
landlock: Improve documentation of previous limitations

Improve consistency of previous limitations' subsection titles, and
expand the IOCTL section a bit.

This changes some HTML anchors and may break some external links though.

Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://lore.kernel.org/r/20241004153122.501775-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Mickaël Salaün 2024-10-04 17:31:20 +02:00
parent 8e929cb546
commit 9803787a23
GPG Key ID: E5E3D0E88C82F6D2


@ -8,7 +8,7 @@ Landlock: unprivileged access control
===================================== =====================================
:Author: Mickaël Salaün :Author: Mickaël Salaün
:Date: September 2024 :Date: October 2024
The goal of Landlock is to enable to restrict ambient rights (e.g. global The goal of Landlock is to enable to restrict ambient rights (e.g. global
filesystem or network access) for a set of processes. Because Landlock filesystem or network access) for a set of processes. Because Landlock
@ -563,33 +563,34 @@ always allowed when using a kernel that only supports the first or second ABI.
Starting with the Landlock ABI version 3, it is now possible to securely control Starting with the Landlock ABI version 3, it is now possible to securely control
truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right. truncation thanks to the new ``LANDLOCK_ACCESS_FS_TRUNCATE`` access right.
Network support (ABI < 4) TCP bind and connect (ABI < 4)
------------------------- ------------------------------
Starting with the Landlock ABI version 4, it is now possible to restrict TCP Starting with the Landlock ABI version 4, it is now possible to restrict TCP
bind and connect actions to only a set of allowed ports thanks to the new bind and connect actions to only a set of allowed ports thanks to the new
``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP`` ``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP``
access rights. access rights.
IOCTL (ABI < 5) Device IOCTL (ABI < 5)
--------------- ----------------------
IOCTL operations could not be denied before the fifth Landlock ABI, so IOCTL operations could not be denied before the fifth Landlock ABI, so
:manpage:`ioctl(2)` is always allowed when using a kernel that only supports an :manpage:`ioctl(2)` is always allowed when using a kernel that only supports an
earlier ABI. earlier ABI.
Starting with the Landlock ABI version 5, it is possible to restrict the use of Starting with the Landlock ABI version 5, it is possible to restrict the use of
:manpage:`ioctl(2)` using the new ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right. :manpage:`ioctl(2)` on character and block devices using the new
``LANDLOCK_ACCESS_FS_IOCTL_DEV`` right.
Abstract UNIX socket scoping (ABI < 6) Abstract UNIX socket (ABI < 6)
-------------------------------------- ------------------------------
Starting with the Landlock ABI version 6, it is possible to restrict Starting with the Landlock ABI version 6, it is possible to restrict
connections to an abstract :manpage:`unix(7)` socket by setting connections to an abstract :manpage:`unix(7)` socket by setting
``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` to the ``scoped`` ruleset attribute. ``LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET`` to the ``scoped`` ruleset attribute.
Signal scoping (ABI < 6) Signal (ABI < 6)
------------------------ ----------------
Starting with the Landlock ABI version 6, it is possible to restrict Starting with the Landlock ABI version 6, it is possible to restrict
:manpage:`signal(7)` sending by setting ``LANDLOCK_SCOPE_SIGNAL`` to the :manpage:`signal(7)` sending by setting ``LANDLOCK_SCOPE_SIGNAL`` to the
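Review bot: the first paragraph of the retitled "Device IOCTL (ABI < 5)" subsection still says "IOCTL operations could not be denied before the fifth Landlock ABI" with no device qualification, while the new second paragraph narrows ``LANDLOCK_ACCESS_FS_IOCTL_DEV`` to "character and block devices"; a reader can still come away thinking the new right covers :manpage:`ioctl(2)` on any file, so consider "IOCTL operations on character and block devices could not be denied before the fifth Landlock ABI" so that both paragraphs match the new title. Since the commit message accepts that renaming these headings changes the generated HTML anchors and may break external links, adding explicit reST labels above each renamed heading (for example ``.. _landlock_ioctl:`` before "Device IOCTL (ABI < 5)") would give stable link targets that survive future retitlings.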