From: Mickaël Salaün
To: James Morris, "Serge E . Hallyn"
Cc: Mickaël Salaün, Al Viro, Jann Horn, John Johansen, Kees Cook, Konstantin Meskhidze, Paul Moore, Shuah Khan, Tetsuo Handa, linux-doc@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 12/12] landlock: Add design choices documentation for filesystem access rights
Date: Fri, 6 May 2022 18:11:02 +0200
Message-Id: <20220506161102.525323-13-mic@digikod.net>
In-Reply-To: <20220506161102.525323-1-mic@digikod.net>
References: <20220506161102.525323-1-mic@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

Summarize the rationale of filesystem access rights according to the file
type. Update the document date.

Reviewed-by: Paul Moore
Signed-off-by: Mickaël Salaün
Link: https://lore.kernel.org/r/20220506161102.525323-13-mic@digikod.net
---
Changes since v2:
* Add more explanation in the commit message.
* Update date.

Changes since v1:
* Add Reviewed-by: Paul Moore.
* Update date.
---
 Documentation/security/landlock.rst | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/Documentation/security/landlock.rst b/Documentation/security/landlock.rst
index 3df68cb1d10f..5c77730b4479 100644
--- a/Documentation/security/landlock.rst
+++ b/Documentation/security/landlock.rst @@ -7,7 +7,7 @@ Landlock LSM: kernel documentation ================================== :Author: Mickaël Salaün -:Date: March 2021 +:Date: May 2022 Landlock's goal is to create scoped access-control (i.e. sandboxing). To harden a whole system, this feature should be available to any process, @@ -42,6 +42,21 @@ Guiding principles for safe access controls * Computation related to Landlock operations (e.g. enforcing a ruleset) shall only impact the processes requesting them. +Design choices +============== + +Filesystem access rights +------------------------ + +All access rights are tied to an inode and what can be accessed through it. +Reading the content of a directory doesn't imply to be allowed to read the +content of a listed inode. Indeed, a file name is local to its parent +directory, and an inode can be referenced by multiple file names thanks to +(hard) links. Being able to unlink a file only has a direct impact on the +directory, not the unlinked inode. This is the reason why +`LANDLOCK_ACCESS_FS_REMOVE_FILE` or `LANDLOCK_ACCESS_FS_REFER` are not allowed +to be tied to files but only to directories. + Tests ===== -- 2.35.1
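Review bot: In the second hunk, the new "Filesystem access rights" paragraph wraps `LANDLOCK_ACCESS_FS_REMOVE_FILE` and `LANDLOCK_ACCESS_FS_REFER` in single backticks; in reStructuredText a single-backtick span is interpreted text, not an inline literal, so these identifiers should use double backticks (``LANDLOCK_ACCESS_FS_REMOVE_FILE``) as the rest of the kernel documentation does. The phrase "doesn't imply to be allowed to read" would read better as "does not imply being allowed to read". Finally, the paragraph motivates only LANDLOCK_ACCESS_FS_REMOVE_FILE (unlink affects the directory, not the unlinked inode) and then lists LANDLOCK_ACCESS_FS_REFER beside it without saying which directory-level operation that right corresponds to; one clause naming that operation, building on the earlier point that file names and hard links belong to the parent directory, would make the "only to directories" conclusion hold for both rights.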