[PATCH v3 0/2] landlock*: Bring documentation up to date

[PATCH v3 0/2] landlock*: Bring documentation up to date

[Günther Noack]

This brings the man page documentation up to date with Landlock
ABI v4 (networking support) and v5 (IOCTL support).

V3:
 * rebase on the already merged patches 1/5 to 3/5
   (worked without conflicts using git rebase --onto)
 * use \% and \~ in an additional place in 4/5
 * use angle brackets for URLs in commit descriptions

V2: Addressed the small issues brought up in review
    by Mickaël Salaün and Alejandro Colomar:
 * various small wording and git-merging issues
 * small commit message formatting issues

Günther Noack (2):
  landlock.7, landlock_*.2: Document Landlock ABI version 4
  landlock.7: Document Landlock ABI version 5 (IOCTL)

 man/man2/landlock_add_rule.2       | 74 +++++++++++++++++++++++++----
 man/man2/landlock_create_ruleset.2 | 12 ++++-
 man/man7/landlock.7                | 76 +++++++++++++++++++++++++++---
 3 files changed, 144 insertions(+), 18 deletions(-)

-- 
2.45.2.1089.g2a221341d9-goog

[PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Günther Noack]

Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.

The intent is to bring the man pages mostly in line with the kernel
documentation again.  I intentionally did not add networking support to the
usage example in landlock.7 - I feel that in the long run, we would be better
advised to maintain longer example code in the kernel samples.

Closes: <https://github.com/landlock-lsm/linux/issues/32>
Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Reviewed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Günther Noack <gnoack@google.com>
---
 man/man2/landlock_add_rule.2       | 74 ++++++++++++++++++++++++++----
 man/man2/landlock_create_ruleset.2 | 12 ++++-
 man/man7/landlock.7                | 23 ++++++++--
 3 files changed, 94 insertions(+), 15 deletions(-)

diff --git a/man/man2/landlock_add_rule.2 b/man/man2/landlock_add_rule.2
index 7a83bb303..489e9c354 100644
--- a/man/man2/landlock_add_rule.2
+++ b/man/man2/landlock_add_rule.2
@@ -20,15 +20,14 @@ Standard C library
 .BI "            const void *" rule_attr ", uint32_t " flags );
 .fi
 .SH DESCRIPTION
-A Landlock rule describes an action on an object.
-An object is currently a file hierarchy,
-and the related filesystem actions
-are defined with a set of access rights.
-This
+A Landlock rule describes an action on an object
+which the process intends to perform.
+A set of rules is aggregated in a ruleset,
+which can then restrict the thread enforcing it, and its future children.
+.P
+The
 .BR landlock_add_rule ()
-system call enables adding a new Landlock rule to an existing ruleset
-created with
-.BR landlock_create_ruleset (2).
+system call adds a new Landlock rule to an existing ruleset.
 See
 .BR landlock (7)
 for a global overview.
@@ -42,10 +41,15 @@ identifies the structure type pointed to by
 .IR rule_attr .
 Currently, Linux supports the following
 .I rule_type
-value:
+values:
 .TP
 .B LANDLOCK_RULE_PATH_BENEATH
-This defines the object type as a file hierarchy.
+For these rules,
+the object is a file hierarchy,
+and the related filesystem actions
+are defined with
+.IR "filesystem access rights" .
+.IP
 In this case,
 .I rule_attr
 points to the following structure:
@@ -74,6 +78,45 @@ is an opened file descriptor, preferably with the
 flag,
 which identifies the parent directory of the file hierarchy or
 just a file.
+.TP
+.B LANDLOCK_RULE_NET_PORT
+For these rules,
+the object is a TCP port,
+and the related actions are defined with
+.IR "network access rights" .
+.IP
+In this case,
+.I rule_attr
+points to the following structure:
+.IP
+.in +4n
+.EX
+struct landlock_net_port_attr {
+    __u64 allowed_access;
+    __u64 port;
+};
+.EE
+.in
+.IP
+.i allowed_access
+contains a bitmask of allowed network actions,
+which can be applied on the given port.
+.IP
+.i port
+is the network port in host endianness.
+.IP
+It should be noted that port 0 passed to
+.BR bind (2)
+will bind to an available port from the ephemeral port range.
+This can be configured in the
+.I /proc/sys/net/ipv4/ip_local_port_range
+sysctl (also used for IPv6).
+.IP
+A Landlock rule with port 0
+and the
+.B LANDLOCK_ACCESS_NET_BIND_TCP
+right means that requesting to bind on port 0 is allowed
+and it will automatically translate to binding on the related port range.
 .P
 .I flags
 must be 0.
@@ -89,6 +132,12 @@ is set to indicate the error.
 .BR landlock_add_rule ()
 can fail for the following reasons:
 .TP
+.B EAFNOSUPPORT
+.I rule_type
+is
+.BR LANDLOCK_RULE_NET_PORT ,
+but TCP is not supported by the running kernel.
+.TP
 .B EOPNOTSUPP
 Landlock is supported by the kernel but disabled at boot time.
 .TP
@@ -111,6 +160,11 @@ are only applicable to directories, but
 .I \%rule_attr\->parent_fd
 does not refer to a directory).
 .TP
+.B EINVAL
+In
+.IR \%struct\~landlock_net_port_attr ,
+the port number is greater than 65535.
+.TP
 .B ENOMSG
 Empty accesses (i.e.,
 .I rule_attr\->allowed_access
diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
index 105e9b062..ca635ddbc 100644
--- a/man/man2/landlock_create_ruleset.2
+++ b/man/man2/landlock_create_ruleset.2
@@ -41,6 +41,7 @@ It points to the following structure:
 .EX
 struct landlock_ruleset_attr {
     __u64 handled_access_fs;
+    __u64 handled_access_net;
 };
 .EE
 .in
@@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
 in
 .BR landlock (7)).
 .IP
+.I handled_access_net
+is a bitmask of handled network actions
+(see
+.B Network actions
+in
+.BR landlock (7)).
+.IP
 This structure defines a set of
 .IR "handled access rights" ,
 a set of actions on different object types,
@@ -143,8 +151,8 @@ was not a valid address.
 .TP
 .B ENOMSG
 Empty accesses (i.e.,
-.I attr\->handled_access_fs
-is 0).
+.I attr
+did not specify any access rights to restrict).
 .SH STANDARDS
 Linux.
 .SH HISTORY
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 652054f15..52876a3de 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -189,6 +189,19 @@ If multiple requirements are not met, the
 error code takes precedence over
 .BR EXDEV .
 .\"
+.SS Network flags
+These flags enable to restrict a sandboxed process
+to a set of network actions.
+This is supported since the Landlock ABI version 4.
+.P
+The following access rights apply to TCP port numbers:
+.TP
+.B LANDLOCK_ACCESS_NET_BIND_TCP
+Bind a TCP socket to a local port.
+.TP
+.B LANDLOCK_ACCESS_NET_CONNECT_TCP
+Connect an active TCP socket to a remote port.
+.\"
 .SS Layers of file path access rights
 Each time a thread enforces a ruleset on itself,
 it updates its Landlock domain with a new layer of policy.
@@ -339,6 +352,9 @@ _	_	_
 2	5.19	LANDLOCK_ACCESS_FS_REFER
 _	_	_
 3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
+_	_	_
+4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
+\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
 .TE
 .P
 Users should use the Landlock ABI version rather than the kernel version
@@ -439,9 +455,10 @@ and only use the available subset of access rights:
  * numbers hardcoded to keep the example short.
  */
 __u64 landlock_fs_access_rights[] = {
-    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
-    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
-    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
+    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
+    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
+    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
+    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
 };
 \&
 int abi = landlock_create_ruleset(NULL, 0,
-- 
2.45.2.1089.g2a221341d9-goog

[PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Günther Noack]

Landlock ABI 5 restricts ioctl(2) on device files.

Closes: <https://github.com/landlock-lsm/linux/issues/39>
Reviewed-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Günther Noack <gnoack@google.com>
---
 man/man7/landlock.7 | 53 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 50 insertions(+), 3 deletions(-)

diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 52876a3de..c6b7272ea 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -89,9 +89,11 @@ with
 .BR O_TRUNC .
 .IP
 This access right is available since the third version of the Landlock ABI.
-.IP
+.P
 Whether an opened file can be truncated with
 .BR ftruncate (2)
+or used with
+.BR ioctl (2)
 is determined during
 .BR open (2),
 in the same way as read and write permissions are checked during
@@ -188,6 +190,48 @@ If multiple requirements are not met, the
 .B EACCES
 error code takes precedence over
 .BR EXDEV .
+.P
+The following access right
+applies to both files and directories:
+.TP
+.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+Invoke
+.BR ioctl (2)
+commands on an opened character or block device.
+.IP
+This access right applies to all
+.BR ioctl (2)
+commands implemented by device drivers.
+However, the following common IOCTL commands continue to be invokable
+independent of the
+.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+right:
+.RS
+.IP \[bu] 3
+IOCTL commands targeting file descriptors
+.RB ( FIOCLEX ,
+.BR FIONCLEX ),
+.IP \[bu]
+IOCTL commands targeting file descriptions
+.RB ( FIONBIO ,
+.BR FIOASYNC ),
+.IP \[bu]
+IOCTL commands targeting file systems
+.RB ( FIFREEZE ,
+.BR FITHAW ,
+.BR FIGETBSZ ,
+.BR FS_IOC_GETFSUUID ,
+.BR FS_IOC_GETFSSYSFSPATH )
+.IP \[bu]
+Some IOCTL commands which do not make sense when used with devices, but
+whose implementations are safe and return the right error codes
+.RB ( FS_IOC_FIEMAP ,
+.BR FICLONE ,
+.BR FICLONERANGE ,
+.BR FIDEDUPERANGE )
+.RE
+.IP
+This access right is available since the fifth version of the Landlock ABI.
 .\"
 .SS Network flags
 These flags enable to restrict a sandboxed process
@@ -355,6 +399,8 @@ _	_	_
 _	_	_
 4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
 \^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
+_	_	_
+5	6.10	LANDLOCK_ACCESS_FS_IOCTL_DEV
 .TE
 .P
 Users should use the Landlock ABI version rather than the kernel version
@@ -405,7 +451,6 @@ accessible through these system call families:
 .BR chown (2),
 .BR setxattr (2),
 .BR utime (2),
-.BR ioctl (2),
 .BR fcntl (2),
 .BR access (2).
 Future Landlock evolutions will enable to restrict them.
@@ -440,7 +485,8 @@ attr.handled_access_fs =
         LANDLOCK_ACCESS_FS_MAKE_BLOCK |
         LANDLOCK_ACCESS_FS_MAKE_SYM |
         LANDLOCK_ACCESS_FS_REFER |
-        LANDLOCK_ACCESS_FS_TRUNCATE;
+        LANDLOCK_ACCESS_FS_TRUNCATE |
+        LANDLOCK_ACCESS_FS_IOCTL_DEV;
 .EE
 .in
 .P
@@ -459,6 +505,7 @@ __u64 landlock_fs_access_rights[] = {
     (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
     (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
     (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
+    (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1,  /* v5: add "ioctl_dev" */
 };
 \&
 int abi = landlock_create_ruleset(NULL, 0,
-- 
2.45.2.1089.g2a221341d9-goog

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 7604 bytes --]

