[PATCH v6 9/9] landlock: Document FS access right for pathname UNIX sockets
Günther Noack
gnoack3000 at gmail.com
Fri Mar 20 17:04:34 UTC 2026
On Wed, Mar 18, 2026 at 05:54:19PM +0100, Mickaël Salaün wrote:
> Please always add some minimal description.
Done.
> Also, as already requested, could you run the check-linux.sh all on each
> patch? That would avoid me to fix things like the date (which would now
> be OK because of the new patch in my next branch, but still).
Will do.
> On Sun, Mar 15, 2026 at 11:21:50PM +0100, Günther Noack wrote:
> > Cc: Justin Suess <utilityemal77 at gmail.com>
> > Cc: Mickaël Salaün <mic at digikod.net>
> > Signed-off-by: Günther Noack <gnoack3000 at gmail.com>
> > ---
> > Documentation/userspace-api/landlock.rst | 15 ++++++++++++++-
> > 1 file changed, 14 insertions(+), 1 deletion(-)
> >
> > diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst
> > index 13134bccdd39..e60ebd07c5cc 100644
> > --- a/Documentation/userspace-api/landlock.rst
> > +++ b/Documentation/userspace-api/landlock.rst
> > @@ -77,7 +77,8 @@ to be explicit about the denied-by-default access rights.
> > LANDLOCK_ACCESS_FS_MAKE_SYM |
> > LANDLOCK_ACCESS_FS_REFER |
> > LANDLOCK_ACCESS_FS_TRUNCATE |
> > - LANDLOCK_ACCESS_FS_IOCTL_DEV,
> > + LANDLOCK_ACCESS_FS_IOCTL_DEV |
> > + LANDLOCK_ACCESS_FS_RESOLVE_UNIX,
> > .handled_access_net =
> > LANDLOCK_ACCESS_NET_BIND_TCP |
> > LANDLOCK_ACCESS_NET_CONNECT_TCP,
> > @@ -127,6 +128,11 @@ version, and only use the available subset of access rights:
> > /* Removes LANDLOCK_SCOPE_* for ABI < 6 */
> > ruleset_attr.scoped &= ~(LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET |
> > LANDLOCK_SCOPE_SIGNAL);
> > + __attribute__((fallthrough));
>
> Case 6 should be handled too:
>
> case 6 ... 8:
Thank you, good catch!
>
> > + case 7:
> > + case 8:
> > + /* Removes LANDLOCK_ACCESS_FS_RESOLVE_UNIX for ABI < 9 */
> > + ruleset_attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
> > }
> >
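Review bot: The `case 7:` / `case 8:` labels in this hunk do not cover ABI 6, while the comment under them says the right is removed for "ABI < 9". The preceding block is commented "Removes LANDLOCK_SCOPE_* for ABI < 6", so with these labels a kernel reporting ABI 6 reaches neither branch and `LANDLOCK_ACCESS_FS_RESOLVE_UNIX` stays set in `ruleset_attr.handled_access_fs`. Writing the label as `case 6 ... 8:` (or adding a `case 6:` line) makes the labels agree with the comment and keeps the documented fallback consistent for every ABI below 9.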
-Günther