Re: [PATCH v8 11/12] samples/landlock: Add network demo
From: Konstantin Meskhidze (A) <hidden>
Date: 2023-01-09 07:57:46
Also in:
linux-security-module, netfilter-devel
1/6/2023 10:34 PM, Mickaël Salaün wrote:
On 05/01/2023 04:46, Konstantin Meskhidze (A) wrote:
11/16/2022 5:25 PM, Mickaël Salaün wrote:
[...]
fprintf(stderr, "Hint: You should update the running kernel " "to leverage Landlock features "@@ -259,16 +342,36 @@ int main(const int argc, char *const argv[], char *const *const envp) access_fs_ro &= ruleset_attr.handled_access_fs; access_fs_rw &= ruleset_attr.handled_access_fs; + /* Removes bind access attribute if not supported by a user. */ + env_port_name = getenv(ENV_TCP_BIND_NAME); + if (!env_port_name) {
You can move this logic to the populate_ruleset_net() call site and update this helper to not call getenv() twice for the same variable.
But here I exclude ruleset attributes, not the rule itself. It will break the logic: creating a ruleset, then applying rules. I suggest leaving it here as is.
Right, but you can still avoid the duplicate getenv() calls.
OK. Will fix it.
+ access_net_tcp &= ~LANDLOCK_ACCESS_NET_BIND_TCP; + } + /* Removes connect access attribute if not supported by a user. */ + env_port_name = getenv(ENV_TCP_CONNECT_NAME); + if (!env_port_name) { + access_net_tcp &= ~LANDLOCK_ACCESS_NET_CONNECT_TCP; + } + ruleset_attr.handled_access_net &= access_net_tcp;.
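Review bot: the getenv(ENV_TCP_BIND_NAME) and getenv(ENV_TCP_CONNECT_NAME) results in this hunk are used only as presence tests and then discarded, so populate_ruleset_net() (as the thread points out) has to call getenv() again for the same variables; read each variable once in main(), keep the two pointers, and hand them to the helper so that the attribute masking and the rule population work from the same values. The comments "Removes bind access attribute if not supported by a user." and "Removes connect access attribute if not supported by a user." also misdescribe the condition: what is tested is whether the environment variable is set, i.e. whether the user asked for that access, not whether it is supported, so reword them (e.g. "if the user did not request it"). Finally, the two blocks differ only in the variable name and the access bit; a small helper or a loop over a {name, bit} pair would remove the duplication.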