[RFC PATCH 5/5] landlock: Improve the comment for domain_is_scoped

Tingmao Wang m at maowtm.org
Sun Dec 28 01:27:35 UTC 2025


Currently it is not obvious what "scoped" means, and the fact that the
function returns true when access should be denied is slightly surprising
and in need of documentation.

Cc: Tahera Fahimi <fahimitahera at gmail.com>
Signed-off-by: Tingmao Wang <m at maowtm.org>
---

Open to discussion on whether this actually explains it better.

 security/landlock/task.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/security/landlock/task.c b/security/landlock/task.c
index bf4ed15a7f01..6dfcc1860d6e 100644
--- a/security/landlock/task.c
+++ b/security/landlock/task.c
@@ -166,15 +166,16 @@ static int hook_ptrace_traceme(struct task_struct *const parent)
 }
 
 /**
- * domain_is_scoped - Checks if the client domain is scoped in the same
- *		      domain as the server.
+ * domain_is_scoped - Check if an interaction from a client/sender to a
+ *    server/receiver should be restricted based on scope controls.
  *
  * @client: IPC sender domain.
  * @server: IPC receiver domain.
  * @scope: The scope restriction criteria.
  *
- * Returns: True if the @client domain is scoped to access the @server,
- * unless the @server is also scoped in the same domain as @client.
+ * Returns: True if the @server is in a different domain from @client, and
+ *    the @client domain is scoped to access the @server (i.e. access
+ *    should be denied).
  */
 static bool domain_is_scoped(const struct landlock_ruleset *const client,
 			     const struct landlock_ruleset *const server,
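
Review bot: In the new "Returns:" text, the phrase "the @client domain is scoped to access the @server" still leans on the word "scoped", which the commit message names as the unclear term, and it can be read as the client being permitted access rather than restricted. Consider leading with the outcome ("True if access should be denied, ...") and expressing the condition in terms of the @scope parameter, which is documented above but never referenced in the "Returns:" paragraph. The new continuation lines are also aligned differently from the removed ones; worth matching the alignment used by the other kernel-doc comments in this file.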
-- 
2.52.0
