On Mon, Feb 21, 2022 at 4:15 PM Mickaël Salaün <mic@xxxxxxxxxxx> wrote: > > From: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx> > > Add LANDLOCK_ACCESS_FS_REFER in the example and properly check to only > use it if the current kernel supports it thanks to the Landlock ABI > version. > > Move the file renaming and linking limitation to a new "Previous > limitations" section. > > Improve documentation about the backward and forward compatibility, > including the rationale for ruleset's handled_access_fs. > > Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx> > Link: https://lore.kernel.org/r/20220221212522.320243-10-mic@xxxxxxxxxxx > --- > Documentation/userspace-api/landlock.rst | 124 +++++++++++++++++++---- > 1 file changed, 104 insertions(+), 20 deletions(-) Thanks for remembering to update the docs :) I made a few phrasing suggestions below, but otherwise it looks good to me. Reviewed-by: Paul Moore <paul@xxxxxxxxxxxxxx> > diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst > index f35552ff19ba..97db09d36a5c 100644 > --- a/Documentation/userspace-api/landlock.rst > +++ b/Documentation/userspace-api/landlock.rst 
> @@ -281,6 +347,24 @@ Memory usage > Kernel memory allocated to create rulesets is accounted and can be restricted > by the Documentation/admin-guide/cgroup-v1/memory.rst. > > +Previous limitations > +==================== > + > +File renaming and linking (ABI 1) > +--------------------------------- > + > +Because Landlock targets unprivileged access controls, it is needed to properly ^^^^^ "... controls, it needs to ..." > +handle composition of rules. Such property also implies rules nesting. > +Properly handling multiple layers of ruleset, each one of them able to restrict ^^^^^^^ "rulesets," > +access to files, also implies to inherit the ruleset restrictions from a parent ^^^^^^^^^^ "... implies inheritance of the ..." > +to its hierarchy. Because files are identified and restricted by their > +hierarchy, moving or linking a file from one directory to another implies to > +propagate the hierarchy constraints. "... one directory to another implies propagation of the hierarchy constraints." > + To protect against privilege escalations > +through renaming or linking, and for the sake of simplicity, Landlock previously > +limited linking and renaming to the same directory. Starting with the Landlock > +ABI version 2, it is now possible to securely control renaming and linking > +thanks to the new `LANDLOCK_ACCESS_FS_REFER` access right. -- paul-moore.com
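Review bot: the closing paragraph of the "File renaming and linking (ABI 1)" section tells readers that `LANDLOCK_ACCESS_FS_REFER` exists "starting with the Landlock ABI version 2" but gives no pointer to how a program should detect that, which matters for the security outcome: the commit message says the example now only requests the right when the ABI version check passes, and a reader of this section alone may assume the right is accepted on older kernels and get an error from ruleset creation instead of the fallback the example implements. Suggest ending the paragraph with a cross-reference to the compatibility section and the ABI version query, along the lines of "See the compatibility section above for how to query the ABI version and fall back when this right is unavailable." Separately, "Such property also implies rules nesting." reads awkwardly next to the phrasing fixes already suggested; "This property also implies nesting of rules." would match them.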