Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

landlock: split .special into .makeipc and .makedev #6187

Merged
merged 1 commit into from
Feb 5, 2024
Merged

landlock: split .special into .makeipc and .makedev #6187

merged 1 commit into from
Feb 5, 2024

Conversation

kmk3
Copy link
Collaborator

@kmk3 kmk3 commented Feb 2, 2024
edited
Loading

As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices. Also,
landlock.special is not very descriptive of what it allows.

So split landlock.special into:

  • landlock.makeipc: allow creating named pipes and sockets (which are
    usually used for inter-process communication)
  • landlock.makedev: allow creating block and character devices

Misc: The makedev name is based on nodev from mount(8), which makes
mount not interpret block and character devices. ipc was suggested by
@rusty-snake[2].

Relates to #6078.

[1] #6078 (review)
[2] #6187 (comment)

@rusty-snake
Copy link
Collaborator

Good to see this design choice getting corrected.

landlock.special is now a landlock.ipc. Do we want to rename it too (in a followup PR)?

@kmk3
landlock: split .special into .makeipc and .makedev
f70ffbe 
As discussed with @topimiettinen[1], it is unlikely that an unprivileged
process would need to directly create block or character devices.  Also,
`landlock.special` is not very descriptive of what it allows.

So split `landlock.special` into:

* `landlock.makeipc`: allow creating named pipes and sockets (which are
  usually used for inter-process communication)
* `landlock.makedev`: allow creating block and character devices

Misc: The `makedev` name is based on `nodev` from mount(8), which makes
mount not interpret block and character devices.  `ipc` was suggested by
@rusty-snake[2].

Relates to netblue30#6078.

[1] netblue30#6078 (review)
[2] netblue30#6187 (comment)
@kmk3 kmk3 changed the title landlock: move char/block devices into landlock.dev landlock: split .special into .makeipc and .makedev Feb 2, 2024
@kmk3
Copy link
Collaborator Author

kmk3 commented Feb 2, 2024

Good to see this design choice getting corrected.

landlock.special is now a landlock.ipc. Do we want to rename it too (in a
followup PR)?

Good idea, renamed them to landlock.makeipc and landlock.makedev.

@kmk3 kmk3 merged commit e488eb3 into netblue30:master Feb 5, 2024
14 checks passed
@kmk3 kmk3 deleted the landlock-add-dev branch February 5, 2024 07:44
kmk3 added a commit that referenced this pull request Feb 5, 2024
@kmk3
RELNOTES: add many items
1c94947 
Relates to #6172 #6178 #6184 #6186 #6187.
This was referenced Feb 6, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@topimiettinen topimiettinen topimiettinen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Release 0.9.74
Status: Done (on RELNOTES)
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kmk3 @rusty-snake @topimiettinen