samples/landlock: Don't error out if a file path cannot be opened

Instead of creating a hard error and aborting the sandbox creation,
accept file path not usable in the LL_FS_RO and LL_FS_RW environment
variables but only print a warning. This makes it easier to test, for
instance with LL_FS_RO="${PATH}:/usr/lib:/lib"

Print that we are going to execute the command in the sandbox before
doing so.

Rename "launch" to "execute", and improve header description.

Reviewed-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20240307143849.1517218-1-mic@digikod.net
[mic: Improve header description as suggested by Günther]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

samples/landlock: Support TCP restrictions

Add TCP restrictions to the sandboxer demo. It's possible to allow a
sandboxer to bind/connect to a list of specified ports restricting
network actions to the rest of them. This is controlled with the new
LL_TCP_BIND and LL_TCP_CONNECT environment variables.

Rename ENV_PATH_TOKEN to ENV_DELIMITER.

Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Link: https://lore.kernel.org/r/20231026014751.414649-12-konstantin.meskhidze@huawei.com
[mic: Extend commit message]
Signed-off-by: Mickaël Salaün <mic@digikod.net>

samples/landlock: Document best-effort approach for LANDLOCK_ACCESS_FS_REFER

Add a comment to clarify how to handle best-effort backwards
compatibility for LANDLOCK_ACCESS_FS_REFER.

The "refer" access is special because these operations are always
forbidden in ABI 1, unlike most other operations, which are permitted
when using Landlock ABI levels where they are not supported yet.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20221107181651.4555-1-gnoack3000@gmail.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>

samples/landlock: Extend sample tool to support LANDLOCK_ACCESS_FS_TRUNCATE

Update the sandboxer sample to restrict truncate actions. This is
automatically enabled by default if the running kernel supports
LANDLOCK_ACCESS_FS_TRUNCATE, except for the paths listed in the
LL_FS_RW environment variable.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20221018182216.301684-11-gnoack3000@gmail.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>

samples/landlock: Print hints about ABI versions

Extend the help with the latest Landlock ABI version supported by the
sandboxer.

Inform users about the sandboxer or the kernel not being up-to-date.

Make the version check code easier to update and harder to misuse.

Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20220923154207.3311629-2-mic@digikod.net

samples/landlock: Add support for file reparenting

Add LANDLOCK_ACCESS_FS_REFER to the "roughly write" access rights and
leverage the Landlock ABI version to only try to enforce it if it is
supported by the running kernel.

Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-10-mic@digikod.net

samples/landlock: Format with clang-format

Let's follow a consistent and documented coding style. Everything may
not be to our liking but it is better than tacit knowledge. Moreover,
this will help maintain style consistency between different developers.

This contains only whitespace changes.

Automatically formatted with:
clang-format-14 -i samples/landlock/*.[ch]

Link: https://lore.kernel.org/r/20220506160513.523257-8-mic@digikod.net
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>

samples/landlock: Add clang-format exceptions

In preparation to a following commit, add clang-format on and
clang-format off stanzas around constant definitions. This enables to
keep aligned values, which is much more readable than packed
definitions.

Link: https://lore.kernel.org/r/20220506160513.523257-7-mic@digikod.net
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>

samples/landlock: Fix path_list memory leak

Clang static analysis reports this error

sandboxer.c:134:8: warning: Potential leak of memory
pointed to by 'path_list'
ret = 0;
^
path_list is allocated in parse_path() but never freed.

Signed-off-by: Tom Rix <trix@redhat.com>
Link: https://lore.kernel.org/r/20210428213852.2874324-1-trix@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>

samples/landlock: Add a sandbox manager example

Add a basic sandbox tool to launch a command which can only access a
list of file hierarchies in a read-only or read-write way.

Cc: James Morris <jmorris@namei.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Reviewed-by: Jann Horn <jannh@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210422154123.13086-12-mic@digikod.net
Signed-off-by: James Morris <jamorris@linux.microsoft.com>