diff options
author | Mickaël Salaün <mic@digikod.net> | 2022-05-06 19:11:02 +0300 |
---|---|---|
committer | Mickaël Salaün <mic@digikod.net> | 2022-05-23 14:28:01 +0300 |
commit | 9e0c76b9f1faac0a8ea4b42e2f844ea26106f140 (patch) | |
tree | 01ddafeda1729f24cbcc56237f4d2da259ef9a2e | |
parent | 09340cf4135f942d56742b36aaa3c37738aba000 (diff) | |
download | linux-9e0c76b9f1faac0a8ea4b42e2f844ea26106f140.tar.xz |
landlock: Add design choices documentation for filesystem access rights
Summarize the rationale of filesystem access rights according to the
file type.
Update the document date.
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-13-mic@digikod.net
-rw-r--r-- | Documentation/security/landlock.rst | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/Documentation/security/landlock.rst b/Documentation/security/landlock.rst index 3df68cb1d10f..5c77730b4479 100644 --- a/Documentation/security/landlock.rst +++ b/Documentation/security/landlock.rst @@ -7,7 +7,7 @@ Landlock LSM: kernel documentation ================================== :Author: Mickaël Salaün -:Date: March 2021 +:Date: May 2022 Landlock's goal is to create scoped access-control (i.e. sandboxing). To harden a whole system, this feature should be available to any process, @@ -42,6 +42,21 @@ Guiding principles for safe access controls * Computation related to Landlock operations (e.g. enforcing a ruleset) shall only impact the processes requesting them. +Design choices +============== + +Filesystem access rights +------------------------ + +All access rights are tied to an inode and what can be accessed through it. +Reading the content of a directory doesn't imply to be allowed to read the +content of a listed inode. Indeed, a file name is local to its parent +directory, and an inode can be referenced by multiple file names thanks to +(hard) links. Being able to unlink a file only has a direct impact on the +directory, not the unlinked inode. This is the reason why +`LANDLOCK_ACCESS_FS_REMOVE_FILE` or `LANDLOCK_ACCESS_FS_REFER` are not allowed +to be tied to files but only to directories. + Tests ===== |