From: "Mickaël Salaün" <mic@digikod.net>
To: James Morris <jmorris@namei.org>, Jann Horn <jannh@google.com>,
	"Serge E . Hallyn" <serge@hallyn.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"Shuah Khan" <shuah@kernel.org>,
	"Vincent Dagonneau" <vincent.dagonneau@ssi.gouv.fr>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v1 9/9] landlock: Extend documentation about limitations
Date: Wed, 11 Nov 2020 22:34:42 +0100
Message-ID: <20201111213442.434639-10-mic@digikod.net>
In-Reply-To: <20201111213442.434639-1-mic@digikod.net>

Explain limitations for the maximum number of stacked rulesets, and the
memory usage restrictions.

Cc: James Morris <jmorris@namei.org>
Cc: Jann Horn <jannh@google.com>
Cc: Serge E. Hallyn <serge@hallyn.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
---
 Documentation/userspace-api/landlock.rst | 17 +++++++++++++++++
 security/landlock/syscall.c              |  2 ++
 2 files changed, 19 insertions(+)

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 8f727de20479..7e83e5def1bc 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -186,6 +186,23 @@ Enforcing a ruleset
 Current limitations
 ===================
 
+Ruleset layers
+--------------
+
+There is a limit of 64 layers of stacked rulesets.  This can be an issue for a
+task willing to enforce a new ruleset in complement to its 64 inherited
+rulesets.  Once this limit is reached, sys_landlock_enforce_ruleset_current()
+returns E2BIG.  It is then strongly suggested to carefully build rulesets once
+in the life of a thread, especially for applications able to launch other
+applications which may also want to sandbox themselves (e.g. shells, container
+managers, etc.).
+
+Memory usage
+------------
+
+Kernel memory allocated to create rulesets is accounted and can be restricted
+by the :doc:`/admin-guide/cgroup-v1/memory`.
+
 File renaming and linking
 -------------------------
 
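Review bot: The "Ruleset layers" section mixes "task" and "thread" when describing the scope of the 64-layer limit ("a task willing to enforce", "once in the life of a thread"), and the function is named with a kernel-internal prefix, "sys_landlock_enforce_ruleset_current()", while the user-facing syscall documented in this same file is landlock_enforce_ruleset_current(); please pick one term for the scope and drop the "sys_" prefix so readers can grep the syscall name. The wording "in complement to its 64 inherited rulesets" would read more naturally as "in addition to", and "a task willing to enforce" as "a task that wants to enforce". Since E2BIG is now a documented error, consider also stating here that the limit is inherited across fork/exec (which the sentence about shells and container managers implies but does not say), so that a sandboxing launcher understands why it should enforce a single carefully built ruleset rather than several. In the "Memory usage" section, the link only mentions the cgroup v1 memory controller; if the accounting also applies under the cgroup v2 memory controller, it would be worth linking both, and otherwise it should say explicitly that only v1 is covered.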
diff --git a/security/landlock/syscall.c b/security/landlock/syscall.c
index 543ae36cd339..045bcac79e17 100644
--- a/security/landlock/syscall.c
+++ b/security/landlock/syscall.c
@@ -361,6 +361,8 @@ SYSCALL_DEFINE4(landlock_add_rule,
  * - EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
  *   current thread is not running with no_new_privs, or it doesn't have
  *   CAP_SYS_ADMIN in its namespace.
+ * - E2BIG: The maximum number of stacked rulesets is reached for the current
+ *   task.
  */
 SYSCALL_DEFINE2(landlock_enforce_ruleset_current,
 		const int, ruleset_fd, const __u32, flags)
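Review bot: The new E2BIG entry in the landlock_enforce_ruleset_current() comment says "for the current task", whereas the accompanying landlock.rst text talks about the limit per thread; the two should agree on the term. The comment would also be more useful to callers if it stated the actual bound ("currently 64 stacked rulesets") or referenced the constant that defines it, so the syscall documentation and the rst stay consistent if the limit ever changes.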
-- 
2.29.2

