[PATCH 1/1] lsm: adds process attribute getter for Landlock
Günther Noack
gnoack3000 at gmail.com
Fri Mar 3 16:39:13 UTC 2023
Hello Shervin!
On Thu, Mar 02, 2023 at 10:52:57AM -0800, enlightened at chromium.org wrote:
> + if (landlocked(task))
> + val = "landlocked:1";
> + else
> + val = "landlocked:0";
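Review bot: the 0/1 string chosen here cannot represent the stacked-domain case raised below: a task that inherited a parent's Landlock domain and one that additionally enforced its own both read as "landlocked:1". If Chromium needs to distinguish its own layer from an inherited one, consider reporting the number of enforced layers instead of a boolean, or at least document that "landlocked:1" only means "at least one domain is enforced".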
Landlock policies can be stacked on top of each other, similar to
seccomp-bpf.
If a parent process has already enforced a (potentially trivial)
Landlock policy, then you can't tell apart based on this boolean
whether any additional policies are stacked on top. So what does
Chromium do with that information, if the flag is true for all the
involved processes that it manages?
Does this meet the needs of your intended use case? Should your API
expose more information about the stacked policies, so that it becomes
possible to tell them apart?
Thanks,
–Günther
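To illustrate the stacking Günther describes, here is an added C example (my own code, not part of the patch or the Chromium tree) that enforces several Landlock layers in a forked child and counts how many the kernel accepted. It assumes the unified syscall numbers 444/446 and the ABI v1 ruleset layout, defined inline so it builds on older headers; a 0/1 attribute like the one in the patch would report the same value after the first layer and after the third.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed: Landlock ABI v1 definitions, spelled out so old headers suffice. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_restrict_self 446
#endif
struct ll_ruleset_attr { uint64_t handled_access_fs; };
#define LL_ACCESS_FS_EXECUTE (1ULL << 0)

/* Enforce one Landlock layer on the calling thread. The ruleset handles
 * execute access but contains no rules, so it is a deny-only layer.
 * Returns 0 on success, -1 if Landlock is unavailable or the call fails. */
static int enforce_one_layer(void)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_ACCESS_FS_EXECUTE };
    int fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0)
        return -1;
    int rc = syscall(__NR_landlock_restrict_self, fd, 0);
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Stack up to n layers in a child so the parent stays unrestricted, and
 * report how many layers the kernel accepted via the child's exit status.
 * Returns n on a Landlock-enabled kernel, 0 where Landlock is unavailable,
 * -1 on fork/wait failure. (Hypothetical helper, not a kernel interface.) */
int count_stacked_layers(int n)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int done = 0;
        /* restrict_self requires no_new_privs (or CAP_SYS_ADMIN). */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
            while (done < n && enforce_one_layer() == 0)
                done++;
        _exit(done);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Every layer beyond the first succeeds exactly like the first, which is why a process with one inherited domain and a process with several stacked domains look identical to a boolean getter.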