From: "Günther Noack" <gnoack3000@gmail.com>
To: "Alejandro Colomar" <alx@kernel.org>, "Mickaël Salaün" <mic@digikod.net>
Cc: linux-man@vger.kernel.org, "Günther Noack" <gnoack3000@gmail.com>
Subject: [PATCH v2 3/3] man/man7/landlock.7: Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX (ABI v9)
Date: Fri, 15 May 2026 18:57:53 +0200 [thread overview]
Message-ID: <20260515165753.8830-4-gnoack3000@gmail.com> (raw)
In-Reply-To: <20260515165753.8830-1-gnoack3000@gmail.com>
Document the new LANDLOCK_ACCESS_FS_RESOLVE_UNIX filesystem access right,
which controls lookups of pathname UNIX domain sockets. Restricts both
connect(2) and sendmsg(2) with an explicit recipient address to UNIX
sockets created outside the Landlock domain (same semantics as
LANDLOCK_SCOPE_* flags). Denied attempts return EACCES.
Available since Linux 7.1 (Landlock ABI version 9).
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
man/man7/landlock.7 | 54 ++++++++++++++++++++++++++++++++++++---------
1 file changed, 44 insertions(+), 10 deletions(-)
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 60915bdd9728..55cd002d5789 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -135,6 +135,36 @@ whose implementations are safe and return the right error codes
.BR FICLONERANGE ,
.BR FIDEDUPERANGE )
.RE
+.TP
+.BR LANDLOCK_ACCESS_FS_RESOLVE_UNIX " (since Landlock ABI version 9)"
+Look up pathname UNIX
+domain sockets
+.RB ( unix (7)).
+On UNIX domain sockets,
+this restricts both calls to
+.BR connect (2)
+and
+.BR sendmsg (2)
+with an explicit recipient address.
+.IP
+This access right applies only to connections to UNIX server sockets
+which were created outside the newly created Landlock domain
+(e.g., from within a parent domain or from an unrestricted process).
+Newly created UNIX servers
+within the same Landlock domain
+continue to be accessible.
+In this regard,
+.B LANDLOCK_ACCESS_FS_RESOLVE_UNIX
+has the same semantics as the
+.BI LANDLOCK_SCOPE_ *
+flags.
+.IP
+If a resolution attempt is denied,
+the operation returns an
+.B EACCES
+error,
+in line with other filesystem access rights
+(but different to denials for abstract UNIX domain sockets).
.P
Whether an opened file can be truncated with
.BR ftruncate (2)
@@ -468,6 +498,8 @@ _ _ _
\^ \^ LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
_ _ _
8 7.0 LANDLOCK_RESTRICT_SELF_TSYNC
+_ _ _
+9 7.1 LANDLOCK_ACCESS_FS_RESOLVE_UNIX
.TE
.P
Users should use the Landlock ABI version rather than the kernel version
@@ -553,7 +585,8 @@ attr.handled_access_fs =
LANDLOCK_ACCESS_FS_MAKE_SYM |
LANDLOCK_ACCESS_FS_REFER |
LANDLOCK_ACCESS_FS_TRUNCATE |
- LANDLOCK_ACCESS_FS_IOCTL_DEV;
+ LANDLOCK_ACCESS_FS_IOCTL_DEV |
+ LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
.EE
.in
.P
@@ -568,14 +601,15 @@ and only use the available subset of access rights:
* numbers hardcoded to keep the example short.
*/
__u64 landlock_fs_access_rights[] = {
- (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1, /* v1 */
- (LANDLOCK_ACCESS_FS_REFER << 1) \- 1, /* v2: add "refer" */
- (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v3: add "truncate" */
- (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v4: TCP support */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v5: add "ioctl_dev" */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v6: same */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v7: same */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v8: same */
+ (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1, // v1
+ (LANDLOCK_ACCESS_FS_REFER << 1) \- 1, // v2: add "refer"
+ (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, // v3: add "truncate"
+ (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, // v4: TCP support
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v5: add "ioctl_dev"
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v6: same
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v7: same
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v8: same
+ (LANDLOCK_ACCESS_FS_RESOLVE_UNIX << 1) \- 1, // v9: add "resolve_unix"
};
\&
int abi = landlock_create_ruleset(NULL, 0,
@@ -588,7 +622,7 @@ if (abi == \-1) {
perror("Unable to use Landlock");
return; /* Graceful fallback: Do nothing. */
}
-abi = MIN(abi, 8);
+abi = MIN(abi, 9);
\&
/* Only use the available rights in the ruleset. */
attr.handled_access_fs &= landlock_fs_access_rights[abi \- 1];
--
2.54.0
next prev parent reply other threads:[~2026-05-15 16:58 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-15 16:57 [PATCH v2 0/3] Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX Günther Noack
2026-05-15 16:57 ` [PATCH v2 1/3] man/man7/landlock.7: Adapt compatibility in code example to ABI v8 Günther Noack
2026-05-15 16:57 ` [PATCH v2 2/3] man/man7/landlock.7: Simplify references to ABI versions Günther Noack
2026-05-15 22:54 ` Alejandro Colomar
2026-05-15 16:57 ` Günther Noack [this message]
2026-05-15 22:56 ` [PATCH v2 3/3] man/man7/landlock.7: Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX (ABI v9) Alejandro Colomar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260515165753.8830-4-gnoack3000@gmail.com \
--to=gnoack3000@gmail.com \
--cc=alx@kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.