From: "Mickaël Salaün" <mic@digikod.net>
To: "Günther Noack" <gnoack@google.com>
Cc: Alejandro Colomar <alx@kernel.org>,
Konstantin Meskhidze <konstantin.meskhidze@huawei.com>,
linux-man@vger.kernel.org
Subject: Re: [PATCH 2/5] landlock_create_ruleset.2: Update docs for landlock_ruleset_attr
Date: Tue, 16 Jul 2024 16:38:16 +0200 [thread overview]
Message-ID: <20240716.Zeid7zahthei@digikod.net> (raw)
In-Reply-To: <20240715155554.2791018-3-gnoack@google.com>
On Mon, Jul 15, 2024 at 03:55:51PM +0000, Günther Noack wrote:
> This updates the documentation for struct landlock_ruleset_attr
> in line with the changed kernel documentation (see link below).
>
> Cc: Alejandro Colomar <alx@kernel.org>
> Cc: Mickaël Salaün <mic@digikod.net>
> Link: https://lore.kernel.org/all/20240711165456.2148590-2-gnoack@google.com/
> Signed-off-by: Günther Noack <gnoack@google.com>
Reviewed-by: Mickaël Salaün <mic@digikod.net>
> ---
> man/man2/landlock_create_ruleset.2 | 34 ++++++++++++++++++++++++++++--
> 1 file changed, 32 insertions(+), 2 deletions(-)
>
> diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> index 871b91dcb..105e9b062 100644
> --- a/man/man2/landlock_create_ruleset.2
> +++ b/man/man2/landlock_create_ruleset.2
> @@ -51,8 +51,38 @@ is a bitmask of handled filesystem actions
> .B Filesystem actions
> in
> .BR landlock (7)).
> -This enables simply restricting ambient rights
> -(e.g., global filesystem access) and is needed for compatibility reasons.
> +.IP
> +This structure defines a set of
> +.IR "handled access rights" ,
> +a set of actions on different object types,
> +which should be denied by default
> +when the ruleset is enacted.
> +Vice versa,
> +access rights that are not specifically listed here
> +are not going to be denied by this ruleset when it is enacted.
> +.IP
> +For historical reasons, the
> +.B LANDLOCK_ACCESS_FS_REFER
> +right is always denied by default,
> +even when its bit is not set in
> +.IR handled_access_fs .
> +In order to add new rules with this access right,
> +the bit must still be set explicitly
> +(see
> +.B Filesystem actions
> +in
> +.BR landlock (7)).
> +.IP
> +The explicit listing of
> +.I handled access rights
> +is required for backwards compatibility reasons.
> +In most use cases,
> +processes that use Landlock will
> +.I handle
> +a wide range or all access rights that they know about at build time
> +(and that they have tested with a kernel that supported them all).
> +.IP
> +This structure can grow in future Landlock versions.
> .P
> .I size
> must be specified as
> --
> 2.45.2.993.g49e7a77208-goog
>
next prev parent reply other threads:[~2024-07-16 14:38 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-15 15:55 [PATCH 0/5] landlock*: Bring documentation up to date Günther Noack
2024-07-15 15:55 ` [PATCH 1/5] landlock.7, landlock_*.2: Wording improvements Günther Noack
2024-07-15 16:13 ` Alejandro Colomar
2024-07-19 13:17 ` Günther Noack
2024-07-19 13:22 ` Alejandro Colomar
2024-07-16 14:38 ` Mickaël Salaün
2024-07-15 15:55 ` [PATCH 2/5] landlock_create_ruleset.2: Update docs for landlock_ruleset_attr Günther Noack
2024-07-16 14:38 ` Mickaël Salaün [this message]
2024-07-15 15:55 ` [PATCH 3/5] landlock_add_rule.2: Document missing reason for EINVAL Günther Noack
2024-07-16 14:38 ` Mickaël Salaün
2024-07-15 15:55 ` [PATCH 4/5] landlock.7, landlock_*.2: Document Landlock ABI version 4 Günther Noack
2024-07-16 14:38 ` Mickaël Salaün
2024-07-15 15:55 ` [PATCH 5/5] landlock.7: Document Landlock ABI version 5 (IOCTL) Günther Noack
2024-07-15 16:20 ` Alejandro Colomar
2024-07-16 14:39 ` Mickaël Salaün
2024-07-19 13:48 ` Günther Noack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240716.Zeid7zahthei@digikod.net \
--to=mic@digikod.net \
--cc=alx@kernel.org \
--cc=gnoack@google.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-man@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.