public inbox for linux-man@vger.kernel.org
From: "Günther Noack" <gnoack@google.com>
To: Alejandro Colomar <alx@kernel.org>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
	linux-man@vger.kernel.org
Subject: Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4
Date: Wed, 24 Jul 2024 16:19:18 +0200
Message-ID: <ZqENZk7VcbBeaXFG@google.com>
In-Reply-To: <f2lafh7vylh6rxxnmliap5fneawwlh4aepkffeqwejfn3tlrir@fzm3hucyrocc>

Hello Alejandro!

On Tue, Jul 23, 2024 at 03:03:13PM +0200, Alejandro Colomar wrote:
> On Tue, Jul 23, 2024 at 10:19:16AM GMT, Günther Noack wrote:
> > +.EX
> > +struct landlock_net_port_attr {
> > +    __u64 allowed_access;
> > +    __u64 port;
> > +};
> > +.EE
> > +.in
> > +.IP
> > +.i allowed_access
> 
> s/i/I/

Thanks, fixed. o_O


> > +contains a bitmask of allowed network actions,
> > +which can be applied on the given port.
> > +.IP
> > +.i port

Same here


> > +is the network port in host endianness.
> > +.IP
> > +It should be noted that port 0 passed to
> > +.BR bind (2)
> > +will bind to an available port from the ephemeral port range.
> > +This can be configured in the
> > +.I /proc/sys/net/ipv4/ip_local_port_range
> > +sysctl (also used for IPv6).
> > +.IP
> > +A Landlock rule with port 0
> > +and the
> > +.B LANDLOCK_ACCESS_NET_BIND_TCP
> > +right means that requesting to bind on port 0 is allowed
> > +and it will automatically translate to binding on the related port range.
> >  .P
> >  .I flags
> >  must be 0.
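
Review bot: `.i allowed_access` and `.i port` in this hunk need `.I` (capital), as already pointed out above; lowercase `.i` is not a man(7) macro, so groff warns and prints the field names in roman instead of italic. Two wording nits in the same region: "which can be applied on the given port" reads better as "that apply to the given port", and "it will automatically translate to binding on the related port range" is clearer as "the bind is then allowed on whichever port from that range the kernel picks", which matches the preceding sentence about bind(2) choosing an available port.
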
> > @@ -89,6 +132,12 @@ is set to indicate the error.
> >  .BR landlock_add_rule ()
> >  can fail for the following reasons:
> >  .TP
> > +.B EAFNOSUPPORT
> > +.I rule_type
> > +is
> > +.BR LANDLOCK_RULE_NET_PORT ,
> > +but TCP is not supported by the running kernel.
> > +.TP
> >  .B EOPNOTSUPP
> >  Landlock is supported by the kernel but disabled at boot time.
> >  .TP
> > @@ -111,6 +160,11 @@ are only applicable to directories, but
> >  .I \%rule_attr\->parent_fd
> >  does not refer to a directory).
> >  .TP
> > +.B EINVAL
> > +In
> > +.IR \%struct\~landlock_net_port_attr ,
> > +the port number is greater than 65535.
> > +.TP
> >  .B ENOMSG
> >  Empty accesses (i.e.,
> >  .I rule_attr\->allowed_access
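
Review bot: the new EINVAL entry describes the field indirectly ("In struct landlock_net_port_attr, the port number is greater than 65535"), whereas the neighbouring entries name the field directly, e.g. `.I \%rule_attr\->parent_fd` and `.I rule_attr\->allowed_access`. For consistency, consider `.I rule_attr\->port` followed by "is greater than 65535", and state the condition the way the EAFNOSUPPORT entry does, i.e. that it applies when `rule_type` is `LANDLOCK_RULE_NET_PORT`, so readers do not mistake it for a filesystem-rule error.
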
> > diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> > index 105e9b062..ca635ddbc 100644
> > --- a/man/man2/landlock_create_ruleset.2
> > +++ b/man/man2/landlock_create_ruleset.2
> > @@ -41,6 +41,7 @@ It points to the following structure:
> >  .EX
> >  struct landlock_ruleset_attr {
> >      __u64 handled_access_fs;
> > +    __u64 handled_access_net;
> >  };
> >  .EE
> >  .in
> > @@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
> >  in
> >  .BR landlock (7)).
> >  .IP
> > +.I handled_access_net
> > +is a bitmask of handled network actions
> > +(see
> > +.B Network actions
> > +in
> > +.BR landlock (7)).
> > +.IP
> >  This structure defines a set of
> >  .IR "handled access rights" ,
> >  a set of actions on different object types,
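
Review bot: the cross-reference "(see Network actions in landlock(7))" does not match the section this same patch adds to landlock.7, which is titled "Network flags" (`.SS Network flags`). One of the two should be renamed so the reference resolves; the simplest fix is to change this line to `.B Network flags`.
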
> > @@ -143,8 +151,8 @@ was not a valid address.
> >  .TP
> >  .B ENOMSG
> >  Empty accesses (i.e.,
> > -.I attr\->handled_access_fs
> > -is 0).
> > +.I attr
> > +did not specify any access rights to restrict).
> 
> This looks like a wording fix, isn't it?  If so, it might be worth a
> separate patch.
> 
> >  .SH STANDARDS
> >  Linux.
> >  .SH HISTORY
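
Review bot: the ENOMSG rewording drops the precise condition the old text had (`attr->handled_access_fs` is 0) in favour of the vaguer "did not specify any access rights to restrict". Since the reason for touching it is the new `handled_access_net` field, saying so directly keeps the precision and ties the change to this patch: "both attr->handled_access_fs and attr->handled_access_net are 0". If the generic wording is preferred instead, it is indeed a separable wording fix, as noted above.
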
> > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> > index 652054f15..52876a3de 100644
> > --- a/man/man7/landlock.7
> > +++ b/man/man7/landlock.7
> > @@ -189,6 +189,19 @@ If multiple requirements are not met, the
> >  error code takes precedence over
> >  .BR EXDEV .
> >  .\"
> > +.SS Network flags
> > +These flags enable to restrict a sandboxed process
> > +to a set of network actions.
> > +This is supported since the Landlock ABI version 4.
> > +.P
> > +The following access rights apply to TCP port numbers:
> > +.TP
> > +.B LANDLOCK_ACCESS_NET_BIND_TCP
> > +Bind a TCP socket to a local port.
> > +.TP
> > +.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> > +Connect an active TCP socket to a remote port.
> > +.\"
> >  .SS Layers of file path access rights
> >  Each time a thread enforces a ruleset on itself,
> >  it updates its Landlock domain with a new layer of policy.
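
Review bot: "These flags enable to restrict a sandboxed process" is ungrammatical; "These flags make it possible to restrict a sandboxed process" works, and "since the Landlock ABI version 4" should drop the article ("since Landlock ABI version 4"). A documentation point worth one sentence here: because `struct landlock_net_port_attr` in the landlock_add_rule hunk carries only a port and no address, readers should be told that a network rule is keyed by TCP port number alone and therefore covers that port for any local or remote address; the current text only says the rights "apply to TCP port numbers", which leaves that implicit.
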
> > @@ -339,6 +352,9 @@ _	_	_
> >  2	5.19	LANDLOCK_ACCESS_FS_REFER
> >  _	_	_
> >  3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
> > +_	_	_
> > +4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
> > +\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
> 
> Did you actually want \[ha]?

I believe \[ha] would show the caret character in the document?
What I want is different, as documented in tbl(1):

  On any row but the first, a table entry of \^
  causes the entry above it to span down into the current one.

The table cell should render like this:

  +---+-----+---------------------------------+
  | 4 | 6.7 | LANDLOCK_ACCESS_NET_BIND_TCP    |
  |   |     | LANDLOCK_ACCESS_NET_CONNECT_TCP |
  +---+-----+---------------------------------+

We are already using the same approach for the table cells further up in the
table.  IIRC, the tbl(1) preprocessor wanted *something* there, and \^ is the
placeholder that you can put if you don't have text to put in that place?

Assuming that I'm right about the \^, do you want a separate patch set for the
.i/.I change?

—Günther
