[RFC PATCH v1 3/3] landlock: Document network restrictions tied to sockets

[Mickaël Salaün]

The Landlock domain used to restrict operations on a socket is the
domain from the thread that created this socket.

Cc: Günther Noack <gnoack at google.com>
Cc: Ivanov Mikhail <ivanov.mikhail1 at huawei-partners.com>
Cc: Konstantin Meskhidze <konstantin.meskhidze at huawei.com>
Cc: Paul Moore <paul at paul-moore.com>
Cc: Tahera Fahimi <fahimitahera at gmail.com>
Signed-off-by: Mickaël Salaün <mic at digikod.net>
Link: https://lore.kernel.org/r/20240719150618.197991-4-mic@digikod.net
---
 Documentation/userspace-api/landlock.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
index 37dafce8038b..4a9bfff575d5 100644
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -529,7 +529,9 @@ Network support (ABI < 4)
 Starting with the Landlock ABI version 4, it is now possible to restrict TCP
 bind and connect actions to only a set of allowed ports thanks to the new
 ``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP``
-access rights.
+access rights.  These restrictions are tied to a socket and are inherited from
+the sandboxed thread that created this socket.  Hence, sockets created before
+sandboxing are not restricted.
 
 IOCTL (ABI < 5)
 ---------------
-- 
2.45.2