[RFC PATCH 5/5] landlock: Improve the comment for domain_is_scoped
Mickaël Salaün
mic at digikod.net
Sun Dec 28 18:16:55 UTC 2025
On Sun, Dec 28, 2025 at 01:27:35AM +0000, Tingmao Wang wrote:
> Currently it is not obvious what "scoped" mean, and the fact that the
> function returns true when access should be denied is slightly surprising
> and in need of documentation.
>
> Cc: Tahera Fahimi <fahimitahera at gmail.com>
> Signed-off-by: Tingmao Wang <m at maowtm.org>
> ---
>
> Open to discussion on whether this actually explains it better.
>
> security/landlock/task.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/security/landlock/task.c b/security/landlock/task.c
> index bf4ed15a7f01..6dfcc1860d6e 100644
> --- a/security/landlock/task.c
> +++ b/security/landlock/task.c
> @@ -166,15 +166,16 @@ static int hook_ptrace_traceme(struct task_struct *const parent)
> }
>
> /**
> - * domain_is_scoped - Checks if the client domain is scoped in the same
> - * domain as the server.
> + * domain_is_scoped - Check if an interaction from a client/sender to a
> + * server/receiver should be restricted based on scope controls.
> *
> * @client: IPC sender domain.
> * @server: IPC receiver domain.
> * @scope: The scope restriction criteria.
> *
> - * Returns: True if the @client domain is scoped to access the @server,
> - * unless the @server is also scoped in the same domain as @client.
> + * Returns: True if the @server is in a different domain from @client, and
> + * the @client domain is scoped to access the @server (i.e. access
> + * should be denied).
I removed the "the" and the heading spaces:
*
- * Returns: True if the @client domain is scoped to access the @server,
- * unless the @server is also scoped in the same domain as @client.
+ * Returns: True if @server is in a different domain from @client, and @client
+ * is scoped to access @server (i.e. access should be denied).
*/
> */
> static bool domain_is_scoped(const struct landlock_ruleset *const client,
> const struct landlock_ruleset *const server,
> --
> 2.52.0
>
More information about the Linux-security-module-archive
mailing list