Unverified Commit 9e0c76b9 authored by Mickaël Salaün

landlock: Add design choices documentation for filesystem access rights

Summarize the rationale of filesystem access rights according to the
file type.

Update the document date.

Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-13-mic@digikod.net
parent 09340cf4
+16 −1
@@ -7,7 +7,7 @@ Landlock LSM: kernel documentation
==================================

:Author: Mickaël Salaün
:Date: March 2021
:Date: May 2022

Landlock's goal is to create scoped access-control (i.e. sandboxing).  To
harden a whole system, this feature should be available to any process,
@@ -42,6 +42,21 @@ Guiding principles for safe access controls
* Computation related to Landlock operations (e.g. enforcing a ruleset) shall
  only impact the processes requesting them.

Design choices
==============

Filesystem access rights
------------------------

All access rights are tied to an inode and what can be accessed through it.
Reading the content of a directory doesn't imply to be allowed to read the
content of a listed inode.  Indeed, a file name is local to its parent
directory, and an inode can be referenced by multiple file names thanks to
(hard) links.  Being able to unlink a file only has a direct impact on the
directory, not the unlinked inode.  This is the reason why
`LANDLOCK_ACCESS_FS_REMOVE_FILE` or `LANDLOCK_ACCESS_FS_REFER` are not allowed
to be tied to files but only to directories.

Tests
=====
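Review bot: the closing sentence of the new "Filesystem access rights" paragraph justifies only `LANDLOCK_ACCESS_FS_REMOVE_FILE`; the preceding rationale talks about unlinking and about hard links making a name local to its parent directory, but never says what `LANDLOCK_ACCESS_FS_REFER` covers, so a reader cannot tell why it is directory-only. Consider adding one sentence stating that `LANDLOCK_ACCESS_FS_REFER` likewise concerns operations on directory entries (creating a new name for an inode, or moving one), which, like unlink, modify the parent directory rather than the referenced inode. Two smaller wording points in the same hunk: "doesn't imply to be allowed to read" reads awkwardly and could be "does not imply being allowed to read", and "`LANDLOCK_ACCESS_FS_REMOVE_FILE` or `LANDLOCK_ACCESS_FS_REFER` are not allowed" should use "and", since both rights are restricted, not one or the other.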