[PATCH v2 0/4] Update Landlock docs to Landlock ABI v8

[PATCH v2 0/4] Update Landlock docs to Landlock ABI v8

[Günther Noack]

Hello!

Thanks for the review!  Here's the second round of the patch set to
bring the Landlock manpages up to speed with Landlock ABI v8.

Change Log
==========

v2:
  - landlock_create_ruleset.2: added a tiny patch to add a missing
    mention of "scoped" in the errors list.
  - landlock_create_ruleset.2: various reformulations for errata
  - earlier patch from v1 about the default ABI version assumption was
    already merged (thanks!)    

Günther Noack (4):
  man/man2/landlock_create_ruleset.2: Document EINVAL scope case
  man/man[27]/{landlock_create_ruleset.2,landlock.7}: Document
    LANDLOCK_CREATE_RULESET_ERRATA
  man/man[27]/{landlock_restrict_self.2,landlock.7}: Document
    LANDLOCK_RESTRICT_SELF_TSYNC (ABI v8)
  man/man2/landlock_restrict_self.2: Document ABI requirement for
    logging flags

 man/man2/landlock_create_ruleset.2 | 59 ++++++++++++++++++++++++++----
 man/man2/landlock_restrict_self.2  | 20 ++++++++++
 man/man7/landlock.7                |  2 +
 3 files changed, 74 insertions(+), 7 deletions(-)

-- 
2.53.0

[PATCH v2 1/4] man/man2/landlock_create_ruleset.2: Document EINVAL scope case

[Günther Noack]

This brings the manpage in-line with the kernel documentation.  Here,
"scope" is a field in the passed struct landlock_ruleset_access, which
can result in EINVAL if populated improperly.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 man/man2/landlock_create_ruleset.2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
index 5d64f4c2862c..d4eb5d827656 100644
--- a/man/man2/landlock_create_ruleset.2
+++ b/man/man2/landlock_create_ruleset.2
@@ -156,7 +156,7 @@ was not a valid address.
 .B EINVAL
 Unknown
 .IR flags ,
-or unknown access, or too small
+or unknown access, or unknown scope, or too small
 .IR size .
 .TP
 .B ENOMSG
-- 
2.53.0

[PATCH v2 2/4] man/man[27]/{landlock_create_ruleset.2,landlock.7}: Document LANDLOCK_CREATE_RULESET_ERRATA

[Günther Noack]

Document the LANDLOCK_CREATE_RULESET_ERRATA flag, which returns a
bitmask of fixed issues for the current Landlock ABI version.

This mechanism was introduced in Linux 6.15, but backported to all
older kernel releases where these errata fixes were backported to.
On official Linux kernel releases, if landlock_create_ruleset() with
LANDLOCK_CREATE_RULESET_ERRATA returns an error, this is equivalent to
the case where none of the known errata have been fixed.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 man/man2/landlock_create_ruleset.2 | 57 ++++++++++++++++++++++++++----
 1 file changed, 51 insertions(+), 6 deletions(-)

diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
index d4eb5d827656..a24a4dd6cbb3 100644
--- a/man/man2/landlock_create_ruleset.2
+++ b/man/man2/landlock_create_ruleset.2
@@ -116,11 +116,7 @@ Otherwise,
 can be set to:
 .TP
 .B LANDLOCK_CREATE_RULESET_VERSION
-If
-.I attr
-is NULL and
-.I size
-is 0, then the returned value is the highest supported Landlock ABI version
+Return the highest supported Landlock ABI version
 (starting at 1).
 This version can be used for a best-effort security approach,
 which is encouraged when user space is not pinned to a specific kernel
@@ -129,11 +125,50 @@ version.
 Unless noted otherwise,
 all features documented in these manual pages are available with the
 version 1.
+.TP
+.B LANDLOCK_CREATE_RULESET_ERRATA
+Return a bitmask of fixed issues
+for the current Landlock ABI version.
+If bit N is set (i.e.,
+.IR "errata & (1 << (N - 1))" ),
+then erratum N has been fixed in the running kernel.
+.IP
+In addition to ABI versions,
+Landlock's errata mechanism
+tracks fixes for issues that
+may affect backwards compatibility
+or require userspace awareness.
+.IP
+Only check errata if your application specifically relies on behavior
+that changed due to the fix.
+.IP
+The full list of Landlock errata is available at
+.UR https:\://docs.kernel.org/userspace\-api/landlock.html#landlock\-errata
+.UE .
+.IP
+This flag is available on all Linux versions
+where Landlock errata were fixed.
+This specifically includes
+all newest bugfix releases
+of stable kernels
+where Landlock is supported.
+.P
+If
+.B LANDLOCK_CREATE_RULESET_VERSION
+or
+.B LANDLOCK_CREATE_RULESET_ERRATA
+is set,
+then
+.I attr
+must be NULL and
+.I size
+must be 0.
 .SH RETURN VALUE
 On success,
 .BR landlock_create_ruleset ()
 returns a new Landlock ruleset file descriptor,
-or a Landlock ABI version,
+a Landlock ABI version,
+or a Landlock errata bitmask,
 according to
 .IR flags .
 .P
@@ -159,6 +194,16 @@ Unknown
 or unknown access, or unknown scope, or too small
 .IR size .
 .TP
+.B EINVAL
+Non-NULL
+.IR attr
+or non-zero
+.IR size
+in combination with
+.B LANDLOCK_CREATE_RULESET_VERSION
+or
+.BR LANDLOCK_CREATE_RULESET_ERRATA .
+.TP
 .B ENOMSG
 Empty accesses (i.e.,
 .I attr
-- 
2.53.0

[PATCH v2 3/4] man/man[27]/{landlock_restrict_self.2,landlock.7}: Document LANDLOCK_RESTRICT_SELF_TSYNC (ABI v8)

[Günther Noack]

Document the new LANDLOCK_RESTRICT_SELF_TSYNC flag, which applies the
Landlock configuration atomically to all threads of the calling process.

Available since Linux 7.0 (Landlock ABI version 8).

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 man/man2/landlock_restrict_self.2 | 18 ++++++++++++++++++
 man/man7/landlock.7               |  2 ++
 2 files changed, 20 insertions(+)

diff --git a/man/man2/landlock_restrict_self.2 b/man/man2/landlock_restrict_self.2
index 9e80a40ee4a4..1265ea2feb91 100644
--- a/man/man2/landlock_restrict_self.2
+++ b/man/man2/landlock_restrict_self.2
@@ -133,6 +133,24 @@ It can also be used with a
 .I ruleset_fd
 value of \-1 to mute subdomain logs
 without creating a domain.
+.P
+The following flag supports policy enforcement in multithreaded processes:
+.TP
+.B LANDLOCK_RESTRICT_SELF_TSYNC
+Applies the new Landlock configuration atomically
+to all threads of the current process,
+including the Landlock domain and logging configuration.
+This overrides the Landlock configuration of sibling threads,
+irrespective of previously established Landlock domains
+and logging configurations on those threads.
+.IP
+If the calling thread is running with
+.IR no_new_privs ,
+this operation enables
+.I no_new_privs
+on the sibling threads as well.
+.IP
+This flag is available since Landlock ABI version 8.
 .SH RETURN VALUE
 On success,
 .BR landlock_restrict_self ()
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index bcf06ea30ad4..06910ccab5b1 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -476,6 +476,8 @@ _	_	_
 7	6.15	LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
 \^	\^	LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
 \^	\^	LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
+_	_	_
+8	7.0	LANDLOCK_RESTRICT_SELF_TSYNC
 .TE
 .P
 Users should use the Landlock ABI version rather than the kernel version
-- 
2.53.0

[PATCH v2 4/4] man/man2/landlock_restrict_self.2: Document ABI requirement for logging flags

[Günther Noack]

Missed this on the earlier commit; we should mention since which
Landlock version these flags are available.  Users can correlate this
with the Landlock ABI version as it can be queried through
landlock_create_ruleset(2).

