landlock: Add design choices documentation for filesystem access rights
Summarize the rationale of filesystem access rights according to the file type. Update the document date.

Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220506161102.525323-13-mic@digikod.net
parent 09340cf413
commit 9e0c76b9f1
@ -7,7 +7,7 @@ Landlock LSM: kernel documentation
==================================
==================================
:Author: Mickaël Salaün
:Author: Mickaël Salaün
:Date: March 2021
:Date: May 2022
Landlock's goal is to create scoped access-control (i.e. sandboxing). To
Landlock's goal is to create scoped access-control (i.e. sandboxing). To
harden a whole system, this feature should be available to any process,
harden a whole system, this feature should be available to any process,
@ -42,6 +42,21 @@ Guiding principles for safe access controls
* Computation related to Landlock operations (e.g. enforcing a ruleset) shall
* Computation related to Landlock operations (e.g. enforcing a ruleset) shall
only impact the processes requesting them.
only impact the processes requesting them.
Design choices
==============
Filesystem access rights
------------------------
All access rights are tied to an inode and what can be accessed through it.
Reading the content of a directory doesn't imply to be allowed to read the
content of a listed inode. Indeed, a file name is local to its parent
directory, and an inode can be referenced by multiple file names thanks to
(hard) links. Being able to unlink a file only has a direct impact on the
directory, not the unlinked inode. This is the reason why
`LANDLOCK_ACCESS_FS_REMOVE_FILE` or `LANDLOCK_ACCESS_FS_REFER` are not allowed
to be tied to files but only to directories.
Tests
Tests
=====
=====
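Review bot: the closing sentence of the new "Filesystem access rights" section names only `LANDLOCK_ACCESS_FS_REMOVE_FILE` and `LANDLOCK_ACCESS_FS_REFER`, but the rationale it gives (unlinking or re-linking a name changes the parent directory's content, not the inode the name points to) holds for any access right that modifies directory entries, so either enumerate all the directory-only rights here or make explicit that these two are examples, for instance "This is the reason why access rights such as ... can only be tied to directories, not to files". Two smaller points in the same hunk: "Reading the content of a directory doesn't imply to be allowed to read the content of a listed inode" is not idiomatic; "does not imply being allowed to read" reads better. And if the access-right names are really wrapped in single backticks in the source, Sphinx renders them as interpreted text rather than inline literals; kernel ReST uses double backticks (``LANDLOCK_ACCESS_FS_REFER``) for identifiers.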