Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

landlock: Add design choices documentation for filesystem access rights

Summarize the rationale of filesystem access rights according to the
file type.

Update the document date.

Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-13-mic@digikod.net

+16 -1
Documentation/security/landlock.rst
··· 7 7 ================================== 8 8 9 9 :Author: Mickaël Salaün 10 - :Date: March 2021 10 + :Date: May 2022 11 11 12 12 Landlock's goal is to create scoped access-control (i.e. sandboxing). To 13 13 harden a whole system, this feature should be available to any process, ··· 41 41 processes. 42 42 * Computation related to Landlock operations (e.g. enforcing a ruleset) shall 43 43 only impact the processes requesting them. 44 + 45 + Design choices 46 + ============== 47 + 48 + Filesystem access rights 49 + ------------------------ 50 + 51 + All access rights are tied to an inode and what can be accessed through it. 52 + Reading the content of a directory doesn't imply to be allowed to read the 53 + content of a listed inode. Indeed, a file name is local to its parent 54 + directory, and an inode can be referenced by multiple file names thanks to 55 + (hard) links. Being able to unlink a file only has a direct impact on the 56 + directory, not the unlinked inode. This is the reason why 57 + `LANDLOCK_ACCESS_FS_REMOVE_FILE` or `LANDLOCK_ACCESS_FS_REFER` are not allowed 58 + to be tied to files but only to directories. 44 59 45 60 Tests 46 61 =====
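Review bot: in the new "Filesystem access rights" section the access-right names are wrapped in single backticks, `LANDLOCK_ACCESS_FS_REMOVE_FILE` and `LANDLOCK_ACCESS_FS_REFER`; in reStructuredText single backticks are interpreted text (rendered as a title reference), not an inline literal, so these should be double backticks (``LANDLOCK_ACCESS_FS_REMOVE_FILE``) to render as code. Two wording points in the same paragraph: "doesn't imply to be allowed to read the content of a listed inode" reads better as "does not imply being allowed to read the content of a listed inode", and since the final sentence states a restriction that applies to both rights, "`LANDLOCK_ACCESS_FS_REMOVE_FILE` or `LANDLOCK_ACCESS_FS_REFER` are not allowed" should use "and". That sentence also names only these two rights as directory-only; if other access rights share the restriction, saying so or pointing to the uapi header list would stop readers from taking the pair as exhaustive.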