From: Alejandro Colomar <alx@kernel.org>
To: "Günther Noack" <gnoack3000@gmail.com>
Cc: "Mickaël Salaün" <mic@digikod.net>, linux-man@vger.kernel.org
Subject: Re: [PATCH v2 2/3] man/man7/landlock.7: Simplify references to ABI versions
Date: Sat, 16 May 2026 00:54:33 +0200
Message-ID: <agekFCPOqkvmgFL_@devuan>
In-Reply-To: <20260515165753.8830-3-gnoack3000@gmail.com>
Hi!
On 2026-05-15T18:57:52+0200, Günther Noack wrote:
> * Use cardinal numbers for referring to Landlock ABI versions,
> where possible.
>
> * Adopt the format already used in landlock_restrict_self(2),
> where the ABI versions are described next to the flag names
> in their tagged paragraphs. For example:
>
> .TP
> .BR FLAG " (since Landlock ABI version X)"
>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Patch applied; thanks!
Have a lovely night!
Alex
> ---
> man/man7/landlock.7 | 26 ++++++++------------------
> 1 file changed, 8 insertions(+), 18 deletions(-)
>
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 0e3a11489af2..60915bdd9728 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -89,7 +89,7 @@ these system calls truncate existing files when overwriting them
> .B LANDLOCK_ACCESS_FS_READ_FILE
> Open a file with read access.
> .TP
> -.B LANDLOCK_ACCESS_FS_TRUNCATE
> +.BR LANDLOCK_ACCESS_FS_TRUNCATE " (since Landlock ABI version 3)"
> Truncate a file with
> .BR truncate (2),
> .BR ftruncate (2),
> @@ -98,10 +98,8 @@ or
> .BR open (2)
> with
> .BR O_TRUNC .
> -.IP
> -This access right is available since the third version of the Landlock ABI.
> .TP
> -.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> +.BR LANDLOCK_ACCESS_FS_IOCTL_DEV " (since Landlock ABI version 5)"
> Invoke
> .BR ioctl (2)
> commands on an opened character or block device.
> @@ -137,8 +135,6 @@ whose implementations are safe and return the right error codes
> .BR FICLONERANGE ,
> .BR FIDEDUPERANGE )
> .RE
> -.IP
> -This access right is available since the fifth version of the Landlock ABI.
> .P
> Whether an opened file can be truncated with
> .BR ftruncate (2)
> @@ -191,19 +187,17 @@ Create (or rename or link) a block device.
> .B LANDLOCK_ACCESS_FS_MAKE_SYM
> Create (or rename or link) a symbolic link.
> .TP
> -.B LANDLOCK_ACCESS_FS_REFER
> +.BR LANDLOCK_ACCESS_FS_REFER " (since Landlock ABI version 2)"
> Link or rename a file from or to a different directory
> (i.e., reparent a file hierarchy).
> .IP
> -This access right is available since the second version of the Landlock ABI.
> -.IP
> This is the only access right which is denied by default by any ruleset,
> even if the right is not specified as handled at ruleset creation time.
> The only way to make a ruleset grant this right
> is to explicitly allow it for a specific directory
> by adding a matching rule to the ruleset.
> .IP
> -In particular, when using the first Landlock ABI version,
> +In particular, when using Landlock ABI version 1,
> Landlock will always deny attempts to reparent files
> between different directories.
> .IP
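Review bot: In the LANDLOCK_ACCESS_FS_REFER entry, the new tag "(since Landlock ABI version 2)" sits above a body that says the right is denied by default by any ruleset and that Landlock ABI version 1 always denies reparenting. A reader who only scans the tag lines can take "since version 2" to mean the restriction begins there, when what begins at version 2 is the ability to grant the right. Since this is the one entry where the tag and the default behaviour differ, consider having the first body paragraph say explicitly that the denial also applies under ABI version 1, so the entry does not depend on the reader reaching the "In particular, when using Landlock ABI version 1," paragraph.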
> @@ -245,14 +239,12 @@ error code takes precedence over
> These flags enable to restrict a sandboxed process
> to a set of network actions.
> .P
> -This is supported since Landlock ABI version 4.
> -.P
> The following access rights apply to TCP port numbers:
> .TP
> -.B LANDLOCK_ACCESS_NET_BIND_TCP
> +.BR LANDLOCK_ACCESS_NET_BIND_TCP " (since Landlock ABI version 4)"
> Bind a TCP socket to a local port.
> .TP
> -.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> +.BR LANDLOCK_ACCESS_NET_CONNECT_TCP " (since Landlock ABI version 4)"
> Connect an active TCP socket to a remote port.
> .\"
> .SS Scope flags
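Review bot: In the network flags section, the removed line "This is supported since Landlock ABI version 4." was the only section-level statement of the requirement. After this hunk the version is carried solely by the two .BR tag lines, so a flag added to this list later without its own "(since Landlock ABI version N)" suffix will read as having no version requirement, like the untagged filesystem rights earlier in the page. If that is the intended convention, it is worth stating in the commit message so later additions follow it. Separately, the unchanged intro line "These flags enable to restrict a sandboxed process" is ungrammatical; "These flags enable restricting" would match the "These flags enable isolating" wording of the scope flags section.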
> @@ -260,16 +252,14 @@ These flags enable isolating a sandboxed process from a set of IPC actions.
> Setting a flag for a ruleset will isolate the Landlock domain
> to forbid connections to resources outside the domain.
> .P
> -This is supported since Landlock ABI version 6.
> -.P
> The following scopes exist:
> .TP
> -.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
> +.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET " (since Landlock ABI version 6)"
> Restrict a sandboxed process from connecting to an abstract UNIX socket
> created by a process outside the related Landlock domain
> (e.g., a parent domain or a non-sandboxed process).
> .TP
> -.B LANDLOCK_SCOPE_SIGNAL
> +.BR LANDLOCK_SCOPE_SIGNAL " (since Landlock ABI version 6)"
> Restrict a sandboxed process from sending a signal
> to another process outside the domain.
> .\"
> --
> 2.54.0
>
--
<https://www.alejandro-colomar.es>