From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wm1-f65.google.com (mail-wm1-f65.google.com [209.85.128.65])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63ACE311C15
	for <linux-kernel@vger.kernel.org>; Wed, 25 Feb 2026 18:54:02 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.65
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1772045643; cv=none; b=kFpcQAIikX2NY9vctjqlvh4gWH6I0NZq2t3opBPR2BIv7SZxIvl/FwmMhumH7jclpYsyPZSiN7nwhfxukY/TS7HIS8dX5bWrwyV0HdZSemnN/dAeISg7+EU7Z8y7pPNSYbPFSxNhVut6sm667QEbUyT6EFKn8cbhHFxcIxt91cA=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1772045643; c=relaxed/simple;
	bh=IYfNgJtBQ6RbPAHveRA9XcmzjH3CHVpWjJuPVOZDjb4=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=mpgrJ4EmIcnyRVvHeWx4SGX8bQ3YqQyu7K+XJcUZo7/8xA+GGHNav/LCk/COtsTs9lgWvhU15609CfuApkslTkhF9TikTkeLJNRCC93W2OTiH3Tqx5PxvMi8vnzkkP8DkKtjPHLGGaz93YebRpeCiDN//5P2ha5L6EIszyT1xrQ=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=XM3F5sqB; arc=none smtp.client-ip=209.85.128.65
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="XM3F5sqB"
Received: by mail-wm1-f65.google.com with SMTP id 5b1f17b1804b1-4807068eacbso762425e9.2
        for <linux-kernel@vger.kernel.org>; Wed, 25 Feb 2026 10:54:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1772045641; x=1772650441; darn=vger.kernel.org;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date:from:to
         :cc:subject:date:message-id:reply-to;
        bh=m0v9eecdrDlKKkRsI8AJc9LWKKGXVn/oxr4SUBFzAKY=;
        b=XM3F5sqBj50+0X5mw+JusqQTCwHKXeJFBn/xTlz+o+F+mAmprSAJxoIlo/fMqYMEml
         wcL/r/crRzJnH0E5V4tZAXWpODV9KCTTJ3BxM4wmyfrE3BvJb42EHuyhSh7Ho4DnFTkW
         xJocbFNoRvhYuzGMGWQob5jokv8Muue1XhROJjPYPh3OkGyGzxjNHb1V2g8cDlulspVS
         YWJ1trXhV9TAlCZXtdhE6RkHXXUkzTJqw9B/8XBH7pwbq2JeEh5S9oXJjbjzu+qCHfgS
         s9hTaVIrRHLM4NhQOKnJ7T6vOUxmOayegXMZdEpGxK0/lUWwBN1VIpfDznNTwG3HR5Sr
         UVfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1772045641; x=1772650441;
        h=in-reply-to:content-transfer-encoding:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date:x-gm-gg
         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=m0v9eecdrDlKKkRsI8AJc9LWKKGXVn/oxr4SUBFzAKY=;
        b=NdHbNHNP56C2AiTW8s3Wqk039sQjN8emLaL39I1qizfAcymel3asFWjgWTnHGFii8m
         +Ia0ZkqO1E/ZgKAgNKOBxqnxQokwNBncMUhidsIRcuW2ARyyB4j+dac5jNV5JsGQlMQd
         zKg+El+N0cBcHAZO7eU/v1bY12/QGKtVGu//uNw8XhBjuDG1+K/GE4eYqqGhEDQf/K8Y
         aK2eEZcBuSL04jAusbtjPeS/qWpMgnc01DqA6/MHv5baTysDfbBg6aUFwXzg0jgsOb/C
         u0PBanxCU8vytPWGbzXQw+cHB2Xboi97DYloNu6yIfkUS9K29TnSgD3Vax8mdtdx5GKn
         1PdQ==
X-Forwarded-Encrypted: i=1; AJvYcCUP87XzbZ547Wk1RLvYTQ5mL9HNGFZ65b815MvvqPKHPE+vdVRrtvCZJ5iSuZVE7VuIK6xV4waSYv8gEck=@vger.kernel.org
X-Gm-Message-State: AOJu0Yy5dUq32udfVdke5WAsNyeHVwGIDdbPBFC24JI6A3bPAys1WWnv
	QMjNilqntgkgD7QftmjghVZfQZZuwsyykirV5airOzD9XvGGpXJhZI35
X-Gm-Gg: ATEYQzxVpNcDh5K2Yun4zAIRap5P+hPY1BvOYfw/SCPgUnT+u/zs/++HOd8lL7VH+NP
	1z4qBWJilj5Vah0W4CrRkkzN+5IW0Y9HbyQ3MuL5T07Hd8g5rlTbDAg+/8XTXJdLgsbM0rPVUYg
	KbI4Du7AufajZlHFHSSP3ACDO4gLxX7QWli2yXoc/C3f3kDAhlqHFBENTmJcOZcWlTz1Ti9my5F
	2KgCUxVWuMD9PZL2VAvDFDRuokDA/7Ojd0KpipmbCljvmwsUjOqTrp3wi7Yj8nXkCeP/mhZ66yC
	73bdJT2NS9aVIPbhB9XJHTZ+hfWpC7mM7S8u4ts5HzUO7oCOTS5ly1DwWDxyD75K32z/oHxjzHr
	sKMv2bcBHpuh3gR1F61JSK0KTkZeFpmUP8ywlkkDb/Z1XoppnZ+nTaDkOa1b2Pt2hOHqzx8Z4iP
	9xuT4cxoqtu7RQA+hAS178GDh53Yiv4/bpKASxoNi+TzuX3RkZ
X-Received: by 2002:a05:600c:c4a5:b0:483:7783:5382 with SMTP id 5b1f17b1804b1-483a95e6b64mr263650605e9.27.1772045640610;
        Wed, 25 Feb 2026 10:54:00 -0800 (PST)
Received: from localhost (ip87-106-108-193.pbiaas.com. [87.106.108.193])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-483bd702e7bsm99932735e9.5.2026.02.25.10.54.00
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 25 Feb 2026 10:54:00 -0800 (PST)
Date: Wed, 25 Feb 2026 19:53:52 +0100
From: =?iso-8859-1?Q?G=FCnther?= Noack <gnoack3000@gmail.com>
To: "Panagiotis \"Ivory\" Vasilopoulos" <git@n0toose.net>
Cc: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mic@digikod.net>,
	=?iso-8859-1?Q?G=FCnther?= Noack <gnoack@google.com>,
	Jonathan Corbet <corbet@lwn.net>,
	Shuah Khan <skhan@linuxfoundation.org>,
	linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] landlock: Expand restrict flags example for ABI
 version 8
Message-ID: <20260225.617b52a2bef0@gnoack.org>
References: <20260221-landlock-docs-add-tsync-example-v2-1-60990986bba5@n0toose.net>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20260221-landlock-docs-add-tsync-example-v2-1-60990986bba5@n0toose.net>

