[PATCH 1/1] lsm: adds process attribute getter for Landlock

Günther Noack gnoack3000 at gmail.com
Fri Mar 3 16:39:13 UTC 2023


Hello Shervin!

On Thu, Mar 02, 2023 at 10:52:57AM -0800, enlightened at chromium.org wrote:
> +	if (landlocked(task))
> +		val = "landlocked:1";
> +	else
> +		val = "landlocked:0";

Landlock policies can be stacked on top of each other, similar to
seccomp-bpf.

If a parent process has already enforced a (potentially trivial)
Landlock policy, then you can't tell apart based on this boolean
whether any additional policies are stacked on top. So what does
Chromium do with that information, if the flag is true for all the
involved processes that it manages?

Does this meet the needs of your intended use case?  Should your API
expose more information about the stacked policies, so that it becomes
possible to tell it apart?

Thanks,
–Günther



More information about the Linux-security-module-archive mailing list