Hi Günther,

On Tue, Jul 23, 2024 at 10:19:16AM GMT, Günther Noack wrote:
> Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.
> 
> The intent is to bring the man pages mostly in line with the kernel
> documentation again.  I intentionally did not add networking support to the
> usage example in landlock.7 - I feel that in the long run, we would be better
> advised to maintain longer example code in the kernel samples.
> 
> Closes: <https://github.com/landlock-lsm/linux/issues/32>
> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> Reviewed-by: Mickaël Salaün <mic@digikod.net>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
>  man/man2/landlock_add_rule.2       | 74 ++++++++++++++++++++++++++----
>  man/man2/landlock_create_ruleset.2 | 12 ++++-
>  man/man7/landlock.7                | 23 ++++++++--
>  3 files changed, 94 insertions(+), 15 deletions(-)
> 
> diff --git a/man/man2/landlock_add_rule.2 b/man/man2/landlock_add_rule.2
> index 7a83bb303..489e9c354 100644
> --- a/man/man2/landlock_add_rule.2
> +++ b/man/man2/landlock_add_rule.2
> @@ -20,15 +20,14 @@ Standard C library
>  .BI "            const void *" rule_attr ", uint32_t " flags );
>  .fi
>  .SH DESCRIPTION
> -A Landlock rule describes an action on an object.
> -An object is currently a file hierarchy,
> -and the related filesystem actions
> -are defined with a set of access rights.
> -This
> +A Landlock rule describes an action on an object
> +which the process intends to perform.
> +A set of rules is aggregated in a ruleset,
> +which can then restrict the thread enforcing it, and its future children.
> +.P
> +The
>  .BR landlock_add_rule ()
> -system call enables adding a new Landlock rule to an existing ruleset
> -created with
> -.BR landlock_create_ruleset (2).
> +system call adds a new Landlock rule to an existing ruleset.
>  See
>  .BR landlock (7)
>  for a global overview.
> @@ -42,10 +41,15 @@ identifies the structure type pointed to by
>  .IR rule_attr .
>  Currently, Linux supports the following
>  .I rule_type
> -value:
> +values:
>  .TP
>  .B LANDLOCK_RULE_PATH_BENEATH
> -This defines the object type as a file hierarchy.
> +For these rules,
> +the object is a file hierarchy,
> +and the related filesystem actions
> +are defined with
> +.IR "filesystem access rights" .
> +.IP
>  In this case,
>  .I rule_attr
>  points to the following structure:
> @@ -74,6 +78,45 @@ is an opened file descriptor, preferably with the
>  flag,
>  which identifies the parent directory of the file hierarchy or
>  just a file.
> +.TP
> +.B LANDLOCK_RULE_NET_PORT
> +For these rules,
> +the object is a TCP port,
> +and the related actions are defined with
> +.IR "network access rights" .
> +.IP
> +In this case,
> +.I rule_attr
> +points to the following structure:
> +.IP
> +.in +4n
> +.EX
> +struct landlock_net_port_attr {
> +    __u64 allowed_access;
> +    __u64 port;
> +};
> +.EE
> +.in
> +.IP
> +.i allowed_access

s/i/I/

> +contains a bitmask of allowed network actions,
> +which can be applied on the given port.
> +.IP
> +.i port
> +is the network port in host endianness.
> +.IP
> +It should be noted that port 0 passed to
> +.BR bind (2)
> +will bind to an available port from the ephemeral port range.
> +This can be configured in the
> +.I /proc/sys/net/ipv4/ip_local_port_range
> +sysctl (also used for IPv6).
> +.IP
> +A Landlock rule with port 0
> +and the
> +.B LANDLOCK_ACCESS_NET_BIND_TCP
> +right means that requesting to bind on port 0 is allowed
> +and it will automatically translate to binding on the related port range.
>  .P
>  .I flags
>  must be 0.
> @@ -89,6 +132,12 @@ is set to indicate the error.
>  .BR landlock_add_rule ()
>  can fail for the following reasons:
>  .TP
> +.B EAFNOSUPPORT
> +.I rule_type
> +is
> +.BR LANDLOCK_RULE_NET_PORT ,
> +but TCP is not supported by the running kernel.
> +.TP
>  .B EOPNOTSUPP
>  Landlock is supported by the kernel but disabled at boot time.
>  .TP
> @@ -111,6 +160,11 @@ are only applicable to directories, but
>  .I \%rule_attr\->parent_fd
>  does not refer to a directory).
>  .TP
> +.B EINVAL
> +In
> +.IR \%struct\~landlock_net_port_attr ,
> +the port number is greater than 65535.
> +.TP
>  .B ENOMSG
>  Empty accesses (i.e.,
>  .I rule_attr\->allowed_access
> diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> index 105e9b062..ca635ddbc 100644
> --- a/man/man2/landlock_create_ruleset.2
> +++ b/man/man2/landlock_create_ruleset.2
> @@ -41,6 +41,7 @@ It points to the following structure:
>  .EX
>  struct landlock_ruleset_attr {
>      __u64 handled_access_fs;
> +    __u64 handled_access_net;
>  };
>  .EE
>  .in
> @@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
>  in
>  .BR landlock (7)).
>  .IP
> +.I handled_access_net
> +is a bitmask of handled network actions
> +(see
> +.B Network actions
> +in
> +.BR landlock (7)).
> +.IP
>  This structure defines a set of
>  .IR "handled access rights" ,
>  a set of actions on different object types,
> @@ -143,8 +151,8 @@ was not a valid address.
>  .TP
>  .B ENOMSG
>  Empty accesses (i.e.,
> -.I attr\->handled_access_fs
> -is 0).
> +.I attr
> +did not specify any access rights to restrict).

This looks like a wording fix, isn't it?  If so, it might be worth a
separate patch.

>  .SH STANDARDS
>  Linux.
>  .SH HISTORY
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 652054f15..52876a3de 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -189,6 +189,19 @@ If multiple requirements are not met, the
>  error code takes precedence over
>  .BR EXDEV .
>  .\"
> +.SS Network flags
> +These flags enable to restrict a sandboxed process
> +to a set of network actions.
> +This is supported since the Landlock ABI version 4.
> +.P
> +The following access rights apply to TCP port numbers:
> +.TP
> +.B LANDLOCK_ACCESS_NET_BIND_TCP
> +Bind a TCP socket to a local port.
> +.TP
> +.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> +Connect an active TCP socket to a remote port.
> +.\"
>  .SS Layers of file path access rights
>  Each time a thread enforces a ruleset on itself,
>  it updates its Landlock domain with a new layer of policy.
> @@ -339,6 +352,9 @@ _	_	_
>  2	5.19	LANDLOCK_ACCESS_FS_REFER
>  _	_	_
>  3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
> +_	_	_
> +4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
> +\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP

Did you actually want \[ha]?

>  .TE
>  .P
>  Users should use the Landlock ABI version rather than the kernel version
> @@ -439,9 +455,10 @@ and only use the available subset of access rights:
>   * numbers hardcoded to keep the example short.
>   */
>  __u64 landlock_fs_access_rights[] = {
> -    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
> -    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
> -    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
> +    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
> +    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
> +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
> +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
>  };
>  \&
>  int abi = landlock_create_ruleset(NULL, 0,
> -- 
> 2.45.2.1089.g2a221341d9-goog

Have a lovely day!
Alex

> 
> 

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Günther Noack]

Hello Alejandro!

On Tue, Jul 23, 2024 at 03:03:13PM +0200, Alejandro Colomar wrote:
> On Tue, Jul 23, 2024 at 10:19:16AM GMT, Günther Noack wrote:
> > +.EX
> > +struct landlock_net_port_attr {
> > +    __u64 allowed_access;
> > +    __u64 port;
> > +};
> > +.EE
> > +.in
> > +.IP
> > +.i allowed_access
> 
> s/i/I/

Thanks, fixed. o_O


> > +contains a bitmask of allowed network actions,
> > +which can be applied on the given port.
> > +.IP
> > +.i port

Same here


> > +is the network port in host endianness.
> > +.IP
> > +It should be noted that port 0 passed to
> > +.BR bind (2)
> > +will bind to an available port from the ephemeral port range.
> > +This can be configured in the
> > +.I /proc/sys/net/ipv4/ip_local_port_range
> > +sysctl (also used for IPv6).
> > +.IP
> > +A Landlock rule with port 0
> > +and the
> > +.B LANDLOCK_ACCESS_NET_BIND_TCP
> > +right means that requesting to bind on port 0 is allowed
> > +and it will automatically translate to binding on the related port range.
> >  .P
> >  .I flags
> >  must be 0.
> > @@ -89,6 +132,12 @@ is set to indicate the error.
> >  .BR landlock_add_rule ()
> >  can fail for the following reasons:
> >  .TP
> > +.B EAFNOSUPPORT
> > +.I rule_type
> > +is
> > +.BR LANDLOCK_RULE_NET_PORT ,
> > +but TCP is not supported by the running kernel.
> > +.TP
> >  .B EOPNOTSUPP
> >  Landlock is supported by the kernel but disabled at boot time.
> >  .TP
> > @@ -111,6 +160,11 @@ are only applicable to directories, but
> >  .I \%rule_attr\->parent_fd
> >  does not refer to a directory).
> >  .TP
> > +.B EINVAL
> > +In
> > +.IR \%struct\~landlock_net_port_attr ,
> > +the port number is greater than 65535.
> > +.TP
> >  .B ENOMSG
> >  Empty accesses (i.e.,
> >  .I rule_attr\->allowed_access
> > diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> > index 105e9b062..ca635ddbc 100644
> > --- a/man/man2/landlock_create_ruleset.2
> > +++ b/man/man2/landlock_create_ruleset.2
> > @@ -41,6 +41,7 @@ It points to the following structure:
> >  .EX
> >  struct landlock_ruleset_attr {
> >      __u64 handled_access_fs;
> > +    __u64 handled_access_net;
> >  };
> >  .EE
> >  .in
> > @@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
> >  in
> >  .BR landlock (7)).
> >  .IP
> > +.I handled_access_net
> > +is a bitmask of handled network actions
> > +(see
> > +.B Network actions
> > +in
> > +.BR landlock (7)).
> > +.IP
> >  This structure defines a set of
> >  .IR "handled access rights" ,
> >  a set of actions on different object types,
> > @@ -143,8 +151,8 @@ was not a valid address.
> >  .TP
> >  .B ENOMSG
> >  Empty accesses (i.e.,
> > -.I attr\->handled_access_fs
> > -is 0).
> > +.I attr
> > +did not specify any access rights to restrict).
> 
> This looks like a wording fix, isn't it?  If so, it might be worth a
> separate patch.
> 
> >  .SH STANDARDS
> >  Linux.
> >  .SH HISTORY
> > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> > index 652054f15..52876a3de 100644
> > --- a/man/man7/landlock.7
> > +++ b/man/man7/landlock.7
> > @@ -189,6 +189,19 @@ If multiple requirements are not met, the
> >  error code takes precedence over
> >  .BR EXDEV .
> >  .\"
> > +.SS Network flags
> > +These flags enable to restrict a sandboxed process
> > +to a set of network actions.
> > +This is supported since the Landlock ABI version 4.
> > +.P
> > +The following access rights apply to TCP port numbers:
> > +.TP
> > +.B LANDLOCK_ACCESS_NET_BIND_TCP
> > +Bind a TCP socket to a local port.
> > +.TP
> > +.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> > +Connect an active TCP socket to a remote port.
> > +.\"
> >  .SS Layers of file path access rights
> >  Each time a thread enforces a ruleset on itself,
> >  it updates its Landlock domain with a new layer of policy.
> > @@ -339,6 +352,9 @@ _	_	_
> >  2	5.19	LANDLOCK_ACCESS_FS_REFER
> >  _	_	_
> >  3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
> > +_	_	_
> > +4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
> > +\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
> 
> Did you actually want \[ha]?

