Reviewed-by: Günther Noack <gnoack3000@xxxxxxxxx> On Fri, Sep 23, 2022 at 05:42:06PM +0200, Mickaël Salaün wrote: > Now that we have more than one ABI version, make limitation explanation > more consistent by replacing "ABI 1" with "ABI < 2". This also > indicates which ABIs support such past limitation. > > Improve documentation consistency by not using contractions. > > Fix spelling in fs.c . > > Cc: Günther Noack <gnoack3000@xxxxxxxxx> > Cc: Paul Moore <paul@xxxxxxxxxxxxxx> > Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx> > Link: https://lore.kernel.org/r/20220923154207.3311629-3-mic@xxxxxxxxxxx > --- > Documentation/security/landlock.rst | 4 ++-- > Documentation/userspace-api/landlock.rst | 10 +++++----- > security/landlock/fs.c | 2 +- > 3 files changed, 8 insertions(+), 8 deletions(-) > > diff --git a/Documentation/security/landlock.rst b/Documentation/security/landlock.rst > index 5c77730b4479..cc9617f3175b 100644 > --- a/Documentation/security/landlock.rst > +++ b/Documentation/security/landlock.rst > @@ -7,7 +7,7 @@ Landlock LSM: kernel documentation > ================================== > > :Author: Mickaël Salaün > -:Date: May 2022 > +:Date: September 2022 > > Landlock's goal is to create scoped access-control (i.e. sandboxing). To > harden a whole system, this feature should be available to any process, > @@ -49,7 +49,7 @@ Filesystem access rights > ------------------------ > > All access rights are tied to an inode and what can be accessed through it. > -Reading the content of a directory doesn't imply to be allowed to read the > +Reading the content of a directory does not imply to be allowed to read the > content of a listed inode. Indeed, a file name is local to its parent > directory, and an inode can be referenced by multiple file names thanks to > (hard) links. Being able to unlink a file only has a direct impact on the > diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst > index b8ea59493964..83bae71bf042 100644 > --- a/Documentation/userspace-api/landlock.rst > +++ b/Documentation/userspace-api/landlock.rst > @@ -8,7 +8,7 @@ Landlock: unprivileged access control > ===================================== > > :Author: Mickaël Salaün > -:Date: May 2022 > +:Date: September 2022 > > The goal of Landlock is to enable to restrict ambient rights (e.g. global > filesystem access) for a set of processes. Because Landlock is a stackable > @@ -170,7 +170,7 @@ It is recommended setting access rights to file hierarchy leaves as much as > possible. For instance, it is better to be able to have ``~/doc/`` as a > read-only hierarchy and ``~/tmp/`` as a read-write hierarchy, compared to > ``~/`` as a read-only hierarchy and ``~/tmp/`` as a read-write hierarchy. > -Following this good practice leads to self-sufficient hierarchies that don't > +Following this good practice leads to self-sufficient hierarchies that do not > depend on their location (i.e. parent directories). This is particularly > relevant when we want to allow linking or renaming. Indeed, having consistent > access rights per directory enables to change the location of such directory > @@ -380,8 +380,8 @@ by the Documentation/admin-guide/cgroup-v1/memory.rst. > Previous limitations > ==================== > > -File renaming and linking (ABI 1) > ---------------------------------- > +File renaming and linking (ABI < 2) > +----------------------------------- > > Because Landlock targets unprivileged access controls, it needs to properly > handle composition of rules. Such property also implies rules nesting. > @@ -410,7 +410,7 @@ contains `CONFIG_LSM=landlock,[...]` with `[...]` as the list of other > potentially useful security modules for the running system (see the > `CONFIG_LSM` help). > > -If the running kernel doesn't have `landlock` in `CONFIG_LSM`, then we can > +If the running kernel does not have `landlock` in `CONFIG_LSM`, then we can > still enable it by adding ``lsm=landlock,[...]`` to > Documentation/admin-guide/kernel-parameters.rst thanks to the bootloader > configuration. > diff --git a/security/landlock/fs.c b/security/landlock/fs.c > index a9dbd99d9ee7..64ed7665455f 100644 > --- a/security/landlock/fs.c > +++ b/security/landlock/fs.c > @@ -712,7 +712,7 @@ static inline access_mask_t maybe_remove(const struct dentry *const dentry) > * allowed accesses in @layer_masks_dom. > * > * This is similar to check_access_path_dual() but much simpler because it only > - * handles walking on the same mount point and only check one set of accesses. > + * handles walking on the same mount point and only checks one set of accesses. > * > * Returns: > * - true if all the domain access rights are allowed for @dir; > -- > 2.37.2 > --
