Message ID | 20250303195056.136777-2-gnoack@google.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Series | [man,v3,1/2] landlock.7: Copy introductory description of Landlock rules |
Hi! On Mon, Mar 03, 2025 at 08:50:29PM +0100, Günther Noack wrote: > +.P > +The two existing types of rules are: BTW, I didn't want to send back the patch for another revision, so I applied it as is, but this sentence is likely to get outdated at some point. I would have removed the "two" from it. But we'll be able to remove it when/if it changes. I'm just mentioning this for future documentation. Cheers, Alex > +.TP > +.B Filesystem rules > +For these rules, the object is a file hierarchy, > +and the related filesystem actions are defined with > +.IR "filesystem access rights" . > +.TP > +.BR "Network rules" " (since ABI v4)" > +For these rules, the object is a TCP port, > +and the related actions are defined with > +.IR "network access rights" . > .\" > .SS Filesystem actions > These flags enable to restrict a sandboxed process to a > -- > 2.48.1.711.g2feabab25a-goog > >
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7 index c6b7272ea..7b7a797ad 100644 --- a/man/man7/landlock.7 +++ b/man/man7/landlock.7 @@ -39,13 +39,23 @@ the running kernel must support Landlock and it must be enabled at boot time. .\" .SS Landlock rules -A Landlock rule describes an action on an object. -An object is currently a file hierarchy, -and the related filesystem actions are defined with access rights (see -.BR landlock_add_rule (2)). +A Landlock rule describes an action on an object +which the process intends to perform. A set of rules is aggregated in a ruleset, which can then restrict the thread enforcing it, and its future children. +.P +The two existing types of rules are: +.TP +.B Filesystem rules +For these rules, the object is a file hierarchy, +and the related filesystem actions are defined with +.IR "filesystem access rights" . +.TP +.BR "Network rules" " (since ABI v4)" +For these rules, the object is a TCP port, +and the related actions are defined with +.IR "network access rights" . .\" .SS Filesystem actions These flags enable to restrict a sandboxed process to a
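Review bot: in the rewritten opening sentence under ".SS Landlock rules", the clause "which the process intends to perform" follows "object", so it reads as if the object rather than the action were being performed; "describes an action which the process intends to perform on an object" would remove the ambiguity. The removed lines also held the cross-reference ".BR landlock_add_rule (2)", and the added ".TP" entries name "filesystem access rights" and "network access rights" without saying where those rights are defined, so within this hunk the reader loses the pointer to where the access rights are documented. Consider keeping a reference to landlock_add_rule(2), or to the sections that list the rights, in one of the two new entries.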
Copy over the existing wording from kernel documentation, as it was introduced in Linux commit 51442e8d64bc ("landlock: Document network support"). Landlock rules are not only about the filesystem any more and the new wording is more appropriate. Signed-off-by: Günther Noack <gnoack@google.com> --- man/man7/landlock.7 | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-)