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 man/man2/landlock_restrict_self.2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/man/man2/landlock_restrict_self.2 b/man/man2/landlock_restrict_self.2
index 1265ea2feb91..99288b582fea 100644
--- a/man/man2/landlock_restrict_self.2
+++ b/man/man2/landlock_restrict_self.2
@@ -134,6 +134,8 @@ It can also be used with a
 value of \-1 to mute subdomain logs
 without creating a domain.
 .P
+These flags are available since Landlock ABI version 7.
+.P
 The following flag supports policy enforcement in multithreaded processes:
 .TP
 .B LANDLOCK_RESTRICT_SELF_TSYNC
-- 
2.53.0

Re: [PATCH v2 2/4] man/man[27]/{landlock_create_ruleset.2,landlock.7}: Document LANDLOCK_CREATE_RULESET_ERRATA

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 3470 bytes --]

Hi Günther,

On 2026-04-21T00:35:15+0200, Günther Noack wrote:
> Document the LANDLOCK_CREATE_RULESET_ERRATA flag, which returns a
> bitmask of fixed issues for the current Landlock ABI version.
> 
> This mechanism was introduced in Linux 6.15, but backported to all
> older kernel releases where these errata fixes were backported to.
> On official Linux kernel releases, if landlock_create_ruleset() with
> LANDLOCK_CREATE_RULESET_ERRATA returns an error, this is equivalent to
> the case where none of the known errata have been fixed.
> 
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
>  man/man2/landlock_create_ruleset.2 | 57 ++++++++++++++++++++++++++----
>  1 file changed, 51 insertions(+), 6 deletions(-)
> 
> diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> index d4eb5d827656..a24a4dd6cbb3 100644
> --- a/man/man2/landlock_create_ruleset.2
> +++ b/man/man2/landlock_create_ruleset.2
> @@ -116,11 +116,7 @@ Otherwise,
>  can be set to:
>  .TP
>  .B LANDLOCK_CREATE_RULESET_VERSION
> -If
> -.I attr
> -is NULL and
> -.I size
> -is 0, then the returned value is the highest supported Landlock ABI version

This fix (and the related changes below) should be done in a separate
patch.

Other than that, this patch LGTM.


Have a lovely night!
Alex

> +Return the highest supported Landlock ABI version
>  (starting at 1).
>  This version can be used for a best-effort security approach,
>  which is encouraged when user space is not pinned to a specific kernel
> @@ -129,11 +125,50 @@ version.
>  Unless noted otherwise,
>  all features documented in these manual pages are available with the
>  version 1.
> +.TP
> +.B LANDLOCK_CREATE_RULESET_ERRATA
> +Return a bitmask of fixed issues
> +for the current Landlock ABI version.
> +If bit N is set (i.e.,
> +.IR "errata & (1 << (N - 1))" ),
> +then erratum N has been fixed in the running kernel.
> +.IP
> +In addition to ABI versions,
> +Landlock's errata mechanism
> +tracks fixes for issues that
> +may affect backwards compatibility
> +or require userspace awareness.
> +.IP
> +Only check errata if your application specifically relies on behavior
> +that changed due to the fix.
> +.IP
> +The full list of Landlock errata is available at
> +.UR https:\://docs.kernel.org/userspace\-api/landlock.html#landlock\-errata
> +.UE .
> +.IP
> +This flag is available on all Linux versions
> +where Landlock errata were fixed.
> +This specifically includes
> +all newest bugfix releases
> +of stable kernels
> +where Landlock is supported.
> +.P
> +If
> +.B LANDLOCK_CREATE_RULESET_VERSION
> +or
> +.B LANDLOCK_CREATE_RULESET_ERRATA
> +is set,
> +then
> +.I attr
> +must be NULL and
> +.I size
> +must be 0.
>  .SH RETURN VALUE
>  On success,
>  .BR landlock_create_ruleset ()
>  returns a new Landlock ruleset file descriptor,
> -or a Landlock ABI version,
> +a Landlock ABI version,
> +or a Landlock errata bitmask,
>  according to
>  .IR flags .
>  .P
> @@ -159,6 +194,16 @@ Unknown
>  or unknown access, or unknown scope, or too small
>  .IR size .
>  .TP
> +.B EINVAL
> +Non-NULL
> +.IR attr
> +or non-zero
> +.IR size
> +in combination with
> +.B LANDLOCK_CREATE_RULESET_VERSION
> +or
> +.BR LANDLOCK_CREATE_RULESET_ERRATA .
> +.TP
>  .B ENOMSG
>  Empty accesses (i.e.,
>  .I attr
> -- 
> 2.53.0
> 

