Merge branch 'for-next/execve' of git://git.kernel.org/pub/scm/linux/kernel/git/kees...

diff --cc Documentation/userspace-api/index.rst
Simple merge

diff --cc fs/exec.c
Simple merge

diff --cc samples/Kconfig
index 8d5a36f0e5d6b63b345aab2d4ccb18c5424fd48b,84a9d4e8d94772f3d22d041af80a3f198223c36b..820e00b2ed683a8fea823df9a5e4305932042137
--- 1/samples/Kconfig
--- 2/samples/Kconfig
+++ b/samples/Kconfig
@@@ -291,10 -291,17 +291,19 @@@ config SAMPLE_CGROU
        help
          Build samples that demonstrate the usage of the cgroup API.
  
+ config SAMPLE_CHECK_EXEC
+       bool "Exec secure bits examples"
+       depends on CC_CAN_LINK && HEADERS_INSTALL
+       help
+         Build a tool to easily configure SECBIT_EXEC_RESTRICT_FILE and
+         SECBIT_EXEC_DENY_INTERACTIVE, and a simple script interpreter to
+         demonstrate how they should be used with execveat(2) +
+         AT_EXECVE_CHECK.
+ 
  source "samples/rust/Kconfig"
  
 +source "samples/damon/Kconfig"
 +
  endif # SAMPLES
  
  config HAVE_SAMPLE_FTRACE_DIRECT

diff --cc samples/Makefile
Simple merge

diff --cc security/security.c
Simple merge

diff --cc tools/testing/selftests/kselftest/ktap_helpers.sh
Simple merge

diff --cc tools/testing/selftests/landlock/fs_test.c
index 8ac9aaf38eaa8c9be0fcbeb6ea3adec8c6a4801c,cd66901be612b5a44bec44e194faecb2ac4f9983..2af86bd796bab61e4ce097f801b1fb9c34580a8a
--- 1/tools/testing/selftests/landlock/fs_test.c
--- 2/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@@ -2027,10 -2041,14 +2047,14 @@@ TEST_F_FORK(layout1, execute
                create_ruleset(_metadata, rules[0].access, rules);
  
        ASSERT_LE(0, ruleset_fd);
 -      copy_binary(_metadata, file1_s1d1);
 -      copy_binary(_metadata, file1_s1d2);
 -      copy_binary(_metadata, file1_s1d3);
 +      copy_file(_metadata, bin_true, file1_s1d1);
 +      copy_file(_metadata, bin_true, file1_s1d2);
 +      copy_file(_metadata, bin_true, file1_s1d3);
  
+       /* Checks before file1_s1d1 being denied. */
+       test_execute(_metadata, 0, file1_s1d1);
+       test_check_exec(_metadata, 0, file1_s1d1);
+ 
        enforce_ruleset(_metadata, ruleset_fd);
        ASSERT_EQ(0, close(ruleset_fd));
  
@@@ -2045,85 -2065,9 +2071,86 @@@
        ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
        ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
        test_execute(_metadata, 0, file1_s1d3);
+       test_check_exec(_metadata, 0, file1_s1d3);
  }
  
 +TEST_F_FORK(layout1, umount_sandboxer)
 +{
 +      int pipe_child[2], pipe_parent[2];
 +      char buf_parent;
 +      pid_t child;
 +      int status;
 +
 +      copy_file(_metadata, bin_sandbox_and_launch, file1_s3d3);
 +      ASSERT_EQ(0, pipe2(pipe_child, 0));
 +      ASSERT_EQ(0, pipe2(pipe_parent, 0));
 +
 +      child = fork();
 +      ASSERT_LE(0, child);
 +      if (child == 0) {
 +              char pipe_child_str[12], pipe_parent_str[12];
 +              char *const argv[] = { (char *)file1_s3d3,
 +                                     (char *)bin_wait_pipe, pipe_child_str,
 +                                     pipe_parent_str, NULL };
 +
 +              /* Passes the pipe FDs to the executed binary and its child. */
 +              EXPECT_EQ(0, close(pipe_child[0]));
 +              EXPECT_EQ(0, close(pipe_parent[1]));
 +              snprintf(pipe_child_str, sizeof(pipe_child_str), "%d",
 +                       pipe_child[1]);
 +              snprintf(pipe_parent_str, sizeof(pipe_parent_str), "%d",
 +                       pipe_parent[0]);
 +
 +              /*
 +               * We need bin_sandbox_and_launch (copied inside the mount as
 +               * file1_s3d3) to execute bin_wait_pipe (outside the mount) to
 +               * make sure the mount point will not be EBUSY because of
 +               * file1_s3d3 being in use.  This avoids a potential race
 +               * condition between the following read() and umount() calls.
 +               */
 +              ASSERT_EQ(0, execve(argv[0], argv, NULL))
 +              {
 +                      TH_LOG("Failed to execute \"%s\": %s", argv[0],
 +                             strerror(errno));
 +              };
 +              _exit(1);
 +              return;
 +      }
 +
 +      EXPECT_EQ(0, close(pipe_child[1]));
 +      EXPECT_EQ(0, close(pipe_parent[0]));
 +
 +      /* Waits for the child to sandbox itself. */
 +      EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
 +
 +      /* Tests that the sandboxer is tied to its mount point. */
 +      set_cap(_metadata, CAP_SYS_ADMIN);
 +      EXPECT_EQ(-1, umount(dir_s3d2));
 +      EXPECT_EQ(EBUSY, errno);
 +      clear_cap(_metadata, CAP_SYS_ADMIN);
 +
 +      /* Signals the child to launch a grandchild. */
 +      EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
 +
 +      /* Waits for the grandchild. */
 +      EXPECT_EQ(1, read(pipe_child[0], &buf_parent, 1));
 +
 +      /* Tests that the domain's sandboxer is not tied to its mount point. */
 +      set_cap(_metadata, CAP_SYS_ADMIN);
 +      EXPECT_EQ(0, umount(dir_s3d2))
 +      {
 +              TH_LOG("Failed to umount \"%s\": %s", dir_s3d2,
 +                     strerror(errno));
 +      };
 +      clear_cap(_metadata, CAP_SYS_ADMIN);
 +
 +      /* Signals the grandchild to terminate. */
 +      EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
 +      ASSERT_EQ(child, waitpid(child, &status, 0));
 +      ASSERT_EQ(1, WIFEXITED(status));
 +      ASSERT_EQ(0, WEXITSTATUS(status));
 +}
 +
  TEST_F_FORK(layout1, link)
  {
        const struct rule layer1[] = {