[PATCH v4 0/2] Update Landlock docs to Landlock ABI v8

[PATCH v4 0/2] Update Landlock docs to Landlock ABI v8

[Günther Noack]

Hello!

Thanks for the review!  Here's the fourth round of the patch set, this
time just adding the missing ABI version information.  Added another
small patch in the same style for the adjacent Landlock man page where
it applies.  (The third Landlock manpage, landlock_create_ruleset.2,
doesn't need it because one flag is available since the start and the
errata flag is available where needed and backported everywhere, as
previously discussed.)

Kept the cover letter title as is, to reduce confusion (but the part
where Landlock ABI v8 gets described is already submitted).

–Günther

P.S.: I have a half-finished commit for the upcoming Linux 7.1 release
as well; I can send this one soon, I assume it's OK to send these
slightly before the release, given that the code is already on Linux
master?


Change Log
==========

v4:
  - mention ABI versions for flags next to the tagged paragraph title
    where they are described
    - 1/2: do that in landlock_restrict_self.2 (based on v3's patch 4)
    - 2/2: do that in landlock_add_rule.2 as well
  - earlier patches 1,2,3 from v3 were already merged

v3:
  - split the size/attr clarifications from the "errata" patch into a
    separate commit
  - earlier patch from v2 about the "scoped" EINVAL error was already
    merged
  
v2:
  - landlock_create_ruleset.2: added a tiny patch to add a missing
    mention of "scoped" in the errors list.
  - landlock_create_ruleset.2: various reformulations for errata
  - earlier patch from v1 about the default ABI version assumption was
    already merged (thanks!)    

Günther Noack (2):
  man/man2/landlock_restrict_self.2: Document ABI requirement for
    logging flags
  man/man2/landlock_add_rule.2: mention ABI version for
    LANDLOCK_RULE_NET_PORT

 man/man2/landlock_add_rule.2      | 2 +-
 man/man2/landlock_restrict_self.2 | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

-- 
2.53.0

[PATCH v4 1/2] man/man2/landlock_restrict_self.2: Document ABI requirement for logging flags

[Günther Noack]

Missed this on the earlier commit; we should mention since which
Landlock version these flags are available.  Users can correlate this
with the Landlock ABI version as it can be queried through
landlock_create_ruleset(2).

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 man/man2/landlock_restrict_self.2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/man/man2/landlock_restrict_self.2 b/man/man2/landlock_restrict_self.2
index c43b9cc4dd3e..3b8f897cff05 100644
--- a/man/man2/landlock_restrict_self.2
+++ b/man/man2/landlock_restrict_self.2
@@ -89,7 +89,7 @@ and
 .B LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
 flags apply to the newly created Landlock domain.
 .TP
-.B LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF
+.BR LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF "  (since Landlock ABI version 7)"
 Disables logging of denied accesses
 originating from the thread creating the Landlock domain,
 as well as its children,
@@ -105,7 +105,7 @@ Programs that only sandbox themselves should not set this flag,
 so users can be notified of unauthorized access attempts
 via system logs.
 .TP
-.B LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON
+.BR LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON "  (since Landlock ABI version 7)"
 Enables logging of denied accesses after an
 .BR execve (2)
 call,
@@ -116,7 +116,7 @@ in the domain are expected to comply with the access restrictions,
 as excessive audit log entries could make it more difficult
 to identify critical events.
 .TP
-.B LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
+.BR LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF "  (since Landlock ABI version 7)"
 Disables logging of denied accesses
 originating from nested Landlock domains created by the caller
 or its descendants.
-- 
2.53.0

[PATCH v4 2/2] man/man2/landlock_add_rule.2: mention ABI version for LANDLOCK_RULE_NET_PORT

[Günther Noack]

Add the ABI version in the place where LANDLOCK_RULE_NET_PORT is
described.  For LANDLOCK_RULE_PATH_BENEATH, the ABI version is
implicit, it is supported since the start.

Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
 man/man2/landlock_add_rule.2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/man/man2/landlock_add_rule.2 b/man/man2/landlock_add_rule.2
index 48d7d3b25c9e..fe01a98d99ea 100644
--- a/man/man2/landlock_add_rule.2
+++ b/man/man2/landlock_add_rule.2
@@ -80,7 +80,7 @@ flag,
 which identifies the parent directory of the file hierarchy or
 just a file.
 .TP
-.B LANDLOCK_RULE_NET_PORT
+.BR LANDLOCK_RULE_NET_PORT "  (since Landlock ABI version 4)"
 For these rules,
 the object is a TCP port,
 and the related actions are defined with
-- 
2.53.0

Re: [PATCH v4 0/2] Update Landlock docs to Landlock ABI v8

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 2375 bytes --]

On 2026-04-22T21:23:28+0200, Günther Noack wrote:
> Hello!

