On Thu, Mar 14, 2024 at 05:49:07PM +0100, Günther Noack wrote:
> On Thu, Mar 14, 2024 at 05:11:00PM +0100, Alejandro Colomar wrote:
> > Hi Günther, Mickaël,
> >
> > On Thu, Mar 14, 2024 at 05:08:02PM +0100, Alejandro Colomar wrote:
> > > > > .TP
> > > > > .B E2BIG
> > > > > The maximum number of composed rulesets is reached for the calling thread.
> > > > > -This limit is currently 64.
> > > > > +This limit is currently 16.
> >
> > BTW, do you think this limit change is something relevant for HISTORY?
> > Or should we maybe not document the limit? Or maybe should the kernel
> > provide a macro to name that limit (and thus let a user grep it in their
> > headers to learn their specific value)? Or maybe a combination?
>
> I doubt that anyone has run into that limit in real life yet (but I'd be happy
> to learn about it if they did).
>
> I think the most important reason why this limit is mentionworthy is because
> landlock_restrict_self() can fail when a process is trying to stack the N+1th
> Landlock policy on top. For programs that don't know all of their parent
> processes in detail, they anyway can't make assumptions about how many policies
> can still be stacked. So whether the limit is 64 or 16, it does not make much
> of a difference for the code that people have to write.

Hmmm, thanks!

Cheers,
Alex

> —Günther

--
<https://www.alejandro-colomar.es/>
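Review bot: The "+This limit is currently 16." line in the E2BIG entry swaps one hard-coded number for another without telling a reader that the value was previously 64, so someone comparing the page against an older system gets no hint that the two can disagree. Consider recording the change under HISTORY, and wording the E2BIG text so that it says the limit may differ between kernel versions and that a caller of landlock_restrict_self() has to handle E2BIG rather than count on a fixed number of remaining layers, since rulesets already stacked by parent processes count against it.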
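An added example, not code from this thread or from the Landlock project: a probe that measures in a forked child how many more rulesets can still be stacked before landlock_restrict_self() fails, which is the situation the quoted reply says programs cannot predict. The names `probe_stack_depth` and `struct probe`, the hard-coded syscall numbers and the minimal attribute struct are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: an architecture using the common syscall table (x86_64, arm64). */
#define NR_CREATE_RULESET 444   /* landlock_create_ruleset */
#define NR_RESTRICT_SELF  446   /* landlock_restrict_self */
/* First field of struct landlock_ruleset_attr (Landlock ABI v1). */
struct ruleset_attr { unsigned long long handled_access_fs; };
struct probe { int stacked; int err; };   /* hypothetical result type */

/* Stack rulesets in a child until the call fails; the parent stays unrestricted. */
static struct probe probe_stack_depth(void)
{
    struct probe r = { 0, ECHILD };       /* reported if the child sends nothing */
    int fds[2];
    if (pipe(fds) != 0) { r.err = errno; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.err = errno; close(fds[0]); close(fds[1]); return r; }
    if (pid == 0) {
        struct probe c = { 0, 0 };
        struct ruleset_attr attr = { 1ULL << 0 };  /* LANDLOCK_ACCESS_FS_EXECUTE */
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);    /* required when unprivileged */
        while (c.err == 0 && c.stacked < 128) {    /* 128 is only a safety bound */
            long fd = syscall(NR_CREATE_RULESET, &attr, sizeof(attr), 0);
            if (fd < 0 || syscall(NR_RESTRICT_SELF, (int)fd, 0) != 0)
                c.err = errno;            /* E2BIG: no layer left to stack on */
            else
                c.stacked++;
            if (fd >= 0) close((int)fd);
        }
        _exit(write(fds[1], &c, sizeof(c)) == (ssize_t)sizeof(c) ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &r, sizeof(r)) != (ssize_t)sizeof(r)) r = (struct probe){ 0, ECHILD };
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void)
{
    struct probe p = probe_stack_depth();
    printf("stacked %d more ruleset(s), then: %s\n", p.stacked, strerror(p.err));
}
```

The count is how many layers were still free for this process, not the kernel's limit itself, because layers inherited from parent processes are already used up; on a kernel without Landlock the count is 0 and the error is ENOSYS or EOPNOTSUPP.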