Closed gnoack closed 3 years ago
Main risk: Migrating from Landlock ABI N to ABI N+1 could lock down the calling process more than originally intended.
Migration between Landlock ABIs should therefore be explicit, as it can be a potentially breaking change.
I assume that for most users it should not break in practice though... the use cases I've come across often only rely on basic file operations, which are already supported in Landlock V1.
We could make the Go module version be the same as the used Landlock ABI version.
Go packages are supposed to give compatibility guarantees within major versions (doc), but an upgrade between major versions is a step where library users are naturally supposed to double check that it keeps working.
Pros:
Cons:
Ask users to pass "V1/V2" into the Restrict()
function. That would make it very explicit what's happening.
Pros:
Cons:
The scenario is that Restrict()
is called on a kernel that has an older version of Landlock, or where Landlock is not supported.
The use cases I know of are:
That would make it possible for users to tell whether a downgrade happened and react accordingly:
downgraded, err := golandlock.Restrict(...)
if err != nil {
// ...
}
if downgraded {
panic("Could not enforce Landlock rules")
}
Assumption: When users use the strict mode, they do it because they want to panic
or log.Fatal
otherwise. Maybe what is needed is not to always run in strict mode, but to just make it detectable what level of enforcement Landlock managed to enforce.
I consider the above change to be OK for fixing the "arguments" and "flexibility" concerns. Feedback is welcome.
I consider backwards and forwards-compatibility to be appropriately addressed with these changes.
Main risk: Migrating from Landlock ABI N to ABI N+1 could lock down the calling process more than originally intended.
Migration between Landlock ABIs should therefore be explicit, as it can be a potentially breaking change.
Just to be clear, future (kernel) Landlock versions will always be compatible with older versions (e.g. the default behavior or implicit options will never change). This is required for (simple) backward compatibility (i.e. by avoiding user space to give an ABI version to the kernel) and to get a deterministic access-control.
Comment about AccessFSRoughlyRead
: https://github.com/gnoack/golandlock/commit/f6bba1285ffd2c64b2b8774876c29c62213d1e5a#r53543969
This package does not provide stability guarantees yet, and we need to fix the API so that we can provide these guarantees.
Things I'd like to fix:
Restrict()
call should lock permissions down as much as possible given the kernel that it's running on. Other users might want to still fail in that case though.Prior art for backwards compatibility: @l0kod's rust-landlock supports multiple backwards compatibility strategies. (See ErrorThreshold enum)