[PATCH 3/5] Documentation/landlock: Fix missing case for ABI 6 in downgrade example
Mickaël Salaün
mic at digikod.net
Sun Dec 28 18:16:36 UTC 2025
The subject for documentation should just start with "landlock: "
On Sun, Dec 28, 2025 at 01:27:33AM +0000, Tingmao Wang wrote:
> Note that this code is different from the one in sandboxer.c since
> sandboxer won't ever add LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF and
> LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF.
A more complet patch was sent a few days ago:
https://lore.kernel.org/r/3e21551d-24c3-459f-8cee-4d85c97c0120@oracle.com
>
> Fixes: 12bfcda73ac2 ("landlock: Add LANDLOCK_RESTRICT_SELF_LOG_*_EXEC_* flags")
Unless required by other parts of the patch, there is no need to
backport documentation changes, so there should not be any Fixes tag.
> Signed-off-by: Tingmao Wang <m at maowtm.org>
> ---
> Documentation/userspace-api/landlock.rst | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> index 1d0c2c15c22e..903d2ad11852 100644
> --- a/Documentation/userspace-api/landlock.rst
> +++ b/Documentation/userspace-api/landlock.rst
> @@ -127,6 +127,12 @@ version, and only use the available subset of access rights:
> /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
> ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
> LANDLOCK_SCOPE_SIGNAL);
> + __attribute__((fallthrough));
> + case 6:
> + /* Removes LANDLOCK_RESTRICT_SELF_LOG_* for ABI < 7 */
> + supported_restrict_flags &= ~(LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON |
> + LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF |
> + LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF);
As Günther pointed out, this switch/case might not be needed for this
part of the documentation.
> }
>
> This enables the creation of an inclusive ruleset that will contain our rules.
> --
> 2.52.0
>
>
More information about the Linux-security-module-archive
mailing list