[RFC PATCH v2 01/12] landlock: Set the max rules limit in a domain to U16_MAX.
Tingmao Wang
m at maowtm.org
Sun Jul 6 15:16:42 UTC 2025
On Mon, 2 Jun 2025 at 21:50:05 +0200, Mickaël Salaün wrote [1]:
> Correct. We can either use u64 or reduce the maximum number of rules.
> I think LANDLOCK_MAX_NUM_RULES set to U16_MAX would be much more than
> the worst practical case. Even if one buggy policy tries to add one
> rule per network port, that will be OK. We could even reasonably test
> this limit. We'll need to backport this change but I'm OK with that.
The way this series will be implemented, we don't actually _need_ to
decrease this limit, as we can store a u64 instead of u32 as the layer
index and this will not change the size of landlock_domain_index on 64-bit
systems. But given agreement with Mickaël, I will reduce it anyway here.
Note that a limit of 2^24 still leaves us with more than enough room even
for u32 indices, but for future-proofing, setting this to U16_MAX here.
Link: https://lore.kernel.org/all/20250602.uBai6ge5maiw@digikod.net/ [1]
Signed-off-by: Tingmao Wang <m at maowtm.org>
---
security/landlock/limits.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/landlock/limits.h b/security/landlock/limits.h
index 65b5ff051674..8e7a8816cce2 100644
--- a/security/landlock/limits.h
+++ b/security/landlock/limits.h
@@ -17,7 +17,7 @@
/* clang-format off */
#define LANDLOCK_MAX_NUM_LAYERS 16
-#define LANDLOCK_MAX_NUM_RULES U32_MAX
+#define LANDLOCK_MAX_NUM_RULES U16_MAX
#define LANDLOCK_LAST_ACCESS_FS LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_MASK_ACCESS_FS ((LANDLOCK_LAST_ACCESS_FS << 1) - 1)
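Review bot: The changed LANDLOCK_MAX_NUM_RULES define lowers a limit from U32_MAX to U16_MAX with no comment at the define explaining why U16_MAX was chosen, and the commit message gives "future-proofing" as the only reason while also stating that the series does not need the reduction. The quoted reply says the change will need backporting and that the limit could reasonably be tested, but the patch carries no stable tag and the diffstat touches only limits.h. Suggest a short comment above the define tying the value to the index width it is meant to protect, a test that exercises the new limit, and a stable tag if the backport is still intended.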
--
2.49.0