I believe \[ha] would show the caret character in the document?
What I want is different, as documented in tbl(1):

  On any row but the first, a table entry of \^
  causes the entry above it to span down into the current one.

The table cell should render like this:

  +---+-----+---------------------------------+
  | 4 | 6.7 | LANDLOCK_ACCESS_NET_BIND_TCP    |
  |   |     | LANDLOCK_ACCESS_NET_CONNECT_TCP |
  +---+-----+---------------------------------+

We are already using the same approach for the table cells further up in the
table.  IIRC, the tbl(1) preprocessor wanted *something* there, and \^ is the
placeholder that you can put if you don't have text to put in that place?

Assuming that I'm right about the \^, do you want a separate patch set for the
.i/.I change?

—Günther

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 5644 bytes --]

Hi Günther!

On Wed, Jul 24, 2024 at 04:19:18PM GMT, Günther Noack wrote:
> Hello Alejandro!
> 
> On Tue, Jul 23, 2024 at 03:03:13PM +0200, Alejandro Colomar wrote:
> > On Tue, Jul 23, 2024 at 10:19:16AM GMT, Günther Noack wrote:
> > > +.EX
> > > +struct landlock_net_port_attr {
> > > +    __u64 allowed_access;
> > > +    __u64 port;
> > > +};
> > > +.EE
> > > +.in
> > > +.IP
> > > +.i allowed_access
> > 
> > s/i/I/
> 
> Thanks, fixed. o_O
> 
> 
> > > +contains a bitmask of allowed network actions,
> > > +which can be applied on the given port.
> > > +.IP
> > > +.i port
> 
> Same here
> 
> 
> > > +is the network port in host endianness.
> > > +.IP
> > > +It should be noted that port 0 passed to
> > > +.BR bind (2)
> > > +will bind to an available port from the ephemeral port range.
> > > +This can be configured in the
> > > +.I /proc/sys/net/ipv4/ip_local_port_range
> > > +sysctl (also used for IPv6).
> > > +.IP
> > > +A Landlock rule with port 0
> > > +and the
> > > +.B LANDLOCK_ACCESS_NET_BIND_TCP
> > > +right means that requesting to bind on port 0 is allowed
> > > +and it will automatically translate to binding on the related port range.
> > >  .P
> > >  .I flags
> > >  must be 0.
> > > @@ -89,6 +132,12 @@ is set to indicate the error.
> > >  .BR landlock_add_rule ()
> > >  can fail for the following reasons:
> > >  .TP
> > > +.B EAFNOSUPPORT
> > > +.I rule_type
> > > +is
> > > +.BR LANDLOCK_RULE_NET_PORT ,
> > > +but TCP is not supported by the running kernel.
> > > +.TP
> > >  .B EOPNOTSUPP
> > >  Landlock is supported by the kernel but disabled at boot time.
> > >  .TP
> > > @@ -111,6 +160,11 @@ are only applicable to directories, but
> > >  .I \%rule_attr\->parent_fd
> > >  does not refer to a directory).
> > >  .TP
> > > +.B EINVAL
> > > +In
> > > +.IR \%struct\~landlock_net_port_attr ,
> > > +the port number is greater than 65535.
> > > +.TP
> > >  .B ENOMSG
> > >  Empty accesses (i.e.,
> > >  .I rule_attr\->allowed_access
> > > diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> > > index 105e9b062..ca635ddbc 100644
> > > --- a/man/man2/landlock_create_ruleset.2
> > > +++ b/man/man2/landlock_create_ruleset.2
> > > @@ -41,6 +41,7 @@ It points to the following structure:
> > >  .EX
> > >  struct landlock_ruleset_attr {
> > >      __u64 handled_access_fs;
> > > +    __u64 handled_access_net;
> > >  };
> > >  .EE
> > >  .in
> > > @@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
> > >  in
> > >  .BR landlock (7)).
> > >  .IP
> > > +.I handled_access_net
> > > +is a bitmask of handled network actions
> > > +(see
> > > +.B Network actions
> > > +in
> > > +.BR landlock (7)).
> > > +.IP
> > >  This structure defines a set of
> > >  .IR "handled access rights" ,
> > >  a set of actions on different object types,
> > > @@ -143,8 +151,8 @@ was not a valid address.
> > >  .TP
> > >  .B ENOMSG
> > >  Empty accesses (i.e.,
> > > -.I attr\->handled_access_fs
> > > -is 0).
> > > +.I attr
> > > +did not specify any access rights to restrict).
> > 
> > This looks like a wording fix, isn't it?  If so, it might be worth a
> > separate patch.

Ping.

> > 
> > >  .SH STANDARDS
> > >  Linux.
> > >  .SH HISTORY
> > > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> > > index 652054f15..52876a3de 100644
> > > --- a/man/man7/landlock.7
> > > +++ b/man/man7/landlock.7
> > > @@ -189,6 +189,19 @@ If multiple requirements are not met, the
> > >  error code takes precedence over
> > >  .BR EXDEV .
> > >  .\"
> > > +.SS Network flags
> > > +These flags enable to restrict a sandboxed process
> > > +to a set of network actions.
> > > +This is supported since the Landlock ABI version 4.
> > > +.P
> > > +The following access rights apply to TCP port numbers:
> > > +.TP
> > > +.B LANDLOCK_ACCESS_NET_BIND_TCP
> > > +Bind a TCP socket to a local port.
> > > +.TP
> > > +.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> > > +Connect an active TCP socket to a remote port.
> > > +.\"
> > >  .SS Layers of file path access rights
> > >  Each time a thread enforces a ruleset on itself,
> > >  it updates its Landlock domain with a new layer of policy.
> > > @@ -339,6 +352,9 @@ _	_	_
> > >  2	5.19	LANDLOCK_ACCESS_FS_REFER
> > >  _	_	_
> > >  3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
> > > +_	_	_
> > > +4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
> > > +\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
> > 
> > Did you actually want \[ha]?
> 
> I believe \[ha] would show the caret character in the document?
> What I want is different, as documented in tbl(1):
> 
>   On any row but the first, a table entry of \^
>   causes the entry above it to span down into the current one.

Ahhh, sorry.  I forgot about that thing.  You can guess that I don't use
tbl(1) often.  :)

> 
> The table cell should render like this:
> 
>   +---+-----+---------------------------------+
>   | 4 | 6.7 | LANDLOCK_ACCESS_NET_BIND_TCP    |
>   |   |     | LANDLOCK_ACCESS_NET_CONNECT_TCP |
>   +---+-----+---------------------------------+
> 
> We are already using the same approach for the table cells further up in the
> table.  IIRC, the tbl(1) preprocessor wanted *something* there, and \^ is the
> placeholder that you can put if you don't have text to put in that place?
> 
> Assuming that I'm right about the \^, do you want a separate patch set for the
> .i/.I change?

It depends on your answer to the pinged question above.

Have a lovely day!
Alex

> 
> —Günther

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Günther Noack]

Hello Alejandro!

On Wed, Jul 24, 2024 at 04:31:21PM +0200, Alejandro Colomar wrote:
> On Wed, Jul 24, 2024 at 04:19:18PM GMT, Günther Noack wrote:
> > On Tue, Jul 23, 2024 at 03:03:13PM +0200, Alejandro Colomar wrote:
> > > On Tue, Jul 23, 2024 at 10:19:16AM GMT, Günther Noack wrote:
> > > > @@ -143,8 +151,8 @@ was not a valid address.
> > > >  .TP
> > > >  .B ENOMSG
> > > >  Empty accesses (i.e.,
> > > > -.I attr\->handled_access_fs
> > > > -is 0).
> > > > +.I attr
> > > > +did not specify any access rights to restrict).
> > > 
> > > This looks like a wording fix, isn't it?  If so, it might be worth a
> > > separate patch.
> 
> Ping.

Thanks, I missed that.

It is not a pure wording fix, but it corrects an overly specific error
description that does not hold any more in the case of Landlock ABI version 4.

With the introduction of Landlock ABI v4, attr->handled_access_fs is not
technically accurate any more, but it can also be attr->handled_access_net(!)
now, in the case where someone uses these new networking features.  So I made
the phrasing a bit more general to cover both.

> It depends on your answer to the pinged question above.

Sounds good.

Thanks for the review!
—Günther

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 1546 bytes --]

On Wed, Jul 24, 2024 at 02:51:30PM GMT, Günther Noack wrote:
> Hello Alejandro!

Hi!

> On Wed, Jul 24, 2024 at 04:31:21PM +0200, Alejandro Colomar wrote:
> > On Wed, Jul 24, 2024 at 04:19:18PM GMT, Günther Noack wrote:
> > > On Tue, Jul 23, 2024 at 03:03:13PM +0200, Alejandro Colomar wrote:
> > > > On Tue, Jul 23, 2024 at 10:19:16AM GMT, Günther Noack wrote:
> > > > > @@ -143,8 +151,8 @@ was not a valid address.
> > > > >  .TP
> > > > >  .B ENOMSG
> > > > >  Empty accesses (i.e.,
> > > > > -.I attr\->handled_access_fs
> > > > > -is 0).
> > > > > +.I attr
> > > > > +did not specify any access rights to restrict).
> > > > 
> > > > This looks like a wording fix, isn't it?  If so, it might be worth a
> > > > separate patch.
> > 
> > Ping.
> 
> Thanks, I missed that.
> 
> It is not a pure wording fix, but it corrects an overly specific error
> description that does not hold any more in the case of Landlock ABI version 4.
> 
> With the introduction of Landlock ABI v4, attr->handled_access_fs is not
> technically accurate any more, but it can also be attr->handled_access_net(!)
> now, in the case where someone uses these new networking features.  So I made
> the phrasing a bit more general to cover both.

Makes sense; thanks!

> 
> > It depends on your answer to the pinged question above.

I'll apply this patch set, and amend the s/i/I/ myself.

Have a lovely day!
Alex

> 
> Sounds good.
> 
> Thanks for the review!
> —Günther
> 

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Günther Noack]

On Wed, Jul 24, 2024 at 04:54:43PM +0200, Alejandro Colomar wrote:
> On Wed, Jul 24, 2024 at 02:51:30PM GMT, Günther Noack wrote:
> > On Wed, Jul 24, 2024 at 04:31:21PM +0200, Alejandro Colomar wrote:
> > > It depends on your answer to the pinged question above.
> 
> I'll apply this patch set, and amend the s/i/I/ myself.

Thank you Alejandro, I would appreciate that! :)

Thanks,
—Günther

P.S.: I noticed that it is not in master yet, but I assume it'll get there. :)

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 781 bytes --]

Hi Günther!

