landlock: Demonstrate best-effort allowed_access filtering

author Mickaël Salaün <mic@digikod.net>

Wed, 13 May 2026 15:18:53 +0000 (17:18 +0200)

committer Mickaël Salaün <mic@digikod.net>

Sat, 13 Jun 2026 21:14:59 +0000 (23:14 +0200)
author Mickaël Salaün <mic@digikod.net>
Wed, 13 May 2026 15:18:53 +0000 (17:18 +0200)
committer Mickaël Salaün <mic@digikod.net>
Sat, 13 Jun 2026 21:14:59 +0000 (23:14 +0200)
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst

index fd8b78c31f2fe0673c8238fbcf0eda617bb1380c..45861fa75685b3c29f4a7feed10a83819b554be6 100644 (file)
--- a/Documentation/userspace-api/landlock.rst
+++ b/Documentation/userspace-api/landlock.rst
@@ -8,7 +8,7 @@ Landlock: unprivileged access control
  =====================================
  
  :Author: Mickaël Salaün
-:Date: March 2026
+:Date: May 2026
  
  The goal of Landlock is to enable restriction of ambient rights (e.g. global
  filesystem or network access) for a set of processes.  Because Landlock
@@ -155,7 +155,7 @@ this file descriptor.
  
  .. code-block:: c
  
-    int err;
+    int err = 0;
      struct landlock_path_beneath_attr path_beneath = {
          .allowed_access =
              LANDLOCK_ACCESS_FS_EXECUTE |
@@ -163,25 +163,29 @@ this file descriptor.
              LANDLOCK_ACCESS_FS_READ_DIR,
      };
  
-    path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
-    if (path_beneath.parent_fd < 0) {
-        perror("Failed to open file");
-        close(ruleset_fd);
-        return 1;
-    }
-    err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
-                            &path_beneath, 0);
-    close(path_beneath.parent_fd);
-    if (err) {
-        perror("Failed to update ruleset");
-        close(ruleset_fd);
-        return 1;
+    path_beneath.allowed_access &= ruleset_attr.handled_access_fs;
+    if (path_beneath.allowed_access) {
+        path_beneath.parent_fd = open("/usr", O_PATH | O_CLOEXEC);
+        if (path_beneath.parent_fd < 0) {
+            perror("Failed to open file");
+            close(ruleset_fd);
+            return 1;
+        }
+        err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
+                                &path_beneath, 0);
+        close(path_beneath.parent_fd);
+        if (err) {
+            perror("Failed to update ruleset");
+            close(ruleset_fd);
+            return 1;
+        }
      }
  
-It may also be required to create rules following the same logic as explained
-for the ruleset creation, by filtering access rights according to the Landlock
-ABI version.  In this example, this is not required because all of the requested
-``allowed_access`` rights are already available in ABI 1.
+As shown above, masking the rule's ``allowed_access`` against the ruleset's
+``handled_access_*`` is the recommended best-effort pattern: rights the running
+kernel does not support are dropped (the compatibility switch above already
+cleared them in ``handled_access_*``), and the rule is skipped if no supported
+right remains.
  
  For network access-control, we can add a set of rules that allow to use a port
  number for a specific action: HTTPS connections.
@@ -193,8 +197,10 @@ number for a specific action: HTTPS connections.
          .port = 443,
      };
  
-    err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
-                            &net_port, 0);
+    net_port.allowed_access &= ruleset_attr.handled_access_net;
+    if (net_port.allowed_access)
+        err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_PORT,
+                                &net_port, 0);
  
  When passing a non-zero ``flags`` argument to ``landlock_restrict_self()``, a
  similar backwards compatibility check is needed for the restrict flags
author	Mickaël Salaün <mic@digikod.net>
	Wed, 13 May 2026 15:18:53 +0000 (17:18 +0200)
committer	Mickaël Salaün <mic@digikod.net>
	Sat, 13 Jun 2026 21:14:59 +0000 (23:14 +0200)