man/man7/landlock.7: Document network support

Copy over the existing wording from kernel documentation,
as it was introduced in Linux commit
51442e8d64bc (2023-10-26, "landlock: Document network support").
Landlock rules are not only about the filesystem any more
and the new wording is more appropriate.

Signed-off-by: Günther Noack <gnoack@google.com>
Cc: Mickaël Salaün <mic@digikod.net>
Cc: Tahera Fahimi <fahimitahera@gmail.com>
Cc: Tanya Agarwal <tanyaagarwal25699@gmail.com>
Cc: Daniel Burgener <dburgener@linux.microsoft.com>
Cc: <linux-security-module@vger.kernel.org>
Message-ID: <20250303195056.136777-2-gnoack@google.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>

diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index c6b7272ea871713cf10c060e0a1b6b128cbc9a04..7b7a797ad6ca2bce61c3193d764952f9b58f39da 100644 (file)
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -39,13 +39,23 @@ the running kernel must support Landlock and
 it must be enabled at boot time.
 .\"
 .SS Landlock rules
-A Landlock rule describes an action on an object.
-An object is currently a file hierarchy,
-and the related filesystem actions are defined with access rights (see
-.BR landlock_add_rule (2)).
+A Landlock rule describes an action on an object
+which the process intends to perform.
 A set of rules is aggregated in a ruleset,
 which can then restrict the thread enforcing it,
 and its future children.
+.P
+The two existing types of rules are:
+.TP
+.B Filesystem rules
+For these rules, the object is a file hierarchy,
+and the related filesystem actions are defined with
+.IR "filesystem access rights" .
+.TP
+.BR "Network rules" " (since ABI v4)"
+For these rules, the object is a TCP port,
+and the related actions are defined with
+.IR "network access rights" .
 .\"
 .SS Filesystem actions
 These flags enable to restrict a sandboxed process to a