On 8/22/2022 12:17 PM, Günther Noack wrote:
> Hi!
>
> Very exciting to see! Thank you for sending this! :)
>
> I'm just throwing in some comments based on the very similar truncate
> patch set, in the hope that it helps. (But obviously, Mickaël Salaün
> has the last word on this code.)
>
> Slightly higher-level question: Should we start to group the
> functionality of multiple LSM hooks under one Landlock flag? (Will it
> be harder to change the LSM hook interface in the future if we
> continue to add one flag per hook? Or is this structure already
> exposed to userspace by other LSMs?)

I'm not a landlock expert. The question is nonsensical, yet somewhat
frightening nonetheless. Could you put just a touch more context into
what you're asking for?

> For example, some of the "missing" operations listed on the Landlock
> documentation could also be grouped roughly as:
>
> Modifying files:
> - truncate
>
> Modifying file metadata:
> - chmod
> - chown
> - setxattr
> - utime
>
> Observing files (check presence and file metadata):
> - access
> - stat
> - readlink, following links (can observe symlink presence)
> - chdir (can observe dir presence and 'x' attribute)
>
> Ungrouped:
> - flock
> - ioctl
> - fcntl
>
> Do you have opinions on this?
>
> —Günther
>
> On Mon, Aug 22, 2022 at 07:46:56PM +0800, Xiu Jianfeng wrote:
>> hi,
>> this patchset adds chmod and chown support for landlock
>>
>> Xiu Jianfeng (5):
>>   landlock: expand access_mask_t to u32 type
>>   landlock: add chmod and chown support
>>   landlock/selftests: add selftests for chmod and chown
>>   landlock/samples: add chmod and chown support
>>   landlock: update chmod and chown support in document
>>
>>  Documentation/userspace-api/landlock.rst     |   8 +-
>>  include/uapi/linux/landlock.h                |   8 +-
>>  samples/landlock/sandboxer.c                 |  12 +-
>>  security/landlock/fs.c                       |  16 +-
>>  security/landlock/limits.h                   |   2 +-
>>  security/landlock/ruleset.h                  |   2 +-
>>  security/landlock/syscalls.c                 |   2 +-
>>  tools/testing/selftests/landlock/base_test.c |   2 +-
>>  tools/testing/selftests/landlock/fs_test.c   | 234 ++++++++++++++++++-
>>  9 files changed, 274 insertions(+), 12 deletions(-)
>>
>> --
>> 2.17.1
>>
> --