Re: [PATCH v4 3/3] landlock.7: Give a pointer to how to implement a fallback mechanism

["Günther Noack" <gnoack3000@gmail.com>]

Thank you for the review!

On Wed, Mar 15, 2023 at 10:39:50PM +0100, Mickaël Salaün wrote:
> On 10/03/2023 23:08, Günther Noack wrote:
> > +The ruleset we have constructed requires Landlock ABI version 3 or higher.
> > +On kernels which do not provide that,
> > +the call to
> > +.BR landlock_create_ruleset (2)
> > +will fail.
> 
> One of the goal of Landlock is to avoid developers and their code to
> (lazily) error out if one feature is not supported by the running kernel. If
> this happens, a lot of sandboxing will be disabled (and then useless)
> because users don't necessarily have the same kernel as developers'.
> 
> Such security feature is not the same as a "necessary" feature. Indeed,
> sandboxing is and should be optional for applications to run correctly,
> hence the recommended best-effort approach: https://docs.kernel.org/userspace-api/landlock.html#backward-and-forward-compatibility
> 
> I agree that the man page should not be too complex, but I think teaching
> the best (default) approach should be the goal.
> 
> For the example, we can ignore LANDLOCK_ACCESS_FS_REFER but use all other
> access rights, especially LANDLOCK_ACCESS_FS_TRUNCATE. However, this last
> one should be masked if not supported by the running kernel. See https://docs.kernel.org/userspace-api/landlock.html#defining-and-enforcing-a-security-policy
> 
> An alternative would be to ignore access rights for ABI > 1 to make it
> simple, but this would not help developers dealing with real use cases.
> 
> This comment applies to all these 3 patches.

I can do it either way, but I would need you and Alejandro to find a
common ground on this.  Alejandro's stance in a previous review thread
was to only support the latest and greatest kernel:
https://lore.kernel.org/linux-man/cb3d6b3e-0c9b-635e-380a-c79e36ae8ede@gmail.com/

Alejandro, what are your thoughts?  (Happy Birthday, btw :))


(My personal stance is: I'm concerned that the man page example might
become too long if we try to add the "best effort" fallback to it, so
I would slightly prefer to explain the fallback logic outside, but
could be convinced otherwise.  I see the point that people might
cut&paste the example from the man page and miss the longer
explanation in a different place.

I have attempted to explain the "best effort" fallback on my weblog
starting from a blank slate, and ended up with the explanation at
https://blog.gnoack.org/post/landlock-best-effort/.  I believe that
most users can use a simpler "best effort" fallback logic when doing
this case analysis, but the explanation is probably too long for the
man page.)

Another alternative would be to make the example assume Landlock v2
(Linux 5.19). In that case, the fallback logic would be simpler and
the case analysis from the weblog entry collapse into a single case,
but the example would fall back to not using Landlock on Linux 5.13 to
5.18 (including the long-term release 5.15), which is also not nice.)

–-Günther