On Wed, Feb 21, 2024 at 10:35:50PM +0100, Günther Noack wrote:
> Hello!
>
> I think this is a good idea.
> Some minor implementation remarks below.
>
> On Mon, Feb 19, 2024 at 08:18:04PM +0100, Mickaël Salaün wrote:
> > Because sandboxing can be used as an opportunistic security measure,
> > user space may not log unsupported features. Let the system
> > administrator know if an application tries to use Landlock but failed
> > because it isn't enabled at boot time. This may be caused by bootloader
> > configurations with outdated "lsm" kernel's command-line parameter.
> >
> > Cc: Günther Noack <gnoack@xxxxxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx
> > Fixes: 265885daf3e5 ("landlock: Add syscall implementations")
> > Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx>
> > ---
> > security/landlock/syscalls.c | 18 +++++++++++++++---
> > 1 file changed, 15 insertions(+), 3 deletions(-)
> >
> > diff --git a/security/landlock/syscalls.c b/security/landlock/syscalls.c
> > index f0bc50003b46..b5b424819dee 100644
> > --- a/security/landlock/syscalls.c
> > +++ b/security/landlock/syscalls.c
> > @@ -33,6 +33,18 @@
> > #include "ruleset.h"
> > #include "setup.h"
> >
> > +static bool is_not_initialized(void)
> > +{
> > + if (likely(landlock_initialized))
> > + return false;
>
> Optional stylistic remark; I try to avoid predicate functions which
> have a "negated" meaning, because double negations are slightly more
> error prone. (We return false here, so Landlock is not not
> initialized.)
I agree, I was also bothered about this double negation. I'll send a v2
with the same behavior but an is_initialized() helper instead.
>
> > +
> > + pr_warn_once(
> > + "Disabled but requested by user space. "
> > + "You should enable Landlock at boot time: "
> > + "https://docs.kernel.org/userspace-api/landlock.html#kernel-support\n";);
> > + return true;
> > +}
> > +
> > /**
> > * copy_min_struct_from_user - Safe future-proof argument copying
> > *
> > @@ -173,7 +185,7 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
> > /* Build-time checks. */
> > build_check_abi();
> >
> > - if (!landlock_initialized)
> > + if (is_not_initialized())
> > return -EOPNOTSUPP;
>
> Technically, any Landlock user needs to go through the
> landlock_create_ruleset() system call anyway; it might be enough to
> just add it in that place and leave the other system calls as they
> were. Then you could also omit the special function.
True, but we never know. I prefer to cover all entry points the same
way. It makes things more consistent and easier to review.
>
> Reviewed-by: Günther Noack <gnoack3000@xxxxxxxxx>
>
> –Günther
>
