[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240719150618.197991-1-mic@digikod.net>
Date: Fri, 19 Jul 2024 17:06:15 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Günther Noack <gnoack@...gle.com>,
Ivanov Mikhail <ivanov.mikhail1@...wei-partners.com>,
Konstantin Meskhidze <konstantin.meskhidze@...wei.com>,
Paul Moore <paul@...l-moore.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
Casey Schaufler <casey@...aufler-ca.com>,
Jeff Xu <jeffxu@...gle.com>,
Kees Cook <keescook@...omium.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
Shervin Oloumi <enlightened@...omium.org>,
Tahera Fahimi <fahimitahera@...il.com>,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: [RFC PATCH v1 0/3] Use socket's Landlock domain
Hi,
While the current approach works, I think we should change the way
Landlock restricts network actions. Because this feature is relatively
new, we can still fix this inconsistency. In a nutshell, let's follow a
more capability-based model. Please let me know what you think.
Regards,
Mickaël Salaün (3):
landlock: Use socket's domain instead of current's domain
selftests/landlock: Add test for socket's domain
landlock: Document network restrictions tied to sockets
Documentation/userspace-api/landlock.rst | 4 ++-
security/landlock/net.c | 22 ++++++++--------
tools/testing/selftests/landlock/net_test.c | 29 +++++++++++++++++++++
3 files changed, 43 insertions(+), 12 deletions(-)
base-commit: f4b89d8ce5a835afa51404977ee7e3889c2b9722
--
2.45.2
Powered by blists - more mailing lists