[PATCH man] landlock.7: Re-group description of IOCTL access right

[PATCH man] landlock.7: Re-group description of IOCTL access right

[Günther Noack]

Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right
together with the file access rights.

This group of access rights applies to files (in this case device
files), and they can be added to file or directory inodes using
landlock_add_rule(2).  The check for that works the same for all file
access rights, including LANDLOCK_ACCESS_FS_IOCTL_DEV.

Invoking ioctl(2) on directory FDs can not currently be restricted
with Landlock.  Having it grouped separately in the documentation is a
remnant from earlier revisions of the LANDLOCK_ACCESS_FS_IOCTL_DEV
patch set.

The same change was also done in kernel documentation, linked below.

Link: https://lore.kernel.org/all/20260111175203.6545-2-gnoack3000@gmail.com/
---
 man/man7/landlock.7 | 81 ++++++++++++++++++++++-----------------------
 1 file changed, 39 insertions(+), 42 deletions(-)

diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 5d4a24f79..c31d513d1 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -97,6 +97,45 @@ with
 .BR O_TRUNC .
 .IP
 This access right is available since the third version of the Landlock ABI.
+.TP
+.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+Invoke
+.BR ioctl (2)
+commands on an opened character or block device.
+.IP
+This access right applies to all
+.BR ioctl (2)
+commands implemented by device drivers.
+However, the following common IOCTL commands continue to be invokable
+independent of the
+.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+right:
+.RS
+.IP \[bu] 3
+IOCTL commands targeting file descriptors
+.RB ( FIOCLEX ,
+.BR FIONCLEX ),
+.IP \[bu]
+IOCTL commands targeting file descriptions
+.RB ( FIONBIO ,
+.BR FIOASYNC ),
+.IP \[bu]
+IOCTL commands targeting file systems
+.RB ( FIFREEZE ,
+.BR FITHAW ,
+.BR FIGETBSZ ,
+.BR FS_IOC_GETFSUUID ,
+.BR FS_IOC_GETFSSYSFSPATH )
+.IP \[bu]
+Some IOCTL commands which do not make sense when used with devices, but
+whose implementations are safe and return the right error codes
+.RB ( FS_IOC_FIEMAP ,
+.BR FICLONE ,
+.BR FICLONERANGE ,
+.BR FIDEDUPERANGE )
+.RE
+.IP
+This access right is available since the fifth version of the Landlock ABI.
 .P
 Whether an opened file can be truncated with
 .BR ftruncate (2)
@@ -198,48 +237,6 @@ If multiple requirements are not met, the
 .B EACCES
 error code takes precedence over
 .BR EXDEV .
-.P
-The following access right
-applies to both files and directories:
-.TP
-.B LANDLOCK_ACCESS_FS_IOCTL_DEV
-Invoke
-.BR ioctl (2)
-commands on an opened character or block device.
-.IP
-This access right applies to all
-.BR ioctl (2)
-commands implemented by device drivers.
-However, the following common IOCTL commands continue to be invokable
-independent of the
-.B LANDLOCK_ACCESS_FS_IOCTL_DEV
-right:
-.RS
-.IP \[bu] 3
-IOCTL commands targeting file descriptors
-.RB ( FIOCLEX ,
-.BR FIONCLEX ),
-.IP \[bu]
-IOCTL commands targeting file descriptions
-.RB ( FIONBIO ,
-.BR FIOASYNC ),
-.IP \[bu]
-IOCTL commands targeting file systems
-.RB ( FIFREEZE ,
-.BR FITHAW ,
-.BR FIGETBSZ ,
-.BR FS_IOC_GETFSUUID ,
-.BR FS_IOC_GETFSSYSFSPATH )
-.IP \[bu]
-Some IOCTL commands which do not make sense when used with devices, but
-whose implementations are safe and return the right error codes
-.RB ( FS_IOC_FIEMAP ,
-.BR FICLONE ,
-.BR FICLONERANGE ,
-.BR FIDEDUPERANGE )
-.RE
-.IP
-This access right is available since the fifth version of the Landlock ABI.
 .\"
 .SS Network flags
 These flags enable to restrict a sandboxed process
-- 
2.52.0

[PATCH man] landlock.7: Re-group description of IOCTL access right

[Günther Noack]

Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right
together with the file access rights.

This group of access rights applies to files (in this case device
files), and they can be added to file or directory inodes using
landlock_add_rule(2).  The check for that works the same for all file
access rights, including LANDLOCK_ACCESS_FS_IOCTL_DEV.

Invoking ioctl(2) on directory FDs can not currently be restricted
with Landlock.  Having it grouped separately in the documentation is a
remnant from earlier revisions of the LANDLOCK_ACCESS_FS_IOCTL_DEV
patch set.

The same change was also done in kernel documentation, linked below.

