fix review idea

Zheaoli · Zheaoli · commit af206278483c · 2024-12-20T17:54:22.000+08:00
Signed-off-by: Manjusaka &lt;me@manjusaka.me&gt;
diff --git a/config.md b/config.md
@@ -353,51 +353,51 @@ For Linux-based systems, the `process` object supports the following process-spe
       CPU affinity after the process is moved to container's cgroup, and the
       final affinity is determined by the Linux kernel.
 * **`landlock`** (object, OPTIONAL) specifies the Landlock unprivileged access control settings for the container process.
-    Note that `noNewPrivileges` must be set to true to use this feature.
-    For more information about Landlock, see [Landlock documentation][landlock].
-    `landlock` contains the following properties:
-
-    * **`ruleset`** (object, OPTIONAL) the `ruleset` field identifies a set of rules (i.e., actions on objects) that need to be handled (i.e., restricted).
-    The `ruleset` currently contains the following types:
-        * **`handledAccessFS`** (array of strings, OPTIONAL) is an array of FS typed actions that are handled by a ruleset.
-        If no rule explicitly allow them, they should then be forbidden.
-        * **`handledAssessNetwork`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are handled by a ruleset. (The NETWORK typed actions are avaliable when the ABI version >= 4. the behavior of the NETWORK typed actions is not used when the ABI version is less than 4 will depend on the **`disableBestEffort`**)
-    * **`rules`** (object, OPTIONAL) the `rules` field specifies the security policies (i.e., actions allowed on objects) to be added to an existing ruleset.
-    The `rules` currently contains the following types:
-        * **`pathBeneath`** (array of objects, OPTIONAL) is an array of the file-hierarchy typed rules.
-        Entries in the array contain the following properties:
-            * **`allowedAccess`** (array of strings, OPTIONAL) is an array of FS typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description:
-                1. ABI version >= 1:
-                    1. exectute
-                    2. write_file
-                    3. read_file
-                    4. read_dir
-                    5. remove_dir
-                    6. remove_file
-                    7. make_char
-                    8. make_dir
-                    9. make_reg
-                    10. make_sock
-                    11. make_fifo
-                    12. make_block
-                    13. make_sym
-                2. ABI version >= 2:
-                    1. refer
-                3. ABI version >= 3:
-                    1. truncate
-            * **`paths`** (array of strings, OPTIONAL) is an array of files or parent directories of the file hierarchies to restrict.
-        * **`portBeneath`** (array of objects, OPTIONAL) is an array of the network-hierarchy typed rules.
-        Entries in the array contain the following properties:
-            * **`allowedAccess`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description:
-                1. ABI version >= 4:
-                    1. bind
-                    2. connect
-            * **`ports`** (array of strings, OPTIONAL) is an array of network ports to restrict.
-    * **`disableBestEffort`** (bool, OPTIONAL) the `disableBestEffort` field disables the best-effort security approach for Landlock access rights.
-    This is for conditions when the Landlock access rights explicitly configured by the container are not supported or available in the running kernel.
-    If the best-effort security approach is enabled (`false`), the runtime SHOULD enforce the strongest rules configured up to the current kernel support, and only be [logged as a warning](runtime.md#warnings) for those not supported.
-    If disabled (`true`), the runtime MUST [generate an error](runtime.md#errors) if one or more rules specified by the container is not supported.
-	Default is `false`, i.e., following a best-effort security approach.
+   Note that `noNewPrivileges` must be set to true to use this feature.
+   For more information about Landlock, see [Landlock documentation][landlock].
+   `landlock` contains the following properties:
+
+   * **`handledAccess`** (object, OPTIONAL) specifies the access rights that will be restricted by the ruleset.
+   The `handledAccess` currently contains the following types:
+       * **`handledAccessFS`** (array of strings, OPTIONAL) is an array of FS typed actions that are handled by a ruleset.
+       If no rule explicitly allow them, they should then be forbidden.
+       * **`handledAccessNetwork`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are handled by a ruleset. (The NETWORK typed actions are available when the ABI version >= 4. The behavior when the ABI version is less than 4 will depend on the **`enableBestEffort`**)
+   * **`rules`** (object, OPTIONAL) specifies the security policies (i.e., actions allowed on objects) to be enforced.
+   The `rules` currently contains the following types:
+       * **`pathBeneath`** (array of objects, OPTIONAL) is an array of the file-hierarchy typed rules.
+       Entries in the array contain the following properties:
+           * **`allowedAccess`** (array of strings, OPTIONAL) is an array of FS typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description:
+               1. ABI version >= 1:
+                   1. execute
+                   2. write_file
+                   3. read_file
+                   4. read_dir
+                   5. remove_dir
+                   6. remove_file
+                   7. make_char
+                   8. make_dir
+                   9. make_reg
+                   10. make_sock
+                   11. make_fifo
+                   12. make_block
+                   13. make_sym
+               2. ABI version >= 2:
+                   1. refer
+               3. ABI version >= 3:
+                   1. truncate
+           * **`paths`** (array of strings, OPTIONAL) is an array of files or parent directories of the file hierarchies to restrict.
+       * **`networkPort`** (array of objects, OPTIONAL) is an array of the network socket rules.
+       Entries in the array contain the following properties:
+           * **`allowedAccess`** (array of strings, OPTIONAL) is an array of NETWORK typed actions that are allowed by a rule. The actions are grouped by the ABI version in the following description:
+               1. ABI version >= 4:
+                   1. bind
+                   2. connect
+           * **`ports`** (array of strings, OPTIONAL) is an array of network ports to restrict.
+   * **`enableBestEffort`** (bool, OPTIONAL) the `enableBestEffort` field disables the best-effort security approach for Landlock access rights.
+   This is for conditions when the Landlock access rights explicitly configured by the container are not supported or available in the running kernel.
+   If the best-effort security approach is enabled (`false`), the runtime SHOULD enforce the strongest rules configured up to the current kernel support, and only be [logged as a warning](runtime.md#warnings) for those not supported.
+   If disabled (`true`), the runtime MUST [generate an error](runtime.md#errors) if one or more rules specified by the container is not supported.
+   Default is `true`, i.e., following a best-effort security approach.
 
