[PATCH v1] landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER

[Paul Moore]

On Thu, Aug 25, 2022 at 6:27 PM Mickaël Salaün <mic at digikod.net> wrote:
> This patch fixes the (absolute) rule access rights, which now always
> forbid LANDLOCK_ACCESS_FS_REFER except when it is explicitely allowed
> when creating a rule. Making all domain handle LANDLOCK_ACCESS_FS_REFER
> was may initial approach but there is two downsides:
> - it makes the code more complex because we still want to check that a
> rule allowing LANDLOCK_ACCESS_FS_REFER is legitimate according to the
> ruleset's handled access rights (i.e. ABI v1 != ABI v2);
> - it would not allow to identify if the user created a ruleset
> explicitely handling LANDLOCK_ACCESS_FS_REFER or not, which will be an
> issue to audit Landlock (not really possible right now but soon ;) ).

I like this explanation much better!

-- 
paul-moore.com