samples/landlock: Add a sandbox manager example

Add a basic sandbox tool to launch a command which can only access a list of file hierarchies in a read-only or read-write way. Cc: James Morris <jmorris@namei.org> Cc: Serge E. Hallyn <serge@hallyn.com> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Reviewed-by: Jann Horn <jannh@google.com> Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210407160726.542794-12-mic@digikod.net Signed-off-by: James Morris <jamorris@linux.microsoft.com>
author: Mickaël Salaün <mic@linux.microsoft.com> 2021-04-07 18:07:25 +0200
committer: James Morris <jamorris@linux.microsoft.com> 2021-04-08 18:37:59 -0700
commit: c7cdbef681bc3adac9a9f268babcf6dd87228a03 (patch)
tree: 50f0cd2eab45a9bc48371833464209d670ca8035 /samples/Kconfig
parent: 7ea3e7b24ece86b18070fec52765cd4fefbb0b9a (diff)
download: linux-next-c7cdbef681bc3adac9a9f268babcf6dd87228a03.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/samples/Kconfig b/samples/Kconfig
index e76cdfc50e25..b5a1a7aa7e23 100644
--- a/samples/Kconfig
+++ b/samples/Kconfig
@@ -124,6 +124,13 @@ config SAMPLE_HIDRAW
 	bool "hidraw sample"
 	depends on CC_CAN_LINK && HEADERS_INSTALL
 
+config SAMPLE_LANDLOCK
+	bool "Landlock example"
+	depends on CC_CAN_LINK && HEADERS_INSTALL
+	help
+	  Build a simple Landlock sandbox manager able to start a process
+	  restricted by a user-defined filesystem access control policy.
+
 config SAMPLE_PIDFD
 	bool "pidfd sample"
 	depends on CC_CAN_LINK && HEADERS_INSTALL
author	Mickaël Salaün <mic@linux.microsoft.com>	2021-04-07 18:07:25 +0200
committer	James Morris <jamorris@linux.microsoft.com>	2021-04-08 18:37:59 -0700
commit	c7cdbef681bc3adac9a9f268babcf6dd87228a03 (patch)
tree	50f0cd2eab45a9bc48371833464209d670ca8035 /samples/Kconfig
parent	7ea3e7b24ece86b18070fec52765cd4fefbb0b9a (diff)
download	linux-next-c7cdbef681bc3adac9a9f268babcf6dd87228a03.tar.gz