-- 
<https://www.alejandro-colomar.es>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v2 1/4] man/man2/landlock_create_ruleset.2: Document EINVAL scope case

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 972 bytes --]

On 2026-04-21T00:35:14+0200, Günther Noack wrote:
> This brings the manpage in-line with the kernel documentation.  Here,
> "scope" is a field in the passed struct landlock_ruleset_access, which
> can result in EINVAL if populated improperly.
> 
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>

I've applied this patch; thanks!


Cheers,
Alex

> ---
>  man/man2/landlock_create_ruleset.2 | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> index 5d64f4c2862c..d4eb5d827656 100644
> --- a/man/man2/landlock_create_ruleset.2
> +++ b/man/man2/landlock_create_ruleset.2
> @@ -156,7 +156,7 @@ was not a valid address.
>  .B EINVAL
>  Unknown
>  .IR flags ,
> -or unknown access, or too small
> +or unknown access, or unknown scope, or too small
>  .IR size .
>  .TP
>  .B ENOMSG
> -- 
> 2.53.0
> 

-- 
<https://www.alejandro-colomar.es>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v2 2/4] man/man[27]/{landlock_create_ruleset.2,landlock.7}: Document LANDLOCK_CREATE_RULESET_ERRATA

[Günther Noack]

Hello Alejandro!

On Tue, Apr 21, 2026 at 02:16:38AM +0200, Alejandro Colomar wrote:
> On 2026-04-21T00:35:15+0200, Günther Noack wrote:
> > Document the LANDLOCK_CREATE_RULESET_ERRATA flag, which returns a
> > bitmask of fixed issues for the current Landlock ABI version.
> > 
> > This mechanism was introduced in Linux 6.15, but backported to all
> > older kernel releases where these errata fixes were backported to.
> > On official Linux kernel releases, if landlock_create_ruleset() with
> > LANDLOCK_CREATE_RULESET_ERRATA returns an error, this is equivalent to
> > the case where none of the known errata have been fixed.
> > 
> > Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> > ---
> >  man/man2/landlock_create_ruleset.2 | 57 ++++++++++++++++++++++++++----
> >  1 file changed, 51 insertions(+), 6 deletions(-)
> > 
> > diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> > index d4eb5d827656..a24a4dd6cbb3 100644
> > --- a/man/man2/landlock_create_ruleset.2
> > +++ b/man/man2/landlock_create_ruleset.2
> > @@ -116,11 +116,7 @@ Otherwise,
> >  can be set to:
> >  .TP
> >  .B LANDLOCK_CREATE_RULESET_VERSION
> > -If
> > -.I attr
> > -is NULL and
> > -.I size
> > -is 0, then the returned value is the highest supported Landlock ABI version
> 
> This fix (and the related changes below) should be done in a separate
> patch.
> 
> Other than that, this patch LGTM.

Thanks for the review. I'll split it out and send a v3.

–Günther