On Mon, Feb 21, 2022 at 4:15 PM Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
>
> From: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>
>
> The maximum number of nested Landlock domains is currently 64. Because
> of the following fix and to help reduce the stack size, let's reduce it
> to 16. This seems large enough for a lot of use cases (e.g. sandboxed
> init service, spawning a sandboxed SSH service, in nested sandboxed
> containers). Reducing the number of nested domains may also help to
> discover misuse of Landlock (e.g. creating a domain per rule).
>
> Add and use a dedicated layer_mask_t typedef to fit with the number of
> layers. This might be useful when changing it and to keep it consistent
> with the maximum number of layers.
>
> Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/20220221212522.320243-3-mic@xxxxxxxxxxx
> ---
>  security/landlock/fs.c                     | 13 +++++--------
>  security/landlock/limits.h                 |  2 +-
>  security/landlock/ruleset.h                |  4 ++++
>  tools/testing/selftests/landlock/fs_test.c |  2 +-
>  4 files changed, 11 insertions(+), 10 deletions(-)

I'm assuming that the drop in Landlock nesting down to 16 isn't going
to cause any userspace breakage :)

Reviewed-by: Paul Moore <paul@xxxxxxxxxxxxxx>

--
paul-moore.com
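
Added example, not part of this thread or of the kernel patch: a simplified user-space C model of why a dedicated layer_mask_t is tied to the layer limit, with one bit per nested domain and access granted only when every stacked domain allows it. The uint16_t width, struct rule, full_mask() and access_allowed() are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_NUM_LAYERS 16 /* nesting limit stated in the commit message */

/* Assumption: the smallest unsigned type with one bit per layer. */
typedef uint16_t layer_mask_t;

/* The build fails if the limit is raised without widening the mask type. */
_Static_assert(sizeof(layer_mask_t) * CHAR_BIT >= MAX_NUM_LAYERS,
               "layer_mask_t too narrow for MAX_NUM_LAYERS");

/* Hypothetical rule: the 1-based nesting levels that allow an access. */
struct rule {
    const unsigned char *levels;
    size_t num_levels;
};

/* Mask with one bit set for each of the num_layers stacked domains. */
static layer_mask_t full_mask(unsigned num_layers)
{
    /* Widen before shifting so num_layers == 16 does not overflow. */
    return (layer_mask_t)((UINT32_C(1) << num_layers) - 1);
}

/* Access is granted only if every stacked domain allows it. */
static bool access_allowed(const struct rule *rule, unsigned num_layers)
{
    layer_mask_t granted = 0;

    if (num_layers == 0 || num_layers > MAX_NUM_LAYERS)
        return false; /* outside the range this model covers */
    for (size_t i = 0; i < rule->num_levels; i++) {
        unsigned level = rule->levels[i];
        if (level >= 1 && level <= num_layers)
            granted |= (layer_mask_t)(1u << (level - 1));
    }
    return granted == full_mask(num_layers);
}

int main(void)
{
    static const unsigned char levels[] = { 1, 3 }; /* constructed sample */
    const struct rule r = { levels, 2 };
    /* Layer 2 has no matching rule, so a 3-layer stack denies access. */
    return access_allowed(&r, 3) ? 1 : 0;
}
```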