Explain limitations for the maximum number of stacked rulesets, and the memory usage restrictions.
Cc: James Morris <jmorris@namei.org>
Cc: Jann Horn <jannh@google.com>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
 Documentation/userspace-api/landlock.rst | 17 +++++++++++++++++
 security/landlock/syscall.c              |  2 ++
 2 files changed, 19 insertions(+)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 8f727de20479..7e83e5def1bc 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -186,6 +186,23 @@ Enforcing a ruleset Current limitations ===================
+Ruleset layers +-------------- + +There is a limit of 64 layers of stacked rulesets. This can be an issue for a +task willing to enforce a new ruleset in complement to its 64 inherited +rulesets. Once this limit is reached, sys_landlock_enforce_ruleset_current() +returns E2BIG. It is then strongly suggested to carefully build rulesets once +in the life of a thread, especially for applications able to launch other +applications which may also want to sandbox themselves (e.g. shells, container +managers, etc.). + +Memory usage +------------ + +Kernel memory allocated to create rulesets is accounted and can be restricted +by the :doc:`/admin-guide/cgroup-v1/memory`. + File renaming and linking -------------------------
diff --git a/security/landlock/syscall.c b/security/landlock/syscall.c index 543ae36cd339..045bcac79e17 100644 --- a/security/landlock/syscall.c +++ b/security/landlock/syscall.c @@ -361,6 +361,8 @@ SYSCALL_DEFINE4(landlock_add_rule, * - EPERM: @ruleset_fd has no read access to the underlying ruleset, or the * current thread is not running with no_new_privs, or it doesn't have * CAP_SYS_ADMIN in its namespace. + * - E2BIG: The maximum number of stacked rulesets is reached for the current + * task. */ SYSCALL_DEFINE2(landlock_enforce_ruleset_current, const int, ruleset_fd, const __u32, flags)
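Review bot: In the Documentation hunk, the "Memory usage" paragraph cites only the cgroup v1 memory controller (:doc:`/admin-guide/cgroup-v1/memory`), but kernel memory accounting is also part of the cgroup v2 memory controller, so either reference both documents or say "the memory cgroup controller" generically. The "Ruleset layers" paragraph hard-codes the value 64 in prose; pointing at the kernel constant that defines the limit would keep the text from drifting from the code if that width ever changes. Minor wording: "a task willing to enforce" reads better as "a task that wants to enforce", and "once in the life of a thread" as "once in the lifetime of a thread".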
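Review bot: In the syscall.c hunk, the new E2BIG entry says the maximum "is reached for the current task", which leaves it ambiguous whether the call fails when the result would be exactly 64 layers or only when it would exceed 64; state it as "would be exceeded" (or "the thread already has 64 stacked rulesets"), matching the number given in the documentation hunk, and use "thread" consistently since the documentation describes the limit per thread. This hunk only updates the kernel-doc; nothing in the diff shows the enforce path actually returning -E2BIG, so a pointer to the function where that check lives would let reviewers confirm the comment matches the behaviour.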