 ### <a name="configUser" />User
 
@@ -444,7 +444,7 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
         "priority": 4
     },
     "landlock": {
-        "ruleset": {
+        "handledAccess": {
             "handledAccessFS": [
                 "execute",
                 "write_file",
@@ -462,7 +462,7 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
                 "refer",
                 "truncate"
             ],
-            "handledAssessNetwork": [
+            "handledAccessNetwork": [
                 "bind",
                 "connect"
             ]
@@ -501,7 +501,7 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
                     ]
                 }
             ],
-            "portBeneath": [
+            "networkPort": [
                 {
                     "allowedAccess": [
                         "bind",
@@ -514,7 +514,7 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
                 }
             ]
         },
-        "disableBestEffort": false
+        "enableBestEffort": true
     },
     "noNewPrivileges": true,
     "capabilities": {
diff --git a/schema/config-schema.json b/schema/config-schema.json
@@ -166,13 +166,13 @@
                 "landlock": {
                     "type": "object",
                     "properties": {
-                        "ruleset": {
-                            "$ref": "defs.json#/definitions/LandlockRuleset"
+                        "handledAccess": {
+                            "$ref": "defs.json#/definitions/LandlockHandledAccess"
                         },
                         "rules": {
                             "$ref": "defs.json#/definitions/LandlockRules"
                         },
-                        "disableBestEffort": {
+                        "enableBestEffort": {
                             "type": "boolean"
                         }
                     }
diff --git a/schema/defs.json b/schema/defs.json
@@ -80,7 +80,7 @@
                 "type": "string"
             }
         },
-        "ArrayOfPorts":{
+        "ArrayOfPorts": {
             "type": "array",
             "items": {
                 "$ref": "#/definitions/port"
@@ -216,16 +216,16 @@
                 "$ref": "#/definitions/LandlockNetworkAction"
             }
         },
-        "LandlockRuleset": {
+        "LandlockHandledAccess": {
             "type": "object",
-             "properties": {
-                 "handledAccessFS": {
-                     "$ref": "#/definitions/ArrayOfLandlockFSActions"
-                 },
-                 "handledAssessNetwork": {
-                      "$ref": "#/definitions/ArrayOfLandlockNetworkActions"
-                 }
-             }
+            "properties": {
+                "handledAccessFS": {
+                    "$ref": "#/definitions/ArrayOfLandlockFSActions"
+                },
+                "handledAccessNetwork": {
+                    "$ref": "#/definitions/ArrayOfLandlockNetworkActions"
+                }
+            }
         },
         "LandlockRulePathBeneath": {
             "type": "object",
@@ -238,13 +238,13 @@
                 }
             }
         },
-        "LandlockRulePortBeneath": {
+        "LandlockRuleNetworkPort": {
             "type": "object",
             "properties": {
                 "allowedAccess": {
                     "$ref": "#/definitions/ArrayOfLandlockNetworkActions"
                 },
-                "paths": {
+                "ports": {
                     "$ref": "#/definitions/ArrayOfPorts"
                 }
             }
@@ -255,17 +255,20 @@
                 "$ref": "#/definitions/LandlockRulePathBeneath"
             }
         },
-        "ArrayOfLandlockRulePortBeneaths": {
+        "ArrayOfLandlockRuleNetworkPorts": {
             "type": "array",
             "items": {
-                "$ref": "#/definitions/LandlockRulePortBeneath"
+                "$ref": "#/definitions/LandlockRuleNetworkPort"
             }
         },
         "LandlockRules": {
             "type": "object",
             "properties": {
                 "pathBeneath": {
                     "$ref": "#/definitions/ArrayOfLandlockRulePathBeneaths"
+                },
+                "networkPort": {
+                    "$ref": "#/definitions/ArrayOfLandlockRuleNetworkPorts"
                 }
             }
         }
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -103,55 +103,53 @@ type Process struct {
 
