Hi Günther,

On Tue, Jan 13, 2026 at 08:20:53PM +0100, Günther Noack wrote:
> Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right
> together with the file access rights.
>
> This group of access rights applies to files (in this case device
> files), and they can be added to file or directory inodes using
> landlock_add_rule(2). The check for that works the same for all file
> access rights, including LANDLOCK_ACCESS_FS_IOCTL_DEV.
>
> Invoking ioctl(2) on directory FDs cannot currently be restricted
> with Landlock. Having it grouped separately in the documentation is a
> remnant from earlier revisions of the LANDLOCK_ACCESS_FS_IOCTL_DEV
> patch set.
>
> The same change was also done in kernel documentation, linked below.
>
> Fixes: 893db5f60c73 (2024-08-21; "landlock.7: Document Landlock ABI version 5 (IOCTL)")
> Link: https://lore.kernel.org/all/20260111175203.6545-2-gnoack3000@gmail.com/
> Signed-off-by: Günther Noack

Thanks! Patch applied.

Have a lovely night!
Alex

> --- > man/man7/landlock.7 | 81 ++++++++++++++++++++++----------------------- > 1 file changed, 39 insertions(+), 42 deletions(-) > > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7 > index 5d4a24f79..c31d513d1 100644 > --- a/man/man7/landlock.7 > +++ b/man/man7/landlock.7
> @@ -97,6 +97,45 @@ with > .BR O_TRUNC . > .IP > This access right is available since the third version of the Landlock ABI. > +.TP > +.B LANDLOCK_ACCESS_FS_IOCTL_DEV > +Invoke > +.BR ioctl (2) > +commands on an opened character or block device. > +.IP > +This access right applies to all > +.BR ioctl (2) > +commands implemented by device drivers. > +However, the following common IOCTL commands continue to be invokable > +independent of the > +.B LANDLOCK_ACCESS_FS_IOCTL_DEV > +right: > +.RS > +.IP \[bu] 3 > +IOCTL commands targeting file descriptors > +.RB ( FIOCLEX , > +.BR FIONCLEX ), > +.IP \[bu] > +IOCTL commands targeting file descriptions > +.RB ( FIONBIO , > +.BR FIOASYNC ), > +.IP \[bu] > +IOCTL commands targeting file systems > +.RB ( FIFREEZE , > +.BR FITHAW , > +.BR FIGETBSZ , > +.BR FS_IOC_GETFSUUID , > +.BR FS_IOC_GETFSSYSFSPATH ) > +.IP \[bu] > +Some IOCTL commands which do not make sense when used with devices, but > +whose implementations are safe and return the right error codes > +.RB ( FS_IOC_FIEMAP , > +.BR FICLONE , > +.BR FICLONERANGE , > +.BR FIDEDUPERANGE ) > +.RE > +.IP > +This access right is available since the fifth version of the Landlock ABI. > .P > Whether an opened file can be truncated with > .BR ftruncate (2) 
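Review bot: the new `.TP` entry is inserted between the LANDLOCK_ACCESS_FS_TRUNCATE entry and the paragraph that starts `.P` / `Whether an opened file can be truncated with` / `.BR ftruncate (2)`, so that paragraph, which explains truncation semantics, is now separated from the right it belongs to. Either place the new entry after that paragraph, or, if the open-time check described there applies to LANDLOCK_ACCESS_FS_IOCTL_DEV as well, extend the paragraph to mention ioctl(2) so the placement reads naturally. A smaller point in the moved text: the first two bullets end with a comma, the third (`.BR FS_IOC_GETFSSYSFSPATH )`) has no trailing punctuation, and the last bullet has no final period; since the block is being touched anyway, making the list punctuation consistent would be cheap.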
> @@ -198,48 +237,6 @@ If multiple requirements are not met, the > .B EACCES > error code takes precedence over > .BR EXDEV . > -.P > -The following access right > -applies to both files and directories: > -.TP > -.B LANDLOCK_ACCESS_FS_IOCTL_DEV > -Invoke > -.BR ioctl (2) > -commands on an opened character or block device. > -.IP > -This access right applies to all > -.BR ioctl (2) > -commands implemented by device drivers. > -However, the following common IOCTL commands continue to be invokable > -independent of the > -.B LANDLOCK_ACCESS_FS_IOCTL_DEV > -right: > -.RS > -.IP \[bu] 3 > -IOCTL commands targeting file descriptors > -.RB ( FIOCLEX , > -.BR FIONCLEX ), > -.IP \[bu] > -IOCTL commands targeting file descriptions > -.RB ( FIONBIO , > -.BR FIOASYNC ), > -.IP \[bu] > -IOCTL commands targeting file systems > -.RB ( FIFREEZE , > -.BR FITHAW , > -.BR FIGETBSZ , > -.BR FS_IOC_GETFSUUID , > -.BR FS_IOC_GETFSSYSFSPATH ) > -.IP \[bu] > -Some IOCTL commands which do not make sense when used with devices, but > -whose implementations are safe and return the right error codes > -.RB ( FS_IOC_FIEMAP , > -.BR FICLONE , > -.BR FICLONERANGE , > -.BR FIDEDUPERANGE ) > -.RE > -.IP > -This access right is available since the fifth version of the Landlock ABI. > .\" > .SS Network flags > These flags enable to restrict a sandboxed process > -- > 2.52.0 > > --
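Review bot: the removal correctly takes the lead-in `.P` / `The following access right` / `applies to both files and directories:` with it, since nothing remains under that heading; please check that no other sentence of the page (an overview of the groups of file access rights, or an example) still refers to a right that applies to "both files and directories", as it would now point at a group that no longer exists. The removed block matches the one added in the first hunk line for line, so the move loses nothing, and the hunk leaves `.BR EXDEV .` directly followed by `.\" .SS Network flags`, which is fine.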
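An added example, not part of the man page, of this patch, or of the Landlock project: a C program that handles only LANDLOCK_ACCESS_FS_IOCTL_DEV, grants that right on /dev/null with landlock_add_rule(2), restricts itself, and then shows what the moved text describes: a driver ioctl on /dev/zero (no rule) is refused with EACCES, the same ioctl on /dev/null reaches the driver (which answers ENOTTY because it has none), and FIONBIO, one of the file-description commands listed as exempt, still works on both. It assumes a Linux kernel with Landlock ABI 5 or later and the presence of /dev/null and /dev/zero (on older kernels, or where the Landlock syscalls are blocked, it reports that it skipped); the function names and the choice of TCGETS as the representative driver ioctl are choices made for this example.

```c
/* Added example (not the man page's, the patch's, or the kernel's code).
 * Assumes Linux with Landlock ABI >= 5 and /dev/null, /dev/zero present. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#else
/* Minimal UAPI definitions for toolchains whose headers predate Landlock. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#endif
#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_ACCESS_FS_IOCTL_DEV (1ULL << 15) /* added with Landlock ABI 5 */
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

static int ll_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size, uint32_t flags)
{ return (int)syscall(__NR_landlock_create_ruleset, attr, size, flags); }
static int ll_add_rule(int ruleset_fd, int type, const void *rule)
{ return (int)syscall(__NR_landlock_add_rule, ruleset_fd, type, rule, 0U); }
static int ll_restrict_self(int ruleset_fd)
{ return (int)syscall(__NR_landlock_restrict_self, ruleset_fd, 0U); }

/* Open `path` after restriction (the IOCTL_DEV right is fixed at open(2)),
 * then check that FIONBIO (file-description command, always exempt) succeeds
 * and that TCGETS (a plain driver ioctl) fails with `want_errno`.
 * Returns 1 when both hold, 0 on mismatch, -1 when the device can't be opened. */
static int probe_device(const char *path, int want_errno)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int nonblock = 1, ok = 1;
    char scratch[128];
    if (ioctl(fd, FIONBIO, &nonblock) != 0)
        ok = 0;
    errno = 0;
    if (ioctl(fd, TCGETS, scratch) != -1 || errno != want_errno)
        ok = 0;
    close(fd);
    return ok;
}

/* Returns 1 when the behaviour was demonstrated, 0 when Landlock ABI 5 or the
 * device nodes are unavailable here (skipped), -1 when the rule could not be
 * added, -2 when the observed ioctl(2) results differ from landlock(7). */
int landlock_ioctl_dev_demo(void)
{
    if (ll_create_ruleset(NULL, 0, LANDLOCK_CREATE_RULESET_VERSION) < 5)
        return 0;
    struct landlock_ruleset_attr attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_IOCTL_DEV };
    int ruleset_fd = ll_create_ruleset(&attr, sizeof(attr), 0);
    if (ruleset_fd < 0)
        return 0;
    /* Rules attach to inodes; for a device file the "parent" is the device itself. */
    struct landlock_path_beneath_attr rule = {
        .allowed_access = LANDLOCK_ACCESS_FS_IOCTL_DEV,
        .parent_fd = open("/dev/null", O_RDONLY | O_CLOEXEC),
    };
    if (rule.parent_fd < 0) { close(ruleset_fd); return 0; }
    int added = ll_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule);
    close(rule.parent_fd);
    if (added != 0) { close(ruleset_fd); return -1; }
    /* no_new_privs is a precondition of landlock_restrict_self(2). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 || ll_restrict_self(ruleset_fd) != 0) {
        close(ruleset_fd);
        return 0;
    }
    close(ruleset_fd);
    /* /dev/null: right granted, so TCGETS reaches the null driver -> ENOTTY.
     * /dev/zero: no rule, so Landlock refuses the driver ioctl -> EACCES. */
    int null_ok = probe_device("/dev/null", ENOTTY);
    int zero_ok = probe_device("/dev/zero", EACCES);
    if (null_ok < 0 || zero_ok < 0)
        return 0;
    return (null_ok && zero_ok) ? 1 : -2;
}

int main(void)
{
    int rc = landlock_ioctl_dev_demo();
    printf("IOCTL_DEV demo: %s\n", rc == 1 ? "behaviour matches landlock(7)"
                                 : rc == 0 ? "skipped (Landlock ABI 5 or device nodes unavailable)"
                                           : "MISMATCH");
    return rc < 0;
}
```

Build with `gcc -Wall -o ioctl_dev_demo ioctl_dev_demo.c` and run it as an unprivileged user. Two details matter for anyone adapting it: the devices are opened only after landlock_restrict_self(2), because the right is evaluated at open(2) and descriptors opened earlier keep their pre-restriction behaviour; and the ruleset handles nothing but LANDLOCK_ACCESS_FS_IOCTL_DEV, so every other filesystem access of the process is left untouched while all device ioctls outside the exempt list are denied unless a rule grants them.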