From: Günther Noack Date: Thu, 27 Nov 2025 11:51:36 +0000 (+0100) Subject: landlock: Document LANDLOCK_RESTRICT_SELF_TSYNC X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=39508405f6e6c8ce8a0f4bf93b344610d9051043;p=thirdparty%2Fkernel%2Flinux.git landlock: Document LANDLOCK_RESTRICT_SELF_TSYNC Add documentation for LANDLOCK_RESTRICT_SELF_TSYNC. It does not need to go into the main example, but it has a section in the ABI compatibility notes. In the HTML rendering, the main reference is the system call documentation, which is included from the landlock.h header file. Cc: Andrew G. Morgan Cc: John Johansen Cc: Paul Moore Signed-off-by: Günther Noack Link: https://lore.kernel.org/r/20251127115136.3064948-4-gnoack@google.com [mic: Update date] Signed-off-by: Mickaël Salaün --- diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index 1d0c2c15c22e3..90bb0778666db 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -8,7 +8,7 @@ Landlock: unprivileged access control ===================================== :Author: Mickaël Salaün -:Date: March 2025 +:Date: November 2025 The goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock @@ -604,6 +604,14 @@ Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``, sys_landlock_restrict_self(). See Documentation/admin-guide/LSM/landlock.rst for more details on audit. +Thread synchronization (ABI < 8) +-------------------------------- + +Starting with the Landlock ABI version 8, it is now possible to +enforce Landlock rulesets across all threads of the calling process +using the ``LANDLOCK_RESTRICT_SELF_TSYNC`` flag passed to +sys_landlock_restrict_self(). + .. _kernel_support: Kernel support
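Review bot: The new "Thread synchronization (ABI < 8)" paragraph in the second hunk says what ABI version 8 makes possible, but not what a caller gets when ``LANDLOCK_RESTRICT_SELF_TSYNC`` is not passed, or what to do on a kernel whose ABI is below 8. A reader of the compatibility notes is looking for exactly that. Consider adding one sentence on the behaviour without the flag and one on the expected fallback when the ABI version is below 8, so the section can be used for best-effort handling on its own. A smaller wording point in the same paragraph: "Starting with the Landlock ABI version 8, it is now possible" is redundant, and dropping "now" reads more cleanly.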