Re: [PATCH v1 09/11] landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning

From: "Mickaël Salaün" <mic@digikod.net>
To: Paul Moore <paul@paul-moore.com>
Cc: "James Morris" <jmorris@namei.org>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	"Jann Horn" <jannh@google.com>,
	"Kees Cook" <keescook@chromium.org>,
	"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
	"Shuah Khan" <shuah@kernel.org>,
	linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	"Mickaël Salaün" <mic@linux.microsoft.com>
Subject: Re: [PATCH v1 09/11] landlock: Document LANDLOCK_ACCESS_FS_REFER and ABI versioning
Date: Thu, 17 Mar 2022 13:06:02 +0100	[thread overview]
Message-ID: <ebf1f65c-c0eb-c818-e3e4-46ad9292bdec@digikod.net> (raw)
In-Reply-To: <CAHC9VhSmz1ga5NTu=vG3+Z+gxD8C+-W+k5UweUROe2p4BfjSTg@mail.gmail.com>

On 17/03/2022 02:27, Paul Moore wrote:
> On Mon, Feb 21, 2022 at 4:15 PM Mickaël Salaün <mic@digikod.net> wrote:
>>
>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>
>> Add LANDLOCK_ACCESS_FS_REFER in the example and properly check to only
>> use it if the current kernel support it thanks to the Landlock ABI
>> version.
>>
>> Move the file renaming and linking limitation to a new "Previous
>> limitations" section.
>>
>> Improve documentation about the backward and forward compatibility,
>> including the rational for ruleset's handled_access_fs.
>>
>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>> Link: https://lore.kernel.org/r/20220221212522.320243-10-mic@digikod.net
>> ---
>>   Documentation/userspace-api/landlock.rst | 124 +++++++++++++++++++----
>>   1 file changed, 104 insertions(+), 20 deletions(-)
> 
> Thanks for remembering to update the docs :)  I made a few phrasing
> suggestions below, but otherwise it looks good to me.

Thanks Paul! I'll take them.

> 
> Reviewed-by: Paul Moore <paul@paul-moore.com>
> 
>> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
>> index f35552ff19ba..97db09d36a5c 100644
>> --- a/Documentation/userspace-api/landlock.rst
>> +++ b/Documentation/userspace-api/landlock.rst
>> @@ -281,6 +347,24 @@ Memory usage
>>   Kernel memory allocated to create rulesets is accounted and can be restricted
>>   by the Documentation/admin-guide/cgroup-v1/memory.rst.
>>
>> +Previous limitations
>> +====================
>> +
>> +File renaming and linking (ABI 1)
>> +---------------------------------
>> +
>> +Because Landlock targets unprivileged access controls, it is needed to properly
>                                                            ^^^^^
>                                             "... controls, it needs to ..."
> 
>> +handle composition of rules.  Such property also implies rules nesting.
>> +Properly handling multiple layers of ruleset, each one of them able to restrict
>                                          ^^^^^^^
>                                        "rulesets,"
> 
>> +access to files, also implies to inherit the ruleset restrictions from a parent
>                                   ^^^^^^^^^^
>                      "... implies inheritance of the ..."
> 
>> +to its hierarchy.  Because files are identified and restricted by their
>> +hierarchy, moving or linking a file from one directory to another implies to
>> +propagate the hierarchy constraints.
> 
> "... one directory to another implies propagation of the hierarchy constraints."
> 
>> +                                     To protect against privilege escalations
> 
>> +through renaming or linking, and for the sake of simplicity, Landlock previously
>> +limited linking and renaming to the same directory.  Starting with the Landlock
>> +ABI version 2, it is now possible to securely control renaming and linking
>> +thanks to the new `LANDLOCK_ACCESS_FS_REFER` access right.
> 
> --
> paul-moore.com