On Wed, Jul 31, 2024 at 11:43:35AM GMT, Günther Noack wrote:
> On Wed, Jul 24, 2024 at 04:54:43PM +0200, Alejandro Colomar wrote:
> > On Wed, Jul 24, 2024 at 02:51:30PM GMT, Günther Noack wrote:
> > > On Wed, Jul 24, 2024 at 04:31:21PM +0200, Alejandro Colomar wrote:
> > > > It depends on your answer to the pinged question above.
> > 
> > I'll apply this patch set, and amend the s/i/I/ myself.
> 
> Thank you Alejandro, I would appreciate that! :)

:-)

> 
> Thanks,
> —Günther
> 
> P.S.: I noticed that it is not in master yet, but I assume it'll get there. :)

Yeah, I'm being slower these days.  I'm a bit tired.  But it'll get
there.  Probably later today.  :)

Have a lovely day!
Alex

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 3997 bytes --]

Hi Günther,

On Tue, Jul 23, 2024 at 10:19:17AM GMT, Günther Noack wrote:
> Landlock ABI 5 restricts ioctl(2) on device files.
> 
> Closes: <https://github.com/landlock-lsm/linux/issues/39>
> Reviewed-by: Mickaël Salaün <mic@digikod.net>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---

I've applied both patches; thanks!  For the moment, they're here:
<https://www.alejandro-colomar.es/src/alx/linux/man-pages/man-pages.git/log/?h=contrib>

Did you not add a CC tag for Konstantin on purpose on this patch, or did
you forget?  Should I add it?

Cheers,
Alex

>  man/man7/landlock.7 | 53 ++++++++++++++++++++++++++++++++++++++++++---
>  1 file changed, 50 insertions(+), 3 deletions(-)
> 
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 52876a3de..c6b7272ea 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -89,9 +89,11 @@ with
>  .BR O_TRUNC .
>  .IP
>  This access right is available since the third version of the Landlock ABI.
> -.IP
> +.P
>  Whether an opened file can be truncated with
>  .BR ftruncate (2)
> +or used with
> +.BR ioctl (2)
>  is determined during
>  .BR open (2),
>  in the same way as read and write permissions are checked during
> @@ -188,6 +190,48 @@ If multiple requirements are not met, the
>  .B EACCES
>  error code takes precedence over
>  .BR EXDEV .
> +.P
> +The following access right
> +applies to both files and directories:
> +.TP
> +.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> +Invoke
> +.BR ioctl (2)
> +commands on an opened character or block device.
> +.IP
> +This access right applies to all
> +.BR ioctl (2)
> +commands implemented by device drivers.
> +However, the following common IOCTL commands continue to be invokable
> +independent of the
> +.B LANDLOCK_ACCESS_FS_IOCTL_DEV
> +right:
> +.RS
> +.IP \[bu] 3
> +IOCTL commands targeting file descriptors
> +.RB ( FIOCLEX ,
> +.BR FIONCLEX ),
> +.IP \[bu]
> +IOCTL commands targeting file descriptions
> +.RB ( FIONBIO ,
> +.BR FIOASYNC ),
> +.IP \[bu]
> +IOCTL commands targeting file systems
> +.RB ( FIFREEZE ,
> +.BR FITHAW ,
> +.BR FIGETBSZ ,
> +.BR FS_IOC_GETFSUUID ,
> +.BR FS_IOC_GETFSSYSFSPATH )
> +.IP \[bu]
> +Some IOCTL commands which do not make sense when used with devices, but
> +whose implementations are safe and return the right error codes
> +.RB ( FS_IOC_FIEMAP ,
> +.BR FICLONE ,
> +.BR FICLONERANGE ,
> +.BR FIDEDUPERANGE )
> +.RE
> +.IP
> +This access right is available since the fifth version of the Landlock ABI.
>  .\"
>  .SS Network flags
>  These flags enable to restrict a sandboxed process
> @@ -355,6 +399,8 @@ _	_	_
>  _	_	_
>  4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
>  \^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
> +_	_	_
> +5	6.10	LANDLOCK_ACCESS_FS_IOCTL_DEV
>  .TE
>  .P
>  Users should use the Landlock ABI version rather than the kernel version
> @@ -405,7 +451,6 @@ accessible through these system call families:
>  .BR chown (2),
>  .BR setxattr (2),
>  .BR utime (2),
> -.BR ioctl (2),
>  .BR fcntl (2),
>  .BR access (2).
>  Future Landlock evolutions will enable to restrict them.
> @@ -440,7 +485,8 @@ attr.handled_access_fs =
>          LANDLOCK_ACCESS_FS_MAKE_BLOCK |
>          LANDLOCK_ACCESS_FS_MAKE_SYM |
>          LANDLOCK_ACCESS_FS_REFER |
> -        LANDLOCK_ACCESS_FS_TRUNCATE;
> +        LANDLOCK_ACCESS_FS_TRUNCATE |
> +        LANDLOCK_ACCESS_FS_IOCTL_DEV;
>  .EE
>  .in
>  .P
> @@ -459,6 +505,7 @@ __u64 landlock_fs_access_rights[] = {
>      (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
>      (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
>      (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
> +    (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1,  /* v5: add "ioctl_dev" */
>  };
>  \&
>  int abi = landlock_create_ruleset(NULL, 0,
> -- 
> 2.45.2.1089.g2a221341d9-goog
> 

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Günther Noack]

Hello Alejandro!

On Wed, Jul 31, 2024 at 12:58:51PM +0200, Alejandro Colomar wrote:
> On Tue, Jul 23, 2024 at 10:19:17AM GMT, Günther Noack wrote:
> > Landlock ABI 5 restricts ioctl(2) on device files.
> > 
> > Closes: <https://github.com/landlock-lsm/linux/issues/39>
> > Reviewed-by: Mickaël Salaün <mic@digikod.net>
> > Signed-off-by: Günther Noack <gnoack@google.com>
> > ---
> 
> I've applied both patches; thanks!  For the moment, they're here:
> <https://www.alejandro-colomar.es/src/alx/linux/man-pages/man-pages.git/log/?h=contrib>

Ah, thanks, I did not realize you had a separate cgit running there.
These patches look good. 👍

> Did you not add a CC tag for Konstantin on purpose on this patch, or did
> you forget?  Should I add it?

It's fine as is.

I CC'd Konstantin on the first patch, because he authored the networking
features, and their kernel documentation, which are being turned into man pages
there.  He was not involved in the IOCTL feature, so on that patch he is not
CC'd (but can happily comment, if interested).

Konstantin: I would still appreciate if you could have a look and sign-off on
the networking documentation patch as well, since you are the original author of
much of that documentation on the kernel side.

Thanks,
—Günther

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 1744 bytes --]

Hi Günther!

On Wed, Jul 31, 2024 at 01:40:54PM GMT, Günther Noack wrote:
> Hello Alejandro!
> 
> On Wed, Jul 31, 2024 at 12:58:51PM +0200, Alejandro Colomar wrote:
> > On Tue, Jul 23, 2024 at 10:19:17AM GMT, Günther Noack wrote:
> > > Landlock ABI 5 restricts ioctl(2) on device files.
> > > 
> > > Closes: <https://github.com/landlock-lsm/linux/issues/39>
> > > Reviewed-by: Mickaël Salaün <mic@digikod.net>
> > > Signed-off-by: Günther Noack <gnoack@google.com>
> > > ---
> > 
> > I've applied both patches; thanks!  For the moment, they're here:
> > <https://www.alejandro-colomar.es/src/alx/linux/man-pages/man-pages.git/log/?h=contrib>
> 
> Ah, thanks, I did not realize you had a separate cgit running there.
> These patches look good. 👍

Yup; I use it both as a staging area, and as a backup of patches to
several projects.  :)

> > Did you not add a CC tag for Konstantin on purpose on this patch, or did
> > you forget?  Should I add it?
> 
> It's fine as is.

Thanks.

> 
> I CC'd Konstantin on the first patch, because he authored the networking
> features, and their kernel documentation, which are being turned into man pages
> there.  He was not involved in the IOCTL feature, so on that patch he is not
> CC'd (but can happily comment, if interested).
> 
> Konstantin: I would still appreciate if you could have a look and sign-off on
> the networking documentation patch as well, since you are the original author of
> much of that documentation on the kernel side.
> 

I'll leave it for a few more days there, to allow Konstantin to review
it; I'll push to master in a week or so.

Cheers,
Alex

> Thanks,
> —Günther
> 

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Konstantin Meskhidze (A)]

