From: Alejandro Colomar <alx@kernel.org>
To: "Günther Noack" <gnoack3000@gmail.com>
Cc: "Mickaël Salaün" <mic@digikod.net>, linux-man@vger.kernel.org
Subject: Re: [PATCH man v2] man/man7/landlock.7: Re-group description of IOCTL access right
Date: Wed, 14 Jan 2026 00:35:04 +0100 [thread overview]
Message-ID: <aWbWiK9ReypIhrj3@devuan> (raw)
In-Reply-To: <20260113192052.4703-2-gnoack3000@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 4148 bytes --]
Hi Günther,
On Tue, Jan 13, 2026 at 08:20:53PM +0100, Günther Noack wrote:
> Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right
> together with the file access rights.
>
> This group of access rights applies to files (in this case device
> files), and they can be added to file or directory inodes using
> landlock_add_rule(2). The check for that works the same for all file
> access rights, including LANDLOCK_ACCESS_FS_IOCTL_DEV.
>
> Invoking ioctl(2) on directory FDs can not currently be restricted
> with Landlock. Having it grouped separately in the documentation is a
> remnant from earlier revisions of the LANDLOCK_ACCESS_FS_IOCTL_DEV
> patch set.
>
> The same change was also done in kernel documentation, linked below.
>
> Fixes: 893db5f60c73 (2024-08-21; "landlock.7: Document Landlock ABI version 5 (IOCTL)")
> Link: https://lore.kernel.org/all/20260111175203.6545-2-gnoack3000@gmail.com/
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Thanks! Patch applied.
Have a lovely night!
Alex
> ---
> man/man7/landlock.7 | 81 ++++++++++++++++++++++-----------------------
> 1 file changed, 39 insertions(+), 42 deletions(-)
>
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 5d4a24f79..c31d513d1 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -97,6 +97,45 @@ with
> .BR O_TRUNC .
> .IP
> This access right is available since the third version of the Landlock ABI.
> +.TP
> +.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> +Invoke
> +.BR ioctl (2)
> +commands on an opened character or block device.
> +.IP
> +This access right applies to all
> +.BR ioctl (2)
> +commands implemented by device drivers.
> +However, the following common IOCTL commands continue to be invokable
> +independent of the
> +.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> +right:
> +.RS
> +.IP \[bu] 3
> +IOCTL commands targeting file descriptors
> +.RB ( FIOCLEX ,
> +.BR FIONCLEX ),
> +.IP \[bu]
> +IOCTL commands targeting file descriptions
> +.RB ( FIONBIO ,
> +.BR FIOASYNC ),
> +.IP \[bu]
> +IOCTL commands targeting file systems
> +.RB ( FIFREEZE ,
> +.BR FITHAW ,
> +.BR FIGETBSZ ,
> +.BR FS_IOC_GETFSUUID ,
> +.BR FS_IOC_GETFSSYSFSPATH )
> +.IP \[bu]
> +Some IOCTL commands which do not make sense when used with devices, but
> +whose implementations are safe and return the right error codes
> +.RB ( FS_IOC_FIEMAP ,
> +.BR FICLONE ,
> +.BR FICLONERANGE ,
> +.BR FIDEDUPERANGE )
> +.RE
> +.IP
> +This access right is available since the fifth version of the Landlock ABI.
> .P
> Whether an opened file can be truncated with
> .BR ftruncate (2)
> @@ -198,48 +237,6 @@ If multiple requirements are not met, the
> .B EACCES
> error code takes precedence over
> .BR EXDEV .
> -.P
> -The following access right
> -applies to both files and directories:
> -.TP
> -.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> -Invoke
> -.BR ioctl (2)
> -commands on an opened character or block device.
> -.IP
> -This access right applies to all
> -.BR ioctl (2)
> -commands implemented by device drivers.
> -However, the following common IOCTL commands continue to be invokable
> -independent of the
> -.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> -right:
> -.RS
> -.IP \[bu] 3
> -IOCTL commands targeting file descriptors
> -.RB ( FIOCLEX ,
> -.BR FIONCLEX ),
> -.IP \[bu]
> -IOCTL commands targeting file descriptions
> -.RB ( FIONBIO ,
> -.BR FIOASYNC ),
> -.IP \[bu]
> -IOCTL commands targeting file systems
> -.RB ( FIFREEZE ,
> -.BR FITHAW ,
> -.BR FIGETBSZ ,
> -.BR FS_IOC_GETFSUUID ,
> -.BR FS_IOC_GETFSSYSFSPATH )
> -.IP \[bu]
> -Some IOCTL commands which do not make sense when used with devices, but
> -whose implementations are safe and return the right error codes
> -.RB ( FS_IOC_FIEMAP ,
> -.BR FICLONE ,
> -.BR FICLONERANGE ,
> -.BR FIDEDUPERANGE )
> -.RE
> -.IP
> -This access right is available since the fifth version of the Landlock ABI.
> .\"
> .SS Network flags
> These flags enable to restrict a sandboxed process
> --
> 2.52.0
>
>
--
<https://www.alejandro-colomar.es>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2026-01-13 23:35 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-13 19:20 [PATCH man v2] man/man7/landlock.7: Re-group description of IOCTL access right Günther Noack
2026-01-13 23:35 ` Alejandro Colomar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aWbWiK9ReypIhrj3@devuan \
--to=alx@kernel.org \
--cc=gnoack3000@gmail.com \
--cc=linux-man@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.