Re: [PATCH v1 09/11] landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning

From: Mickaël Salaün
Date: Thu Mar 17 2022 - 08:05:28 EST

Next message: Jonathan Neuschäfer: "Re: [PATCH 14/18] dt-bindings: irqchip: nuvoton,wpcm450-aic: include generic schema"
Previous message: Wander Costa: "Re: [PATCH v4 2/5] serial/8250: Use the cache value of the FCR register"
In reply to: Paul Moore: "Re: [PATCH v1 09/11] landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 17/03/2022 02:27, Paul Moore wrote:

On Mon, Feb 21, 2022 at 4:15 PM Mickaël Salaün <mic@xxxxxxxxxxx> wrote:

From: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>

Add LANDLOCK_ACCESS_FS_REFER in the example and properly check to only
use it if the current kernel support it thanks to the Landlock ABI
version.

Move the file renaming and linking limitation to a new "Previous
limitations" section.

Improve documentation about the backward and forward compatibility,
including the rational for ruleset's handled_access_fs.

Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>
Link: https://lore.kernel.org/r/20220221212522.320243-10-mic@xxxxxxxxxxx
---
Documentation/userspace-api/landlock.rst | 124 +++++++++++++++++++----
1 file changed, 104 insertions(+), 20 deletions(-)

Thanks for remembering to update the docs :) I made a few phrasing
suggestions below, but otherwise it looks good to me.

Thanks Paul! I'll take them.

Reviewed-by: Paul Moore <paul@xxxxxxxxxxxxxx>

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index f35552ff19ba..97db09d36a5c 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -281,6 +347,24 @@ Memory usage
Kernel memory allocated to create rulesets is accounted and can be restricted
by the Documentation/admin-guide/cgroup-v1/memory.rst.

+Previous limitations
+====================
+
+File renaming and linking (ABI 1)
+---------------------------------
+
+Because Landlock targets unprivileged access controls, it is needed to properly

^^^^^
"... controls, it needs to ..."

+handle composition of rules. Such property also implies rules nesting.
+Properly handling multiple layers of ruleset, each one of them able to restrict

^^^^^^^
"rulesets,"

+access to files, also implies to inherit the ruleset restrictions from a parent

^^^^^^^^^^
"... implies inheritance of the ..."

+to its hierarchy. Because files are identified and restricted by their
+hierarchy, moving or linking a file from one directory to another implies to
+propagate the hierarchy constraints.

"... one directory to another implies propagation of the hierarchy constraints."

+ To protect against privilege escalations

+through renaming or linking, and for the sake of simplicity, Landlock previously
+limited linking and renaming to the same directory. Starting with the Landlock
+ABI version 2, it is now possible to securely control renaming and linking
+thanks to the new `LANDLOCK_ACCESS_FS_REFER` access right.

--
paul-moore.com

Next message: Jonathan Neuschäfer: "Re: [PATCH 14/18] dt-bindings: irqchip: nuvoton,wpcm450-aic: include generic schema"
Previous message: Wander Costa: "Re: [PATCH v4 2/5] serial/8250: Use the cache value of the FCR register"
In reply to: Paul Moore: "Re: [PATCH v1 09/11] landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]