Hello!

> Thanks for the review!  Here's the fourth round of the patch set, this
> time just adding the missing ABI version information.  Added another
> small patch in the same style for the adjacent Landlock man page where
> it applies.  (The third Landlock manpage, landlock_create_ruleset.2,
> doesn't need it because one flag is available since the start and the
> errata flag is available where needed and backported everywhere, as
> previously discussed.)

Thanks!

> Kept the cover letter title as is, to reduce confusion (but the part
> where Landlock ABI v8 gets described is already submitted).

You may want to use --in-reply-to instead, so that all revisions are
subthreads of the same thread (v1).  But thanks!

> 
> –Günther
> 
> P.S.: I have a half-finished commit for the upcoming Linux 7.1 release
> as well; I can send this one soon, I assume it's OK to send these
> slightly before the release, given that the code is already on Linux
> master?

Yup, that's fine.


Have a lovely night!
Alex

> 
> 
> Change Log
> ==========
> 
> v4:
>   - mention ABI versions for flags next to the tagged paragraph title
>     where they are described
>     - 1/2: do that in landlock_restrict_self.2 (based on v3's patch 4)
>     - 2/2: do that in landlock_add_rule.2 as well
>   - earlier patches 1,2,3 from v3 were already merged
> 
> v3:
>   - split the size/attr clarifications from the "errata" patch into a
>     separate commit
>   - earlier patch from v2 about the "scoped" EINVAL error was already
>     merged
>   
> v2:
>   - landlock_create_ruleset.2: added a tiny patch to add a missing
>     mention of "scoped" in the errors list.
>   - landlock_create_ruleset.2: various reformulations for errata
>   - earlier patch from v1 about the default ABI version assumption was
>     already merged (thanks!)    
> 
> Günther Noack (2):
>   man/man2/landlock_restrict_self.2: Document ABI requirement for
>     logging flags
>   man/man2/landlock_add_rule.2: mention ABI version for
>     LANDLOCK_RULE_NET_PORT
> 
>  man/man2/landlock_add_rule.2      | 2 +-
>  man/man2/landlock_restrict_self.2 | 6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> -- 
> 2.53.0
> 

-- 
<https://www.alejandro-colomar.es>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v4 0/2] Update Landlock docs to Landlock ABI v8

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 2287 bytes --]

Hi Günther!

On 2026-04-22T21:23:28+0200, Günther Noack wrote:
> Hello!
> 
> Thanks for the review!  Here's the fourth round of the patch set, this
> time just adding the missing ABI version information.  Added another
> small patch in the same style for the adjacent Landlock man page where
> it applies.  (The third Landlock manpage, landlock_create_ruleset.2,
> doesn't need it because one flag is available since the start and the
> errata flag is available where needed and backported everywhere, as
> previously discussed.)
> 
> Kept the cover letter title as is, to reduce confusion (but the part
> where Landlock ABI v8 gets described is already submitted).
> 
> –Günther

I've applied the both patches of the patch set.  Thanks!


Have a lovely day!
Alex

> 
> P.S.: I have a half-finished commit for the upcoming Linux 7.1 release
> as well; I can send this one soon, I assume it's OK to send these
> slightly before the release, given that the code is already on Linux
> master?
> 
> 
> Change Log
> ==========
> 
> v4:
>   - mention ABI versions for flags next to the tagged paragraph title
>     where they are described
>     - 1/2: do that in landlock_restrict_self.2 (based on v3's patch 4)
>     - 2/2: do that in landlock_add_rule.2 as well
>   - earlier patches 1,2,3 from v3 were already merged
> 
> v3:
>   - split the size/attr clarifications from the "errata" patch into a
>     separate commit
>   - earlier patch from v2 about the "scoped" EINVAL error was already
>     merged
>   
> v2:
>   - landlock_create_ruleset.2: added a tiny patch to add a missing
>     mention of "scoped" in the errors list.
>   - landlock_create_ruleset.2: various reformulations for errata
>   - earlier patch from v1 about the default ABI version assumption was
>     already merged (thanks!)    
> 
> Günther Noack (2):
>   man/man2/landlock_restrict_self.2: Document ABI requirement for
>     logging flags
>   man/man2/landlock_add_rule.2: mention ABI version for
>     LANDLOCK_RULE_NET_PORT
> 
>  man/man2/landlock_add_rule.2      | 2 +-
>  man/man2/landlock_restrict_self.2 | 6 +++---
>  2 files changed, 4 insertions(+), 4 deletions(-)
> 
> -- 
> 2.53.0
> 

-- 
<https://www.alejandro-colomar.es>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]