
From: Stefan Sperling <stsp@stsp.name>
Subject: Re: [got-portable] landlock support, second try
To: Omar Polo <op@omarpolo.com>
Cc: gameoftrees@openbsd.org
Date: Sat, 5 Feb 2022 15:59:45 +0100

On Fri, Jan 28, 2022 at 11:19:38PM +0100, Omar Polo wrote:
>  add landlock support on linux

> +static int
> +open_landlock(void)
> +{
> +	struct landlock_ruleset_attr rattr = {
> +		.handled_access_fs =	LANDLOCK_ACCESS_FS_EXECUTE	|
> +					LANDLOCK_ACCESS_FS_WRITE_FILE	|
> +					LANDLOCK_ACCESS_FS_READ_FILE	|
> +					LANDLOCK_ACCESS_FS_READ_DIR	|
> +					LANDLOCK_ACCESS_FS_REMOVE_DIR	|
> +					LANDLOCK_ACCESS_FS_REMOVE_FILE	|
> +					LANDLOCK_ACCESS_FS_MAKE_CHAR	|
> +					LANDLOCK_ACCESS_FS_MAKE_DIR	|
> +					LANDLOCK_ACCESS_FS_MAKE_REG	|
> +					LANDLOCK_ACCESS_FS_MAKE_SOCK	|
> +					LANDLOCK_ACCESS_FS_MAKE_FIFO	|
> +					LANDLOCK_ACCESS_FS_MAKE_BLOCK	|
> +					LANDLOCK_ACCESS_FS_MAKE_SYM,
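
Review bot: the `.handled_access_fs` initializer in open_landlock() has no comment saying what the mask means, and it is easy to misread as an allow list. In Landlock, the rights named in `handled_access_fs` are the ones the ruleset denies by default unless a rule added to it later grants them for a given path; a right left out of the mask is not restricted at all. Listing LANDLOCK_ACCESS_FS_MAKE_CHAR, LANDLOCK_ACCESS_FS_MAKE_BLOCK and the other MAKE_* bits here therefore takes those operations away rather than enabling them. A short comment above the initializer stating this would help readers coming from pledge/unveil.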

Pardon my ignorance, I don't know anything about landlock yet.

Is the above a list which restricts operations that the process can
perform, or something else?

Or is it a list of operations which landlock should act upon?

If there is a possibility here to disable features we do not need,
please make good use of it.

AFAIK the application code only uses regular files, symlinks, and directories.
And the only file mode bit we care about is the x bit.
I don't think we would ever need to create character or block devices.
Perhaps the imsg framework requires fifos or named sockets, but do
we need both?