Sorry for the late reply. > > (Looking in the direction of Jeff Xu, who has inquired about Landlock > for Chromium in the past -- do you happen to know in which ways you'd > want to restrict ioctls, if you have that need? :)) > Regarding this patch, here is some feedback from ChromeOS: - In the short term: we are looking to integrate Landlock into our sandboxer, so the ability to restrict to a specific device is huge. - Fundamentally though, in the effort of bringing process expected behaviour closest to allowed behaviour, the ability to speak of ioctl() path access in Landlock would be huge -- at least we can continue to enumerate in policy what processes are allowed to do, even if we still lack the ability to restrict individual ioctl commands for a specific device node. Regarding medium term: My thoughts are, from software architecture point of view, it would be nice to think in planes: i.e. Data plane / Control plane/ Signaling Plane/Normal User Plane/Privileged User Plane. Let the application define its planes, and assign operations to them. Landlock provides data structure and syscall to construct the planes. However, one thing I'm not sure is the third arg from ioctl: int ioctl(int fd, unsigned long request, ...); Is it possible for the driver to use the same request id, then put whatever into the third arg ? how to deal with that effectively ? For real world user cases, Dmitry Torokhov (added to list) can help. PS: There is also lwn article about SELinux implementation of ioctl: [1] [1] https://lwn.net/Articles/428140/ Thanks! -Jeff Xu