7/23/2024 1:19 PM, Günther Noack пишет:
> Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.
> 
> The intent is to bring the man pages mostly in line with the kernel
> documentation again.  I intentionally did not add networking support to the
> usage example in landlock.7 - I feel that in the long run, we would be better
> advised to maintain longer example code in the kernel samples.
> 
> Closes: <https://github.com/landlock-lsm/linux/issues/32>
> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> Reviewed-by: Mickaël Salaün <mic@digikod.net>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
>   man/man2/landlock_add_rule.2       | 74 ++++++++++++++++++++++++++----
>   man/man2/landlock_create_ruleset.2 | 12 ++++-
>   man/man7/landlock.7                | 23 ++++++++--
>   3 files changed, 94 insertions(+), 15 deletions(-)
> 
> diff --git a/man/man2/landlock_add_rule.2 b/man/man2/landlock_add_rule.2
> index 7a83bb303..489e9c354 100644
> --- a/man/man2/landlock_add_rule.2
> +++ b/man/man2/landlock_add_rule.2
> @@ -20,15 +20,14 @@ Standard C library
>   .BI "            const void *" rule_attr ", uint32_t " flags );
>   .fi
>   .SH DESCRIPTION
> -A Landlock rule describes an action on an object.
> -An object is currently a file hierarchy,
> -and the related filesystem actions
> -are defined with a set of access rights.
> -This
> +A Landlock rule describes an action on an object
> +which the process intends to perform.
> +A set of rules is aggregated in a ruleset,
> +which can then restrict the thread enforcing it, and its future children.
> +.P
> +The
>   .BR landlock_add_rule ()
> -system call enables adding a new Landlock rule to an existing ruleset
> -created with
> -.BR landlock_create_ruleset (2).
> +system call adds a new Landlock rule to an existing ruleset.
>   See
>   .BR landlock (7)
>   for a global overview.
> @@ -42,10 +41,15 @@ identifies the structure type pointed to by
>   .IR rule_attr .
>   Currently, Linux supports the following
>   .I rule_type
> -value:
> +values:
>   .TP
>   .B LANDLOCK_RULE_PATH_BENEATH
> -This defines the object type as a file hierarchy.
> +For these rules,
> +the object is a file hierarchy,
> +and the related filesystem actions
> +are defined with
> +.IR "filesystem access rights" .
> +.IP
>   In this case,
>   .I rule_attr
>   points to the following structure:
> @@ -74,6 +78,45 @@ is an opened file descriptor, preferably with the
>   flag,
>   which identifies the parent directory of the file hierarchy or
>   just a file.
> +.TP
> +.B LANDLOCK_RULE_NET_PORT
> +For these rules,
> +the object is a TCP port,
> +and the related actions are defined with
> +.IR "network access rights" .
> +.IP
> +In this case,
> +.I rule_attr
> +points to the following structure:
> +.IP
> +.in +4n
> +.EX
> +struct landlock_net_port_attr {
> +    __u64 allowed_access;
> +    __u64 port;
> +};
> +.EE
> +.in
> +.IP
> +.i allowed_access
> +contains a bitmask of allowed network actions,
> +which can be applied on the given port.
> +.IP
> +.i port
> +is the network port in host endianness.
> +.IP
> +It should be noted that port 0 passed to
> +.BR bind (2)
> +will bind to an available port from the ephemeral port range.
> +This can be configured in the
> +.I /proc/sys/net/ipv4/ip_local_port_range
> +sysctl (also used for IPv6).
> +.IP
> +A Landlock rule with port 0
> +and the
> +.B LANDLOCK_ACCESS_NET_BIND_TCP
> +right means that requesting to bind on port 0 is allowed
> +and it will automatically translate to binding on the related port range.
>   .P
>   .I flags
>   must be 0.
> @@ -89,6 +132,12 @@ is set to indicate the error.
>   .BR landlock_add_rule ()
>   can fail for the following reasons:
>   .TP
> +.B EAFNOSUPPORT
> +.I rule_type
> +is
> +.BR LANDLOCK_RULE_NET_PORT ,
> +but TCP is not supported by the running kernel.
> +.TP
>   .B EOPNOTSUPP
>   Landlock is supported by the kernel but disabled at boot time.
>   .TP
> @@ -111,6 +160,11 @@ are only applicable to directories, but
>   .I \%rule_attr\->parent_fd
>   does not refer to a directory).
>   .TP
> +.B EINVAL
> +In
> +.IR \%struct\~landlock_net_port_attr ,
> +the port number is greater than 65535.
> +.TP
>   .B ENOMSG
>   Empty accesses (i.e.,
>   .I rule_attr\->allowed_access
> diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> index 105e9b062..ca635ddbc 100644
> --- a/man/man2/landlock_create_ruleset.2
> +++ b/man/man2/landlock_create_ruleset.2
> @@ -41,6 +41,7 @@ It points to the following structure:
>   .EX
>   struct landlock_ruleset_attr {
>       __u64 handled_access_fs;
> +    __u64 handled_access_net;
>   };
>   .EE
>   .in
> @@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
>   in
>   .BR landlock (7)).
>   .IP
> +.I handled_access_net
> +is a bitmask of handled network actions
> +(see
> +.B Network actions
> +in
> +.BR landlock (7)).
> +.IP
>   This structure defines a set of
>   .IR "handled access rights" ,
>   a set of actions on different object types,
> @@ -143,8 +151,8 @@ was not a valid address.
>   .TP
>   .B ENOMSG
>   Empty accesses (i.e.,
> -.I attr\->handled_access_fs
> -is 0).
> +.I attr
> +did not specify any access rights to restrict).
>   .SH STANDARDS
>   Linux.
>   .SH HISTORY
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 652054f15..52876a3de 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -189,6 +189,19 @@ If multiple requirements are not met, the
>   error code takes precedence over
>   .BR EXDEV .
>   .\"
> +.SS Network flags
> +These flags enable to restrict a sandboxed process
> +to a set of network actions.
> +This is supported since the Landlock ABI version 4.
> +.P
> +The following access rights apply to TCP port numbers:
> +.TP
> +.B LANDLOCK_ACCESS_NET_BIND_TCP
> +Bind a TCP socket to a local port.
> +.TP
> +.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> +Connect an active TCP socket to a remote port.
> +.\"
>   .SS Layers of file path access rights
>   Each time a thread enforces a ruleset on itself,
>   it updates its Landlock domain with a new layer of policy.
> @@ -339,6 +352,9 @@ _	_	_
>   2	5.19	LANDLOCK_ACCESS_FS_REFER
>   _	_	_
>   3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
> +_	_	_
> +4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
> +\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
>   .TE
>   .P
>   Users should use the Landlock ABI version rather than the kernel version
> @@ -439,9 +455,10 @@ and only use the available subset of access rights:
>    * numbers hardcoded to keep the example short.
>    */
>   __u64 landlock_fs_access_rights[] = {
> -    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
> -    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
> -    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
> +    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
> +    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
> +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
> +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */   Double "LANDLOCK_ACCESS_FS_TRUNCATE  << 1", I think its a mistype here.
>   };
>   \&
>   int abi = landlock_create_ruleset(NULL, 0,

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 8144 bytes --]

Hi Konstantin,

You didn't write anything in this message, right?  Was it an accident?

Have a lovely day!
Alex

On Tue, Aug 06, 2024 at 11:38:57AM GMT, Konstantin Meskhidze (A) wrote:
> 
> 
> 7/23/2024 1:19 PM, Günther Noack пишет:
> > Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.
> > 
> > The intent is to bring the man pages mostly in line with the kernel
> > documentation again.  I intentionally did not add networking support to the
> > usage example in landlock.7 - I feel that in the long run, we would be better
> > advised to maintain longer example code in the kernel samples.
> > 
> > Closes: <https://github.com/landlock-lsm/linux/issues/32>
> > Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> > Reviewed-by: Mickaël Salaün <mic@digikod.net>
> > Signed-off-by: Günther Noack <gnoack@google.com>
> > ---
> >   man/man2/landlock_add_rule.2       | 74 ++++++++++++++++++++++++++----
> >   man/man2/landlock_create_ruleset.2 | 12 ++++-
> >   man/man7/landlock.7                | 23 ++++++++--
> >   3 files changed, 94 insertions(+), 15 deletions(-)
> > 
> > diff --git a/man/man2/landlock_add_rule.2 b/man/man2/landlock_add_rule.2
> > index 7a83bb303..489e9c354 100644
> > --- a/man/man2/landlock_add_rule.2
> > +++ b/man/man2/landlock_add_rule.2
> > @@ -20,15 +20,14 @@ Standard C library
> >   .BI "            const void *" rule_attr ", uint32_t " flags );
> >   .fi
> >   .SH DESCRIPTION
> > -A Landlock rule describes an action on an object.
> > -An object is currently a file hierarchy,
> > -and the related filesystem actions
> > -are defined with a set of access rights.
> > -This
> > +A Landlock rule describes an action on an object
> > +which the process intends to perform.
> > +A set of rules is aggregated in a ruleset,
> > +which can then restrict the thread enforcing it, and its future children.
> > +.P
> > +The
> >   .BR landlock_add_rule ()
> > -system call enables adding a new Landlock rule to an existing ruleset
> > -created with
> > -.BR landlock_create_ruleset (2).
> > +system call adds a new Landlock rule to an existing ruleset.
> >   See
> >   .BR landlock (7)
> >   for a global overview.
> > @@ -42,10 +41,15 @@ identifies the structure type pointed to by
> >   .IR rule_attr .
> >   Currently, Linux supports the following
> >   .I rule_type
> > -value:
> > +values:
> >   .TP
> >   .B LANDLOCK_RULE_PATH_BENEATH
> > -This defines the object type as a file hierarchy.
> > +For these rules,
> > +the object is a file hierarchy,
> > +and the related filesystem actions
> > +are defined with
> > +.IR "filesystem access rights" .
> > +.IP
> >   In this case,
> >   .I rule_attr
> >   points to the following structure:
> > @@ -74,6 +78,45 @@ is an opened file descriptor, preferably with the
> >   flag,
> >   which identifies the parent directory of the file hierarchy or
> >   just a file.
> > +.TP
> > +.B LANDLOCK_RULE_NET_PORT
> > +For these rules,
> > +the object is a TCP port,
> > +and the related actions are defined with
> > +.IR "network access rights" .
> > +.IP
> > +In this case,
> > +.I rule_attr
> > +points to the following structure:
> > +.IP
> > +.in +4n
> > +.EX
> > +struct landlock_net_port_attr {
> > +    __u64 allowed_access;
> > +    __u64 port;
> > +};
> > +.EE
> > +.in
> > +.IP
> > +.i allowed_access
> > +contains a bitmask of allowed network actions,
> > +which can be applied on the given port.
> > +.IP
> > +.i port
> > +is the network port in host endianness.
> > +.IP
> > +It should be noted that port 0 passed to
> > +.BR bind (2)
> > +will bind to an available port from the ephemeral port range.
> > +This can be configured in the
> > +.I /proc/sys/net/ipv4/ip_local_port_range
> > +sysctl (also used for IPv6).
> > +.IP
> > +A Landlock rule with port 0
> > +and the
> > +.B LANDLOCK_ACCESS_NET_BIND_TCP
> > +right means that requesting to bind on port 0 is allowed
> > +and it will automatically translate to binding on the related port range.
> >   .P
> >   .I flags
> >   must be 0.
> > @@ -89,6 +132,12 @@ is set to indicate the error.
> >   .BR landlock_add_rule ()
> >   can fail for the following reasons:
> >   .TP
> > +.B EAFNOSUPPORT
> > +.I rule_type
> > +is
> > +.BR LANDLOCK_RULE_NET_PORT ,
> > +but TCP is not supported by the running kernel.
> > +.TP
> >   .B EOPNOTSUPP
> >   Landlock is supported by the kernel but disabled at boot time.
> >   .TP
> > @@ -111,6 +160,11 @@ are only applicable to directories, but
> >   .I \%rule_attr\->parent_fd
> >   does not refer to a directory).
> >   .TP
> > +.B EINVAL
> > +In
> > +.IR \%struct\~landlock_net_port_attr ,
> > +the port number is greater than 65535.
> > +.TP
> >   .B ENOMSG
> >   Empty accesses (i.e.,
> >   .I rule_attr\->allowed_access
> > diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> > index 105e9b062..ca635ddbc 100644
> > --- a/man/man2/landlock_create_ruleset.2
> > +++ b/man/man2/landlock_create_ruleset.2
> > @@ -41,6 +41,7 @@ It points to the following structure:
> >   .EX
> >   struct landlock_ruleset_attr {
> >       __u64 handled_access_fs;
> > +    __u64 handled_access_net;
> >   };
> >   .EE
> >   .in
> > @@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
> >   in
> >   .BR landlock (7)).
> >   .IP
> > +.I handled_access_net
> > +is a bitmask of handled network actions
> > +(see
> > +.B Network actions
> > +in
> > +.BR landlock (7)).
> > +.IP
> >   This structure defines a set of
> >   .IR "handled access rights" ,
> >   a set of actions on different object types,
> > @@ -143,8 +151,8 @@ was not a valid address.
> >   .TP
> >   .B ENOMSG
> >   Empty accesses (i.e.,
> > -.I attr\->handled_access_fs
> > -is 0).
> > +.I attr
> > +did not specify any access rights to restrict).
> >   .SH STANDARDS
> >   Linux.
> >   .SH HISTORY
> > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> > index 652054f15..52876a3de 100644
> > --- a/man/man7/landlock.7
> > +++ b/man/man7/landlock.7
> > @@ -189,6 +189,19 @@ If multiple requirements are not met, the
> >   error code takes precedence over
> >   .BR EXDEV .
> >   .\"
> > +.SS Network flags
> > +These flags enable to restrict a sandboxed process
> > +to a set of network actions.
> > +This is supported since the Landlock ABI version 4.
> > +.P
> > +The following access rights apply to TCP port numbers:
> > +.TP
> > +.B LANDLOCK_ACCESS_NET_BIND_TCP
> > +Bind a TCP socket to a local port.
> > +.TP
> > +.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> > +Connect an active TCP socket to a remote port.
> > +.\"
> >   .SS Layers of file path access rights
> >   Each time a thread enforces a ruleset on itself,
> >   it updates its Landlock domain with a new layer of policy.
> > @@ -339,6 +352,9 @@ _	_	_
> >   2	5.19	LANDLOCK_ACCESS_FS_REFER
> >   _	_	_
> >   3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
> > +_	_	_
> > +4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
> > +\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
> >   .TE
> >   .P
> >   Users should use the Landlock ABI version rather than the kernel version
> > @@ -439,9 +455,10 @@ and only use the available subset of access rights:
> >    * numbers hardcoded to keep the example short.
> >    */
> >   __u64 landlock_fs_access_rights[] = {
> > -    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
> > -    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
> > -    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
> > +    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
> > +    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
> > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
> > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */   Double "LANDLOCK_ACCESS_FS_TRUNCATE  << 1", I think its a mistype here.
> >   };
> >   \&
> >   int abi = landlock_create_ruleset(NULL, 0,

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Konstantin Meskhidze (A)]

8/6/2024 1:19 PM, Alejandro Colomar пишет:
> Hi Konstantin,
> 
> You didn't write anything in this message, right?  Was it an accident?

  Sorry. I wrote a message but did it on the same line with the patch 
code. Here below I rewrite it.
> 
> Have a lovely day!
> Alex
> 
> On Tue, Aug 06, 2024 at 11:38:57AM GMT, Konstantin Meskhidze (A) wrote:
>> 
>> 
>> 7/23/2024 1:19 PM, Günther Noack пишет:
>> > Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.
>> > 
>> > The intent is to bring the man pages mostly in line with the kernel
>> > documentation again.  I intentionally did not add networking support to the
>> > usage example in landlock.7 - I feel that in the long run, we would be better
>> > advised to maintain longer example code in the kernel samples.
>> > 
>> > Closes: <https://github.com/landlock-lsm/linux/issues/32>
>> > Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>> > Reviewed-by: Mickaël Salaün <mic@digikod.net>
>> > Signed-off-by: Günther Noack <gnoack@google.com>
>> > ---
>> >   man/man2/landlock_add_rule.2       | 74 ++++++++++++++++++++++++++----
>> >   man/man2/landlock_create_ruleset.2 | 12 ++++-
>> >   man/man7/landlock.7                | 23 ++++++++--
>> >   3 files changed, 94 insertions(+), 15 deletions(-)
>> > 
>> > diff --git a/man/man2/landlock_add_rule.2 b/man/man2/landlock_add_rule.2
>> > index 7a83bb303..489e9c354 100644
>> > --- a/man/man2/landlock_add_rule.2
>> > +++ b/man/man2/landlock_add_rule.2
>> > @@ -20,15 +20,14 @@ Standard C library
>> >   .BI "            const void *" rule_attr ", uint32_t " flags );
>> >   .fi
>> >   .SH DESCRIPTION
>> > -A Landlock rule describes an action on an object.
>> > -An object is currently a file hierarchy,
>> > -and the related filesystem actions
>> > -are defined with a set of access rights.
>> > -This
>> > +A Landlock rule describes an action on an object
>> > +which the process intends to perform.
>> > +A set of rules is aggregated in a ruleset,
>> > +which can then restrict the thread enforcing it, and its future children.
>> > +.P
>> > +The
>> >   .BR landlock_add_rule ()
>> > -system call enables adding a new Landlock rule to an existing ruleset
>> > -created with
>> > -.BR landlock_create_ruleset (2).
>> > +system call adds a new Landlock rule to an existing ruleset.
>> >   See
>> >   .BR landlock (7)
>> >   for a global overview.
>> > @@ -42,10 +41,15 @@ identifies the structure type pointed to by
>> >   .IR rule_attr .
>> >   Currently, Linux supports the following
>> >   .I rule_type
>> > -value:
>> > +values:
>> >   .TP
>> >   .B LANDLOCK_RULE_PATH_BENEATH
>> > -This defines the object type as a file hierarchy.
>> > +For these rules,
>> > +the object is a file hierarchy,
>> > +and the related filesystem actions
>> > +are defined with
>> > +.IR "filesystem access rights" .
>> > +.IP
>> >   In this case,
>> >   .I rule_attr
>> >   points to the following structure:
>> > @@ -74,6 +78,45 @@ is an opened file descriptor, preferably with the
>> >   flag,
>> >   which identifies the parent directory of the file hierarchy or
>> >   just a file.
>> > +.TP
>> > +.B LANDLOCK_RULE_NET_PORT
>> > +For these rules,
>> > +the object is a TCP port,
>> > +and the related actions are defined with
>> > +.IR "network access rights" .
>> > +.IP
>> > +In this case,
>> > +.I rule_attr
>> > +points to the following structure:
>> > +.IP
>> > +.in +4n
>> > +.EX
>> > +struct landlock_net_port_attr {
>> > +    __u64 allowed_access;
>> > +    __u64 port;
>> > +};
>> > +.EE
>> > +.in
>> > +.IP
>> > +.i allowed_access
>> > +contains a bitmask of allowed network actions,
>> > +which can be applied on the given port.
>> > +.IP
>> > +.i port
>> > +is the network port in host endianness.
>> > +.IP
>> > +It should be noted that port 0 passed to
>> > +.BR bind (2)
>> > +will bind to an available port from the ephemeral port range.
>> > +This can be configured in the
>> > +.I /proc/sys/net/ipv4/ip_local_port_range
>> > +sysctl (also used for IPv6).
>> > +.IP
>> > +A Landlock rule with port 0
>> > +and the
>> > +.B LANDLOCK_ACCESS_NET_BIND_TCP
>> > +right means that requesting to bind on port 0 is allowed
>> > +and it will automatically translate to binding on the related port range.
>> >   .P
>> >   .I flags
>> >   must be 0.
>> > @@ -89,6 +132,12 @@ is set to indicate the error.
>> >   .BR landlock_add_rule ()
>> >   can fail for the following reasons:
>> >   .TP
>> > +.B EAFNOSUPPORT
>> > +.I rule_type
>> > +is
>> > +.BR LANDLOCK_RULE_NET_PORT ,
>> > +but TCP is not supported by the running kernel.
>> > +.TP
>> >   .B EOPNOTSUPP
>> >   Landlock is supported by the kernel but disabled at boot time.
>> >   .TP
>> > @@ -111,6 +160,11 @@ are only applicable to directories, but
>> >   .I \%rule_attr\->parent_fd
>> >   does not refer to a directory).
>> >   .TP
>> > +.B EINVAL
>> > +In
>> > +.IR \%struct\~landlock_net_port_attr ,
>> > +the port number is greater than 65535.
>> > +.TP
>> >   .B ENOMSG
>> >   Empty accesses (i.e.,
>> >   .I rule_attr\->allowed_access
>> > diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
>> > index 105e9b062..ca635ddbc 100644
>> > --- a/man/man2/landlock_create_ruleset.2
>> > +++ b/man/man2/landlock_create_ruleset.2
>> > @@ -41,6 +41,7 @@ It points to the following structure:
>> >   .EX
>> >   struct landlock_ruleset_attr {
>> >       __u64 handled_access_fs;
>> > +    __u64 handled_access_net;
>> >   };
>> >   .EE
>> >   .in
>> > @@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
>> >   in
>> >   .BR landlock (7)).
>> >   .IP
>> > +.I handled_access_net
>> > +is a bitmask of handled network actions
>> > +(see
>> > +.B Network actions
>> > +in
>> > +.BR landlock (7)).
>> > +.IP
>> >   This structure defines a set of
>> >   .IR "handled access rights" ,
>> >   a set of actions on different object types,
>> > @@ -143,8 +151,8 @@ was not a valid address.
>> >   .TP
>> >   .B ENOMSG
>> >   Empty accesses (i.e.,
>> > -.I attr\->handled_access_fs
>> > -is 0).
>> > +.I attr
>> > +did not specify any access rights to restrict).
>> >   .SH STANDARDS
>> >   Linux.
>> >   .SH HISTORY
>> > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
>> > index 652054f15..52876a3de 100644
>> > --- a/man/man7/landlock.7
>> > +++ b/man/man7/landlock.7
>> > @@ -189,6 +189,19 @@ If multiple requirements are not met, the
>> >   error code takes precedence over
>> >   .BR EXDEV .
>> >   .\"
>> > +.SS Network flags
>> > +These flags enable to restrict a sandboxed process
>> > +to a set of network actions.
>> > +This is supported since the Landlock ABI version 4.
>> > +.P
>> > +The following access rights apply to TCP port numbers:
>> > +.TP
>> > +.B LANDLOCK_ACCESS_NET_BIND_TCP
>> > +Bind a TCP socket to a local port.
>> > +.TP
>> > +.B LANDLOCK_ACCESS_NET_CONNECT_TCP
>> > +Connect an active TCP socket to a remote port.
>> > +.\"
>> >   .SS Layers of file path access rights
>> >   Each time a thread enforces a ruleset on itself,
>> >   it updates its Landlock domain with a new layer of policy.
>> > @@ -339,6 +352,9 @@ _	_	_
>> >   2	5.19	LANDLOCK_ACCESS_FS_REFER
>> >   _	_	_
>> >   3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
>> > +_	_	_
>> > +4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
>> > +\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
>> >   .TE
>> >   .P
>> >   Users should use the Landlock ABI version rather than the kernel version
>> > @@ -439,9 +455,10 @@ and only use the available subset of access rights:
>> >    * numbers hardcoded to keep the example short.
>> >    */
>> >   __u64 landlock_fs_access_rights[] = {
>> > -    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
>> > -    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
>> > -    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
>> > +    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
>> > +    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
>> > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
>> > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */   Double "LANDLOCK_ACCESS_FS_TRUNCATE  << 1", I think its a mistype here.
	Double "LANDLOCK_ACCESS_FS_TRUNCATE  << 1", I think its a mistype here 
or its ok??
	
>> >   };
>> >   \&
>> >   int abi = landlock_create_ruleset(NULL, 0,
> 

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Konstantin Meskhidze (A)]

7/31/2024 2:40 PM, Günther Noack пишет:
> Hello Alejandro!
> 
> On Wed, Jul 31, 2024 at 12:58:51PM +0200, Alejandro Colomar wrote:
>> On Tue, Jul 23, 2024 at 10:19:17AM GMT, Günther Noack wrote:
>> > Landlock ABI 5 restricts ioctl(2) on device files.
>> > 
>> > Closes: <https://github.com/landlock-lsm/linux/issues/39>
>> > Reviewed-by: Mickaël Salaün <mic@digikod.net>
>> > Signed-off-by: Günther Noack <gnoack@google.com>
>> > ---
>> 
>> I've applied both patches; thanks!  For the moment, they're here:
>> <https://www.alejandro-colomar.es/src/alx/linux/man-pages/man-pages.git/log/?h=contrib>
> 
> Ah, thanks, I did not realize you had a separate cgit running there.
> These patches look good. 👍
> 
>> Did you not add a CC tag for Konstantin on purpose on this patch, or did
>> you forget?  Should I add it?
> 
> It's fine as is.
> 
> I CC'd Konstantin on the first patch, because he authored the networking
> features, and their kernel documentation, which are being turned into man pages
> there.  He was not involved in the IOCTL feature, so on that patch he is not
> CC'd (but can happily comment, if interested).
> 
> Konstantin: I would still appreciate if you could have a look and sign-off on
> the networking documentation patch as well, since you are the original author of
> much of that documentation on the kernel side.

