From: "Günther Noack" <gnoack3000@gmail.com>
To: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Cc: gnoack@google.com, mic@digikod.net,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 1/3] landlock: add backwards compatibility for restrict flags
Date: Sun, 1 Feb 2026 13:24:14 +0100
Message-ID: <20260201.616f24966d36@gnoack.org>
In-Reply-To: <20260128031814.2945394-2-samasth.norway.ananda@oracle.com>
On Tue, Jan 27, 2026 at 07:18:10PM -0800, Samasth Norway Ananda wrote:
> Add backwards compatibility handling for the restrict flags introduced
> in ABI version 7. This is shown as a separate code block (similar to
> the ruleset_attr handling in the switch statement) because restrict flags
> are passed to landlock_restrict_self() rather than being part of the
> ruleset attributes.
>
> Also fix misleading description of the /usr rule which incorrectly
> stated it "only allow[s] reading" when the code actually allows both
> reading and executing (LANDLOCK_ACCESS_FS_EXECUTE is included in
> allowed_access).
>
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
> ---
> Documentation/userspace-api/landlock.rst | 30 +++++++++++++++++-------
> 1 file changed, 22 insertions(+), 8 deletions(-)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 1ed25af0499f..c8ef1392a0c7 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -157,11 +157,11 @@ This enables the creation of an inclusive ruleset that will contain our rules.
> }
>
> We can now add a new rule to this ruleset thanks to the returned file
> -descriptor referring to this ruleset. The rule will only allow reading the
> -file hierarchy ``/usr``. Without another rule, write actions would then be
> -denied by the ruleset. To add ``/usr`` to the ruleset, we open it with the
> -``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with this file
> -descriptor.
> +descriptor referring to this ruleset. The rule will allow reading and
> +executing the file hierarchy ``/usr``. Without another rule, write actions
> +would then be denied by the ruleset. To add ``/usr`` to the ruleset, we open
> +it with the ``O_PATH`` flag and fill the &struct landlock_path_beneath_attr with
> +this file descriptor.
>
> .. code-block:: c
>
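Review bot: the rewritten sentence now agrees with allowed_access (read plus execute), but the sentence kept right after it, "Without another rule, write actions would then be denied by the ruleset", still understates the effect: as the later paragraph in this same patch puts it, all other handled filesystem accesses are denied, not only writes. Consider "Without another rule, all other handled accesses (for example writing) would then be denied by the ruleset." so the two paragraphs describe the ruleset the same way.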
> @@ -233,10 +233,24 @@ to effectively block sending UDP datagrams to arbitrary ports.
> err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
> &net_port, 0);
>
> +When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a
> +similar backwards compatibility check is needed for the restrict flags
> +(see sys_landlock_restrict_self() documentation for available flags):
> +
> +.. code-block:: c
> +
> + __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
> + if (abi < 7) {
> + /* Clear logging flags unsupported before ABI 7. */
> + restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
> + LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> + LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
> + }
> +
> The next step is to restrict the current thread from gaining more privileges
> (e.g. through a SUID binary). We now have a ruleset with the first rule
> -allowing read access to ``/usr`` while denying all other handled accesses for
> -the filesystem, and two more rules allowing DNS queries.
> +allowing read and execute access to ``/usr`` while denying all other handled
> +accesses for the filesystem, and two more rules allowing DNS queries.
>
> .. code-block:: c
>
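Review bot: the new snippet uses `abi` without saying where it comes from; since the commit message says this block mirrors the ruleset_attr switch, a half sentence such as "using the same abi value obtained above" would stop readers from taking it for a new variable. Two more points on the block itself: the mask clears three LOG_* flags while only LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON is set, which is right as a general mask but worth stating in the comment ("clear every logging flag, whichever ones were requested") so nobody hunts for where the other two were set; and silently dropping the flags means a program sandboxed on a pre-ABI-7 kernel runs without the exec logging it asked for, so one sentence noting that the degradation is silent (consistent with the best-effort ruleset_attr handling, but relevant to anyone relying on those audit records) would help. Minor: "sys_landlock_restrict_self() documentation" is a kernel-doc style reference; check that it renders as a link in the built docs.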
> @@ -250,7 +264,7 @@ The current thread is now ready to sandbox itself with the ruleset.
>
> .. code-block:: c
>
> - if (landlock_restrict_self(ruleset_fd, 0)) {
> + if (landlock_restrict_self(ruleset_fd, restrict_flags)) {
> perror("Failed to enforce ruleset");
> close(ruleset_fd);
> return 1;
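Review bot: this call now depends on the restrict_flags variable introduced in the previous hunk, yet that paragraph is introduced with "When passing a non-zero flags argument", which reads as optional; a reader who skips it arrives here with an undefined variable. Either say at this call site that restrict_flags is the value computed earlier (or 0 when no flags are wanted), or make the earlier snippet unconditional. The error path is unchanged and still closes ruleset_fd before returning, which is correct.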
> --
> 2.50.1
>
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Thanks!
–Günther
Thread overview: 7+ messages
2026-01-28 3:18 [PATCH v3 0/3] landlock: documentation improvements Samasth Norway Ananda
2026-01-28 3:18 ` [PATCH v3 1/3] landlock: add backwards compatibility for restrict flags Samasth Norway Ananda
2026-02-01 12:24 ` Günther Noack [this message]
2026-01-28 3:18 ` [PATCH v3 2/3] landlock: add errata documentation section Samasth Norway Ananda
2026-02-01 12:23 ` Günther Noack
2026-01-28 3:18 ` [PATCH v3 3/3] landlock: Document audit blocker field format Samasth Norway Ananda
2026-02-05 19:23 ` [PATCH v3 0/3] landlock: documentation improvements Mickaël Salaün