* [PATCH v2 0/3] Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX
From: Günther Noack @ 2026-05-15 16:57 UTC (permalink / raw)
To: Alejandro Colomar, Mickaël Salaün; +Cc: linux-man, Günther Noack
Thanks for the review!
This documents the LANDLOCK_ACCESS_FS_RESOLVE_UNIX feature,
introduced in the upcoming Linux 7.1 (Landlock ABI v9).
I applied the suggestions unmodified in most cases. For the ABI
versions, I used the same style as in the landlock_restrict_self(2)
manpage, which I like for its succinctness.
* Patch 1: should already be applied (including it just for
completeness, because it's not reflected in the git.kernel.org
mirror yet)
* Patch 2: Changes the ABI version style for existing documentation,
this is fine to apply before Linux 7.1.
* Patch 3: Describes the new "resolve UNIX" functionality in Linux 7.1
–Günther
Change Log
==========
V2:
- s/only applies/applies only/.
- Use italics for "*" in LANDLOCK_SCOPE_*.
- s/resolve attempt/resolution attempt/
- ABI version indicators: Use cardinals for ABI versions, and refer
to it next to tagged paragraph titles where possible. Also,
introduce an additional preparation commit to fix this up for the
existing documentation.
- Use C99 comments in source code example
V1: Initial version
Günther Noack (3):
man/man7/landlock.7: Adapt compatibility in code example to ABI v8
man/man7/landlock.7: Simplify references to ABI versions
man/man7/landlock.7: Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX (ABI v9)
man/man7/landlock.7 | 75 ++++++++++++++++++++++++++++++---------------
1 file changed, 51 insertions(+), 24 deletions(-)
Range-diff against v1:
1: 07b854876a09 = 1: fd6de0eb416e man/man7/landlock.7: Adapt compatibility in code example to ABI v8
-: ------------ > 2: 33b9972559c5 man/man7/landlock.7: Simplify references to ABI versions
2: 414c8fa8f643 ! 3: a937ec4a113b man/man7/landlock.7: Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX (ABI v9)
@@ Commit message
## man/man7/landlock.7 ##
@@ man/man7/landlock.7: whose implementations are safe and return the right error codes
+ .BR FICLONERANGE ,
+ .BR FIDEDUPERANGE )
.RE
- .IP
- This access right is available since the fifth version of the Landlock ABI.
+.TP
-+.B LANDLOCK_ACCESS_FS_RESOLVE_UNIX
++.BR LANDLOCK_ACCESS_FS_RESOLVE_UNIX " (since Landlock ABI version 9)"
+Look up pathname UNIX
+domain sockets
+.RB ( unix (7)).
@@ man/man7/landlock.7: whose implementations are safe and return the right error c
+.BR sendmsg (2)
+with an explicit recipient address.
+.IP
-+This access right only applies to connections to UNIX server sockets
++This access right applies only to connections to UNIX server sockets
+which were created outside the newly created Landlock domain
+(e.g., from within a parent domain or from an unrestricted process).
+Newly created UNIX servers
@@ man/man7/landlock.7: whose implementations are safe and return the right error c
+In this regard,
+.B LANDLOCK_ACCESS_FS_RESOLVE_UNIX
+has the same semantics as the
-+.B LANDLOCK_SCOPE_*
++.BI LANDLOCK_SCOPE_ *
+flags.
+.IP
-+If a resolve attempt is denied,
++If a resolution attempt is denied,
+the operation returns an
+.B EACCES
+error,
+in line with other filesystem access rights
+(but different to denials for abstract UNIX domain sockets).
-+.IP
-+This access right is available since the ninth version of the Landlock ABI.
.P
Whether an opened file can be truncated with
.BR ftruncate (2)
@@ man/man7/landlock.7: and only use the available subset of access rights:
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v6: same */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v7: same */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v8: same */
-+ (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1, /* v1 */
-+ (LANDLOCK_ACCESS_FS_REFER << 1) \- 1, /* v2: add "refer" */
-+ (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v3: add "truncate" */
-+ (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v4: TCP support */
-+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v5: add "ioctl_dev" */
-+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v6: same */
-+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v7: same */
-+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v8: same */
-+ (LANDLOCK_ACCESS_FS_RESOLVE_UNIX << 1) \- 1, /* v9: add "resolve_unix" */
++ (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1, // v1
++ (LANDLOCK_ACCESS_FS_REFER << 1) \- 1, // v2: add "refer"
++ (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, // v3: add "truncate"
++ (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, // v4: TCP support
++ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v5: add "ioctl_dev"
++ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v6: same
++ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v7: same
++ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v8: same
++ (LANDLOCK_ACCESS_FS_RESOLVE_UNIX << 1) \- 1, // v9: add "resolve_unix"
};
\&
int abi = landlock_create_ruleset(NULL, 0,
--
2.54.0
* [PATCH v2 1/3] man/man7/landlock.7: Adapt compatibility in code example to ABI v8
From: Günther Noack @ 2026-05-15 16:57 UTC (permalink / raw)
To: Alejandro Colomar, Mickaël Salaün; +Cc: linux-man, Günther Noack
* Bring the code example up to speed with Landlock ABI v8
* Use the correct ABI level in the MIN() macro
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
man/man7/landlock.7 | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 06910ccab5b1..0e3a11489af2 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -583,6 +583,9 @@ __u64 landlock_fs_access_rights[] = {
(LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v3: add "truncate" */
(LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v4: TCP support */
(LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v5: add "ioctl_dev" */
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v6: same */
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v7: same */
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v8: same */
};
\&
int abi = landlock_create_ruleset(NULL, 0,
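Review bot: The comments on the three added rows ("v6: same" through "v8: same") do not say why the mask is unchanged, whereas the v4 row gives its reason ("TCP support"). Consider naming what each of those ABI versions added instead, so a reader can tell that the repeated IOCTL_DEV mask is intentional and not a forgotten update.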
@@ -595,7 +598,7 @@ if (abi == \-1) {
perror("Unable to use Landlock");
return; /* Graceful fallback: Do nothing. */
}
-abi = MIN(abi, 3);
+abi = MIN(abi, 8);
\&
/* Only use the available rights in the ruleset. */
attr.handled_access_fs &= landlock_fs_access_rights[abi \- 1];
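Review bot: The literal in "abi = MIN(abi, 8);" has to equal the number of rows in landlock_fs_access_rights[], and the old value of 3 next to a table that already had a v5 row shows the two drifted apart once. Consider deriving the cap from the array length, or at least adding a comment on that line saying it must be bumped together with the table, since a cap larger than the table would index past its end in the "[abi \- 1]" lookup below.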
--
2.54.0
* [PATCH v2 2/3] man/man7/landlock.7: Simplify references to ABI versions
From: Günther Noack @ 2026-05-15 16:57 UTC (permalink / raw)
To: Alejandro Colomar, Mickaël Salaün; +Cc: linux-man, Günther Noack
* Use cardinal numbers for referring to Landlock ABI versions,
where possible.
* Adopt the format already used in landlock_restrict_self(2),
where the ABI versions are described next to the flag names
in their tagged paragraphs. For example:
.TP
.BR FLAG " (since Landlock ABI version X)"
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
man/man7/landlock.7 | 26 ++++++++------------------
1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 0e3a11489af2..60915bdd9728 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -89,7 +89,7 @@ these system calls truncate existing files when overwriting them
.B LANDLOCK_ACCESS_FS_READ_FILE
Open a file with read access.
.TP
-.B LANDLOCK_ACCESS_FS_TRUNCATE
+.BR LANDLOCK_ACCESS_FS_TRUNCATE " (since Landlock ABI version 3)"
Truncate a file with
.BR truncate (2),
.BR ftruncate (2),
@@ -98,10 +98,8 @@ or
.BR open (2)
with
.BR O_TRUNC .
-.IP
-This access right is available since the third version of the Landlock ABI.
.TP
-.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+.BR LANDLOCK_ACCESS_FS_IOCTL_DEV " (since Landlock ABI version 5)"
Invoke
.BR ioctl (2)
commands on an opened character or block device.
@@ -137,8 +135,6 @@ whose implementations are safe and return the right error codes
.BR FICLONERANGE ,
.BR FIDEDUPERANGE )
.RE
-.IP
-This access right is available since the fifth version of the Landlock ABI.
.P
Whether an opened file can be truncated with
.BR ftruncate (2)
@@ -191,19 +187,17 @@ Create (or rename or link) a block device.
.B LANDLOCK_ACCESS_FS_MAKE_SYM
Create (or rename or link) a symbolic link.
.TP
-.B LANDLOCK_ACCESS_FS_REFER
+.BR LANDLOCK_ACCESS_FS_REFER " (since Landlock ABI version 2)"
Link or rename a file from or to a different directory
(i.e., reparent a file hierarchy).
.IP
-This access right is available since the second version of the Landlock ABI.
-.IP
This is the only access right which is denied by default by any ruleset,
even if the right is not specified as handled at ruleset creation time.
The only way to make a ruleset grant this right
is to explicitly allow it for a specific directory
by adding a matching rule to the ruleset.
.IP
-In particular, when using the first Landlock ABI version,
+In particular, when using Landlock ABI version 1,
Landlock will always deny attempts to reparent files
between different directories.
.IP
@@ -245,14 +239,12 @@ error code takes precedence over
These flags enable to restrict a sandboxed process
to a set of network actions.
.P
-This is supported since Landlock ABI version 4.
-.P
The following access rights apply to TCP port numbers:
.TP
-.B LANDLOCK_ACCESS_NET_BIND_TCP
+.BR LANDLOCK_ACCESS_NET_BIND_TCP " (since Landlock ABI version 4)"
Bind a TCP socket to a local port.
.TP
-.B LANDLOCK_ACCESS_NET_CONNECT_TCP
+.BR LANDLOCK_ACCESS_NET_CONNECT_TCP " (since Landlock ABI version 4)"
Connect an active TCP socket to a remote port.
.\"
.SS Scope flags
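Review bot: Dropping the section-level sentence "This is supported since Landlock ABI version 4." leaves the introduction of the network flags without any statement of when network restrictions became available; the version now appears only on the two individual flags. If that is intended, fine, but a short "(since Landlock ABI version 4)" in the introductory paragraph would keep the information for readers who only read the section lead. While touching this paragraph, the context line "These flags enable to restrict a sandboxed process" could be reworded to match "These flags enable isolating" in the scope section.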
@@ -260,16 +252,14 @@ These flags enable isolating a sandboxed process from a set of IPC actions.
Setting a flag for a ruleset will isolate the Landlock domain
to forbid connections to resources outside the domain.
.P
-This is supported since Landlock ABI version 6.
-.P
The following scopes exist:
.TP
-.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
+.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET " (since Landlock ABI version 6)"
Restrict a sandboxed process from connecting to an abstract UNIX socket
created by a process outside the related Landlock domain
(e.g., a parent domain or a non-sandboxed process).
.TP
-.B LANDLOCK_SCOPE_SIGNAL
+.BR LANDLOCK_SCOPE_SIGNAL " (since Landlock ABI version 6)"
Restrict a sandboxed process from sending a signal
to another process outside the domain.
.\"
--
2.54.0
* [PATCH v2 3/3] man/man7/landlock.7: Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX (ABI v9)
From: Günther Noack @ 2026-05-15 16:57 UTC (permalink / raw)
To: Alejandro Colomar, Mickaël Salaün; +Cc: linux-man, Günther Noack
Document the new LANDLOCK_ACCESS_FS_RESOLVE_UNIX filesystem access right,
which controls lookups of pathname UNIX domain sockets. Restricts both
connect(2) and sendmsg(2) with an explicit recipient address to UNIX
sockets created outside the Landlock domain (same semantics as
LANDLOCK_SCOPE_* flags). Denied attempts return EACCES.
Available since Linux 7.1 (Landlock ABI version 9).
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
---
man/man7/landlock.7 | 54 ++++++++++++++++++++++++++++++++++++---------
1 file changed, 44 insertions(+), 10 deletions(-)
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 60915bdd9728..55cd002d5789 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -135,6 +135,36 @@ whose implementations are safe and return the right error codes
.BR FICLONERANGE ,
.BR FIDEDUPERANGE )
.RE
+.TP
+.BR LANDLOCK_ACCESS_FS_RESOLVE_UNIX " (since Landlock ABI version 9)"
+Look up pathname UNIX
+domain sockets
+.RB ( unix (7)).
+On UNIX domain sockets,
+this restricts both calls to
+.BR connect (2)
+and
+.BR sendmsg (2)
+with an explicit recipient address.
+.IP
+This access right applies only to connections to UNIX server sockets
+which were created outside the newly created Landlock domain
+(e.g., from within a parent domain or from an unrestricted process).
+Newly created UNIX servers
+within the same Landlock domain
+continue to be accessible.
+In this regard,
+.B LANDLOCK_ACCESS_FS_RESOLVE_UNIX
+has the same semantics as the
+.BI LANDLOCK_SCOPE_ *
+flags.
+.IP
+If a resolution attempt is denied,
+the operation returns an
+.B EACCES
+error,
+in line with other filesystem access rights
+(but different to denials for abstract UNIX domain sockets).
.P
Whether an opened file can be truncated with
.BR ftruncate (2)
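Review bot: In the first added paragraph, "this restricts both calls to connect(2) and sendmsg(2) with an explicit recipient address" is ambiguous about what "with an explicit recipient address" attaches to, and it does not say whether sendto(2) with an address is covered as well. Suggest "this restricts connect(2), and sendmsg(2) when an explicit recipient address is given", listing sendto(2) too if it goes through the same check. In the last added paragraph, "(but different to denials for abstract UNIX domain sockets)" would be more useful if it named the error code those denials return.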
@@ -468,6 +498,8 @@ _ _ _
\^ \^ LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
_ _ _
8 7.0 LANDLOCK_RESTRICT_SELF_TSYNC
+_ _ _
+9 7.1 LANDLOCK_ACCESS_FS_RESOLVE_UNIX
.TE
.P
Users should use the Landlock ABI version rather than the kernel version
@@ -553,7 +585,8 @@ attr.handled_access_fs =
LANDLOCK_ACCESS_FS_MAKE_SYM |
LANDLOCK_ACCESS_FS_REFER |
LANDLOCK_ACCESS_FS_TRUNCATE |
- LANDLOCK_ACCESS_FS_IOCTL_DEV;
+ LANDLOCK_ACCESS_FS_IOCTL_DEV |
+ LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
.EE
.in
.P
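Review bot: Adding LANDLOCK_ACCESS_FS_RESOLVE_UNIX to attr.handled_access_fs means the example sandbox now denies connect(2) and sendmsg(2) to pathname UNIX sockets created outside the domain unless a rule grants the right, and nothing in this hunk tells the reader so. Consider a sentence after the snippet, or granting the right in the example's rule, so that people who copy the example are not surprised when their program can no longer reach the socket of a service running outside the sandbox.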
@@ -568,14 +601,15 @@ and only use the available subset of access rights:
* numbers hardcoded to keep the example short.
*/
__u64 landlock_fs_access_rights[] = {
- (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1, /* v1 */
- (LANDLOCK_ACCESS_FS_REFER << 1) \- 1, /* v2: add "refer" */
- (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v3: add "truncate" */
- (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v4: TCP support */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v5: add "ioctl_dev" */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v6: same */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v7: same */
- (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v8: same */
+ (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1, // v1
+ (LANDLOCK_ACCESS_FS_REFER << 1) \- 1, // v2: add "refer"
+ (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, // v3: add "truncate"
+ (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, // v4: TCP support
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v5: add "ioctl_dev"
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v6: same
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v7: same
+ (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v8: same
+ (LANDLOCK_ACCESS_FS_RESOLVE_UNIX << 1) \- 1, // v9: add "resolve_unix"
};
\&
int abi = landlock_create_ruleset(NULL, 0,
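Review bot: Converting the eight existing rows from /* */ to // comments in the same hunk that adds the v9 row hides the one functional change among style churn, and the example still ends up mixed: the block comment closing with "*/" just above the array and "/* Graceful fallback: Do nothing. */" in the next hunk keep the old style. Either convert the whole example in a separate preparatory patch, as was done for the ABI version wording, or keep /* */ here and add only the v9 line.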
@@ -588,7 +622,7 @@ if (abi == \-1) {
perror("Unable to use Landlock");
return; /* Graceful fallback: Do nothing. */
}
-abi = MIN(abi, 8);
+abi = MIN(abi, 9);
\&
/* Only use the available rights in the ruleset. */
attr.handled_access_fs &= landlock_fs_access_rights[abi \- 1];
--
2.54.0
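The fallback in the patched example silently drops LANDLOCK_ACCESS_FS_RESOLVE_UNIX on ABI versions below 9, which leaves pathname UNIX sockets unrestricted there. The following is an added example, not part of the patch or the man page: it applies the same table, reports which requested rights were dropped, and can fail closed when a right the caller treats as mandatory is unavailable. The EX_* names, struct ex_negotiated, ex_negotiate_fs() and the bit value used for RESOLVE_UNIX are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Bit values mirror <linux/landlock.h>; they are defined locally so the
 * block builds without kernel headers.  The value of EX_FS_RESOLVE_UNIX
 * is an assumption inferred from the patch's table (next bit after
 * IOCTL_DEV); use the real header on a system that ships ABI v9.
 */
#define EX_FS_MAKE_SYM      (1ULL << 12)
#define EX_FS_REFER         (1ULL << 13)
#define EX_FS_TRUNCATE      (1ULL << 14)
#define EX_FS_IOCTL_DEV     (1ULL << 15)
#define EX_FS_RESOLVE_UNIX  (1ULL << 16)    /* assumed value */

/* Same table as in the man page example: index is ABI version - 1. */
static const uint64_t ex_fs_rights_by_abi[] = {
    (EX_FS_MAKE_SYM << 1) - 1,      // v1
    (EX_FS_REFER << 1) - 1,         // v2: add "refer"
    (EX_FS_TRUNCATE << 1) - 1,      // v3: add "truncate"
    (EX_FS_TRUNCATE << 1) - 1,      // v4
    (EX_FS_IOCTL_DEV << 1) - 1,     // v5: add "ioctl_dev"
    (EX_FS_IOCTL_DEV << 1) - 1,     // v6
    (EX_FS_IOCTL_DEV << 1) - 1,     // v7
    (EX_FS_IOCTL_DEV << 1) - 1,     // v8
    (EX_FS_RESOLVE_UNIX << 1) - 1,  // v9: add "resolve_unix"
};

/* The cap is derived from the table, so the two cannot drift apart. */
#define EX_MAX_ABI \
    ((int)(sizeof(ex_fs_rights_by_abi) / sizeof(ex_fs_rights_by_abi[0])))

struct ex_negotiated {
    uint64_t effective;  /* rights to put into handled_access_fs */
    uint64_t dropped;    /* wanted rights this ABI cannot enforce */
};

/*
 * abi:      return value of the landlock_create_ruleset() version query
 * wanted:   rights the sandbox would like to handle
 * required: subset the caller refuses to run without
 *
 * Returns 0 on success, -1 if Landlock is unusable (abi < 1), and -2 if
 * a required right is missing.  *out is filled in for 0 and -2.
 */
int ex_negotiate_fs(int abi, uint64_t wanted, uint64_t required,
                    struct ex_negotiated *out)
{
    if (abi < 1)
        return -1;
    if (abi > EX_MAX_ABI)
        abi = EX_MAX_ABI;  /* newer kernel: use only what this code knows */

    uint64_t avail = ex_fs_rights_by_abi[abi - 1];

    out->effective = wanted & avail;
    out->dropped = wanted & ~avail;
    return (required & ~avail) ? -2 : 0;
}

int main(void)
{
    uint64_t wanted = EX_FS_TRUNCATE | EX_FS_IOCTL_DEV | EX_FS_RESOLVE_UNIX;

    /* Constructed inputs: pretend the kernel reported ABI 8, then ABI 9. */
    for (int abi = 8; abi <= 9; abi++) {
        struct ex_negotiated n;
        int rc = ex_negotiate_fs(abi, wanted, EX_FS_RESOLVE_UNIX, &n);

        printf("abi=%d rc=%d effective=%#llx dropped=%#llx\n", abi, rc,
               (unsigned long long)n.effective,
               (unsigned long long)n.dropped);
    }
    return 0;
}
```

A caller that treats the UNIX socket restriction as mandatory passes it in `required` and refuses to continue on -2 instead of running with a weaker sandbox than intended.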
* Re: [PATCH v2 2/3] man/man7/landlock.7: Simplify references to ABI versions
From: Alejandro Colomar @ 2026-05-15 22:54 UTC (permalink / raw)
To: Günther Noack; +Cc: Mickaël Salaün, linux-man
Hi!
On 2026-05-15T18:57:52+0200, Günther Noack wrote:
> * Use cardinal numbers for referring to Landlock ABI versions,
> where possible.
>
> * Adopt the format already used in landlock_restrict_self(2),
> where the ABI versions are described next to the flag names
> in their tagged paragraphs. For example:
>
> .TP
> .BR FLAG " (since Landlock ABI version X)"
>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Patch applied; thanks!
Have a lovely night!
Alex
> ---
> man/man7/landlock.7 | 26 ++++++++------------------
> 1 file changed, 8 insertions(+), 18 deletions(-)
>
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 0e3a11489af2..60915bdd9728 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -89,7 +89,7 @@ these system calls truncate existing files when overwriting them
> .B LANDLOCK_ACCESS_FS_READ_FILE
> Open a file with read access.
> .TP
> -.B LANDLOCK_ACCESS_FS_TRUNCATE
> +.BR LANDLOCK_ACCESS_FS_TRUNCATE " (since Landlock ABI version 3)"
> Truncate a file with
> .BR truncate (2),
> .BR ftruncate (2),
> @@ -98,10 +98,8 @@ or
> .BR open (2)
> with
> .BR O_TRUNC .
> -.IP
> -This access right is available since the third version of the Landlock ABI.
> .TP
> -.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> +.BR LANDLOCK_ACCESS_FS_IOCTL_DEV " (since Landlock ABI version 5)"
> Invoke
> .BR ioctl (2)
> commands on an opened character or block device.
> @@ -137,8 +135,6 @@ whose implementations are safe and return the right error codes
> .BR FICLONERANGE ,
> .BR FIDEDUPERANGE )
> .RE
> -.IP
> -This access right is available since the fifth version of the Landlock ABI.
> .P
> Whether an opened file can be truncated with
> .BR ftruncate (2)
> @@ -191,19 +187,17 @@ Create (or rename or link) a block device.
> .B LANDLOCK_ACCESS_FS_MAKE_SYM
> Create (or rename or link) a symbolic link.
> .TP
> -.B LANDLOCK_ACCESS_FS_REFER
> +.BR LANDLOCK_ACCESS_FS_REFER " (since Landlock ABI version 2)"
> Link or rename a file from or to a different directory
> (i.e., reparent a file hierarchy).
> .IP
> -This access right is available since the second version of the Landlock ABI.
> -.IP
> This is the only access right which is denied by default by any ruleset,
> even if the right is not specified as handled at ruleset creation time.
> The only way to make a ruleset grant this right
> is to explicitly allow it for a specific directory
> by adding a matching rule to the ruleset.
> .IP
> -In particular, when using the first Landlock ABI version,
> +In particular, when using Landlock ABI version 1,
> Landlock will always deny attempts to reparent files
> between different directories.
> .IP
> @@ -245,14 +239,12 @@ error code takes precedence over
> These flags enable to restrict a sandboxed process
> to a set of network actions.
> .P
> -This is supported since Landlock ABI version 4.
> -.P
> The following access rights apply to TCP port numbers:
> .TP
> -.B LANDLOCK_ACCESS_NET_BIND_TCP
> +.BR LANDLOCK_ACCESS_NET_BIND_TCP " (since Landlock ABI version 4)"
> Bind a TCP socket to a local port.
> .TP
> -.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> +.BR LANDLOCK_ACCESS_NET_CONNECT_TCP " (since Landlock ABI version 4)"
> Connect an active TCP socket to a remote port.
> .\"
> .SS Scope flags
> @@ -260,16 +252,14 @@ These flags enable isolating a sandboxed process from a set of IPC actions.
> Setting a flag for a ruleset will isolate the Landlock domain
> to forbid connections to resources outside the domain.
> .P
> -This is supported since Landlock ABI version 6.
> -.P
> The following scopes exist:
> .TP
> -.B LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
> +.BR LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET " (since Landlock ABI version 6)"
> Restrict a sandboxed process from connecting to an abstract UNIX socket
> created by a process outside the related Landlock domain
> (e.g., a parent domain or a non-sandboxed process).
> .TP
> -.B LANDLOCK_SCOPE_SIGNAL
> +.BR LANDLOCK_SCOPE_SIGNAL " (since Landlock ABI version 6)"
> Restrict a sandboxed process from sending a signal
> to another process outside the domain.
> .\"
> --
> 2.54.0
>
--
<https://www.alejandro-colomar.es>
* Re: [PATCH v2 3/3] man/man7/landlock.7: Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX (ABI v9)
From: Alejandro Colomar @ 2026-05-15 22:56 UTC (permalink / raw)
To: Günther Noack; +Cc: Mickaël Salaün, linux-man
Hi Günther,
On 2026-05-15T18:57:53+0200, Günther Noack wrote:
> Document the new LANDLOCK_ACCESS_FS_RESOLVE_UNIX filesystem access right,
> which controls lookups of pathname UNIX domain sockets. Restricts both
> connect(2) and sendmsg(2) with an explicit recipient address to UNIX
> sockets created outside the Landlock domain (same semantics as
> LANDLOCK_SCOPE_* flags). Denied attempts return EACCES.
>
> Available since Linux 7.1 (Landlock ABI version 9).
>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Cheers,
Alex
> ---
> man/man7/landlock.7 | 54 ++++++++++++++++++++++++++++++++++++---------
> 1 file changed, 44 insertions(+), 10 deletions(-)
>
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 60915bdd9728..55cd002d5789 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -135,6 +135,36 @@ whose implementations are safe and return the right error codes
> .BR FICLONERANGE ,
> .BR FIDEDUPERANGE )
> .RE
> +.TP
> +.BR LANDLOCK_ACCESS_FS_RESOLVE_UNIX " (since Landlock ABI version 9)"
> +Look up pathname UNIX
> +domain sockets
> +.RB ( unix (7)).
> +On UNIX domain sockets,
> +this restricts both calls to
> +.BR connect (2)
> +and
> +.BR sendmsg (2)
> +with an explicit recipient address.
> +.IP
> +This access right applies only to connections to UNIX server sockets
> +which were created outside the newly created Landlock domain
> +(e.g., from within a parent domain or from an unrestricted process).
> +Newly created UNIX servers
> +within the same Landlock domain
> +continue to be accessible.
> +In this regard,
> +.B LANDLOCK_ACCESS_FS_RESOLVE_UNIX
> +has the same semantics as the
> +.BI LANDLOCK_SCOPE_ *
> +flags.
> +.IP
> +If a resolution attempt is denied,
> +the operation returns an
> +.B EACCES
> +error,
> +in line with other filesystem access rights
> +(but different to denials for abstract UNIX domain sockets).
> .P
> Whether an opened file can be truncated with
> .BR ftruncate (2)
> @@ -468,6 +498,8 @@ _ _ _
> \^ \^ LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
> _ _ _
> 8 7.0 LANDLOCK_RESTRICT_SELF_TSYNC
> +_ _ _
> +9 7.1 LANDLOCK_ACCESS_FS_RESOLVE_UNIX
> .TE
> .P
> Users should use the Landlock ABI version rather than the kernel version
> @@ -553,7 +585,8 @@ attr.handled_access_fs =
> LANDLOCK_ACCESS_FS_MAKE_SYM |
> LANDLOCK_ACCESS_FS_REFER |
> LANDLOCK_ACCESS_FS_TRUNCATE |
> - LANDLOCK_ACCESS_FS_IOCTL_DEV;
> + LANDLOCK_ACCESS_FS_IOCTL_DEV |
> + LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
> .EE
> .in
> .P
> @@ -568,14 +601,15 @@ and only use the available subset of access rights:
> * numbers hardcoded to keep the example short.
> */
> __u64 landlock_fs_access_rights[] = {
> - (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1, /* v1 */
> - (LANDLOCK_ACCESS_FS_REFER << 1) \- 1, /* v2: add "refer" */
> - (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v3: add "truncate" */
> - (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, /* v4: TCP support */
> - (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v5: add "ioctl_dev" */
> - (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v6: same */
> - (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v7: same */
> - (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, /* v8: same */
> + (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1, // v1
> + (LANDLOCK_ACCESS_FS_REFER << 1) \- 1, // v2: add "refer"
> + (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, // v3: add "truncate"
> + (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1, // v4: TCP support
> + (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v5: add "ioctl_dev"
> + (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v6: same
> + (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v7: same
> + (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1, // v8: same
> + (LANDLOCK_ACCESS_FS_RESOLVE_UNIX << 1) \- 1, // v9: add "resolve_unix"
> };
> \&
> int abi = landlock_create_ruleset(NULL, 0,
> @@ -588,7 +622,7 @@ if (abi == \-1) {
> perror("Unable to use Landlock");
> return; /* Graceful fallback: Do nothing. */
> }
> -abi = MIN(abi, 8);
> +abi = MIN(abi, 9);
> \&
> /* Only use the available rights in the ruleset. */
> attr.handled_access_fs &= landlock_fs_access_rights[abi \- 1];
> --
> 2.54.0
>
>
--
<https://www.alejandro-colomar.es>