From: "Günther Noack" <gnoack3000@gmail.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: Jonathan Corbet <corbet@lwn.net>,
linux-security-module@vger.kernel.org,
Alejandro Colomar <alx.manpages@gmail.com>,
Paul Moore <paul@paul-moore.com>,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
Xiu Jianfeng <xiujianfeng@huawei.com>,
linux-doc@vger.kernel.org
Subject: Re: [PATCH v3] landlock: Clarify documentation for the LANDLOCK_ACCESS_FS_REFER right
Date: Tue, 21 Feb 2023 17:51:25 +0100
Message-ID: <Y/T2jcoFcjYO8LZj@galopp>
In-Reply-To: <0e5bf1f7-47b5-382e-ae56-4556980a908b@digikod.net>

On Fri, Feb 17, 2023 at 08:28:41PM +0100, Mickaël Salaün wrote:
> On 16/02/2023 21:07, Günther Noack wrote:
> > Clarify the "refer" documentation by splitting up a big paragraph of text.
> >
> > - Call out specifically that the denial by default applies to ABI v1 as well.
> > - Turn the three additional constraints for link/rename operations
> > into bullet points, to give it more structure.
> >
> > Includes wording and semantics corrections by Mickaël Salaün.
>
> No need to add this line, it's part of the maintainer job. ;)

OK, removed for V4.

> Some of my suggestions are about style, so feel free to ignore them if you
> think the original is better. Anyway, I'm not a native English speaker
> either, so there are good chances I'm not correct on some suggestions. What
> about that?:
>
> This is the only access right implicitly handled by any ruleset, even if
> this right is not specified at ruleset creation time. Reparenting files will
> then always be denied by default. Given that %LANDLOCK_ACCESS_FS_REFER is
> available since the second Landlock ABI version, using the first Landlock
> ABI version will always forbid file reparenting.
>
> For these kind of link or rename actions to be possible, one or two rules
> must explicitly allow %LANDLOCK_ACCESS_FS_REFER on the source and the
> destination hierarchies. In addition, the following constraints must be met:

I reworded it again, it's meeting somewhere in the middle I hope. It
should be a bit better now. (Sending another version.)

Documentation is hard... it's difficult to find an objective best wording.

–Günther

Thread overview: 3+ messages
2023-02-16 20:07 [PATCH v3] landlock: Clarify documentation for the LANDLOCK_ACCESS_FS_REFER right Günther Noack
2023-02-17 19:28 ` Mickaël Salaün
2023-02-21 16:51 ` Günther Noack [this message]