[RFC PATCH 3/5] samples/landlock: Add support for LANDLOCK_ACCESS_FS_CONNECT_UNIX

[Günther Noack]

Add unix(7) connect() support to the Landlock sample tool.

The "connect UNIX" right is grouped with the read-write rights in the
sample tool.  Rationale: In the general case, any operations are
possible through a Unix domain socket, including data-mutating
operations.

Cc: Justin Suess <utilityemal77 at gmail.com>
Cc: Mickaël Salaün <mic at digikod.net>
Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
---
 samples/landlock/sandboxer.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/samples/landlock/sandboxer.c b/samples/landlock/sandboxer.c
index e7af02f98208b..b24ef317d1ea9 100644
--- a/samples/landlock/sandboxer.c
+++ b/samples/landlock/sandboxer.c
@@ -295,11 +295,12 @@ static bool check_ruleset_scope(const char *const env_var,
 	LANDLOCK_ACCESS_FS_MAKE_SYM | \
 	LANDLOCK_ACCESS_FS_REFER | \
 	LANDLOCK_ACCESS_FS_TRUNCATE | \
-	LANDLOCK_ACCESS_FS_IOCTL_DEV)
+	LANDLOCK_ACCESS_FS_IOCTL_DEV | \
+	LANDLOCK_ACCESS_FS_CONNECT_UNIX)
 
 /* clang-format on */
 
-#define LANDLOCK_ABI_LAST 7
+#define LANDLOCK_ABI_LAST 8
 
 #define XSTR(s) #s
 #define STR(s) XSTR(s)
@@ -444,6 +445,12 @@ int main(const int argc, char *const argv[], char *const *const envp)
 			"provided by ABI version %d (instead of %d).\n",
 			LANDLOCK_ABI_LAST, abi);
 		__attribute__((fallthrough));
+	case 7:
+		/* Removes LANDLOCK_ACCESS_FS_CONNECT_UNIX for ABI < 8 */
+		ruleset_attr.handled_access_fs &=
+			~LANDLOCK_ACCESS_FS_CONNECT_UNIX;
+
+		__attribute__((fallthrough));
 	case LANDLOCK_ABI_LAST:
 		break;
 	default:
-- 
2.52.0