* [PATCH v4] landlock: Expand restrict flags example for ABI version 8
@ 2026-03-04 18:13 Panagiotis "Ivory" Vasilopoulos
2026-03-23 18:56 ` Mickaël Salaün
0 siblings, 1 reply; 5+ messages in thread
From: Panagiotis "Ivory" Vasilopoulos @ 2026-03-04 18:13 UTC (permalink / raw)
To: Mickaël Salaün, Günther Noack, Jonathan Corbet,
Shuah Khan
Cc: linux-security-module, linux-doc, linux-kernel, Dan Cojocaru
Add LANDLOCK_RESTRICT_SELF_TSYNC to the backwards compatibility example
for restrict flags. This introduces completeness, similar to that of
the ruleset attributes example. However, as the new example can impact
enforcement in certain cases, an appropriate warning is also included.
Additionally, I modified the two comments of the example to make them
more consistent with the ruleset attributes example's.
Signed-off-by: Panagiotis 'Ivory' Vasilopoulos <git@n0toose.net>
Co-developed-by: Dan Cojocaru <dan@dcdev.ro>
Signed-off-by: Dan Cojocaru <dan@dcdev.ro>
---
Changes in v4:
- Make warning somewhat more terse, merge comments.
- Remove some sensationalization. ("Don't copy-paste this just yet!")
- Apply Günther's suggestion (v3 "recycled" some phrases, was long)
- ... but also retain some of the wording on ABI differences
- Provide a brief overview that contextualizes the example further:
- Clarify the difference behind ABI < 8 & ABI v8, to avoid
misunderstandings on which option is the default.
- Make "linear reading" easier.
- Based on Mickaël's feedback: Avoid cans of worms w.r.t. use cases
- Link to v3: https://lore.kernel.org/r/20260228-landlock-docs-add-tsync-example-v3-1-140ab50f0524@n0toose.net
Changes in v3:
- Add __attribute__((fallthrough)) like in earlier example.
- Improve comment for LANDLOCK_RESTRICT_SELF_TSYNC (ABI < 8) example.
- Add relevant warning for ABI < 8 example based on Günther's feedback.
- Link to v2: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v2-1-60990986bba5@n0toose.net
Changes in v2:
- Fix formatting error.
- Link to v1: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v1-1-f89383809eb4@n0toose.net
---
Documentation/userspace-api/landlock.rst | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 13134bccdd39d78ddce3daf454f32dda162ce91b..64c7138a788d74f99da0a71428da392b3d873bf8 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -196,13 +196,27 @@ similar backwards compatibility check is needed for the restrict flags
(see sys_landlock_restrict_self() documentation for available flags):
.. code-block:: c
-
- __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
- if (abi < 7) {
- /* Clear logging flags unsupported before ABI 7. */
+ __u32 restrict_flags =
+ LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
+ LANDLOCK_RESTRICT_SELF_TSYNC;
+ switch (abi) {
+ case 1 ... 6:
+ /* Clear logging flags unsupported for ABI < 7 */
restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
+ __attribute__((fallthrough));
+ case 7:
+ /*
+ * Removes multithreaded enforcement flag unsupported for ABI < 8
+ *
+ * WARNING: Without this flag, calling landlock_restrict_self(2) is
+ * only equivalent if the calling process is single-threaded. Below
+ * ABI v8 (and as of ABI v8, when not using this flag), a Landlock
+ * policy would only be enforced for the calling thread and its
+ * children (and not for all threads, including parents and siblings).
+ */
+ restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
}
The next step is to restrict the current thread from gaining more privileges
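Review bot: the lone "-" line directly under ".. code-block:: c" deletes the blank line that separates the directive from its content, and no "+" blank line is added back, so after this patch the "__u32 restrict_flags =" line follows the directive immediately. reStructuredText expects an empty line between a directive's argument and its content; without one the first code line is read as part of the directive's arguments and the block does not render as intended. Keep the blank line as unchanged context and start the replacement at the "__u32 restrict_flags =" line.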
---
base-commit: ceb977bfe9e8715e6cd3a4785c7aab8ea5cd2b77
change-id: 20260221-landlock-docs-add-tsync-example-e8fd5c64a366
Best regards,
--
Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
* Re: [PATCH v4] landlock: Expand restrict flags example for ABI version 8
2026-03-04 18:13 [PATCH v4] landlock: Expand restrict flags example for ABI version 8 Panagiotis "Ivory" Vasilopoulos
@ 2026-03-23 18:56 ` Mickaël Salaün
2026-03-24 9:48 ` Günther Noack
0 siblings, 1 reply; 5+ messages in thread
From: Mickaël Salaün @ 2026-03-23 18:56 UTC (permalink / raw)
To: Panagiotis "Ivory" Vasilopoulos
Cc: Günther Noack, Jonathan Corbet, Shuah Khan,
linux-security-module, linux-doc, linux-kernel, Dan Cojocaru
Thanks! I pushed your patch in next with a minor fix.
Günther, does it look good to you?
On Wed, Mar 04, 2026 at 07:13:04PM +0100, Panagiotis "Ivory" Vasilopoulos wrote:
> Add LANDLOCK_RESTRICT_SELF_TSYNC to the backwards compatibility example
> for restrict flags. This introduces completeness, similar to that of
> the ruleset attributes example. However, as the new example can impact
> enforcement in certain cases, an appropriate warning is also included.
>
> Additionally, I modified the two comments of the example to make them
> more consistent with the ruleset attributes example's.
>
> Signed-off-by: Panagiotis 'Ivory' Vasilopoulos <git@n0toose.net>
> Co-developed-by: Dan Cojocaru <dan@dcdev.ro>
> Signed-off-by: Dan Cojocaru <dan@dcdev.ro>
> ---
> Changes in v4:
> - Make warning somewhat more terse, merge comments.
> - Remove some sensationalization. ("Don't copy-paste this just yet!")
> - Apply Günther's suggestion (v3 "recycled" some phrases, was long)
> - ... but also retain some of the wording on ABI differences
> - Provide a brief overview that contextualizes the example further:
> - Clarify the difference behind ABI < 8 & ABI v8, to avoid
> misunderstandings on which option is the default.
> - Make "linear reading" easier.
> - Based on Mickaël's feedback: Avoid cans of worms w.r.t. use cases
> - Link to v3: https://lore.kernel.org/r/20260228-landlock-docs-add-tsync-example-v3-1-140ab50f0524@n0toose.net
>
> Changes in v3:
> - Add __attribute__((fallthrough)) like in earlier example.
> - Improve comment for LANDLOCK_RESTRICT_SELF_TSYNC (ABI < 8) example.
> - Add relevant warning for ABI < 8 example based on Günther's feedback.
> - Link to v2: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v2-1-60990986bba5@n0toose.net
>
> Changes in v2:
> - Fix formatting error.
> - Link to v1: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v1-1-f89383809eb4@n0toose.net
> ---
> Documentation/userspace-api/landlock.rst | 22 ++++++++++++++++++----
> 1 file changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 13134bccdd39d78ddce3daf454f32dda162ce91b..64c7138a788d74f99da0a71428da392b3d873bf8 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -196,13 +196,27 @@ similar backwards compatibility check is needed for the restrict flags
> (see sys_landlock_restrict_self() documentation for available flags):
>
> .. code-block:: c
> -
> - __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
> - if (abi < 7) {
> - /* Clear logging flags unsupported before ABI 7. */
> + __u32 restrict_flags =
> + LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> + LANDLOCK_RESTRICT_SELF_TSYNC;
> + switch (abi) {
> + case 1 ... 6:
> + /* Clear logging flags unsupported for ABI < 7 */
> restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
> LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
> + __attribute__((fallthrough));
> + case 7:
> + /*
> + * Removes multithreaded enforcement flag unsupported for ABI < 8
> + *
> + * WARNING: Without this flag, calling landlock_restrict_self(2) is
> + * only equivalent if the calling process is single-threaded. Below
> + * ABI v8 (and as of ABI v8, when not using this flag), a Landlock
> + * policy would only be enforced for the calling thread and its
> + * children (and not for all threads, including parents and siblings).
> + */
> + restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
> }
>
> The next step is to restrict the current thread from gaining more privileges
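Review bot: "case 1 ... 6:" is a GNU C case range rather than ISO C, and this block is userspace-facing documentation that readers will paste into their own programs, some of them built with -pedantic or a non-GNU compiler. Either note the extension in a comment, or keep the removed "if (abi < 7)" form for the logging flags and follow it with "if (abi < 8)" for LANDLOCK_RESTRICT_SELF_TSYNC, which expresses the same ordering and drops the need for "__attribute__((fallthrough));".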
>
> ---
> base-commit: ceb977bfe9e8715e6cd3a4785c7aab8ea5cd2b77
> change-id: 20260221-landlock-docs-add-tsync-example-e8fd5c64a366
>
> Best regards,
> --
> Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
>
>
* Re: [PATCH v4] landlock: Expand restrict flags example for ABI version 8
2026-03-23 18:56 ` Mickaël Salaün
@ 2026-03-24 9:48 ` Günther Noack
2026-03-24 15:06 ` Mickaël Salaün
0 siblings, 1 reply; 5+ messages in thread
From: Günther Noack @ 2026-03-24 9:48 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Panagiotis "Ivory" Vasilopoulos, Jonathan Corbet,
Shuah Khan, linux-security-module, linux-doc, linux-kernel,
Dan Cojocaru
Hello!
On Mon, Mar 23, 2026 at 07:56:21PM +0100, Mickaël Salaün wrote:
> Thanks! I pushed your patch in next with a minor fix.
>
> Günther, does it look good to you?
>
> On Wed, Mar 04, 2026 at 07:13:04PM +0100, Panagiotis "Ivory" Vasilopoulos wrote:
> > Add LANDLOCK_RESTRICT_SELF_TSYNC to the backwards compatibility example
> > for restrict flags. This introduces completeness, similar to that of
> > the ruleset attributes example. However, as the new example can impact
> > enforcement in certain cases, an appropriate warning is also included.
> >
> > Additionally, I modified the two comments of the example to make them
> > more consistent with the ruleset attributes example's.
> >
> > Signed-off-by: Panagiotis 'Ivory' Vasilopoulos <git@n0toose.net>
> > Co-developed-by: Dan Cojocaru <dan@dcdev.ro>
> > Signed-off-by: Dan Cojocaru <dan@dcdev.ro>
> > ---
> > Changes in v4:
> > - Make warning somewhat more terse, merge comments.
> > - Remove some sensationalization. ("Don't copy-paste this just yet!")
> > - Apply Günther's suggestion (v3 "recycled" some phrases, was long)
> > - ... but also retain some of the wording on ABI differences
> > - Provide a brief overview that contextualizes the example further:
> > - Clarify the difference behind ABI < 8 & ABI v8, to avoid
> > misunderstandings on which option is the default.
> > - Make "linear reading" easier.
> > - Based on Mickaël's feedback: Avoid cans of worms w.r.t. use cases
> > - Link to v3: https://lore.kernel.org/r/20260228-landlock-docs-add-tsync-example-v3-1-140ab50f0524@n0toose.net
> >
> > Changes in v3:
> > - Add __attribute__((fallthrough)) like in earlier example.
> > - Improve comment for LANDLOCK_RESTRICT_SELF_TSYNC (ABI < 8) example.
> > - Add relevant warning for ABI < 8 example based on Günther's feedback.
> > - Link to v2: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v2-1-60990986bba5@n0toose.net
> >
> > Changes in v2:
> > - Fix formatting error.
> > - Link to v1: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v1-1-f89383809eb4@n0toose.net
> > ---
> > Documentation/userspace-api/landlock.rst | 22 ++++++++++++++++++----
> > 1 file changed, 18 insertions(+), 4 deletions(-)
> >
> > diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> > index 13134bccdd39d78ddce3daf454f32dda162ce91b..64c7138a788d74f99da0a71428da392b3d873bf8 100644
> > --- a/Documentation/userspace-api/landlock.rst
> > +++ b/Documentation/userspace-api/landlock.rst
> > @@ -196,13 +196,27 @@ similar backwards compatibility check is needed for the restrict flags
> > (see sys_landlock_restrict_self() documentation for available flags):
> >
> > .. code-block:: c
> > -
> > - __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
> > - if (abi < 7) {
> > - /* Clear logging flags unsupported before ABI 7. */
> > + __u32 restrict_flags =
> > + LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> > + LANDLOCK_RESTRICT_SELF_TSYNC;
> > + switch (abi) {
> > + case 1 ... 6:
> > + /* Clear logging flags unsupported for ABI < 7 */
> > restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
> > LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> > LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
> > + __attribute__((fallthrough));
> > + case 7:
> > + /*
> > + * Removes multithreaded enforcement flag unsupported for ABI < 8
> > + *
> > + * WARNING: Without this flag, calling landlock_restrict_self(2) is
> > + * only equivalent if the calling process is single-threaded. Below
> > + * ABI v8 (and as of ABI v8, when not using this flag), a Landlock
> > + * policy would only be enforced for the calling thread and its
> > + * children (and not for all threads, including parents and siblings).
> > + */
> > + restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
> > }
> >
> > The next step is to restrict the current thread from gaining more privileges
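Review bot: in the "case 7" comment, "is only equivalent if the calling process is single-threaded" never says what the call is equivalent to, so the reader has to infer that the comparison is with the same call made with LANDLOCK_RESTRICT_SELF_TSYNC set. Name the comparison explicitly, for example "without this flag, landlock_restrict_self(2) only behaves like the TSYNC variant when the calling process is single-threaded". The summary line also switches from the imperative "Clear logging flags ..." used in the first case to "Removes ..."; "Clear multithreaded enforcement flag unsupported for ABI < 8" would match it.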
> >
> > ---
> > base-commit: ceb977bfe9e8715e6cd3a4785c7aab8ea5cd2b77
> > change-id: 20260221-landlock-docs-add-tsync-example-e8fd5c64a366
> >
> > Best regards,
> > --
> > Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
> >
> >
Apologies for the delay, this must have slipped through the cracks.
Thanks for bringing it up again. Yes, this looks good.
Signed-off-by: Günther Noack <gnoack@google.com>
—Günther
* Re: [PATCH v4] landlock: Expand restrict flags example for ABI version 8
2026-03-24 9:48 ` Günther Noack
@ 2026-03-24 15:06 ` Mickaël Salaün
2026-03-24 15:30 ` Günther Noack
0 siblings, 1 reply; 5+ messages in thread
From: Mickaël Salaün @ 2026-03-24 15:06 UTC (permalink / raw)
To: Günther Noack
Cc: Panagiotis "Ivory" Vasilopoulos, Jonathan Corbet,
Shuah Khan, linux-security-module, linux-doc, linux-kernel,
Dan Cojocaru
On Tue, Mar 24, 2026 at 10:48:29AM +0100, Günther Noack wrote:
> Hello!
>
> On Mon, Mar 23, 2026 at 07:56:21PM +0100, Mickaël Salaün wrote:
> > Thanks! I pushed your patch in next with a minor fix.
> >
> > Günther, does it look good to you?
> >
> > On Wed, Mar 04, 2026 at 07:13:04PM +0100, Panagiotis "Ivory" Vasilopoulos wrote:
> > > Add LANDLOCK_RESTRICT_SELF_TSYNC to the backwards compatibility example
> > > for restrict flags. This introduces completeness, similar to that of
> > > the ruleset attributes example. However, as the new example can impact
> > > enforcement in certain cases, an appropriate warning is also included.
> > >
> > > Additionally, I modified the two comments of the example to make them
> > > more consistent with the ruleset attributes example's.
> > >
> > > Signed-off-by: Panagiotis 'Ivory' Vasilopoulos <git@n0toose.net>
> > > Co-developed-by: Dan Cojocaru <dan@dcdev.ro>
> > > Signed-off-by: Dan Cojocaru <dan@dcdev.ro>
> > > ---
> > > Changes in v4:
> > > - Make warning somewhat more terse, merge comments.
> > > - Remove some sensationalization. ("Don't copy-paste this just yet!")
> > > - Apply Günther's suggestion (v3 "recycled" some phrases, was long)
> > > - ... but also retain some of the wording on ABI differences
> > > - Provide a brief overview that contextualizes the example further:
> > > - Clarify the difference behind ABI < 8 & ABI v8, to avoid
> > > misunderstandings on which option is the default.
> > > - Make "linear reading" easier.
> > > - Based on Mickaël's feedback: Avoid cans of worms w.r.t. use cases
> > > - Link to v3: https://lore.kernel.org/r/20260228-landlock-docs-add-tsync-example-v3-1-140ab50f0524@n0toose.net
> > >
> > > Changes in v3:
> > > - Add __attribute__((fallthrough)) like in earlier example.
> > > - Improve comment for LANDLOCK_RESTRICT_SELF_TSYNC (ABI < 8) example.
> > > - Add relevant warning for ABI < 8 example based on Günther's feedback.
> > > - Link to v2: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v2-1-60990986bba5@n0toose.net
> > >
> > > Changes in v2:
> > > - Fix formatting error.
> > > - Link to v1: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v1-1-f89383809eb4@n0toose.net
> > > ---
> > > Documentation/userspace-api/landlock.rst | 22 ++++++++++++++++++----
> > > 1 file changed, 18 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> > > index 13134bccdd39d78ddce3daf454f32dda162ce91b..64c7138a788d74f99da0a71428da392b3d873bf8 100644
> > > --- a/Documentation/userspace-api/landlock.rst
> > > +++ b/Documentation/userspace-api/landlock.rst
> > > @@ -196,13 +196,27 @@ similar backwards compatibility check is needed for the restrict flags
> > > (see sys_landlock_restrict_self() documentation for available flags):
> > >
> > > .. code-block:: c
> > > -
> > > - __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
> > > - if (abi < 7) {
> > > - /* Clear logging flags unsupported before ABI 7. */
> > > + __u32 restrict_flags =
> > > + LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> > > + LANDLOCK_RESTRICT_SELF_TSYNC;
> > > + switch (abi) {
> > > + case 1 ... 6:
> > > + /* Clear logging flags unsupported for ABI < 7 */
> > > restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
> > > LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> > > LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
> > > + __attribute__((fallthrough));
> > > + case 7:
> > > + /*
> > > + * Removes multithreaded enforcement flag unsupported for ABI < 8
> > > + *
> > > + * WARNING: Without this flag, calling landlock_restrict_self(2) is
> > > + * only equivalent if the calling process is single-threaded. Below
> > > + * ABI v8 (and as of ABI v8, when not using this flag), a Landlock
> > > + * policy would only be enforced for the calling thread and its
> > > + * children (and not for all threads, including parents and siblings).
> > > + */
> > > + restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
> > > }
> > >
> > > The next step is to restrict the current thread from gaining more privileges
> > >
> > > ---
> > > base-commit: ceb977bfe9e8715e6cd3a4785c7aab8ea5cd2b77
> > > change-id: 20260221-landlock-docs-add-tsync-example-e8fd5c64a366
> > >
> > > Best regards,
> > > --
> > > Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
> > >
> > >
>
> Apologies for the delay, this must have slipped through the cracks.
> Thanks for bringing it up again. Yes, this looks good.
>
> Signed-off-by: Günther Noack <gnoack@google.com>
Shouldn't it be a Reviewed-by?
* Re: [PATCH v4] landlock: Expand restrict flags example for ABI version 8
2026-03-24 15:06 ` Mickaël Salaün
@ 2026-03-24 15:30 ` Günther Noack
0 siblings, 0 replies; 5+ messages in thread
From: Günther Noack @ 2026-03-24 15:30 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Panagiotis "Ivory" Vasilopoulos, Jonathan Corbet,
Shuah Khan, linux-security-module, linux-doc, linux-kernel,
Dan Cojocaru
On Tue, Mar 24, 2026 at 04:06:01PM +0100, Mickaël Salaün wrote:
> On Tue, Mar 24, 2026 at 10:48:29AM +0100, Günther Noack wrote:
> > Apologies for the delay, this must have slipped through the cracks.
> > Thanks for bringing it up again. Yes, this looks good.
> >
> > Signed-off-by: Günther Noack <gnoack@google.com>
>
> Shouldn't it be a Reviewed-by?
Absolutely, thanks! I meant to send a Reviewed-by.
Please ignore the previous message.
Reviewed-by: Günther Noack <gnoack@google.com>
—Günther