On 12/04/2022 16:05, Konstantin Meskhidze wrote:
4/12/2022 4:48 PM, Mickaël Salaün пишет:
On 12/04/2022 13:21, Mickaël Salaün wrote:
On 09/03/2022 14:44, Konstantin Meskhidze wrote:
[...]
@@ -184,7 +185,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
/* Checks content (and 32-bits cast). */
if ((ruleset_attr.handled_access_fs | LANDLOCK_MASK_ACCESS_FS) !=
- LANDLOCK_MASK_ACCESS_FS)
+ LANDLOCK_MASK_ACCESS_FS)
Don't add cosmetic changes. FYI, I'm relying on the way Vim does line
cuts, which is mostly tabs. Please try to do the same.
Well, let's make it simple and avoid tacit rules. I'll update most of
the existing Landlock code and tests to be formatted with clang-format
(-i *.[ch]), and I'll update the landlock-wip branch so that you can
base your next patch series on it. There should be some exceptions
that need customization but we'll see that in the next series. Anyway,
don't worry too much, just make sure you don't have style-only changes
in your patches.
I have already rebased my next patch series on your landlock-wip
branch. So I will wait for your changes meanwhile refactoring my v5
patch series according your comments.
Good.
Also I want to discuss adding demo in sandboxer.c to show how landlock
supports network sandboxing:
- Add additional args like "LL_NET_BIND=port1:...:portN"
- Add additional args like "LL_NET_CONNECT=port1:...:portN"
- execv 2 bash procceses:
1. first bash listens in loop - $ nc -l -k -p <port1> -v
2. second bash to connects the first one - $ nc <ip> <port>
What do you think? its possible to present this demo in the next v5
patch series.
This looks good! I think LL_TCP_BIND and LL_TCP_CONNECT would fit better
though.
I'm not sure if I already said that, but please remove the "RFC " part
for the next series.
