From: "Günther Noack" <gnoack3000@gmail.com>
To: Justin Suess <utilityemal77@gmail.com>
Cc: linux-security-module@vger.kernel.org,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>
Subject: Re: [PATCH] landlock: Clarify LANDLOCK_RULE_PATH_BENEATH properties in documentation
Date: Fri, 6 Mar 2026 08:39:12 +0100 [thread overview]
Message-ID: <20260306.e20a5eb9ecf5@gnoack.org> (raw)
In-Reply-To: <20260305151507.2563776-1-utilityemal77@gmail.com>
On Thu, Mar 05, 2026 at 10:15:07AM -0500, Justin Suess wrote:
> Add paragraph to Landlock userspace documentation clarifying the strictly
> cumulative property of access rights with respect to the file hierarchy.
>
> Signed-off-by: Justin Suess <utilityemal77@gmail.com>
> ---
> Documentation/userspace-api/landlock.rst | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 13134bccdd39..d02036bb2893 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -173,6 +173,17 @@ this file descriptor.
> return 1;
> }
>
> +The effective access rights for a path are the union of the access rights on
> +the path and all its parents. For instance, in this example, ``/usr/bin/grep``
> +inherits rights granted on ``/usr``, in addition to any rights we choose to
> +grant on ``/usr/bin`` and ``/usr/bin/grep``. Because
> +``LANDLOCK_RULE_PATH_BENEATH`` rights are cumulative, they can only increase
> +down the file hierarchy. Therefore, child paths cannot have fewer effective
> +access rights than their parents. This cumulative behavior is a key property of
> +``LANDLOCK_RULE_PATH_BENEATH`` and requires careful ruleset design to minimize
> +granted accesses. Please see the :ref:`Good practices` section for more
> +details.
> +
> It may also be required to create rules following the same logic as explained
> for the ruleset creation, by filtering access rights according to the Landlock
> ABI version. In this example, this is not required because all of the requested
>
> base-commit: f300a1c3a8ae4abca60913b4d26c405a905e4702
> prerequisite-patch-id: 2b17c4f0b741a703f61294989a53677de0b1a54d
> --
> 2.51.0
>
Thanks! I think this is a good addition to the docs in this place. 👍
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
–Günther
prev parent reply other threads:[~2026-03-06 7:39 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-05 15:15 [PATCH] landlock: Clarify LANDLOCK_RULE_PATH_BENEATH properties in documentation Justin Suess
2026-03-06 7:39 ` Günther Noack [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260306.e20a5eb9ecf5@gnoack.org \
--to=gnoack3000@gmail.com \
--cc=gnoack@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=utilityemal77@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox