[PATCH v3 3/5] samples/landlock: Add LANDLOCK_ADD_RULE_NO_INHERIT to landlock-sandboxer

[Justin Suess]

It totally does. I think that would be more way more clear and reduce LOC.

It'll be in the next version.

>
>>  	"* " ENV_TCP_BIND_NAME ": ports allowed to bind (server)\n"
>>  	"* " ENV_TCP_CONNECT_NAME ": ports allowed to connect (client)\n"
>>  	"* " ENV_SCOPED_NAME ": actions denied on the outside of the landlock domain\n"
>> @@ -596,17 +604,28 @@ int main(const int argc, char *const argv[], char *const *const envp)
>>  	}
>>  
>>  	if (populate_ruleset_fs(ENV_FS_RO_NAME, ruleset_fd, access_fs_ro,
>> -				false)) {
>> +			0, true)) {
>>  		goto err_close_ruleset;
>>  	}
>>  	if (populate_ruleset_fs(ENV_FS_RW_NAME, ruleset_fd, access_fs_rw,
>> +			0, true)) {
>> +		goto err_close_ruleset;
>> +	}
>> +	/* Optional no-inherit rules mirror the regular read-only/read-write sets. */
>> +	if (populate_ruleset_fs(ENV_FS_RO_NO_INHERIT_NAME, ruleset_fd,
>> +				access_fs_ro, LANDLOCK_ADD_RULE_NO_INHERIT,
>> +				false)) {
>> +		goto err_close_ruleset;
>> +	}
>> +	if (populate_ruleset_fs(ENV_FS_RW_NO_INHERIT_NAME, ruleset_fd,
>> +				access_fs_rw, LANDLOCK_ADD_RULE_NO_INHERIT,
>
> These need to be under an ABI version check like the quiet one - this
> sandboxer is designed to "downgrade" what it tries to do gracefully if
> running on older kernel.
>
> However, there is an argument that maybe if deny rules aren't supported in
> the current running kernel, it should just refuse to run the program at
> all, otherwise by running the sandboxed program without the deny rules it
> might expose the user to risks they might mitigate via some other means.
> But in that case we should still have a better error message when running
> on an older kernel than "Failed to update the ruleset with ...: Invalid
> argument"

Gotcha. I'll put it under the ABI check. 

I think it'd be better to let the user decide if they wanna continue
with the policy if it's using an unsupported feature.

Kind Regards,

Justin Suess