On Thu, 12 Nov 2020, Mickaël Salaün wrote:
Cc: James Morris <jmorris@namei.org>
Cc: Jann Horn <jannh@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Changes since v23:
- Always intersect access rights. Following the filesystem change logic, make ruleset updates more consistent by always intersecting access rights (boolean AND) instead of combining them (boolean OR) for the same layer. This defensive approach could also help avoid user space inadvertently allowing multiple access rights for the same object (e.g. write and execute access on a path hierarchy) instead of dealing with such inconsistency. This can happen when there is no deduplication of objects (e.g. paths and underlying inodes) whereas they get different access rights with landlock_add_rule(2).
- Add extra checks to make sure that:
  - there is always an (allocated) object in each used rule;
  - when updating a ruleset with a new rule (i.e. not merging two rulesets), the ruleset doesn't contain multiple layers.
- Hide merge parameter from the public landlock_insert_rule() API. This helps avoid misuse of this function.
- Replace a remaining hardcoded 1 with SINGLE_DEPTH_NESTING.
Jann: any chance you could review this patch again given the changes above?
Thanks.
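As an added illustration of the update semantics described in the quoted changelog (this is a simplified model written for this page, not the kernel's Landlock code or the patch itself): a single-layer ruleset where re-adding an object intersects its rights, the two extra checks (non-NULL object, no update of a multi-layer ruleset), and an access check that every layer must allow. The names ACCESS_WRITE, ACCESS_EXEC, add_rule and is_allowed are constructed for the example.

```c
/* Simplified model of the update semantics in the quoted changelog, not the
 * kernel's Landlock code; names below are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define ACCESS_WRITE (1u << 0)
#define ACCESS_EXEC  (1u << 1)
#define MAX_RULES 8
#define MAX_LAYERS 4
struct rule {
	const void *object;                /* e.g. an inode; never NULL when used */
	uint32_t layer_access[MAX_LAYERS]; /* one access mask per layer */
};
struct ruleset {
	unsigned int num_layers;           /* 1 when fresh, >1 once merged */
	unsigned int num_rules;
	struct rule rules[MAX_RULES];
};
static struct rule *find_rule(struct ruleset *rs, const void *object)
{
	for (unsigned int i = 0; i < rs->num_rules; i++)
		if (rs->rules[i].object == object)
			return &rs->rules[i];
	return NULL;
}
/* landlock_add_rule(2)-style update: 0 on success, -1 on rejected input. */
static int add_rule(struct ruleset *rs, const void *object, uint32_t access)
{
	struct rule *r = find_rule(rs, object);
	/* Extra checks: allocated object, and no update of a merged ruleset. */
	if (!object || rs->num_layers != 1 || (!r && rs->num_rules == MAX_RULES))
		return -1;
	if (r) /* same object, same layer: intersect (AND), never union (OR) */
		r->layer_access[0] &= access;
	else
		rs->rules[rs->num_rules++] = (struct rule){
			.object = object, .layer_access[0] = access };
	return 0;
}

/* Granted only when the rule for @object allows @access in every layer. */
static bool is_allowed(struct ruleset *rs, const void *object, uint32_t access)
{
	const struct rule *r = find_rule(rs, object);
	for (unsigned int i = 0; r && i < rs->num_layers; i++)
		if ((r->layer_access[i] & access) != access)
			return false;
	return r != NULL;
}
```

Adding the same object first with write|exec and then with exec alone leaves only exec, which is the inconsistency the changelog wants to close off rather than silently widen.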