From: "Mickaël Salaün" <mic@digikod.net>
To: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
	 Paul Moore <paul@paul-moore.com>
Cc: gnoack@google.com, willemdebruijn.kernel@gmail.com,
	matthieu@buffet.re,  linux-security-module@vger.kernel.org,
	netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
	 yusongping@huawei.com, artem.kuzin@huawei.com,
	konstantin.meskhidze@huawei.com
Subject: Re: [RFC PATCH v2 7/8] landlock: Add note about errors consistency in documentation
Date: Tue, 10 Dec 2024 19:08:38 +0100
Message-ID: <20241210.kohGhez4osha@digikod.net>
In-Reply-To: <20241017110454.265818-8-ivanov.mikhail1@huawei-partners.com>

On Thu, Oct 17, 2024 at 07:04:53PM +0800, Mikhail Ivanov wrote:
> Add a recommendation to specify Landlock first in the CONFIG_LSM list, so users
> can have the better LSM error consistency provided by Landlock.
> 
> Signed-off-by: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
> ---
>  Documentation/userspace-api/landlock.rst | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index bb7480a05e2c..0db5eee9bffa 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -610,7 +610,8 @@ time as the other security modules.  The list of security modules enabled by
>  default is set with ``CONFIG_LSM``.  The kernel configuration should then
>  contains ``CONFIG_LSM=landlock,[...]`` with ``[...]``  as the list of other
>  potentially useful security modules for the running system (see the
> -``CONFIG_LSM`` help).
> +``CONFIG_LSM`` help). It is recommended to specify Landlock first of all other
> +modules in CONFIG_LSM list since it provides better errors consistency.

This is partially correct because Landlock may not block anything
whereas another LSM could deny a network action, with potentially a
wrong error code.  I don't think this patch is worth it, especially
because other LSMs have bugs that should be fixed.

>  
>  Boot time configuration
>  -----------------------
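Review bot: the two added lines give a conclusion ("better errors consistency") without the reason, and as written the recommendation overstates what ordering buys: Landlock's error code can only be the one reported when Landlock itself denies the action, so an action Landlock allows but another module rejects still returns that module's error whatever the order (the point raised in the reply above). Suggest stating the mechanism and narrowing the claim, e.g. "Listing Landlock first in ``CONFIG_LSM`` makes its error codes take precedence when several modules would deny the same action." Style points on the same lines: ``CONFIG_LSM`` should be in double backticks like the other occurrences in this paragraph, "first of all other modules in CONFIG_LSM list" reads better as "before the other modules in the ``CONFIG_LSM`` list", and "errors consistency" should be "error consistency". While this paragraph is being touched, the pre-existing "should then contains" in the context line could become "should then contain".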
> -- 
> 2.34.1
> 
> 

