From: "Günther Noack" <gnoack3000@gmail.com>
To: "Alejandro Colomar" <alx@kernel.org>, "Mickaël Salaün" <mic@digikod.net>
Cc: linux-man@vger.kernel.org, "Günther Noack" <gnoack3000@gmail.com>
Subject: [PATCH 3/4] man/man[27]/{landlock_restrict_self.2,landlock.7}: Document LANDLOCK_RESTRICT_SELF_TSYNC (ABI v8)
Date: Mon, 13 Apr 2026 21:34:48 +0200
Message-ID: <20260413193446.24328-6-gnoack3000@gmail.com>
In-Reply-To: <20260413193446.24328-2-gnoack3000@gmail.com>

Document the new LANDLOCK_RESTRICT_SELF_TSYNC flag, which applies the
Landlock configuration atomically to all threads of the calling process.
Available since Linux 7.0 (Landlock ABI version 8).

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
man/man2/landlock_restrict_self.2 | 18 ++++++++++++++++++
man/man7/landlock.7 | 2 ++
2 files changed, 20 insertions(+)
diff --git a/man/man2/landlock_restrict_self.2 b/man/man2/landlock_restrict_self.2
index 9e80a40ee4a4..1265ea2feb91 100644
--- a/man/man2/landlock_restrict_self.2
+++ b/man/man2/landlock_restrict_self.2
@@ -133,6 +133,24 @@ It can also be used with a
.I ruleset_fd
value of \-1 to mute subdomain logs
without creating a domain.
+.P
+The following flag supports policy enforcement in multithreaded processes:
+.TP
+.B LANDLOCK_RESTRICT_SELF_TSYNC
+Applies the new Landlock configuration atomically
+to all threads of the current process,
+including the Landlock domain and logging configuration.
+This overrides the Landlock configuration of sibling threads,
+irrespective of previously established Landlock domains
+and logging configurations on those threads.
+.IP
+If the calling thread is running with
+.IR no_new_privs ,
+this operation enables
+.I no_new_privs
+on the sibling threads as well.
+.IP
+This flag is available since Landlock ABI version 8.
.SH RETURN VALUE
On success,
.BR landlock_restrict_self ()
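Review bot: In the LANDLOCK_RESTRICT_SELF_TSYNC entry, "This overrides the Landlock configuration of sibling threads, irrespective of previously established Landlock domains" does not say which domain a sibling ends up in when it had already restricted itself more tightly than the caller. A reader hardening a multithreaded program needs to know whether the flag can leave such a thread with fewer restrictions than before, so please state the resulting domain explicitly. The no_new_privs paragraph covers only the case where the calling thread has it set; it would help to add what happens to the siblings' no_new_privs state when the caller does not. Minor wording: the trailing clause "including the Landlock domain and logging configuration" reads as if it modified "all threads"; moving it next to "the new Landlock configuration" removes the ambiguity, and "current process" here differs from "calling process" in the commit message and "calling thread" two paragraphs later.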
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index bcf06ea30ad4..06910ccab5b1 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -476,6 +476,8 @@ _ _ _
7 6.15 LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
\^ \^ LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
\^ \^ LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
+_ _ _
+8 7.0 LANDLOCK_RESTRICT_SELF_TSYNC
.TE
.P
Users should use the Landlock ABI version rather than the kernel version
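Review bot: The table row is the only change to landlock.7 (2 lines in the diffstat), so the overview page names LANDLOCK_RESTRICT_SELF_TSYNC without any hint that it changes the scope of landlock_restrict_self from the calling thread to all threads of the process. If landlock.7 describes enforcement as per-thread elsewhere, consider adding a one-sentence pointer there to landlock_restrict_self(2) so that the two pages do not disagree for ABI 8 readers.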
--
2.53.0