[PATCH v9 02/12] landlock: Allow filesystem layout changes for domains without such rule type

Konstantin Meskhidze (A) konstantin.meskhidze at huawei.com
Tue Feb 14 12:57:57 UTC 2023



2/14/2023 3:07 PM, Mickaël Salaün wrote:
> 
> On 14/02/2023 09:51, Konstantin Meskhidze (A) wrote:
>> 
>> 
>> 2/10/2023 8:34 PM, Mickaël Salaün wrote:
>>> Hi Konstantin,
>>>
>>> I think this patch series is almost ready. Here is a first batch of
>>> review, I'll send more next week.
>>>
>>     Hi Mickaël.
>>     Thanks for the review.
>> 
>>>
>>> I forgot to update the documentation. Can you please squash the
>>> following patch into this one?
>> 
>>     No problem. I will squash.
>>     Can I download this doc patch from your repo or can I use the diff below?
> 
> You can take the diff below.

   Ok. Will be done.
> 
>>>
>>>
>>> diff --git a/Documentation/userspace-api/landlock.rst
>>> b/Documentation/userspace-api/landlock.rst
>>> index 980558b879d6..fc2be89b423f 100644
>>> --- a/Documentation/userspace-api/landlock.rst
>>> +++ b/Documentation/userspace-api/landlock.rst
>>> @@ -416,9 +416,9 @@ Current limitations
>>>     Filesystem topology modification
>>>     --------------------------------
>>>
>>> -As for file renaming and linking, a sandboxed thread cannot modify its
>>> -filesystem topology, whether via :manpage:`mount(2)` or
>>> -:manpage:`pivot_root(2)`.  However, :manpage:`chroot(2)` calls are not
>>> denied.
>>> +Threads sandboxed with filesystem restrictions cannot modify filesystem
>>> +topology, whether via :manpage:`mount(2)` or :manpage:`pivot_root(2)`.
>>> +However, :manpage:`chroot(2)` calls are not denied.
>>>
>>>     Special filesystems
>>>     -------------------
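
Review bot: the added sentence "Threads sandboxed with filesystem restrictions cannot modify filesystem topology" leaves the converse implicit. The commit message says mount point and root directory changes are allowed when no filesystem rule is tied to the current domain, so the documentation should say that directly; otherwise a reader may assume a domain restricting only another rule type still blocks :manpage:`mount(2)` and :manpage:`pivot_root(2)`. Separately, as quoted here the last word of the removed sentence ("denied.") has wrapped onto its own line without the "-" prefix, and the "diff --git" line is wrapped as well, so the diff needs re-joining before it is squashed.
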
>>>
>>>
>>> On 16/01/2023 09:58, Konstantin Meskhidze wrote:
>>>> From: Mickaël Salaün <mic at digikod.net>
>>>>
>>>> Allow mount point and root directory changes when there is no filesystem
>>>> rule tied to the current Landlock domain.  This doesn't change anything
>>>> for now because a domain must have at least a (filesystem) rule, but
>>>> this will change when other rule types will come.  For instance, a
>>>> domain only restricting the network should have no impact on filesystem
>>>> restrictions.
>>>>
>>>> Add a new get_current_fs_domain() helper to quickly check filesystem
>>>> rule existence for all filesystem LSM hooks.
>>>>
>>>> Remove unnecessary inlining.
>>>>
>>>> Signed-off-by: Mickaël Salaün <mic at digikod.net>
>>>> ---
>>>>
>>>> Changes since v8:
>>>> * Refactors get_handled_fs_accesses().
>>>> * Adds landlock_get_raw_fs_access_mask() helper.
>>>>
>>> .
> .


