[RFC PATCH v14 05/10] fs, landlock: Support filesystem access-control
Jann Horn
jannh at google.com
Thu Feb 27 16:51:51 UTC 2020
On Thu, Feb 27, 2020 at 5:50 PM Mickaël Salaün <mic at digikod.net> wrote:
> On 26/02/2020 21:29, Jann Horn wrote:
> > On Mon, Feb 24, 2020 at 5:03 PM Mickaël Salaün <mic at digikod.net> wrote:
> >> +static inline u32 get_mem_access(unsigned long prot, bool private)
> >> +{
> >> + u32 access = LANDLOCK_ACCESS_FS_MAP;
> >> +
> >> + /* Private mapping do not write to files. */
> >> + if (!private && (prot & PROT_WRITE))
> >> + access |= LANDLOCK_ACCESS_FS_WRITE;
> >> + if (prot & PROT_READ)
> >> + access |= LANDLOCK_ACCESS_FS_READ;
> >> + if (prot & PROT_EXEC)
> >> + access |= LANDLOCK_ACCESS_FS_EXECUTE;
> >> + return access;
> >> +}
[...]
> However, I'm not sure this hook is useful for now. Indeed, the process
> still need to have a file descriptor open with the right accesses.
Yeah, agreed.
More information about the Linux-security-module-archive
mailing list