[PATCH v3 1/5] landlock: Add ioctl access right

Günther Noack gnoack at google.com
Mon Aug 14 17:43:08 UTC 2023


Hi!

On Mon, Aug 14, 2023 at 07:28:12PM +0200, Günther Noack wrote:
> @@ -1207,7 +1209,8 @@ static int hook_file_open(struct file *const file)
>  {
>  	layer_mask_t layer_masks[LANDLOCK_NUM_ACCESS_FS] = {};
>  	access_mask_t open_access_request, full_access_request, allowed_access;
> -	const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE;
> +	const access_mask_t optional_access = LANDLOCK_ACCESS_FS_TRUNCATE |
> +					      LANDLOCK_ACCESS_FS_IOCTL;
>  	const struct landlock_ruleset *const dom =
>  		landlock_get_current_domain();
>  
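Review bot: `optional_access` now carries `LANDLOCK_ACCESS_FS_TRUNCATE | LANDLOCK_ACCESS_FS_IOCTL`, but nothing in the hunk explains why these two rights sit in a separate mask from the open request itself; a short comment above the declaration stating that they do not gate the open and naming the later hook that consumes the recorded IOCTL bit would save the next reader a trip through the rest of `hook_file_open`.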
> @@ -1280,6 +1283,36 @@ static int hook_file_truncate(struct file *const file)
>  	return -EACCES;
>  }
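Review bot: only the two trailing context lines of `hook_file_truncate` are quoted here, so the 30 added lines announced by the hunk header (the new ioctl hook) and their return value are not visible in this excerpt; when the hook is shown in full, a comment stating which errno it returns and why would help, since `hook_file_truncate` returns `-EACCES` at this point and the choice between EACCES and ENOTTY is exactly what is raised below.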

About the error code:

The ioctl(2) man page documents ENOTTY as "The specified request does not apply
to this kind of object".  It does not document EACCES.  EACCES would be slightly
more appropriate semantically, but existing programs might be better equipped
to handle ENOTTY.

Do you think we should return ENOTTY here?

—Günther

-- 
Sent using Mutt 🐕 Woof Woof
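To illustrate the compatibility point raised in the reply, here is an added example (not code from the patch or from the Landlock project) of how a userspace caller classifies the errno from ioctl(2) so that ENOTTY keeps its conventional "does not apply, fall back" meaning while EACCES is surfaced as a refusal. It assumes Linux/POSIX headers and uses TIOCGWINSZ on a freshly created pipe only as a request that is known to return ENOTTY.

```c
#include <errno.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Outcome classes a caller distinguishes, following the two codes discussed
 * in the reply: ENOTTY (request does not apply to this object) versus EACCES
 * (the request was refused). */
enum ioctl_outcome {
	IOCTL_OK,             /* request succeeded */
	IOCTL_NOT_APPLICABLE, /* ENOTTY: take the usual fallback path */
	IOCTL_DENIED,         /* EACCES: refused, do not silently fall back */
	IOCTL_OTHER_ERROR     /* EBADF, EINVAL, EFAULT, ... */
};

/* Pure mapping from an errno value to an outcome class. */
enum ioctl_outcome classify_errno(int err)
{
	switch (err) {
	case 0:      return IOCTL_OK;
	case ENOTTY: return IOCTL_NOT_APPLICABLE;
	case EACCES: return IOCTL_DENIED;
	default:     return IOCTL_OTHER_ERROR;
	}
}

/* Issue the ioctl and classify its result; errno is only valid on failure. */
enum ioctl_outcome classify_ioctl(int fd, unsigned long req, void *arg)
{
	if (ioctl(fd, req, arg) == 0)
		return IOCTL_OK;
	return classify_errno(errno);
}

/* Probe a fresh pipe with TIOCGWINSZ (constructed input): a pipe is not a
 * terminal, so the kernel answers ENOTTY and a caller takes its fallback path. */
enum ioctl_outcome probe_pipe_winsize(void)
{
	int fds[2];
	struct winsize ws;
	enum ioctl_outcome r;

	if (pipe(fds) != 0)
		return IOCTL_OTHER_ERROR;
	r = classify_ioctl(fds[0], TIOCGWINSZ, &ws);
	close(fds[0]);
	close(fds[1]);
	return r;
}
```

A program that already routes ENOTTY to a fallback would keep working under either choice of errno only if the sandbox picks ENOTTY; with EACCES it must be taught a new branch.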