Link: https://lore.kernel.org/all/20260111175203.6545-2-gnoack3000@gmail.com/
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 man/man7/landlock.7 | 81 ++++++++++++++++++++++-----------------------
 1 file changed, 39 insertions(+), 42 deletions(-)

diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 5d4a24f79..c31d513d1 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -97,6 +97,45 @@ with
 .BR O_TRUNC .
 .IP
 This access right is available since the third version of the Landlock ABI.
+.TP
+.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+Invoke
+.BR ioctl (2)
+commands on an opened character or block device.
+.IP
+This access right applies to all
+.BR ioctl (2)
+commands implemented by device drivers.
+However, the following common IOCTL commands continue to be invokable
+independent of the
+.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+right:
+.RS
+.IP \[bu] 3
+IOCTL commands targeting file descriptors
+.RB ( FIOCLEX ,
+.BR FIONCLEX ),
+.IP \[bu]
+IOCTL commands targeting file descriptions
+.RB ( FIONBIO ,
+.BR FIOASYNC ),
+.IP \[bu]
+IOCTL commands targeting file systems
+.RB ( FIFREEZE ,
+.BR FITHAW ,
+.BR FIGETBSZ ,
+.BR FS_IOC_GETFSUUID ,
+.BR FS_IOC_GETFSSYSFSPATH )
+.IP \[bu]
+Some IOCTL commands which do not make sense when used with devices, but
+whose implementations are safe and return the right error codes
+.RB ( FS_IOC_FIEMAP ,
+.BR FICLONE ,
+.BR FICLONERANGE ,
+.BR FIDEDUPERANGE )
+.RE
+.IP
+This access right is available since the fifth version of the Landlock ABI.
 .P
 Whether an opened file can be truncated with
 .BR ftruncate (2)
@@ -198,48 +237,6 @@ If multiple requirements are not met, the
 .B EACCES
 error code takes precedence over
 .BR EXDEV .
-.P
-The following access right
-applies to both files and directories:
-.TP
-.B LANDLOCK_ACCESS_FS_IOCTL_DEV
-Invoke
-.BR ioctl (2)
-commands on an opened character or block device.
-.IP
-This access right applies to all
-.BR ioctl (2)
-commands implemented by device drivers.
-However, the following common IOCTL commands continue to be invokable
-independent of the
-.B LANDLOCK_ACCESS_FS_IOCTL_DEV
-right:
-.RS
-.IP \[bu] 3
-IOCTL commands targeting file descriptors
-.RB ( FIOCLEX ,
-.BR FIONCLEX ),
-.IP \[bu]
-IOCTL commands targeting file descriptions
-.RB ( FIONBIO ,
-.BR FIOASYNC ),
-.IP \[bu]
-IOCTL commands targeting file systems
-.RB ( FIFREEZE ,
-.BR FITHAW ,
-.BR FIGETBSZ ,
-.BR FS_IOC_GETFSUUID ,
-.BR FS_IOC_GETFSSYSFSPATH )
-.IP \[bu]
-Some IOCTL commands which do not make sense when used with devices, but
-whose implementations are safe and return the right error codes
-.RB ( FS_IOC_FIEMAP ,
-.BR FICLONE ,
-.BR FICLONERANGE ,
-.BR FIDEDUPERANGE )
-.RE
-.IP
-This access right is available since the fifth version of the Landlock ABI.
 .\"
 .SS Network flags
 These flags enable to restrict a sandboxed process
-- 
2.52.0

Re: [PATCH man] landlock.7: Re-group description of IOCTL access right

[Günther Noack]

On Mon, Jan 12, 2026 at 08:43:24PM +0100, Günther Noack wrote:
> Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right
> together with the file access rights.

Whoops, please ignore, I re-sent this with the signed-off line which
was missing here.

–Günther

Re: [PATCH man] landlock.7: Re-group description of IOCTL access right

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 5232 bytes --]

Hi Günther,

> Cc: Alejandro Colomar <alx.manpages@gmail.com>, 

Please remember to use <alx@kernel.org>.  :)

> Subject: Re: [PATCH man] landlock.7: Re-group description of IOCTL access right

Please use full path of the manual page (this can be done with the tab
key --autocompletion--).

On Mon, Jan 12, 2026 at 08:45:17PM +0100, Günther Noack wrote:
> Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right
> together with the file access rights.
> 
> This group of access rights applies to files (in this case device
> files), and they can be added to file or directory inodes using
> landlock_add_rule(2).  The check for that works the same for all file
> access rights, including LANDLOCK_ACCESS_FS_IOCTL_DEV.
> 
> Invoking ioctl(2) on directory FDs can not currently be restricted
> with Landlock.  Having it grouped separately in the documentation is a
> remnant from earlier revisions of the LANDLOCK_ACCESS_FS_IOCTL_DEV
> patch set.

