From: "Günther Noack" <gnoack3000@gmail.com>
To: "Alejandro Colomar" <alx.manpages@gmail.com>,
"Mickaël Salaün" <mic@digikod.net>
Cc: "Michael Kerrisk" <mtk.manpages@gmail.com>,
linux-man@vger.kernel.org, "Günther Noack" <gnoack3000@gmail.com>
Subject: [PATCH v4 3/3] landlock.7: Give a pointer to how to implement a fallback mechanism
Date: Fri, 10 Mar 2023 23:08:51 +0100
Message-ID: <20230310220851.22261-3-gnoack3000@gmail.com>
In-Reply-To: <20230310220851.22261-1-gnoack3000@gmail.com>
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
man7/landlock.7 | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/man7/landlock.7 b/man7/landlock.7
index 9c305edef..c173cbb98 100644
--- a/man7/landlock.7
+++ b/man7/landlock.7
@@ -393,12 +393,14 @@ accessible through these system call families:
Future Landlock evolutions will enable to restrict them.
.SH EXAMPLES
We first need to create the ruleset that will contain our rules.
+.PP
For this example,
the ruleset will contain rules that only allow read actions,
but write actions will be denied.
The ruleset then needs to handle both of these kinds of actions.
-See below for the description of filesystem actions.
-.PP
+See the
+.B DESCRIPTION
+section for the description of filesystem actions.
.in +4n
.EX
struct landlock_ruleset_attr attr = {0};
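Review bot: The removed `.PP` was the paragraph break between the prose and the `.in +4n` / `.EX` example, so after this hunk the sentence ending "section for the description of filesystem actions." runs straight into the indented code block. The new `.PP` added after "We first need to create the ruleset..." does not replace it. Suggest keeping a `.PP` directly before `.in +4n`, matching the `.EE` / `.in` / `.PP` sequence that closes the same example in the next hunk. The commit message also has no body, and the subject does not mention this rewording of the "See below" reference, so a one-line note on it would help.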
@@ -429,6 +431,16 @@ if (ruleset_fd == \-1) {
.EE
.in
.PP
+The ruleset we have constructed requires Landlock ABI version 3 or higher.
+On kernels which do not provide that,
+the call to
+.BR landlock_create_ruleset (2)
+will fail.
+You can build a more graceful fallback mechanism
+by using the version compatibility table from the
+.B VERSIONS
+section.
+.PP
We can now add a new rule to this ruleset thanks to the returned file
descriptor referring to this ruleset.
The rule will only allow reading the file hierarchy
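Review bot: The added paragraph says that landlock_create_ruleset(2) "will fail" on kernels without ABI version 3, but it does not say how a program finds out which ABI version the running kernel provides. It only points at the table in VERSIONS. Since the stated goal is a fallback mechanism, consider adding a sentence that the supported ABI version can be queried by calling landlock_create_ruleset(2) with the LANDLOCK_CREATE_RULESET_VERSION flag, and that the handled_access_fs bits not available in that version should be cleared before creating the ruleset. It would also help to state which error the failing call reports, so that readers can tell this case apart from other failures in the `ruleset_fd == \-1` branch shown just above.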
--
2.39.2
Thread overview: 7+ messages
2023-03-10 22:08 [PATCH v4 1/3] landlock.7: Document Landlock ABI v2 (file reparenting; Linux 5.19) Günther Noack
2023-03-10 22:08 ` [PATCH v4 2/3] landlock.7: Document Landlock ABI v3 (file truncation; Linux 6.2) Günther Noack
2023-03-10 22:08 ` Günther Noack [this message]
2023-03-15 21:39 ` [PATCH v4 3/3] landlock.7: Give a pointer to how to implement a fallback mechanism Mickaël Salaün
2023-03-16 6:54 ` Günther Noack
2023-03-16 13:33 ` Alejandro Colomar
2023-03-23 11:49 ` Mickaël Salaün