From: "Günther Noack" <gnoack@google.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org,
Jeff Xu <jeffxu@google.com>,
Jorge Lucangeli Obes <jorgelo@chromium.org>,
Allen Webb <allenwebb@google.com>,
Dmitry Torokhov <dtor@google.com>,
Paul Moore <paul@paul-moore.com>,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
Matt Bobrowski <repnop@google.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v8 9/9] landlock: Document IOCTL support
Date: Fri, 12 Jan 2024 12:51:14 +0100 [thread overview]
Message-ID: <ZaEnsqnybWKgXg4N@google.com> (raw)
In-Reply-To: <20231213.java5eeb4Nee@digikod.net>
On Wed, Dec 13, 2023 at 12:25:15PM +0100, Mickaël Salaün wrote:
> On Fri, Dec 08, 2023 at 04:51:21PM +0100, Günther Noack wrote:
> > Documentation/userspace-api/landlock.rst | 119 ++++++++++++++++++++---
> > 1 file changed, 104 insertions(+), 15 deletions(-)
> >
>
> > +Restricting IOCTL commands
> > +--------------------------
> > +
> > +When the ``LANDLOCK_ACCESS_FS_IOCTL`` access right is handled, Landlock will
>
> I only use "right" (instead of "access right") when LANDLOCK_ACCESS_*
> precede to avoid repetition.
Done.
> > +restrict the invocation of IOCTL commands. However, to *permit* these IOCTL
>
> This patch introduces the "permit*" wording instead of the currently
> used "allowed", which is inconsistent.
Done.
> > ++------------------------+-------------+-------------------+-------------------+
> > +| | ``IOCTL`` | ``IOCTL`` handled | ``IOCTL`` handled |
>
> I was a bit confused at first read, wondering why IOCTL was quoted, then
> I realized that it was in fact LANDLOCK_ACCESS_FS_IOCTL. Maybe using the
> "FS_" prefix would avoid this kind of misreading (same for READ_FILE)?
Done.
> > +| | not handled | and permitted | and not permitted |
> > ++------------------------+-------------+-------------------+-------------------+
> > +| ``READ_FILE`` not | allow | allow | deny |
> > +| handled | | | |
> > ++------------------------+ +-------------------+-------------------+
> > +| ``READ_FILE`` handled | | allow |
> > +| and permitted | | |
> > ++------------------------+ +-------------------+-------------------+
> > +| ``READ_FILE`` handled | | deny |
> > +| and not permitted | | |
>
> If it makes the raw text easier to read, it should be OK to extend this
> table to 100 columns (I guess checkpatch.pl will not complain).
I got it down to 72 columns and it still reads reasonably well.
(Emacs has support for editing ASCII tables. :))
—Günther
prev parent reply other threads:[~2024-01-12 11:51 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-08 15:51 [PATCH v8 0/9] Landlock: IOCTL support Günther Noack
2023-12-08 15:51 ` [PATCH v8 1/9] landlock: Remove remaining "inline" modifiers in .c files Günther Noack
2023-12-08 15:51 ` [PATCH v8 2/9] selftests/landlock: Rename "permitted" to "allowed" in ftruncate tests Günther Noack
2023-12-08 15:51 ` [PATCH v8 3/9] landlock: Optimize the number of calls to get_access_mask slightly Günther Noack
2024-01-05 9:38 ` Mickaël Salaün
2023-12-08 15:51 ` [PATCH v8 4/9] landlock: Add IOCTL access right Günther Noack
2023-12-14 9:26 ` Mickaël Salaün
2023-12-14 10:14 ` Mickaël Salaün
2023-12-14 14:28 ` Mickaël Salaün
2024-01-30 18:13 ` Günther Noack
2024-01-31 16:52 ` Mickaël Salaün
2023-12-08 15:51 ` [PATCH v8 5/9] selftests/landlock: Test IOCTL support Günther Noack
2023-12-15 12:52 ` Aishwarya TCV
2024-01-12 17:31 ` Günther Noack
2024-01-12 18:59 ` Mark Brown
2024-01-15 14:20 ` Günther Noack
2023-12-08 15:51 ` [PATCH v8 6/9] selftests/landlock: Test IOCTL with memfds Günther Noack
2023-12-08 15:51 ` [PATCH v8 7/9] selftests/landlock: Test ioctl(2) and ftruncate(2) with open(O_PATH) Günther Noack
2023-12-08 15:51 ` [PATCH v8 8/9] samples/landlock: Add support for LANDLOCK_ACCESS_FS_IOCTL Günther Noack
2023-12-08 15:51 ` [PATCH v8 9/9] landlock: Document IOCTL support Günther Noack
2023-12-11 7:04 ` Mickaël Salaün
2023-12-11 8:49 ` Günther Noack
2023-12-13 11:21 ` Mickaël Salaün
2023-12-13 11:25 ` Mickaël Salaün
2024-01-12 11:51 ` Günther Noack [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZaEnsqnybWKgXg4N@google.com \
--to=gnoack@google.com \
--cc=allenwebb@google.com \
--cc=dtor@google.com \
--cc=jeffxu@google.com \
--cc=jorgelo@chromium.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=repnop@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.