Unverified Commit a13e248f authored May 06, 2022 by Mickaël Salaün

landlock: Fix landlock_add_rule(2) documentation

It is not mandatory to pass a file descriptor obtained with the O_PATH
flag.  Also, replace rule's accesses with ruleset's accesses.

Link: https://lore.kernel.org/r/20220506160820.524344-2-mic@digikod.net


Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>

parent 81709f3d

include/uapi/linux/landlock.h

+3 −2

Original line number	Diff line number	Diff line
		@@ -62,8 +62,9 @@ struct landlock_path_beneath_attr {
		*/
		__u64 allowed_access;
		/**
		* @parent_fd: File descriptor, open with ``O_PATH``, which identifies
		* the parent directory of a file hierarchy, or just a file.
		* @parent_fd: File descriptor, preferably opened with ``O_PATH``,
		* which identifies the parent directory of a file hierarchy, or just a
		* file.
		*/
		__s32 parent_fd;
		/*

security/landlock/syscalls.c

+3 −4

Original line number	Diff line number	Diff line
		@@ -292,14 +292,13 @@ static int get_path_from_fd(const s32 fd, struct path *const path)
		*
		* - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
		* - EINVAL: @flags is not 0, or inconsistent access in the rule (i.e.
		* &landlock_path_beneath_attr.allowed_access is not a subset of the rule's
		* accesses);
		* &landlock_path_beneath_attr.allowed_access is not a subset of the
		* ruleset handled accesses);
		* - ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access);
		* - EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
		* member of @rule_attr is not a file descriptor as expected;
		* - EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
		* @rule_attr is not the expected file descriptor type (e.g. file open
		* without O_PATH);
		* @rule_attr is not the expected file descriptor type;
		* - EPERM: @ruleset_fd has no write access to the underlying ruleset;
		* - EFAULT: @rule_attr inconsistency.
		*/