aboutsummaryrefslogtreecommitdiff
path: root/Documentation/security
diff options
context:
space:
mode:
authorMickaël Salaün <mic@digikod.net>2022-05-06 18:11:02 +0200
committerMickaël Salaün <mic@digikod.net>2022-05-23 13:28:01 +0200
commit9e0c76b9f1faac0a8ea4b42e2f844ea26106f140 (patch)
tree01ddafeda1729f24cbcc56237f4d2da259ef9a2e /Documentation/security
parent09340cf4135f942d56742b36aaa3c37738aba000 (diff)
landlock: Add design choices documentation for filesystem access rights
Summarize the rationale of filesystem access rights according to the file type. Update the document date. Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20220506161102.525323-13-mic@digikod.net
Diffstat (limited to 'Documentation/security')
-rw-r--r--Documentation/security/landlock.rst17
1 files changed, 16 insertions, 1 deletions
diff --git a/Documentation/security/landlock.rst b/Documentation/security/landlock.rst
index 3df68cb1d10f..5c77730b4479 100644
--- a/Documentation/security/landlock.rst
+++ b/Documentation/security/landlock.rst
@@ -7,7 +7,7 @@ Landlock LSM: kernel documentation
==================================
:Author: Mickaël Salaün
-:Date: March 2021
+:Date: May 2022
Landlock's goal is to create scoped access-control (i.e. sandboxing). To
harden a whole system, this feature should be available to any process,
@@ -42,6 +42,21 @@ Guiding principles for safe access controls
* Computation related to Landlock operations (e.g. enforcing a ruleset) shall
only impact the processes requesting them.
+Design choices
+==============
+
+Filesystem access rights
+------------------------
+
+All access rights are tied to an inode and what can be accessed through it.
+Reading the content of a directory doesn't imply to be allowed to read the
+content of a listed inode. Indeed, a file name is local to its parent
+directory, and an inode can be referenced by multiple file names thanks to
+(hard) links. Being able to unlink a file only has a direct impact on the
+directory, not the unlinked inode. This is the reason why
+`LANDLOCK_ACCESS_FS_REMOVE_FILE` or `LANDLOCK_ACCESS_FS_REFER` are not allowed
+to be tied to files but only to directories.
+
Tests
=====