Commit ed35e2f2 authored by Günther Noack, committed by Mickaël Salaün

landlock: Clarify documentation for the LANDLOCK_ACCESS_FS_REFER right

Clarify the "refer" documentation by splitting up a big paragraph of
text.

- Call out specifically that the denial by default applies to ABI v1 as
  well.
- Turn the three additional constraints for link/rename operations
  into bullet points, to give it more structure.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20230221165205.4231-1-gnoack3000@gmail.com
Signed-off-by: Mickaël Salaün <mic@digikod.net>
parent 1c1ea1c3
...@@ -130,21 +130,37 @@ struct landlock_path_beneath_attr { ...@@ -130,21 +130,37 @@ struct landlock_path_beneath_attr {
* - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device. * - %LANDLOCK_ACCESS_FS_MAKE_BLOCK: Create (or rename or link) a block device.
* - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link. * - %LANDLOCK_ACCESS_FS_MAKE_SYM: Create (or rename or link) a symbolic link.
* - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different * - %LANDLOCK_ACCESS_FS_REFER: Link or rename a file from or to a different
* directory (i.e. reparent a file hierarchy). This access right is * directory (i.e. reparent a file hierarchy).
* available since the second version of the Landlock ABI. This is also the *
* only access right which is always considered handled by any ruleset in * This access right is available since the second version of the Landlock
* such a way that reparenting a file hierarchy is always denied by default. * ABI.
* To avoid privilege escalation, it is not enough to add a rule with this *
* access right. When linking or renaming a file, the destination directory * This is the only access right which is denied by default by any ruleset,
* hierarchy must also always have the same or a superset of restrictions of * even if the right is not specified as handled at ruleset creation time.
* the source hierarchy. If it is not the case, or if the domain doesn't * The only way to make a ruleset grant this right is to explicitly allow it
* handle this access right, such actions are denied by default with errno * for a specific directory by adding a matching rule to the ruleset.
* set to ``EXDEV``. Linking also requires a ``LANDLOCK_ACCESS_FS_MAKE_*`` *
* access right on the destination directory, and renaming also requires a * In particular, when using the first Landlock ABI version, Landlock will
* ``LANDLOCK_ACCESS_FS_REMOVE_*`` access right on the source's (file or * always deny attempts to reparent files between different directories.
* directory) parent. Otherwise, such actions are denied with errno set to *
* ``EACCES``. The ``EACCES`` errno prevails over ``EXDEV`` to let user space * In addition to the source and destination directories having the
* efficiently deal with an unrecoverable error. * %LANDLOCK_ACCESS_FS_REFER access right, the attempted link or rename
* operation must meet the following constraints:
*
* * The reparented file may not gain more access rights in the destination
* directory than it previously had in the source directory. If this is
* attempted, the operation results in an ``EXDEV`` error.
*
* * When linking or renaming, the ``LANDLOCK_ACCESS_FS_MAKE_*`` right for the
* respective file type must be granted for the destination directory.
* Otherwise, the operation results in an ``EACCES`` error.
*
* * When renaming, the ``LANDLOCK_ACCESS_FS_REMOVE_*`` right for the
* respective file type must be granted for the source directory. Otherwise,
* the operation results in an ``EACCES`` error.
*
* If multiple requirements are not met, the ``EACCES`` error code takes
* precedence over ``EXDEV``.
* *
* .. warning:: * .. warning::
* *
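Review bot: the new "denied by default by any ruleset, even if the right is not specified as handled" paragraph no longer says which errno user space sees in that case, while the removed text did ("or if the domain doesn't handle this access right, such actions are denied by default with errno set to ``EXDEV``"). Since the whole point of this rewrite is to make the ABI v1 / unhandled-right behaviour explicit, and since tools such as mv fall back to copy-and-delete only on ``EXDEV``, suggest adding a sentence to that paragraph (or to the "first Landlock ABI version" paragraph) stating that these default denials are reported with ``EXDEV``, so that the errno is documented for the no-rule case and not only for the "gains more access rights" bullet. Minor: the old rationale for ``EACCES`` taking precedence ("to let user space efficiently deal with an unrecoverable error") was also dropped; keeping that half-sentence in the final paragraph would explain why the precedence is the way it is.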