* [PATCH] Documentation: landlock: Document fs.resolve_unix audit blocker
@ 2026-06-25 9:28 Doehyun Baek
2026-06-25 12:31 ` Günther Noack
0 siblings, 1 reply; 2+ messages in thread
From: Doehyun Baek @ 2026-06-25 9:28 UTC (permalink / raw)
To: Mickaël Salaün, Günther Noack
Cc: Jonathan Corbet, Shuah Khan, Sebastian Andrzej Siewior,
linux-security-module, linux-doc, linux-kernel, Doehyun Baek
The Landlock audit code can emit fs.resolve_unix as a filesystem blocker
for pathname UNIX socket resolution denials, but the admin guide's blockers
list did not mention it.
Add the missing blocker name and ABI version to keep the audit
documentation in sync with the emitted records.
Fixes: ae97330d1bd6 ("landlock: Control pathname UNIX domain socket resolution by path")
Signed-off-by: Doehyun Baek <doehyunbaek@gmail.com>
---
Documentation/admin-guide/LSM/landlock.rst | 1 +
1 file changed, 1 insertion(+)
diff --git a/Documentation/admin-guide/LSM/landlock.rst b/Documentation/admin-guide/LSM/landlock.rst
index 314052bbeb0a..8eb85c9381ff 100644
--- a/Documentation/admin-guide/LSM/landlock.rst
+++ b/Documentation/admin-guide/LSM/landlock.rst
@@ -52,6 +52,7 @@ AUDIT_LANDLOCK_ACCESS
- fs.refer (ABI 2+)
- fs.truncate (ABI 3+)
- fs.ioctl_dev (ABI 5+)
+ - fs.resolve_unix (ABI 9+)
**net.*** - Network access rights (ABI 4+):
- net.bind_tcp - TCP port binding was denied
base-commit: ab9de95c9cf952332ab79453b4b5d1bfca8e514f
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] Documentation: landlock: Document fs.resolve_unix audit blocker
2026-06-25 9:28 [PATCH] Documentation: landlock: Document fs.resolve_unix audit blocker Doehyun Baek
@ 2026-06-25 12:31 ` Günther Noack
0 siblings, 0 replies; 2+ messages in thread
From: Günther Noack @ 2026-06-25 12:31 UTC (permalink / raw)
To: Doehyun Baek
Cc: Mickaël Salaün, Jonathan Corbet, Shuah Khan,
Sebastian Andrzej Siewior, linux-security-module, linux-doc,
linux-kernel
On Thu, Jun 25, 2026 at 09:28:19AM +0000, Doehyun Baek wrote:
> The Landlock audit code can emit fs.resolve_unix as a filesystem blocker
> for pathname UNIX socket resolution denials, but the admin guide's blockers
> list did not mention it.
>
> Add the missing blocker name and ABI version to keep the audit
> documentation in sync with the emitted records.
>
> Fixes: ae97330d1bd6 ("landlock: Control pathname UNIX domain socket resolution by path")
> Signed-off-by: Doehyun Baek <doehyunbaek@gmail.com>
> ---
> Documentation/admin-guide/LSM/landlock.rst | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/Documentation/admin-guide/LSM/landlock.rst b/Documentation/admin-guide/LSM/landlock.rst
> index 314052bbeb0a..8eb85c9381ff 100644
> --- a/Documentation/admin-guide/LSM/landlock.rst
> +++ b/Documentation/admin-guide/LSM/landlock.rst
> @@ -52,6 +52,7 @@ AUDIT_LANDLOCK_ACCESS
> - fs.refer (ABI 2+)
> - fs.truncate (ABI 3+)
> - fs.ioctl_dev (ABI 5+)
> + - fs.resolve_unix (ABI 9+)
>
> **net.*** - Network access rights (ABI 4+):
> - net.bind_tcp - TCP port binding was denied
>
> base-commit: ab9de95c9cf952332ab79453b4b5d1bfca8e514f
> --
> 2.43.0
>
Thanks, good catch!
Reviewed-by: Günther Noack <gnoack@google.com>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-25 12:31 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-25 9:28 [PATCH] Documentation: landlock: Document fs.resolve_unix audit blocker Doehyun Baek
2026-06-25 12:31 ` Günther Noack
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox