Hi Günther,

> Cc: Alejandro Colomar ,

Please remember to use . :)

> Subject: Re: [PATCH man] landlock.7: Re-group description of IOCTL access right

Please use the full path of the manual page (this can be done with the
tab key --autocompletion--).

On Mon, Jan 12, 2026 at 08:45:17PM +0100, Günther Noack wrote:
> Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right
> together with the file access rights.
>
> This group of access rights applies to files (in this case device
> files), and they can be added to file or directory inodes using
> landlock_add_rule(2). The check for that works the same for all file
> access rights, including LANDLOCK_ACCESS_FS_IOCTL_DEV.
>
> Invoking ioctl(2) on directory FDs can not currently be restricted
> with Landlock. Having it grouped separately in the documentation is a
> remnant from earlier revisions of the LANDLOCK_ACCESS_FS_IOCTL_DEV
> patch set.

If I understand correctly, the behavior has never changed, and the
documentation was wrong. Did I understand correctly?

>
> The same change was also done in kernel documentation, linked below.
>

Could you please add a Fixes: tag? The format we use can be generated
with these git(1) aliases:

	[alias]
		ref = show --no-patch --abbrev=12 --date=short \
			--format=tformat:'%C(auto)%h%C(reset) %C(dim white)(%cd%x3B \"%C(reset)%C(auto)%s%C(reset)%C(dim white)\")%C(reset)'
		ref2 = show --no-patch --abbrev=12 --date=short \
			--format=tformat:'%C(auto)%h%C(reset) %C(dim white)(%ad, %cd%x3B \"%C(reset)%C(auto)%s%C(reset)%C(dim white)\")%C(reset)'

The format is:

	12-char-hash (commit-date; "commit-subject")

Important note: it's the commit date, not the author date.

Example:

	$ git ref HEAD
	92fc3fad3490 (2026-01-13; "man/man7/landlock.7: Re-group description of IOCTL access right")

I checked that this is not documented. I'll add it to CONTRIBUTING.d/.

> Link: https://lore.kernel.org/all/20260111175203.6545-2-gnoack3000@gmail.com/
> Signed-off-by: Günther Noack The diff LGTM. Thanks! > --- > man/man7/landlock.7 | 81 ++++++++++++++++++++++----------------------- > 1 file changed, 39 insertions(+), 42 deletions(-) > > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7 > index 5d4a24f79..c31d513d1 100644 > --- a/man/man7/landlock.7 > +++ b/man/man7/landlock.7 > @@ -97,6 +97,45 @@ with > .BR O_TRUNC . > .IP > This access right is available since the third version of the Landlock ABI. > +.TP > +.B LANDLOCK_ACCESS_FS_IOCTL_DEV > +Invoke > +.BR ioctl (2) > +commands on an opened character or block device. > +.IP > +This access right applies to all > +.BR ioctl (2) > +commands implemented by device drivers. > +However, the following common IOCTL commands continue to be invokable > +independent of the > +.B LANDLOCK_ACCESS_FS_IOCTL_DEV > +right: > +.RS > +.IP \[bu] 3 > +IOCTL commands targeting file descriptors > +.RB ( FIOCLEX , > +.BR FIONCLEX ), > +.IP \[bu] > +IOCTL commands targeting file descriptions > +.RB ( FIONBIO , > +.BR FIOASYNC ), > +.IP \[bu] > +IOCTL commands targeting file systems > +.RB ( FIFREEZE , > +.BR FITHAW , > +.BR FIGETBSZ , > +.BR FS_IOC_GETFSUUID , > +.BR FS_IOC_GETFSSYSFSPATH ) > +.IP \[bu] > +Some IOCTL commands which do not make sense when used with devices, but > +whose implementations are safe and return the right error codes > +.RB ( FS_IOC_FIEMAP , > +.BR FICLONE , > +.BR FICLONERANGE , > +.BR FIDEDUPERANGE ) > +.RE > +.IP > +This access right is available since the fifth version of the Landlock ABI. > .P > Whether an opened file can be truncated with > .BR ftruncate (2) 
> @@ -198,48 +237,6 @@ If multiple requirements are not met, the > .B EACCES > error code takes precedence over > .BR EXDEV . > -.P > -The following access right > -applies to both files and directories: > -.TP > -.B LANDLOCK_ACCESS_FS_IOCTL_DEV > -Invoke > -.BR ioctl (2) > -commands on an opened character or block device. > -.IP > -This access right applies to all > -.BR ioctl (2) > -commands implemented by device drivers. > -However, the following common IOCTL commands continue to be invokable > -independent of the > -.B LANDLOCK_ACCESS_FS_IOCTL_DEV > -right: > -.RS > -.IP \[bu] 3 > -IOCTL commands targeting file descriptors > -.RB ( FIOCLEX , > -.BR FIONCLEX ), > -.IP \[bu] > -IOCTL commands targeting file descriptions > -.RB ( FIONBIO , > -.BR FIOASYNC ), > -.IP \[bu] > -IOCTL commands targeting file systems > -.RB ( FIFREEZE , > -.BR FITHAW , > -.BR FIGETBSZ , > -.BR FS_IOC_GETFSUUID , > -.BR FS_IOC_GETFSSYSFSPATH ) > -.IP \[bu] > -Some IOCTL commands which do not make sense when used with devices, but > -whose implementations are safe and return the right error codes > -.RB ( FS_IOC_FIEMAP , > -.BR FICLONE , > -.BR FICLONERANGE , > -.BR FIDEDUPERANGE ) > -.RE > -.IP > -This access right is available since the fifth version of the Landlock ABI. > .\" > .SS Network flags > These flags enable to restrict a sandboxed process > -- > 2.52.0 > --
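Review bot: in the first hunk (@@ -97,6 +97,45 @@) the new `.TP` entry for LANDLOCK_ACCESS_FS_IOCTL_DEV is inserted between the access right whose text ends with `.BR O_TRUNC .` / "available since the third version of the Landlock ABI" and the following `.P` paragraph "Whether an opened file can be truncated with .BR ftruncate (2)", so that truncation paragraph now sits under the IOCTL_DEV entry instead of directly after the right it elaborates on; consider placing the new entry after that paragraph (or after the last entry of the file-rights group) instead. A smaller point while the text is being moved: the bullet list's punctuation is inconsistent, with the first two items ending `.BR FIONCLEX ),` and `.BR FIOASYNC ),` but the third ending `.BR FS_IOC_GETFSSYSFSPATH )` without a comma and the last `.BR FIDEDUPERANGE )` without a closing period; since this hunk is a verbatim move, that fix belongs in a separate follow-up commit.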
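Review bot: the second hunk (@@ -198,48 +237,6 @@) removes the lead-in "The following access right applies to both files and directories:" together with its only entry, and the remaining context (`.BR EXDEV .` followed directly by `.\"` and `.SS Network flags`) shows nothing else tied to that grouping, so please check the rest of landlock.7, in particular any introductory enumeration of access-right groups, for a now-dangling mention of a files-and-directories group. Otherwise the removed text mirrors the block added at line 97 exactly, so the move loses nothing.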
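The Fixes: reference format requested above, `12-char-hash (commit-date; "commit-subject")`, as an added, stand-alone example (not part of the email or of the man-pages repository): a POSIX shell script that reproduces the `ref` alias's git-show format without the colouring and runs it against a throwaway repository whose author date and commit date are deliberately different, so the output shows that `%cd` yields the commit date and not the author date. It assumes git(1) is installed; the repository, its dates and the subject line are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the email or the man-pages repository.
# Reproduces the Fixes: reference format described above:
#     12-char-hash (commit-date; "commit-subject")
# Assumes git(1) is installed. The colouring of the `ref` alias is dropped.

# Print the reference line for commit $2 in repository $1.
# %cd is the committer date (what the alias uses); %ad would be the author date.
fixes_ref() {
    git -C "$1" show --no-patch --abbrev=12 --date=short \
        --format='tformat:%h (%cd; "%s")' "$2"
}

# Build a throwaway repository (constructed demo data) with one empty commit
# whose author date (2026-01-11) and commit date (2026-01-13) differ, like a
# patch written on one day and applied two days later. Prints the repo path.
make_demo_repo() {
    dir=$(mktemp -d) || return 1
    git -C "$dir" init -q
    GIT_COMMITTER_DATE='2026-01-13T12:00:00+0000' \
    git -C "$dir" -c user.name=Demo -c user.email=demo@example.com \
        -c commit.gpgsign=false \
        commit -q --allow-empty --date='2026-01-11T12:00:00+0000' \
        -m 'landlock.7: demo subject'
    printf '%s\n' "$dir"
}

# Stand-alone demonstration: the printed line carries the 2026-01-13 commit
# date, not the 2026-01-11 author date.
demo=$(make_demo_repo)
fixes_ref "$demo" HEAD
rm -rf "$demo"
```

The hash is exactly 12 characters here only because the demo repository is tiny; `--abbrev=12` is a minimum, and git lengthens it when a shorter prefix would be ambiguous.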