  Hi Günther. I have checked the patch. It looks good, I left one 
question there. Please check it. Do I really need to sign-off it?

Regards,
    -Konstantin.
> 
> Thanks,
> —Günther
> .

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Günther Noack]

Hello Konstantin!

On Tue, Aug 06, 2024 at 01:34:01PM +0300, Konstantin Meskhidze (A) wrote:
> 8/6/2024 1:19 PM, Alejandro Colomar пишет:
> > On Tue, Aug 06, 2024 at 11:38:57AM GMT, Konstantin Meskhidze (A) wrote:
> > > 7/23/2024 1:19 PM, Günther Noack пишет:
> > > > Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.
> > > > > The intent is to bring the man pages mostly in line with the
> > > kernel
> > > > documentation again.  I intentionally did not add networking support to the
> > > > usage example in landlock.7 - I feel that in the long run, we would be better
> > > > advised to maintain longer example code in the kernel samples.
> > > > > Closes: <https://github.com/landlock-lsm/linux/issues/32>
> > > > Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> > > > Reviewed-by: Mickaël Salaün <mic@digikod.net>
> > > > Signed-off-by: Günther Noack <gnoack@google.com>

> > > > @@ -439,9 +455,10 @@ and only use the available subset of access rights:
> > > >    * numbers hardcoded to keep the example short.
> > > >    */
> > > >   __u64 landlock_fs_access_rights[] = {
> > > > -    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
> > > > -    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
> > > > -    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
> > > > +    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
> > > > +    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
> > > > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
> > > > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */   Double "LANDLOCK_ACCESS_FS_TRUNCATE  << 1", I think its a mistype here.
> Double "LANDLOCK_ACCESS_FS_TRUNCATE  << 1", I think its a mistype here or
> its ok??

No, this is intentionally the same as on the previous line.

This table is part of the example code in the landlock(7) man page.  As I
mentioned in the commit message, the example code is (intentionally) still only
using Landlock's file system features, not the network access rights.

The table lists the file system(!) access rights which are available at
different Landlock ABI versions, but those did not change between v3 and v4.

—Günther

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Günther Noack]

On Wed, Aug 07, 2024 at 03:09:02PM +0300, Konstantin Meskhidze (A) wrote:
> 7/31/2024 2:40 PM, Günther Noack пишет:
> > Konstantin: I would still appreciate if you could have a look and sign-off on
> > the networking documentation patch as well, since you are the original author of
> > much of that documentation on the kernel side.
> 
> Hi Günther. I have checked the patch. It looks good, I left one question
> there. Please check it. Do I really need to sign-off it?

Thank you, Konstantin!

I would like to put both your "Co-developed-by" and "Signed-off-by" into the
patch, because:

  (a) We should give you credit for the documentation that you've written :-),
      and this man page change is based on your documentation in the kernel
      Documentation/ directory and headers.

  (b) Committing this man-page change would put it under the
      "Linux-man-pages-copyleft" license, which is different than the licenses
      used for the kernel, where the documentation was originally written.  I
      would like to add your "Co-developed-by" and "Signed-off-by", so that it's
      clear that we all agree on this.

For reference, the rules for "Co-developed-by" are also discussed in [1].

Would that work for you, if we put your "Co-developed-by" and "Signed-off-by"
lines on the "ABI version 4" man page commit?

Thanks,
—Günther

[1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 1809 bytes --]

Hi Günther, Konstantin,

On Thu, Aug 08, 2024 at 12:09:10PM GMT, Günther Noack wrote:
> On Wed, Aug 07, 2024 at 03:09:02PM +0300, Konstantin Meskhidze (A) wrote:
> > 7/31/2024 2:40 PM, Günther Noack пишет:
> > > Konstantin: I would still appreciate if you could have a look and sign-off on
> > > the networking documentation patch as well, since you are the original author of
> > > much of that documentation on the kernel side.
> > 
> > Hi Günther. I have checked the patch. It looks good, I left one question
> > there. Please check it. Do I really need to sign-off it?
> 
> Thank you, Konstantin!
> 
> I would like to put both your "Co-developed-by" and "Signed-off-by" into the
> patch, because:
> 
>   (a) We should give you credit for the documentation that you've written :-),
>       and this man page change is based on your documentation in the kernel
>       Documentation/ directory and headers.
> 
>   (b) Committing this man-page change would put it under the
>       "Linux-man-pages-copyleft" license, which is different than the licenses
>       used for the kernel, where the documentation was originally written.  I
>       would like to add your "Co-developed-by" and "Signed-off-by", so that it's
>       clear that we all agree on this.
> 
> For reference, the rules for "Co-developed-by" are also discussed in [1].
> 
> Would that work for you, if we put your "Co-developed-by" and "Signed-off-by"
> lines on the "ABI version 4" man page commit?

I'll extend the wait until September.  I guess Konstantin's on vacation.

Cheers,
Alex

> 
> Thanks,
> —Günther
> 
> [1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by
> 

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Konstantin Meskhidze (A)]

8/16/2024 3:37 PM, Alejandro Colomar пишет:
> Hi Günther, Konstantin,
> 
> On Thu, Aug 08, 2024 at 12:09:10PM GMT, Günther Noack wrote:
>> On Wed, Aug 07, 2024 at 03:09:02PM +0300, Konstantin Meskhidze (A) wrote:
>> > 7/31/2024 2:40 PM, Günther Noack пишет:
>> > > Konstantin: I would still appreciate if you could have a look and sign-off on
>> > > the networking documentation patch as well, since you are the original author of
>> > > much of that documentation on the kernel side.
>> > 
>> > Hi Günther. I have checked the patch. It looks good, I left one question
>> > there. Please check it. Do I really need to sign-off it?
>> 
>> Thank you, Konstantin!
>> 
>> I would like to put both your "Co-developed-by" and "Signed-off-by" into the
>> patch, because:
>> 
>>   (a) We should give you credit for the documentation that you've written :-),
>>       and this man page change is based on your documentation in the kernel
>>       Documentation/ directory and headers.
>> 
>>   (b) Committing this man-page change would put it under the
>>       "Linux-man-pages-copyleft" license, which is different than the licenses
>>       used for the kernel, where the documentation was originally written.  I
>>       would like to add your "Co-developed-by" and "Signed-off-by", so that it's
>>       clear that we all agree on this.
>> 
>> For reference, the rules for "Co-developed-by" are also discussed in [1].
>> 
>> Would that work for you, if we put your "Co-developed-by" and "Signed-off-by"
>> lines on the "ABI version 4" man page commit?
> 
> I'll extend the wait until September.  I guess Konstantin's on vacation.

  Hi Alex!!!
  Thanks for waiting!!
  Can you please explain the procedure for me? Do I need to resend the 
first patch with my "Co-developed-by" and "Signed-off-by" or you can 
sign-off it for me?

  Best regards,
     Konstantin
> 
> Cheers,
> Alex
> 
>> 
>> Thanks,
>> —Günther
>> 
>> [1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by
>> 
> 

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Konstantin Meskhidze (A)]

8/8/2024 1:09 PM, Günther Noack пишет:
> On Wed, Aug 07, 2024 at 03:09:02PM +0300, Konstantin Meskhidze (A) wrote:
>> 7/31/2024 2:40 PM, Günther Noack пишет:
>> > Konstantin: I would still appreciate if you could have a look and sign-off on
>> > the networking documentation patch as well, since you are the original author of
>> > much of that documentation on the kernel side.
>> 
>> Hi Günther. I have checked the patch. It looks good, I left one question
>> there. Please check it. Do I really need to sign-off it?
> 
> Thank you, Konstantin!
> 
> I would like to put both your "Co-developed-by" and "Signed-off-by" into the
> patch, because:
> 
>    (a) We should give you credit for the documentation that you've written :-),
>        and this man page change is based on your documentation in the kernel
>        Documentation/ directory and headers.
> 
>    (b) Committing this man-page change would put it under the
>        "Linux-man-pages-copyleft" license, which is different than the licenses
>        used for the kernel, where the documentation was originally written.  I
>        would like to add your "Co-developed-by" and "Signed-off-by", so that it's
>        clear that we all agree on this.
> 
> For reference, the rules for "Co-developed-by" are also discussed in [1].
> 
> Would that work for you, if we put your "Co-developed-by" and "Signed-off-by"
> lines on the "ABI version 4" man page commit?
> 
   Hi Günther!!!

   I appreciate this. To be honest this would be a honor for me.

   Can you please explain the procedure? Do I need to send the first 
patch with my "Co-developed-by" and "Signed-off-by" or you can sign-off 
it for me?
> Thanks,
> —Günther
> 
> [1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by
> .

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 915 bytes --]

On Wed, Aug 21, 2024 at 04:26:43PM GMT, Konstantin Meskhidze (A) wrote:
> > I'll extend the wait until September.  I guess Konstantin's on vacation.
> 
>  Hi Alex!!!

Hi Konstantin!

>  Thanks for waiting!!

:-)

>  Can you please explain the procedure for me? Do I need to resend the first
> patch with my "Co-developed-by" and "Signed-off-by" or you can sign-off it
> for me?

No.  The usual procedure is a reply to the patch to which you want the
tag applied, with the explicit tags on separate lines, so that they are
easy to parse.  If I were to send the tags, I'd add the following:

Co-developed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>


Have a lovely day!
Alex

> > > [1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 2/2] landlock.7: Document Landlock ABI version 5 (IOCTL)

[Konstantin Meskhidze (A)]

8/21/2024 5:06 PM, Alejandro Colomar пишет:
> On Wed, Aug 21, 2024 at 04:26:43PM GMT, Konstantin Meskhidze (A) wrote:
>> > I'll extend the wait until September.  I guess Konstantin's on vacation.
>> 
>>  Hi Alex!!!
> 
> Hi Konstantin!
> 
>>  Thanks for waiting!!
> 
> :-)
> 
>>  Can you please explain the procedure for me? Do I need to resend the first
>> patch with my "Co-developed-by" and "Signed-off-by" or you can sign-off it
>> for me?
> 
> No.  The usual procedure is a reply to the patch to which you want the
> tag applied, with the explicit tags on separate lines, so that they are
> easy to parse.  If I were to send the tags, I'd add the following:
> 
> Co-developed-by: Alejandro Colomar <alx@kernel.org>
> Signed-off-by: Alejandro Colomar <alx@kernel.org>
> 
   Got it. Thank you so much!!