If I understand correctly, the behavior has never changed, and the
documentation was wrong.  Did I understand correctly?
> 
> The same change was also done in kernel documentation, linked below.
> 

Could you please add a Fixes: tag?

The format we use can be generated with these git(1) aliases:

	[alias]
		ref = show --no-patch --abbrev=12 --date=short \
			--format=tformat:'%C(auto)%h%C(reset) %C(dim white)(%cd%x3B \"%C(reset)%C(auto)%s%C(reset)%C(dim white)\")%C(reset)'
		ref2 = show --no-patch --abbrev=12 --date=short \
			--format=tformat:'%C(auto)%h%C(reset) %C(dim white)(%ad, %cd%x3B \"%C(reset)%C(auto)%s%C(reset)%C(dim white)\")%C(reset)'

The format is:

	12-char-hash (commit-date; "commit-subject")

Important note: it's the commit date, not the author date.

Example:

	$ git ref HEAD
	92fc3fad3490 (2026-01-13; "man/man7/landlock.7: Re-group description of IOCTL access right")

I checked that this is not documented.  I'll add it to CONTRIBUTING.d/.

> Link: https://lore.kernel.org/all/20260111175203.6545-2-gnoack3000@gmail.com/
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>

The diff LGTM.  Thanks!

> ---
>  man/man7/landlock.7 | 81 ++++++++++++++++++++++-----------------------
>  1 file changed, 39 insertions(+), 42 deletions(-)
> 
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 5d4a24f79..c31d513d1 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -97,6 +97,45 @@ with
>  .BR O_TRUNC .
>  .IP
>  This access right is available since the third version of the Landlock ABI.
> +.TP
> +.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> +Invoke
> +.BR ioctl (2)
> +commands on an opened character or block device.
> +.IP
> +This access right applies to all
> +.BR ioctl (2)
> +commands implemented by device drivers.
> +However, the following common IOCTL commands continue to be invokable
> +independent of the
> +.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> +right:
> +.RS
> +.IP \[bu] 3
> +IOCTL commands targeting file descriptors
> +.RB ( FIOCLEX ,
> +.BR FIONCLEX ),
> +.IP \[bu]
> +IOCTL commands targeting file descriptions
> +.RB ( FIONBIO ,
> +.BR FIOASYNC ),
> +.IP \[bu]
> +IOCTL commands targeting file systems
> +.RB ( FIFREEZE ,
> +.BR FITHAW ,
> +.BR FIGETBSZ ,
> +.BR FS_IOC_GETFSUUID ,
> +.BR FS_IOC_GETFSSYSFSPATH )
> +.IP \[bu]
> +Some IOCTL commands which do not make sense when used with devices, but
> +whose implementations are safe and return the right error codes
> +.RB ( FS_IOC_FIEMAP ,
> +.BR FICLONE ,
> +.BR FICLONERANGE ,
> +.BR FIDEDUPERANGE )
> +.RE
> +.IP
> +This access right is available since the fifth version of the Landlock ABI.
>  .P
>  Whether an opened file can be truncated with
>  .BR ftruncate (2)
> @@ -198,48 +237,6 @@ If multiple requirements are not met, the
>  .B EACCES
>  error code takes precedence over
>  .BR EXDEV .
> -.P
> -The following access right
> -applies to both files and directories:
> -.TP
> -.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> -Invoke
> -.BR ioctl (2)
> -commands on an opened character or block device.
> -.IP
> -This access right applies to all
> -.BR ioctl (2)
> -commands implemented by device drivers.
> -However, the following common IOCTL commands continue to be invokable
> -independent of the
> -.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> -right:
> -.RS
> -.IP \[bu] 3
> -IOCTL commands targeting file descriptors
> -.RB ( FIOCLEX ,
> -.BR FIONCLEX ),
> -.IP \[bu]
> -IOCTL commands targeting file descriptions
> -.RB ( FIONBIO ,
> -.BR FIOASYNC ),
> -.IP \[bu]
> -IOCTL commands targeting file systems
> -.RB ( FIFREEZE ,
> -.BR FITHAW ,
> -.BR FIGETBSZ ,
> -.BR FS_IOC_GETFSUUID ,
> -.BR FS_IOC_GETFSSYSFSPATH )
> -.IP \[bu]
> -Some IOCTL commands which do not make sense when used with devices, but
> -whose implementations are safe and return the right error codes
> -.RB ( FS_IOC_FIEMAP ,
> -.BR FICLONE ,
> -.BR FICLONERANGE ,
> -.BR FIDEDUPERANGE )
> -.RE
> -.IP
> -This access right is available since the fifth version of the Landlock ABI.
>  .\"
>  .SS Network flags
>  These flags enable to restrict a sandboxed process
> -- 
> 2.52.0
> 

-- 
<https://www.alejandro-colomar.es>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH man] landlock.7: Re-group description of IOCTL access right

[Günther Noack]

Hi Alejandro!

