-generic")),
142 );
143 // Distro-suffixed older stable.
144 assert_eq!(
145 parse_kernel_version("Linux version 5.10.234-1-amd64 (debian) ..."),
146 Some((5, 10, 234, "-1-amd64")),
147 );
148 // Release candidate without patch number.
149 assert_eq!(
150 parse_kernel_version("Linux version 6.15-rc1 (...)"),
151 Some((6, 15, 0, "-rc1")),
152 );
153 // Bare version with no suffix.
154 assert_eq!(
155 parse_kernel_version("Linux version 6.15"),
156 Some((6, 15, 0, "")),
157 );
158 // Stable patch level with no distro suffix.
159 assert_eq!(
160 parse_kernel_version("Linux version 6.12.5"),
161 Some((6, 12, 5, "")),
162 );
163 // Missing prefix.
164 assert_eq!(parse_kernel_version(""), None);
165 assert_eq!(parse_kernel_version("Some other text"), None);
166 // Unparseable version after prefix.
167 assert_eq!(parse_kernel_version("Linux version garbage"), None);
168}
169
170/// Returns the set of errata that have not been backported yet for a given
171/// kernel version.
172///
173/// This is the single source of truth for known backport gaps. The version
174/// is the (major, minor, patch, suffix) parsed from /proc/version.
175/// Backports are made per kernel version (not per Landlock ABI), so this
176/// lookup is keyed by kernel version. The patch number and distro suffix
177/// allow narrowing to specific kernel builds when a fix arrives in a stable
178/// patch level or distro-specific backport. When an erratum is backported
179/// to a kernel version, remove it from the corresponding match arm. The
180/// CI will catch mismatches.
181#[cfg(test)]
182fn not_backported_yet(version: (u32, u32, u32, &str)) -> BitFlags<Erratum> {
183 match version {
184 // TODO: erratum 3 (DisconnectedDirectoryHandling) should be backported.
185 (5, 15, _, _) | (6, 1, _, _) => Erratum::DisconnectedDirectoryHandling.into(),
186
187 // 6.15: errata 1 and 2 backported.
188 // TODO: erratum 3 (DisconnectedDirectoryHandling) should be backported.
189 (6, 15, _, _) => Erratum::DisconnectedDirectoryHandling.into(),
190
191 // 6.4, 6.7, 6.10: EOL, no errata interface on stable.kernel.
192 // 6.12: all errata backported.
193 // Future or unknown kernel: assume all errata backported.
194 _ => BitFlags::empty(),
195 }
196}
197
198#[test]
199fn errata_query() {
200 // Verifies the syscall wrapper works on any kernel.
201 let _errata = Erratum::current();
202}
203
204#[test]
205fn errata_up_to_date() {
206 use crate::compat::{ABI, TEST_ABI, TEST_ABI_ENV_NAME};
207
208 // Print /proc/version for diagnostic info when this test runs in CI.
209 let proc_version = std::fs::read_to_string("/proc/version").unwrap_or_default();
210 eprintln!("/proc/version: {}", proc_version.trim());
211
212 // This test requires LANDLOCK_CRATE_TEST_ABI to be explicitly set because
213 // the errata assertions are tied to specific CI kernel versions. Without
214 // it, TEST_ABI is auto-detected from the running kernel, but From<i32>
215 // maps unknown ABI versions to the highest known one, making the
216 // ABI-to-kernel mapping ambiguous (e.g., a 6.15 kernel maps to V6 before
217 // ABI::V7 exists). Since Erratum::current() queries the real kernel, the
218 // expected errata for the declared ABI may not match.
219 if std::env::var(TEST_ABI_ENV_NAME).is_err() {
220 eprintln!("Skipping errata_up_to_date: {} not set", TEST_ABI_ENV_NAME,);
221 return;
222 }
223
224 let kernel_version =
225 parse_kernel_version(&proc_version).expect("Failed to parse /proc/version");
226 eprintln!("Parsed kernel version: {:?}", kernel_version);
227
228 let current = Erratum::current();
229 let applicable: BitFlags<Erratum> = (*TEST_ABI).into();
230 let expected = applicable & !not_backported_yet(kernel_version);
231
232 // Kernel must never report errata for features absent from this ABI.
233 assert!(
234 current & !applicable == BitFlags::empty(),
235 "kernel reported errata not applicable to ABI {:?}: {:?}",
236 *TEST_ABI,
237 current & !applicable,
238 );
239
240 match *TEST_ABI {
241 ABI::Unsupported => assert!(current.is_empty()),
242 ABI::V1 | ABI::V2 => assert_eq!(current, expected),
243 // 6.4, 6.7, 6.10: EOL, no errata interface on stable.kernel.
244 ABI::V3 | ABI::V4 | ABI::V5 => {}
245 ABI::V6 | ABI::V7 => assert_eq!(current, expected),
246 }
247}