 // Landlock specifies the Landlock unprivileged access control settings for the container process.
 type Landlock struct {
-	// Ruleset identifies a set of rules (i.e., actions on objects) that need to be handled.
-	Ruleset *LandlockRuleset `json:"ruleset,omitempty" platform:"linux"`
-	// Rules are the security policies (i.e., actions allowed on objects) to be added to an existing ruleset.
+	// HandledAccess specifies the access rights that will be restricted by the ruleset.
+	HandledAccess *LandlockHandledAccess `json:"handledAccess,omitempty" platform:"linux"`
+	// Rules are the security policies (i.e., actions allowed on objects) to be enforced.
 	Rules *LandlockRules `json:"rules,omitempty" platform:"linux"`
-	// DisableBestEffort disables the best-effort security approach for Landlock access rights.
+	// EnableBestEffort disables the best-effort security approach for Landlock access rights.
 	// This is for conditions when the Landlock access rights explicitly configured by the container are not
 	// supported or available in the running kernel.
 	// Default is false, i.e., following a best-effort security approach.
-	DisableBestEffort bool `json:"disableBestEffort,omitempty" platform:"linux"`
+	EnableBestEffort bool `json:"enableBestEffort,omitempty" platform:"linux"`
 }
 
-// LandlockRuleset identifies a set of rules (i.e., actions on objects) that need to be handled.
-type LandlockRuleset struct {
-	// HandledAccessFS is a list of actions that is handled by this ruleset and should then be
-	// forbidden if no rule explicitly allow them.
+// LandlockHandledAccess specifies the access rights that will be restricted by the ruleset.
+type LandlockHandledAccess struct {
+	// HandledAccessFS specifies filesystem actions that will be restricted unless explicitly allowed by rules.
 	HandledAccessFS []LandlockFSAction `json:"handledAccessFS,omitempty" platform:"linux"`
-	// HandledAccessNetwork is a list of actions that is handled by this ruleset and should then be
-	// forbidden if no rule explicitly allow them.
+	// HandledAccessNetwork specifies network actions that will be restricted unless explicitly allowed by rules.
 	HandledAccessNetwork []LandlockNetworkAction `json:"handledAccessNetwork,omitempty" platform:"linux"`
 }
 
 // LandlockRules represents the security policies (i.e., actions allowed on objects).
 type LandlockRules struct {
-	// PathBeneath specifies the file-hierarchy typed rules.
+	// PathBeneath specifies file-hierarchy access rules.
 	PathBeneath []LandlockRulePathBeneath `json:"pathBeneath,omitempty" platform:"linux"`
-	// PortBeneath specifies the network-socket typed rules.
-	PortBeneath []LandlockRulePortBeneath `json:"portBeneath,omitempty" platform:"linux"`
+	// NetworkPort specifies network socket access rules.
+	NetworkPort []LandlockRuleNetworkPort `json:"networkPort,omitempty" platform:"linux"`
 }
 
-// LandlockRulePathBeneath defines the file-hierarchy typed rule that grants the access rights specified by
-// `AllowedAccess` to the file hierarchies under the given `Paths`.
+// LandlockRulePathBeneath grants filesystem access rights to hierarchies under specified paths.
 type LandlockRulePathBeneath struct {
-	// AllowedAccess contains a list of allowed filesystem actions for the file hierarchies.
+	// AllowedAccess lists allowed filesystem actions for the file hierarchies.
 	AllowedAccess []LandlockFSAction `json:"allowedAccess,omitempty" platform:"linux"`
 	// Paths are the files or parent directories of the file hierarchies to restrict.
 	Paths []string `json:"paths,omitempty" platform:"linux"`
 }
 
-type LandlockRulePortBeneath struct {
-	// AllowedAccess contains a list of allowed network actions for the network sockets.
+// LandlockRuleNetworkPort grants network access rights to specified ports.
+type LandlockRuleNetworkPort struct {
+	// AllowedAccess lists allowed network actions for the network sockets.
 	AllowedAccess []LandlockNetworkAction `json:"allowedAccess,omitempty" platform:"linux"`
 	// Ports are the network ports to restrict.
 	Ports []string `json:"ports,omitempty" platform:"linux"`
 }
 
-// LandlockFSAction used to specify the FS actions that are handled by a ruleset or allowed by a rule.
+// LandlockFSAction specifies filesystem actions that can be restricted by Landlock.
 type LandlockFSAction string
 
-// Define actions on files and directories that Landlock can restrict a sandboxed process to.
+// Actions on files and directories that Landlock can restrict a sandboxed process to
 const (
 	LLFSActExecute    LandlockFSAction = "execute"
 	LLFSActWriteFile  LandlockFSAction = "write_file"
@@ -170,6 +168,7 @@ const (
 	LLFSActTruncate   LandlockFSAction = "truncate"
 )
 
+// LandlockNetworkAction specifies network actions that can be restricted by Landlock.
 type LandlockNetworkAction string
 
 const (
