landlock: Minor reword of docs for TCP access rights

- Move ABI requirement next to each access right to prepare adding more
  access rights;
- Mention the possibility to remove the random component of a socket's
  ephemeral port choice within the netns-wide ephemeral port range,
  since it allows choosing the "random" ephemeral port.

Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://lore.kernel.org/r/20251212163704.142301-2-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>

diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index d5081ab4e5ef2af0fba5de6b3652f60c7d0b712c..f88fa1f68b770b8a3ee98d5a34f0f1c455647005 100644 (file)
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -195,11 +195,13 @@ struct landlock_net_port_attr {
         * It should be noted that port 0 passed to :manpage:`bind(2)` will bind
         * to an available port from the ephemeral port range.  This can be
         * configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl
-        * (also used for IPv6).
+        * (also used for IPv6), and within that range, on a per-socket basis
+        * with ``setsockopt(IP_LOCAL_PORT_RANGE)``.
         *
-        * A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP``
+        * A Landlock rule with port 0 and the %LANDLOCK_ACCESS_NET_BIND_TCP
         * right means that requesting to bind on port 0 is allowed and it will
-        * automatically translate to binding on the related port range.
+        * automatically translate to binding on a kernel-assigned ephemeral
+        * port.
         */
        __u64 port;
 };
@@ -342,13 +344,12 @@ struct landlock_net_port_attr {
  * These flags enable to restrict a sandboxed process to a set of network
  * actions.
  *
- * This is supported since Landlock ABI version 4.
- *
  * The following access rights apply to TCP port numbers:
  *
- * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind a TCP socket to a local port.
- * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect an active TCP socket to
- *   a remote port.
+ * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind TCP sockets to the given local
+ *   port. Support added in Landlock ABI version 4.
+ * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect TCP sockets to the given
+ *   remote port. Support added in Landlock ABI version 4.
  */
 /* clang-format off */
 #define LANDLOCK_ACCESS_NET_BIND_TCP                   (1ULL << 0)