[PATCH v1] landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER

Paul Moore paul at paul-moore.com
Thu Aug 25 20:16:18 UTC 2022


On Wed, Aug 24, 2022 at 5:04 AM Mickaël Salaün <mic at digikod.net> wrote:
> On 23/08/2022 22:07, Günther Noack wrote:
> > On Tue, Aug 23, 2022 at 04:41:23PM +0200, Mickaël Salaün wrote:
> >> With the introduction of LANDLOCK_ACCESS_FS_REFER, we added the first
> >> globally denied-by-default access right.  Indeed, this lifted an initial
> >> Landlock limitation to rename and link files, which was initially always
> >> denied when the source or the destination were different directories.
> >>
> >> This led to an inconsistent backward compatibility behavior which was
> >> only taken into account if no domain layer were using the new
> >> LANDLOCK_ACCESS_FS_REFER right.  However, in a scenario where layers are
> >> using the first and the second Landlock ABI (i.e.
> >> LANDLOCK_ACCESS_FS_REFER or not), the access control behaves like if all
> >> domains were handling LANDLOCK_ACCESS_FS_REFER with their rules
> >> implicitly allowing such right.
>
> "the access control behaves like if domains not handling
> LANDLOCK_ACCESS_FS_REFER are in fact handling it and with their rules
> implicitly allowing such right."
>
> Is this better?

I'm still looking at the actual code changes, but I had similar
problems as Günther while I was reading the description.  While the
new text above is different, I'm not sure it is significantly easier
to understand.  I might suggest adding a short example to the commit
description showing what happens now and what will change with this
patch; similar to what Günther did in his reply.

-- 
paul-moore.com
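
The mixed-layer scenario from the quoted commit message, as an added example that is not part of the thread or the kernel source: a simplified model of the LANDLOCK_ACCESS_FS_REFER decision across stacked layers. The `struct layer` fields and both function names are hypothetical, and the post-patch rule is an assumption drawn from the patch title and the "denied-by-default" wording above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of stacked Landlock layers; not kernel code.
 * Only the LANDLOCK_ACCESS_FS_REFER check is modelled. */
struct layer {
    bool handles_refer;     /* REFER listed in the ruleset's handled accesses */
    bool rule_allows_refer; /* rules grant REFER on source and destination */
};

/* Behaviour the commit message describes as inconsistent. */
bool reparent_allowed_before(const struct layer *l, size_t n)
{
    bool any_handles = false;
    if (n == 0)
        return true; /* no Landlock domain, nothing to enforce */
    for (size_t i = 0; i < n; i++)
        any_handles |= l[i].handles_refer;
    if (!any_handles)
        return false; /* first-ABI behaviour: reparenting always denied */
    for (size_t i = 0; i < n; i++)
        if (l[i].handles_refer && !l[i].rule_allows_refer)
            return false;
    return true; /* layers not handling REFER were skipped: implicit allow */
}

/* Assumed post-patch rule: REFER is denied by default in every layer. */
bool reparent_allowed_after(const struct layer *l, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!l[i].handles_refer || !l[i].rule_allows_refer)
            return false;
    return true;
}

int main(void)
{
    /* Constructed scenario: first layer built against the first ABI,
     * second layer handles REFER and allows it by rule. */
    const struct layer mixed[] = { { false, false }, { true, true } };
    printf("before: %d\n", reparent_allowed_before(mixed, 2));
    printf("after:  %d\n", reparent_allowed_after(mixed, 2));
    return 0;
}
```

In the mixed case the first layer never asked for reparenting to be possible, yet the model's "before" function allows it once a later layer handles and grants REFER; the "after" function keeps it denied.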


