syscall: add Landlock support for execve() on Linux by gnoack · Pull Request #77630 · golang/go

gnoack · 2026-02-15T22:36:52Z

Extend SysProcAttr on Linux to optionally store the ruleset FD and
flag arguments for landlock_restrict_self(2).
Extend forkAndExecInChild1() to invoke the system call.
Add a flag for the prctl(PR_SET_NO_NEW_PRIVS) call as well,
which is a prerequisite for unprivileged Landlock enforcement.
Define the necessary constants unexported as _PR_SET_NO_NEW_PRIVS
and _SYS_landlock_restrict_self.
The test case exercises the logic and demonstrates that it works
(provided that the host Linux system has the Landlock LSM enabled).

As it is customary in forkAndExecInChild1(), system calls need to be
invoked with RawSyscall(), and their system call numbers are defined
in the same package. (Depending on internal/syscall/unix would create
an import loop.)

The Landlock API is described in
https://docs.kernel.org/userspace-api/landlock.html

Updates landlock-lsm/go-landlock#45
Fixes #68595

gnoack · 2026-02-15T22:39:02Z

For a rationale on why I updated these generated files that way, please see #68595 (comment) -- the previously suggested approach to put these constants in internal/syscall/unix was not feasible, and I am under the impression that re-generation of the full files in syscall is not intended at this point either?

I'm happy to implement it either way, please let me know what you prefer.

gopherbot · 2026-02-15T22:52:29Z

This PR (HEAD: f4cd8f1) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

Don't comment on this PR. All discussion takes place in Gerrit.
You need a Gmail or other Google account to log in to Gerrit.
To change your code in response to feedback:
- Push a new commit to the branch used by your GitHub PR.
- A new "patch set" will then appear in Gerrit.
- Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
- Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
- Multiple commits in the PR will be squashed by GerritBot.
The title and description of the GitHub PR are used to construct the final commit message.
- Edit these as needed via the GitHub web interface (not via Gerrit or git).
- You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

gopherbot · 2026-02-15T23:01:31Z

Message from Gopher Robot:

Patch Set 1:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2026-02-16T09:31:41Z

Message from Günther Noack:

Patch Set 1:

(2 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2026-02-16T09:31:42Z

Message from Günther Noack:

Patch Set 2:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2026-02-16T09:52:35Z

Message from Günther Noack:

Patch Set 2:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2026-02-16T12:53:02Z

This PR (HEAD: ed40a01) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

Don't comment on this PR. All discussion takes place in Gerrit.
You need a Gmail or other Google account to log in to Gerrit.
To change your code in response to feedback:
- Push a new commit to the branch used by your GitHub PR.
- A new "patch set" will then appear in Gerrit.
- Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
- Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
- Multiple commits in the PR will be squashed by GerritBot.
The title and description of the GitHub PR are used to construct the final commit message.
- Edit these as needed via the GitHub web interface (not via Gerrit or git).
- You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

gopherbot · 2026-02-16T13:02:29Z

This PR (HEAD: 6269c26) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

Don't comment on this PR. All discussion takes place in Gerrit.
You need a Gmail or other Google account to log in to Gerrit.
To change your code in response to feedback:
- Push a new commit to the branch used by your GitHub PR.
- A new "patch set" will then appear in Gerrit.
- Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
- Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
- Multiple commits in the PR will be squashed by GerritBot.
The title and description of the GitHub PR are used to construct the final commit message.
- Edit these as needed via the GitHub web interface (not via Gerrit or git).
- You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

gopherbot · 2026-02-16T13:11:54Z

Message from Günther Noack:

Patch Set 2:

(2 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2026-05-04T11:25:06Z

This PR (HEAD: 0f8ed8d) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

Don't comment on this PR. All discussion takes place in Gerrit.
You need a Gmail or other Google account to log in to Gerrit.
To change your code in response to feedback:
- Push a new commit to the branch used by your GitHub PR.
- A new "patch set" will then appear in Gerrit.
- Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
- Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
- Multiple commits in the PR will be squashed by GerritBot.
The title and description of the GitHub PR are used to construct the final commit message.
- Edit these as needed via the GitHub web interface (not via Gerrit or git).
- You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

gopherbot · 2026-05-04T12:30:27Z

Message from Günther Noack:

Patch Set 5:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2026-06-18T08:01:25Z

This PR (HEAD: 83e230e) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

Don't comment on this PR. All discussion takes place in Gerrit.
You need a Gmail or other Google account to log in to Gerrit.
To change your code in response to feedback:
- Push a new commit to the branch used by your GitHub PR.
- A new "patch set" will then appear in Gerrit.
- Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
- Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
- Multiple commits in the PR will be squashed by GerritBot.
The title and description of the GitHub PR are used to construct the final commit message.
- Edit these as needed via the GitHub web interface (not via Gerrit or git).
- You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

gopherbot · 2026-06-18T08:16:28Z

Message from Günther Noack:

