landlock: Reduce the maximum number of layers to 16
commit 75c542d6c6cc48720376862d5496d51509160dfd upstream. The maximum number of nested Landlock domains is currently 64. Because of the following fix and to help reduce the stack size, let's reduce it to 16. This seems large enough for a lot of use cases (e.g. sandboxed init service, spawning a sandboxed SSH service, in nested sandboxed containers). Reducing the number of nested domains may also help to discover misuse of Landlock (e.g. creating a domain per rule). Add and use a dedicated layer_mask_t typedef to fit with the number of layers. This might be useful when changing it and to keep it consistent with the maximum number of layers. Reviewed-by:Paul Moore <paul@paul-moore.com> Link: https://lore.kernel.org/r/20220506161102.525323-3-mic@digikod.net Cc: stable@vger.kernel.org Signed-off-by:
Mickaël Salaün <mic@digikod.net> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing
- Documentation/userspace-api/landlock.rst 2 additions, 2 deletionsDocumentation/userspace-api/landlock.rst
- security/landlock/fs.c 7 additions, 10 deletionssecurity/landlock/fs.c
- security/landlock/limits.h 1 addition, 1 deletionsecurity/landlock/limits.h
- security/landlock/ruleset.h 4 additions, 0 deletionssecurity/landlock/ruleset.h
- tools/testing/selftests/landlock/fs_test.c 1 addition, 1 deletiontools/testing/selftests/landlock/fs_test.c
Loading
Please register or sign in to comment