landlock: Demonstrate best-effort allowed_access filtering
Landlock provides best-effort sandboxing across ABI versions:
applications request the rights they need, and on older kernels the
unsupported rights are silently dropped from handled_access_* by the
documented compatibility switch. The recommended pattern for
landlock_add_rule(2) calls is to mirror this filtering at the rule
level, which wasn't explicitly described in the example.
Show the pattern explicitly in the filesystem and network rule examples
by masking each rule's allowed_access against the ruleset's
handled_access_* and adding the rule only when at least one bit remains
set. This makes the recommended best-effort pattern self-documenting.
Reviewed-by: Günther Noack <gnoack3000@gmail.com>
Link: https://patch.msgid.link/20260513151856.148423-1-mic@digikod.net
Signed-off-by: Mickaël Salaün <mic@digikod.net>
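As an added illustration of the pattern the commit describes (this is example code written for this page, not the kernel's samples/landlock code): the ABI compatibility switch trims handled_access_* to what the running kernel supports, and every rule's allowed_access is then masked against that handled set, with the rule skipped entirely when no bit survives. The access-right bits, rule type and struct layouts are defined locally and mirror the values in linux/landlock.h so the file builds without that header; the syscalls go through raw syscall(2) and are only compiled where libc defines SYS_landlock_*. The paths /usr and /tmp are arbitrary choices for the demo, and landlock_restrict_self(2) is deliberately not called so running the program does not sandbox your shell.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Access-right bits and rule type, mirroring linux/landlock.h; defined
 * locally so this example builds even where that header is missing. */
#define LL_FS_READ_FILE    (1ULL << 2)
#define LL_FS_READ_DIR     (1ULL << 3)
#define LL_FS_MAKE_SYM     (1ULL << 12)
#define LL_FS_REFER        (1ULL << 13) /* ABI 2 */
#define LL_FS_TRUNCATE     (1ULL << 14) /* ABI 3 */
#define LL_FS_IOCTL_DEV    (1ULL << 15) /* ABI 5 */
#define LL_FS_ALL_ABI1     ((LL_FS_MAKE_SYM << 1) - 1) /* bits 0..12 */
#define LL_NET_BIND_TCP    (1ULL << 0)  /* ABI 4 */
#define LL_NET_CONNECT_TCP (1ULL << 1)  /* ABI 4 */
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1

struct ll_ruleset_attr { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

/* The documented compatibility switch: start from every right this program
 * knows about and drop whatever the running ABI cannot express. */
struct ll_ruleset_attr ll_handled_for_abi(int abi)
{
    struct ll_ruleset_attr a = {
        .handled_access_fs = LL_FS_ALL_ABI1 | LL_FS_REFER | LL_FS_TRUNCATE | LL_FS_IOCTL_DEV,
        .handled_access_net = LL_NET_BIND_TCP | LL_NET_CONNECT_TCP,
    };
    if (abi < 1) { /* no Landlock at all: nothing can be handled */
        a.handled_access_fs = 0;
        a.handled_access_net = 0;
        return a;
    }
    switch (abi) {
    case 1: a.handled_access_fs &= ~LL_FS_REFER;     /* fall through */
    case 2: a.handled_access_fs &= ~LL_FS_TRUNCATE;  /* fall through */
    case 3: a.handled_access_net = 0;                /* fall through */
    case 4: a.handled_access_fs &= ~LL_FS_IOCTL_DEV; /* fall through */
    default: break;
    }
    return a;
}

/* Rule-level mirror of the switch: keep only the bits the ruleset handles.
 * Zero means every requested right is unsupported here, so the rule must be
 * skipped instead of handed to landlock_add_rule(2), which would reject it. */
uint64_t ll_filter_allowed(uint64_t allowed, uint64_t handled)
{
    return allowed & handled;
}

/* Add a path_beneath rule with best-effort filtering. Returns 1 if the rule
 * was added, 0 if it was skipped because nothing remained after masking,
 * -1 on error with errno set. */
int ll_add_fs_rule(int ruleset_fd, uint64_t handled_fs, const char *path, uint64_t allowed)
{
#ifdef SYS_landlock_add_rule
    struct ll_path_beneath_attr pb = { .allowed_access = ll_filter_allowed(allowed, handled_fs) };
    long ret;
    if (!pb.allowed_access)
        return 0;
    pb.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (pb.parent_fd < 0)
        return -1;
    ret = syscall(SYS_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0);
    close(pb.parent_fd);
    return ret ? -1 : 1;
#else
    (void)ruleset_fd; (void)handled_fs; (void)path; (void)allowed;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
#ifdef SYS_landlock_create_ruleset
    int abi = syscall(SYS_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    struct ll_ruleset_attr attr = ll_handled_for_abi(abi);
    int fd, n;
    if (abi < 1) { perror("landlock unavailable"); return 1; }
    fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0) { perror("landlock_create_ruleset"); return 1; }
    /* Example paths: read-only /usr is expressible on every ABI, while a
     * TRUNCATE-only rule on /tmp is dropped entirely before ABI 3. */
    n = ll_add_fs_rule(fd, attr.handled_access_fs, "/usr", LL_FS_READ_FILE | LL_FS_READ_DIR);
    printf("ABI %d: /usr read-only rule %s\n", abi, n == 1 ? "added" : n == 0 ? "skipped" : "failed");
    n = ll_add_fs_rule(fd, attr.handled_access_fs, "/tmp", LL_FS_TRUNCATE);
    printf("ABI %d: /tmp truncate-only rule %s\n", abi, n == 1 ? "added" : n == 0 ? "skipped" : "failed");
    close(fd); /* landlock_restrict_self(2) intentionally not called */
    return 0;
#else
    puts("this libc does not define the Landlock syscall numbers");
    return 0;
#endif
}
```

The masking is the whole point: without it, a rule that carries LL_FS_TRUNCATE on an ABI 2 kernel fails with EINVAL even though the ruleset was created successfully, because the ruleset never handled that bit. Skipping a rule whose mask collapses to zero is correct rather than a loss of safety, since an unhandled right is not restricted by Landlock on that kernel anyway.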