Re: [PATCH] landlock_restrict_self.2: Fix max number of nested sandboxes


 



On Thu, Mar 14, 2024 at 05:11:00PM +0100, Alejandro Colomar wrote:
> Hi Günther, Mickaël,
> 
> On Thu, Mar 14, 2024 at 05:08:02PM +0100, Alejandro Colomar wrote:
> > > >  .TP
> > > >  .B E2BIG
> > > >  The maximum number of composed rulesets is reached for the calling thread.
> > > > -This limit is currently 64.
> > > > +This limit is currently 16.
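Review bot: The new line "This limit is currently 16." in the E2BIG entry still hard-codes the value without saying which kernels it applies to, so a reader cannot tell from the page whether 64 was ever correct or was a documentation error. Suggest stating that in the commit message or a HISTORY note, and wording the entry so that callers do not rely on the number, since the count is per calling thread and rulesets that are already composed use up part of it.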
> 
> BTW, do you think this limit change is something relevant for HISTORY?
> Or should we maybe not document the limit?  Or maybe should the kernel
> provide a macro to name that limit (and thus let a user grep it in their
> headers to learn their specific value)?  Or maybe a combination?

I doubt that anyone has run into that limit in real life yet (but I'd be happy
to learn about it if they did).

I think the most important reason why this limit is mentionworthy is because
landlock_restrict_self() can fail when a process is trying to stack the N+1th
Landlock policy on top.  For programs that don't know all of their parent
processes in detail, they anyway can't make assumptions about how many policies
can still be stacked.  So whether the limit is 64 or 16, it does not make much
of a difference for the code that people have to write.

—Günther
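Handling the failure described in the reply above, as an added example that is not part of the original message or of the man-pages patch: a C helper that stacks one more ruleset and reports E2BIG from landlock_restrict_self() separately from "Landlock unavailable" and from other errors. The names `add_landlock_layer`, `classify_restrict_self_errno` and `layer_result` are made up for this illustration, and the fallback definitions are an assumption for build hosts with older kernel headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#else /* older kernel headers: minimal copy of the UAPI bits used here */
struct landlock_ruleset_attr { unsigned long long handled_access_fs; };
#define LANDLOCK_ACCESS_FS_EXECUTE (1ULL << 0)
#endif
#ifndef SYS_landlock_create_ruleset /* x86-64 and asm-generic numbers */
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_restrict_self 446
#endif

enum layer_result { LAYER_APPLIED = 0, LAYER_DEPTH_EXHAUSTED, LAYER_UNSUPPORTED, LAYER_ERROR };

/* Map errno from landlock_restrict_self() to the decision the caller faces. */
static enum layer_result classify_restrict_self_errno(int err)
{
    switch (err) {
    case 0:          return LAYER_APPLIED;
    case E2BIG:      return LAYER_DEPTH_EXHAUSTED; /* stack full: new ruleset NOT in force */
    case ENOSYS:                                   /* kernel lacks the Landlock syscalls */
    case EOPNOTSUPP: return LAYER_UNSUPPORTED;     /* Landlock present but disabled at boot */
    default:         return LAYER_ERROR;           /* EPERM, EBADF, EINVAL, ... */
    }
}

/* Stack one more ruleset on the calling thread; inherited layers count too. */
static enum layer_result add_landlock_layer(unsigned long long handled_access_fs)
{
    struct landlock_ruleset_attr attr = { .handled_access_fs = handled_access_fs };
    int err = 0;
    int fd = (int)syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);

    if (fd < 0) /* E2BIG here would mean a bad attr size, not stack depth */
        return (errno == ENOSYS || errno == EOPNOTSUPP) ? LAYER_UNSUPPORTED : LAYER_ERROR;
    /* Unprivileged callers must set no_new_privs before restricting themselves. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(SYS_landlock_restrict_self, fd, 0))
        err = errno;
    close(fd);
    return classify_restrict_self_errno(err);
}

/* Demo: a rule-less ruleset handling EXECUTE; exit status is the layer_result. */
int main(void) { return add_landlock_layer(LANDLOCK_ACCESS_FS_EXECUTE); }
```

A caller that treats its own ruleset as mandatory should fail closed on `LAYER_DEPTH_EXHAUSTED`, because the process keeps running under the inherited layers only.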