Patch Set 6:

(1 comment)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2026-06-24T17:11:19Z

Message from Austin Clements:

Patch Set 7:

(3 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

* In forkAndExecInChild1() on Linux, when SysProcAttr.NoNewPrivs is set, call prctl(PR_SET_NO_NEW_PRIVS). * Define the necessary constant unexported as _PR_SET_NO_NEW_PRIVS. When the no_new_privs flag is set, execve() does not grant additional permissions through execve() (e.g., through the set-user-ID bit). The no_new_privs flag is a prerequisite for enabling a Landlock policy in an unprivileged (non-CAP_SYS_ADMIN) thread. The flag is documented in PR_SET_NO_NEW_PRIVS(2const). The name of the SysProcAttr.NoNewPrivs field is chosen to mirror the naming in the Linux API. Updates landlock-lsm/go-landlock#45 Updates golang#68595

* Extend SysProcAttr on Linux to optionally store the ruleset FD and flag arguments for landlock_restrict_self(2). * Extend forkAndExecInChild1() to invoke the system call. * The test case exercises the logic and demonstrates that it works (provided that the host Linux system has the Landlock LSM enabled). * Define the necessary unexported _SYS_landlock_restrict_self constant. As it is customary in forkAndExecInChild1(), system calls need to be invoked with RawSyscall(), and their system call numbers are defined in the same package. (Depending on internal/syscall/unix would create an import loop.) The Landlock API is described in https://docs.kernel.org/userspace-api/landlock.html Updates landlock-lsm/go-landlock#45 Fixes golang#68595

gopherbot · 2026-06-25T10:55:19Z

Message from Günther Noack:

Patch Set 7:

(3 comments)

Please don’t reply on this GitHub thread. Visit golang.org/cl/745940.
After addressing review feedback, remember to publish your drafts!

gopherbot · 2026-06-25T10:55:30Z

This PR (HEAD: 7b6b6b1) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/745940.

Important tips:

Don't comment on this PR. All discussion takes place in Gerrit.
You need a Gmail or other Google account to log in to Gerrit.
To change your code in response to feedback:
- Push a new commit to the branch used by your GitHub PR.
- A new "patch set" will then appear in Gerrit.
- Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
- Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
- Multiple commits in the PR will be squashed by GerritBot.
The title and description of the GitHub PR are used to construct the final commit message.
- Edit these as needed via the GitHub web interface (not via Gerrit or git).
- You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

gnoack mentioned this pull request Feb 15, 2026

Landlock specific processes? landlock-lsm/go-landlock#45

Open

gnoack force-pushed the landlock-exec branch from f4cd8f1 to ed40a01 Compare February 16, 2026 12:49

gnoack force-pushed the landlock-exec branch 2 times, most recently from 95c53bb to 6269c26 Compare February 16, 2026 12:59

gnoack force-pushed the landlock-exec branch from 6269c26 to 0f8ed8d Compare May 4, 2026 11:22

gnoack mentioned this pull request May 4, 2026

syscall: support process sandboxing using Landlock on Linux #68595

Open

hbrooks mentioned this pull request May 28, 2026

syscall: add Landlock support for execve() on Linux ellipsis-dev-test/go#20

Open

gnoack force-pushed the landlock-exec branch from 0f8ed8d to 83e230e Compare June 18, 2026 07:53

Icelain mentioned this pull request Jun 24, 2026

net/http: add QUERY HTTP method Icelain/go#3

Merged

3 tasks

gnoack added 2 commits June 25, 2026 12:43

gnoack force-pushed the landlock-exec branch from 83e230e to 7b6b6b1 Compare June 25, 2026 10:44

Uh oh!

Conversation

gnoack commented Feb 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gnoack commented Feb 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gopherbot commented Feb 15, 2026

Uh oh!

gopherbot commented Feb 15, 2026

Uh oh!

gopherbot commented Feb 16, 2026

Uh oh!

gopherbot commented Feb 16, 2026

Uh oh!

gopherbot commented Feb 16, 2026

Uh oh!

gopherbot commented Feb 16, 2026

Uh oh!

gopherbot commented Feb 16, 2026

Uh oh!

gopherbot commented Feb 16, 2026

Uh oh!

gopherbot commented May 4, 2026

Uh oh!

gopherbot commented May 4, 2026

Uh oh!

gopherbot commented Jun 18, 2026

Uh oh!

gopherbot commented Jun 18, 2026

Uh oh!

gopherbot commented Jun 24, 2026

Uh oh!

gopherbot commented Jun 25, 2026

Uh oh!

gopherbot commented Jun 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

gnoack commented Feb 15, 2026 •

edited

Loading

gnoack commented Feb 15, 2026 •

edited

Loading