Re: [PATCH 2/2] man/man7/landlock.7: Document LANDLOCK_ACCESS_FS_RESOLVE_UNIX (ABI v9)

From: Günther Noack <hidden>
Date: 2026-05-15 17:47:43

Hello Alejandro,

On Thu, May 14, 2026 at 02:21:14PM +0200, Alejandro Colomar wrote:
On 2026-05-14T09:04:17+0200, Günther Noack wrote:
quoted
Document the new LANDLOCK_ACCESS_FS_RESOLVE_UNIX filesystem access right,
which controls lookups of pathname UNIX domain sockets.  Restricts both
connect(2) and sendmsg(2) with an explicit recipient address to UNIX
sockets created outside the Landlock domain (same semantics as
LANDLOCK_SCOPE_* flags).  Denied attempts return EACCES.

Available since Linux 7.1 (Landlock ABI version 9).

Signed-off-by: Günther Noack <redacted>
---
 man/man7/landlock.7 | 56 +++++++++++++++++++++++++++++++++++++--------
 1 file changed, 46 insertions(+), 10 deletions(-)
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 0e3a11489af2..d0d9c720bfaf 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -139,6 +139,38 @@ whose implementations are safe and return the right error codes
 .RE
 .IP
 This access right is available since the fifth version of the Landlock ABI.
+.TP
+.B LANDLOCK_ACCESS_FS_RESOLVE_UNIX
+Look up pathname UNIX
+domain sockets
+.RB ( unix (7)).
+On UNIX domain sockets,
+this restricts both calls to
+.BR connect (2)
+and
+.BR sendmsg (2)
+with an explicit recipient address.
+.IP
+This access right only applies to connections to UNIX server sockets
s/only applies/applies only/
Done, thanks!

I should pay more attention to that,
it might be a German-ism to mix that up.

quoted
+which were created outside the newly created Landlock domain
+(e.g., from within a parent domain or from an unrestricted process).
+Newly created UNIX servers
+within the same Landlock domain
+continue to be accessible.
+In this regard,
+.B LANDLOCK_ACCESS_FS_RESOLVE_UNIX
+has the same semantics as the
+.B LANDLOCK_SCOPE_*
* is variable part, so it should be in italics:

	.BI LANDLOCK_SCOPE_ *
Done.
quoted
+flags.
+.IP
+If a resolve attempt is denied,
'resolve attempt' seems weird.  Should this be 'resolution attempt'?
Good point, done.

quoted
+the operation returns an
+.B EACCES
+error,
+in line with other filesystem access rights
+(but different to denials for abstract UNIX domain sockets).
+.IP
+This access right is available since the ninth version of the Landlock ABI.
I see this is consistent with the rest of the page, but we should change
all of these to use cardinals instead of ordinals (and in digits, not
letters).
Done. I made it consistent with the landlock_restrict_self(2) man page
as well, where we have put these version indicators as shorter phrases
next to the tagged paragraph headlines of the affected flags.

quoted
 .P
 Whether an opened file can be truncated with
 .BR ftruncate (2)
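Review bot: In the EACCES paragraph of the new LANDLOCK_ACCESS_FS_RESOLVE_UNIX entry, the parenthetical "(but different to denials for abstract UNIX domain sockets)" tells the reader that the error differs without saying which error to expect in that case. Name that error code there, or point to the paragraph that documents it, so that callers handling both kinds of denial know what to test for. The first paragraph also lists only connect(2) and sendmsg(2); if sendto(2) with a destination address is restricted in the same way, it is worth listing as well.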
@@ -478,6 +510,8 @@ _	_	_
 \^	\^	LANDLOCK_RESTRICT_SELF_LOG_SUBDOMAINS_OFF
 _	_	_
 8	7.0	LANDLOCK_RESTRICT_SELF_TSYNC
+_	_	_
+9	7.1	LANDLOCK_ACCESS_FS_RESOLVE_UNIX
 .TE
 .P
 Users should use the Landlock ABI version rather than the kernel version
@@ -563,7 +597,8 @@ attr.handled_access_fs =
         LANDLOCK_ACCESS_FS_MAKE_SYM |
         LANDLOCK_ACCESS_FS_REFER |
         LANDLOCK_ACCESS_FS_TRUNCATE |
-        LANDLOCK_ACCESS_FS_IOCTL_DEV;
+        LANDLOCK_ACCESS_FS_IOCTL_DEV |
+        LANDLOCK_ACCESS_FS_RESOLVE_UNIX;
 .EE
 .in
 .P
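Review bot: The example's handled_access_fs now includes LANDLOCK_ACCESS_FS_RESOLVE_UNIX, but nothing in this hunk tells the reader what that changes for the sandbox the example builds. Going by the description added earlier in the patch, connect(2) and sendmsg(2) to pathname sockets created outside the domain will fail with EACCES unless a rule grants the right. The text around the example should say whether any of its rules grants LANDLOCK_ACCESS_FS_RESOLVE_UNIX, so that readers who copy the snippet know which socket paths remain reachable.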
@@ -578,14 +613,15 @@ and only use the available subset of access rights:
  * numbers hardcoded to keep the example short.
  */
 __u64 landlock_fs_access_rights[] = {
-    (LANDLOCK_ACCESS_FS_MAKE_SYM  << 1) \- 1,  /* v1                  */
-    (LANDLOCK_ACCESS_FS_REFER     << 1) \- 1,  /* v2: add "refer"     */
-    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v3: add "truncate"  */
-    (LANDLOCK_ACCESS_FS_TRUNCATE  << 1) \- 1,  /* v4: TCP support     */
-    (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1,  /* v5: add "ioctl_dev" */
-    (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1,  /* v6: same            */
-    (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1,  /* v7: same            */
-    (LANDLOCK_ACCESS_FS_IOCTL_DEV << 1) \- 1,  /* v8: same            */
+    (LANDLOCK_ACCESS_FS_MAKE_SYM     << 1) \- 1,  /* v1                     */
+    (LANDLOCK_ACCESS_FS_REFER        << 1) \- 1,  /* v2: add "refer"        */
+    (LANDLOCK_ACCESS_FS_TRUNCATE     << 1) \- 1,  /* v3: add "truncate"     */
+    (LANDLOCK_ACCESS_FS_TRUNCATE     << 1) \- 1,  /* v4: TCP support        */
+    (LANDLOCK_ACCESS_FS_IOCTL_DEV    << 1) \- 1,  /* v5: add "ioctl_dev"    */
+    (LANDLOCK_ACCESS_FS_IOCTL_DEV    << 1) \- 1,  /* v6: same               */
+    (LANDLOCK_ACCESS_FS_IOCTL_DEV    << 1) \- 1,  /* v7: same               */
+    (LANDLOCK_ACCESS_FS_IOCTL_DEV    << 1) \- 1,  /* v8: same               */
+    (LANDLOCK_ACCESS_FS_RESOLVE_UNIX << 1) \- 1,  /* v9: add "resolve_unix" */
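Review bot: The new ninth entry in landlock_fs_access_rights[] takes effect only if the code that indexes the array lets the ABI value reach 9, and the comment above the array says the numbers are hardcoded. That indexing code is not in the quoted part of the hunk, so please check that any hardcoded upper bound on the ABI version is raised along with this entry; otherwise a v9 kernel would still be masked down to the v8 set and the right added to handled_access_fs would be dropped silently.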
We should probably use C99 comments (//), to reduce the width, and
alignment issues.
Good idea, done.

Feel free to send formatting patches for these side issues.
I split it up a bit, so that the fixes independent of the new feature
can go separately; see
https://lore.kernel.org/all/20260515165753.8830-1-gnoack3000@gmail.com/

Thanks for the review!
–Günther