Hello!
I think this is a good idea.
Some minor implementation remarks below.
On Mon, Feb 19, 2024 at 08:18:04PM +0100, Mickaël Salaün wrote:
> Because sandboxing can be used as an opportunistic security measure,
> user space may not log unsupported features. Let the system
> administrator know if an application tries to use Landlock but failed
> because it isn't enabled at boot time. This may be caused by bootloader
> configurations with outdated "lsm" kernel's command-line parameter.
>
> Cc: Günther Noack <gnoack@xxxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 265885daf3e5 ("landlock: Add syscall implementations")
> Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
> ---
> security/landlock/syscalls.c | 18 +++++++++++++++---
> 1 file changed, 15 insertions(+), 3 deletions(-)
>
> diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> index f0bc50003b46..b5b424819dee 100644
> --- a/security/landlock/syscalls.c
> +++ b/security/landlock/syscalls.c
> @@ -33,6 +33,18 @@
> #include "ruleset.h"
> #include "setup.h"
>
> +static bool is_not_initialized(void)
> +{
> + if (likely(landlock_initialized))
> + return false;
Optional stylistic remark; I try to avoid predicate functions which
have a "negated" meaning, because double negations are slightly more
error prone. (We return false here, so Landlock is not not
initialized.)
> +
> + pr_warn_once(
> + "Disabled but requested by user space. "
> + "You should enable Landlock at boot time: "
> + "https://docs.kernel.org/userspace-api/landlock.html#kernel-support\n";);
> + return true;
> +}
> +
> /**
> * copy_min_struct_from_user - Safe future-proof argument copying
> *
> @@ -173,7 +185,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
> /* Build-time checks. */
> build_check_abi();
>
> - if (!landlock_initialized)
> + if (is_not_initialized())
> return -EOPNOTSUPP;
Technically, any Landlock user needs to go through the
landlock_create_ruleset() system call anyway; it might be enough to
just add it in that place and leave the other system calls as they
were. Then you could also omit the special function.
Reviewed-by: Günther Noack <gnoack3000@xxxxxxxxx>
–Günther