On Sat, Feb 21, 2026 at 11:12:25PM +0100, Panagiotis "Ivory" Vasilopoulos wrote:
> Add LANDLOCK_RESTRICT_SELF_TSYNC to the backwards compatibility example
> for restrict flags. This introduces completeness, similar to that of
> the ruleset attributes example.
> 
> Additionally, I modified the two comments of the example to make them
> more consistent with the ruleset attributes example's.
> 
> Signed-off-by: Panagiotis 'Ivory' Vasilopoulos <git@n0toose.net>
> ---
> Changes in v2:
> - Fix formatting error.
> - Link to v1: https://lore.kernel.org/r/20260221-landlock-docs-add-tsync-example-v1-1-f89383809eb4@n0toose.net
> ---
>  Documentation/userspace-api/landlock.rst | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 13134bccdd39d78ddce3daf454f32dda162ce91b..0affe1c953d61a4b32aca700cd262c49cee6304a 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -197,12 +197,18 @@ similar backwards compatibility check is needed for the restrict flags
>  
>  .. code-block:: c
>  
> -    __u32 restrict_flags = LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON;
> -    if (abi < 7) {
> -        /* Clear logging flags unsupported before ABI 7. */
> +    __u32 restrict_flags =
> +        LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> +        LANDLOCK_RESTRICT_SELF_TSYNC;
> +    switch (abi) {
> +    case 1 ... 6:
> +        /* Clear logging flags unsupported for ABI < 7 */
>          restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
>                              LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
>                              LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
> +    case 7:
> +        /* Removes multithread flag unsupported for ABI < 8 */
> +        restrict_flags &= ~LANDLOCK_RESTRICT_SELF_TSYNC;
>      }

Thanks Panagiotis, this makes sense.  We overlooked this.

I'm slightly worried that people will copy-paste this example blindly
if it does not have a big warning in it.  Unlike the other "backwards
compatibility" example code that we have, this one actually changes
how the enforcement works.  (The other flags change logging, but audit
logging makes no difference to the process that sandboxes itself.)

Could you please add wording to the comment to state more explicitly
that below ABI v8, the enforced Landlock policy only applies to the
current thread?

Thanks,
–Günther