[PATCH v2 3/3] landlock.7: Clarify IPC scoping documentation in line with kernel side

[Günther Noack]

Hello Alejandro!

On Fri, Feb 28, 2025 at 10:37:17PM +0100, Alejandro Colomar wrote:
> On Wed, Feb 26, 2025 at 10:29:12PM +0100, Günther Noack wrote:
> > * Clarify terminology
> > * Stop mixing the unix(7) and signal(7) aspects in the explanation.
> > 
> > Terminology:
> > 
> > * The *IPC Scope* of a Landlock domain is that Landlock domain and its
> >   nested domains.
> > 
> > * An *operation* (e.g., signaling, connecting to abstract UDS) is said to
> >   be *scoped within a domain* when the flag for that operation was set at
> >   ruleset creation time.  This means that for the purpose of this
> >   operation, only processes within the domain's IPC scope are reachable.
> > 
> > Link: https://lore.kernel.org/all/20250226211814.31420-4-gnoack@google.com/
> > Signed-off-by: Günther Noack <gnoack at google.com>
> > ---
> >  man/man7/landlock.7 | 73 ++++++++++++++++++++++-----------------------
> >  1 file changed, 35 insertions(+), 38 deletions(-)
> > 
> > diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
> > index 30dbac73d..42cd7286f 100644
> > --- a/man/man7/landlock.7
> > +++ b/man/man7/landlock.7
> > @@ -357,46 +357,43 @@ which means the tracee must be in a sub-domain of the tracer.
> >  Similar to the implicit
> >  .BR "Ptrace restrictions" ,
> >  we may want to further restrict interactions between sandboxes.
> > -Each Landlock domain can be explicitly scoped for a set of actions
> > -by specifying it on a ruleset.
> > -For example, if a sandboxed process should not be able to
> > -.BR connect (2)
> > -to a non-sandboxed process through abstract
> > +Therefore, at ruleset creation time,
> > +each Landlock domain can restrict the scope for certain operations,
> > +so that these operations can only reach out to processes
> > +within the same Landlock domain or in a nested Landlock domain (the "scope").
> > +.P
> > +The operations which can be scoped are:
> > +.P
> 
> Redundant P before TP.

Thanks, done.


> > [...]
> > 
> > -A sandboxed process can connect to a non-sandboxed process
> > -when its domain is not scoped.
> > -If a process's domain is scoped,
> > -it can only connect to sockets created by processes in the same scope.
> > -Moreover,
> > -If a process is scoped to send signal to a non-scoped process,
> > -it can only send signals to processes in the same scope.
> > -.P
> > -A connected datagram socket behaves like a stream socket
> > -when its domain is scoped,
> > -meaning if the domain is scoped after the socket is connected,
> > -it can still
> > -.BR send (2)
> > -data just like a stream socket.
> > -However, in the same scenario,
> > -a non-connected datagram socket cannot send data (with
> > -.BR sendto (2))
> > -outside its scope.
> > -.P
> > -A process with a scoped domain can inherit a socket
> 
> This text seems to have been added in patch 2/3.  Why is it being
> removed in the same set?

I attempted to keep the "copy existing documentation" apart from the "rewrite"
part, but this was maybe a mistake given that this results in throwaway
corrections.  Should I rather squash them instead?

Thanks for the detailed review,
—Günther