[PATCH v17 02/10] landlock: Add ruleset and domain management
James Morris
jmorris at namei.org
Thu May 14 03:09:32 UTC 2020
On Mon, 11 May 2020, Mickaël Salaün wrote:
> + * .. warning::
> + *
> + * It is currently not possible to restrict some file-related actions
> + * accessible through these syscall families: :manpage:`chdir(2)`,
> + * :manpage:`truncate(2)`, :manpage:`stat(2)`, :manpage:`flock(2)`,
> + * :manpage:`chmod(2)`, :manpage:`chown(2)`, :manpage:`setxattr(2)`,
> + * :manpage:`ioctl(2)`, :manpage:`fcntl(2)`.
> + * Future Landlock evolutions will enable to restrict them.
I have to wonder how useful Landlock will be without more coverage per
the above.
It would be helpful if you could outline a threat model for this initial
version, so people can get an idea of what kind of useful protection may
be gained from it.
Are there any distros or other major users who are planning on enabling or
at least investigating Landlock?
Do you have any examples of a practical application of this scheme?
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list