On Tue, Jan 13, 2026 at 01:01:22AM +0100, Alejandro Colomar wrote:
> > Cc: Alejandro Colomar <alx.manpages@gmail.com>, 
> 
> Please remember to use <alx@kernel.org>.  :)

Thanks, updated my helper scripts.

> > Subject: Re: [PATCH man] landlock.7: Re-group description of IOCTL access right
> 
> Please use full path of the manual page (this can be done with the tab
> key --autocompletion--).

Done, will do.


> On Mon, Jan 12, 2026 at 08:45:17PM +0100, Günther Noack wrote:
> > Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right
> > together with the file access rights.
> > 
> > This group of access rights applies to files (in this case device
> > files), and they can be added to file or directory inodes using
> > landlock_add_rule(2).  The check for that works the same for all file
> > access rights, including LANDLOCK_ACCESS_FS_IOCTL_DEV.
> > 
> > Invoking ioctl(2) on directory FDs can not currently be restricted
> > with Landlock.  Having it grouped separately in the documentation is a
> > remnant from earlier revisions of the LANDLOCK_ACCESS_FS_IOCTL_DEV
> > patch set.
> 
> If I understand correctly, the behavior has never changed, and the
> documentation was wrong.  Did I understand correctly?

Yes, that is correct.  It made more sense in an earlier version of the
LANDLOCK_ACCESS_FS_IOCTL_DEV patch set, but then did not make sense in
the final version any more.  I missed to keep the documentation up to
date.


> > 
> > The same change was also done in kernel documentation, linked below.
> > 
> 
> Could you please add a Fixes: tag?

Done. Thanks for sharing the handy git alias as well - this is very
neat, I added that to my toolbox :)

Will send a v2 shortly.

–Günther

Re: [PATCH man] landlock.7: Re-group description of IOCTL access right

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 3153 bytes --]

On Tue, Jan 13, 2026 at 08:18:59PM +0100, Günther Noack wrote:
> Hi Alejandro!

Hi Günther!

[...]
> > > 
> > > The same change was also done in kernel documentation, linked below.
> > > 
> > 
> > Could you please add a Fixes: tag?
> 
> Done. Thanks for sharing the handy git alias as well - this is very
> neat, I added that to my toolbox :)

Nice!  :)

BTW, I should explain the rationale for the format.  I based it on two
things: the format used in the kernel, which is

	12-char-hash ("commit-subject")

and 'git log --pretty=reference', which is

	short-hash (commit-subject, author-date)

(example:)

	alx@devuan:~/src/shadow/shadow/master$ git log -1 --pretty=reference HEAD
	b55a55aeb (lib/string/: Use QChar_of() to simplify some macros, 2025-11-25)

The kernel format is known to not be good enough, as 12-char-hashes are
known to have collisions.  And the subject isn't enough to disambiguate,
as some commits have quite generic subjects which also have collisions
(e.g., tfix).  Thus, a date helps disambiguate.

The problem with the author dates is that they're not correlative.  You
could have commits applied today that have been authored a few years
ago (consider a slow review process).  Commit dates, instead, are always
correlative (unless you specify a different one with
GIT_COMMITTER_DATE).  When disambiguating, you could look at git-log(1),
do a binary search on the commit date, and then from the few commits of
that day, the hash should be easy to find unambiguously.

I used the quotes, for consistency with the kernel format, and because
it reads better.

About putting the date before instead of after, it has several reasons:

-  Avoid confusion.  If I left the date at the end, one could think I'm
   using --pretty=reference format, and thus think it's an author date.

-  Alignment.  The dates always take the same space XXXX-XX-XX, so
   having them first results in a visually more pleasing format.  Your
   eyes can find both the date and the start of the subject easily,
   without having to parse anything.

-  It allows knowing how old the bug being fixed is, and in which
   release it was introduced (if you know the dates of each release).

And in some cases, the author date might be important, which is why
I sometimes use ref2, but it's an exception.  When I use the author
date, it goes before the commit date, for consistency with how
git-log(1) shows them.

The dates are separated with a comma between then, and then with
a semicolon from the subject.  This makes it even machine parseable.

	alx@devuan:~/src/shadow/shadow/master$ git ref HEAD
	b55a55aebc5d (2025-12-26; "lib/string/: Use QChar_of() to simplify some macros")
	alx@devuan:~/src/shadow/shadow/master$ git ref2 HEAD
	b55a55aebc5d (2025-11-25, 2025-12-26; "lib/string/: Use QChar_of() to simplify some macros")

The full format would be

	12-char-hash ([author-date,] commit-date; "commit-subject")

where [] denotes an optional field.


Have a lovely night!
Alex

> Will send a v2 shortly.
> 
> –Günther

-- 
<https://www.alejandro-colomar.es>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]