   Best regards,
     Konstantin
> 
> Have a lovely day!
> Alex
> 
>> > > [1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by
> 

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Konstantin Meskhidze (A)]

7/23/2024 1:19 PM, Günther Noack wrote:
> Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.
> 
> The intent is to bring the man pages mostly in line with the kernel
> documentation again.  I intentionally did not add networking support to the
> usage example in landlock.7 - I feel that in the long run, we would be better
> advised to maintain longer example code in the kernel samples.
> 
> Closes: <https://github.com/landlock-lsm/linux/issues/32>
> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> Reviewed-by: Mickaël Salaün <mic@digikod.net>
> Signed-off-by: Günther Noack <gnoack@google.com>
> ---
>   man/man2/landlock_add_rule.2       | 74 ++++++++++++++++++++++++++----
>   man/man2/landlock_create_ruleset.2 | 12 ++++-
>   man/man7/landlock.7                | 23 ++++++++--
>   3 files changed, 94 insertions(+), 15 deletions(-)
> 
> diff --git a/man/man2/landlock_add_rule.2 b/man/man2/landlock_add_rule.2
> index 7a83bb303..489e9c354 100644
> --- a/man/man2/landlock_add_rule.2
> +++ b/man/man2/landlock_add_rule.2
> @@ -20,15 +20,14 @@ Standard C library
>   .BI "            const void *" rule_attr ", uint32_t " flags );
>   .fi
>   .SH DESCRIPTION
> -A Landlock rule describes an action on an object.
> -An object is currently a file hierarchy,
> -and the related filesystem actions
> -are defined with a set of access rights.
> -This
> +A Landlock rule describes an action on an object
> +which the process intends to perform.
> +A set of rules is aggregated in a ruleset,
> +which can then restrict the thread enforcing it, and its future children.
> +.P
> +The
>   .BR landlock_add_rule ()
> -system call enables adding a new Landlock rule to an existing ruleset
> -created with
> -.BR landlock_create_ruleset (2).
> +system call adds a new Landlock rule to an existing ruleset.
>   See
>   .BR landlock (7)
>   for a global overview.
> @@ -42,10 +41,15 @@ identifies the structure type pointed to by
>   .IR rule_attr .
>   Currently, Linux supports the following
>   .I rule_type
> -value:
> +values:
>   .TP
>   .B LANDLOCK_RULE_PATH_BENEATH
> -This defines the object type as a file hierarchy.
> +For these rules,
> +the object is a file hierarchy,
> +and the related filesystem actions
> +are defined with
> +.IR "filesystem access rights" .
> +.IP
>   In this case,
>   .I rule_attr
>   points to the following structure:
> @@ -74,6 +78,45 @@ is an opened file descriptor, preferably with the
>   flag,
>   which identifies the parent directory of the file hierarchy or
>   just a file.
> +.TP
> +.B LANDLOCK_RULE_NET_PORT
> +For these rules,
> +the object is a TCP port,
> +and the related actions are defined with
> +.IR "network access rights" .
> +.IP
> +In this case,
> +.I rule_attr
> +points to the following structure:
> +.IP
> +.in +4n
> +.EX
> +struct landlock_net_port_attr {
> +    __u64 allowed_access;
> +    __u64 port;
> +};
> +.EE
> +.in
> +.IP
> +.i allowed_access
> +contains a bitmask of allowed network actions,
> +which can be applied on the given port.
> +.IP
> +.i port
> +is the network port in host endianness.
> +.IP
> +It should be noted that port 0 passed to
> +.BR bind (2)
> +will bind to an available port from the ephemeral port range.
> +This can be configured in the
> +.I /proc/sys/net/ipv4/ip_local_port_range
> +sysctl (also used for IPv6).
> +.IP
> +A Landlock rule with port 0
> +and the
> +.B LANDLOCK_ACCESS_NET_BIND_TCP
> +right means that requesting to bind on port 0 is allowed
> +and it will automatically translate to binding on the related port range.
>   .P
>   .I flags
>   must be 0.
> @@ -89,6 +132,12 @@ is set to indicate the error.
>   .BR landlock_add_rule ()
>   can fail for the following reasons:
>   .TP
> +.B EAFNOSUPPORT
> +.I rule_type
> +is
> +.BR LANDLOCK_RULE_NET_PORT ,
> +but TCP is not supported by the running kernel.
> +.TP
>   .B EOPNOTSUPP
>   Landlock is supported by the kernel but disabled at boot time.
>   .TP
> @@ -111,6 +160,11 @@ are only applicable to directories, but
>   .I \%rule_attr\->parent_fd
>   does not refer to a directory).
>   .TP
> +.B EINVAL
> +In
> +.IR \%struct\~landlock_net_port_attr ,
> +the port number is greater than 65535.
> +.TP
>   .B ENOMSG
>   Empty accesses (i.e.,
>   .I rule_attr\->allowed_access
> diff --git a/man/man2/landlock_create_ruleset.2 b/man/man2/landlock_create_ruleset.2
> index 105e9b062..ca635ddbc 100644
> --- a/man/man2/landlock_create_ruleset.2
> +++ b/man/man2/landlock_create_ruleset.2
> @@ -41,6 +41,7 @@ It points to the following structure:
>   .EX
>   struct landlock_ruleset_attr {
>       __u64 handled_access_fs;
> +    __u64 handled_access_net;
>   };
>   .EE
>   .in
> @@ -52,6 +53,13 @@ is a bitmask of handled filesystem actions
>   in
>   .BR landlock (7)).
>   .IP
> +.I handled_access_net
> +is a bitmask of handled network actions
> +(see
> +.B Network actions
> +in
> +.BR landlock (7)).
> +.IP
>   This structure defines a set of
>   .IR "handled access rights" ,
>   a set of actions on different object types,
> @@ -143,8 +151,8 @@ was not a valid address.
>   .TP
>   .B ENOMSG
>   Empty accesses (i.e.,
> -.I attr\->handled_access_fs
> -is 0).
> +.I attr
> +did not specify any access rights to restrict).
>   .SH STANDARDS
>   Linux.
>   .SH HISTORY
> diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> index 652054f15..52876a3de 100644
> --- a/man/man7/landlock.7
> +++ b/man/man7/landlock.7
> @@ -189,6 +189,19 @@ If multiple requirements are not met, the
>   error code takes precedence over
>   .BR EXDEV .
>   .\"
> +.SS Network flags
> +These flags enable to restrict a sandboxed process
> +to a set of network actions.
> +This is supported since the Landlock ABI version 4.
> +.P
> +The following access rights apply to TCP port numbers:
> +.TP
> +.B LANDLOCK_ACCESS_NET_BIND_TCP
> +Bind a TCP socket to a local port.
> +.TP
> +.B LANDLOCK_ACCESS_NET_CONNECT_TCP
> +Connect an active TCP socket to a remote port.
> +.\"
>   .SS Layers of file path access rights
>   Each time a thread enforces a ruleset on itself,
>   it updates its Landlock domain with a new layer of policy.
> @@ -339,6 +352,9 @@ _	_	_
>   2	5.19	LANDLOCK_ACCESS_FS_REFER
>   _	_	_
>   3	6.2	LANDLOCK_ACCESS_FS_TRUNCATE
> +_	_	_
> +4	6.7	LANDLOCK_ACCESS_NET_BIND_TCP
> +\^	\^	LANDLOCK_ACCESS_NET_CONNECT_TCP
>   .TE
>   .P
>   Users should use the Landlock ABI version rather than the kernel version
> @@ -439,9 +455,10 @@ and only use the available subset of access rights:
>    * numbers hardcoded to keep the example short.
>    */
>   __u64 landlock_fs_access_rights[] = {
> -    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
> -    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
> -    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
> +    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
> +    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
> +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
> +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
>   };
>   \&
>   int abi = landlock_create_ruleset(NULL, 0,

Co-developed-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Günther Noack]

On Wed, Aug 21, 2024 at 06:30:09PM +0300, Konstantin Meskhidze (A) wrote:
> 7/23/2024 1:19 PM, Günther Noack wrote:
> >   [...]
> >
> >   Users should use the Landlock ABI version rather than the kernel version
> > @@ -439,9 +455,10 @@ and only use the available subset of access rights:
> >    * numbers hardcoded to keep the example short.
> >    */
> >   __u64 landlock_fs_access_rights[] = {
> > -    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
> > -    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
> > -    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
> > +    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
> > +    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
> > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
> > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
> >   };
> >   \&
> >   int abi = landlock_create_ruleset(NULL, 0,
> 
> Co-developed-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>

Thank you very much, Konstantin! :)

—Günther

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Alejandro Colomar]

[-- Attachment #1: Type: text/plain, Size: 1076 bytes --]

Hi Günther, Konstantin,

On Wed, Aug 21, 2024 at 06:30:09PM GMT, Konstantin Meskhidze (A) wrote:
> 7/23/2024 1:19 PM, Günther Noack wrote:
> > Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.
> > 
> > The intent is to bring the man pages mostly in line with the kernel
> > documentation again.  I intentionally did not add networking support to the
> > usage example in landlock.7 - I feel that in the long run, we would be better
> > advised to maintain longer example code in the kernel samples.
> > 
> > Closes: <https://github.com/landlock-lsm/linux/issues/32>
> > Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> > Reviewed-by: Mickaël Salaün <mic@digikod.net>
> > Signed-off-by: Günther Noack <gnoack@google.com>
> > ---
> 
> Co-developed-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>

I've appended the tags, and pushed the changes to master.  Thanks!

Have a lovely night!
Alex

-- 
<https://www.alejandro-colomar.es/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Konstantin Meskhidze (A)]

8/21/2024 7:37 PM, Günther Noack wrote:
> On Wed, Aug 21, 2024 at 06:30:09PM +0300, Konstantin Meskhidze (A) wrote:
>> 7/23/2024 1:19 PM, Günther Noack wrote:
>> >   [...]
>> >
>> >   Users should use the Landlock ABI version rather than the kernel version
>> > @@ -439,9 +455,10 @@ and only use the available subset of access rights:
>> >    * numbers hardcoded to keep the example short.
>> >    */
>> >   __u64 landlock_fs_access_rights[] = {
>> > -    (LANDLOCK_ACCESS_FS_MAKE_SYM << 1) \- 1,  /* v1                 */
>> > -    (LANDLOCK_ACCESS_FS_REFER    << 1) \- 1,  /* v2: add "refer"    */
>> > -    (LANDLOCK_ACCESS_FS_TRUNCATE << 1) \- 1,  /* v3: add "truncate" */
>> > +    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
>> > +    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
>> > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
>> > +    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
>> >   };
>> >   \&
>> >   int abi = landlock_create_ruleset(NULL, 0,
>> 
>> Co-developed-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> 
> Thank you very much, Konstantin! :)
> 
> —Günther

   Thank you, Günther!!! :)
	
   Best regards,
       Konstantin!
> .

Re: [PATCH v3 1/2] landlock.7, landlock_*.2: Document Landlock ABI version 4

[Konstantin Meskhidze (A)]

8/22/2024 12:54 AM, Alejandro Colomar wrote:
> Hi Günther, Konstantin,
> 
> On Wed, Aug 21, 2024 at 06:30:09PM GMT, Konstantin Meskhidze (A) wrote:
>> 7/23/2024 1:19 PM, Günther Noack wrote:
>> > Landlock ABI 4 restricts bind(2) and connect(2) on TCP port numbers.
>> > 
>> > The intent is to bring the man pages mostly in line with the kernel
>> > documentation again.  I intentionally did not add networking support to the
>> > usage example in landlock.7 - I feel that in the long run, we would be better
>> > advised to maintain longer example code in the kernel samples.
>> > 
>> > Closes: <https://github.com/landlock-lsm/linux/issues/32>
>> > Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>> > Reviewed-by: Mickaël Salaün <mic@digikod.net>
>> > Signed-off-by: Günther Noack <gnoack@google.com>
>> > ---
>> 
>> Co-developed-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
>> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
> 
> I've appended the tags, and pushed the changes to master.  Thanks!
> 
> Have a lovely night!
> Alex

   Thank you, Alex!!! :)

   Best regards,
   Konstantin
>