On Thu, Oct 17, 2024 at 07:04:53PM +0800, Mikhail Ivanov wrote: > Add recommendation to specify Landlock first in CONFIG_LSM list, so user > can have better LSM errors consistency provided by Landlock. > > Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@xxxxxxxxxxxxxxxxxxx> > --- > Documentation/userspace-api/landlock.rst | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst > index bb7480a05e2c..0db5eee9bffa 100644 > --- a/Documentation/userspace-api/landlock.rst > +++ b/Documentation/userspace-api/landlock.rst > @@ -610,7 +610,8 @@ time as the other security modules. The list of security modules enabled by > default is set with ``CONFIG_LSM``. The kernel configuration should then > contains ``CONFIG_LSM=landlock,[...]`` with ``[...]`` as the list of other > potentially useful security modules for the running system (see the > -``CONFIG_LSM`` help). > +``CONFIG_LSM`` help). It is recommended to specify Landlock first of all other > +modules in CONFIG_LSM list since it provides better errors consistency. This is partially correct because Landlock may not block anything whereas another LSM could deny a network action, with potentially a wrong error code. I don't think this patch is worth it, especially because other LSMs have bugs that should be fixed. > > Boot time configuration > ----------------------- > -- > 2.34.1 > >
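Review bot: The sentence added in the two `+` lines justifies the ordering only with "better errors consistency", which does not tell the reader which error codes are meant or what they would be consistent with. State the concrete behaviour that changes when Landlock is listed first, or drop the rationale. In the same lines, the second CONFIG_LSM is left bare while the other mentions in this paragraph use the ``CONFIG_LSM`` literal markup, and "first of all other modules in CONFIG_LSM list" would read more clearly as "before all other modules in the ``CONFIG_LSM`` list".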