author    Günther Noack <gnoack3000@gmail.com>  2026-01-13 20:20:53 +0100
committer Alejandro Colomar <alx@kernel.org>  2026-01-14 00:34:02 +0100
commit    c5800b3bb828cb098445ca372f8b9d69eea4e688 (patch)
tree      23345a707153f4f92dcd76696bffa31a43df2ac2
parent    d02f0f25abc40456ea540fe86a151b39e662cd18 (diff)
download  man-pages-c5800b3bb828cb098445ca372f8b9d69eea4e688.tar.gz
man/man7/landlock.7: Filesystem actions: Re-group description of IOCTL access right
Move the description of the LANDLOCK_ACCESS_FS_IOCTL_DEV access right together with the file access rights. This group of access rights applies to files (in this case device files), and they can be added to file or directory inodes using landlock_add_rule(2). The check for that works the same for all file access rights, including LANDLOCK_ACCESS_FS_IOCTL_DEV. Invoking ioctl(2) on directory FDs cannot currently be restricted with Landlock.

Having it grouped separately in the documentation is a remnant from earlier revisions of the LANDLOCK_ACCESS_FS_IOCTL_DEV patch set. The same change was also done in kernel documentation, linked below.

Fixes: 893db5f60c73 (2024-08-21; "landlock.7: Document Landlock ABI version 5 (IOCTL)")
Link: https://lore.kernel.org/all/20260111175203.6545-2-gnoack3000@gmail.com/
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Message-ID: <20260113192052.4703-2-gnoack3000@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
-rw-r--r--  man/man7/landlock.7 | 81
1 file changed, 39 insertions(+), 42 deletions(-)
diff --git a/man/man7/landlock.7 b/man/man7/landlock.7
index 5d4a24f792..c31d513d15 100644
--- a/man/man7/landlock.7
+++ b/man/man7/landlock.7
@@ -97,6 +97,45 @@ with
.BR O_TRUNC .
.IP
This access right is available since the third version of the Landlock ABI.
+.TP
+.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+Invoke
+.BR ioctl (2)
+commands on an opened character or block device.
+.IP
+This access right applies to all
+.BR ioctl (2)
+commands implemented by device drivers.
+However, the following common IOCTL commands continue to be invokable
+independent of the
+.B LANDLOCK_ACCESS_FS_IOCTL_DEV
+right:
+.RS
+.IP \[bu] 3
+IOCTL commands targeting file descriptors
+.RB ( FIOCLEX ,
+.BR FIONCLEX ),
+.IP \[bu]
+IOCTL commands targeting file descriptions
+.RB ( FIONBIO ,
+.BR FIOASYNC ),
+.IP \[bu]
+IOCTL commands targeting file systems
+.RB ( FIFREEZE ,
+.BR FITHAW ,
+.BR FIGETBSZ ,
+.BR FS_IOC_GETFSUUID ,
+.BR FS_IOC_GETFSSYSFSPATH )
+.IP \[bu]
+Some IOCTL commands which do not make sense when used with devices, but
+whose implementations are safe and return the right error codes
+.RB ( FS_IOC_FIEMAP ,
+.BR FICLONE ,
+.BR FICLONERANGE ,
+.BR FIDEDUPERANGE )
+.RE
+.IP
+This access right is available since the fifth version of the Landlock ABI.
.P
Whether an opened file can be truncated with
.BR ftruncate (2)
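Review bot: The punctuation of the bulleted exception list in the moved block is inconsistent: the first two items end with `),` (`.BR FIONCLEX ),` and `.BR FIOASYNC ),`), while the file-systems item ends with `.BR FS_IOC_GETFSSYSFSPATH )` and no comma, and the final item `.BR FIDEDUPERANGE )` has no terminating period. Since this hunk is a verbatim relocation of existing text, the cleaner option is to keep it as a pure move and add the missing comma and final period in a separate follow-up patch, so that this commit stays reviewable as a move. Placement itself looks right: the entry now follows the TRUNCATE text ("available since the third version of the Landlock ABI") and precedes the ftruncate(2) paragraph, i.e. it sits with the other per-file access rights as the commit message intends.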
@@ -198,48 +237,6 @@ If multiple requirements are not met, the
.B EACCES
error code takes precedence over
.BR EXDEV .
-.P
-The following access right
-applies to both files and directories:
-.TP
-.B LANDLOCK_ACCESS_FS_IOCTL_DEV
-Invoke
-.BR ioctl (2)
-commands on an opened character or block device.
-.IP
-This access right applies to all
-.BR ioctl (2)
-commands implemented by device drivers.
-However, the following common IOCTL commands continue to be invokable
-independent of the
-.B LANDLOCK_ACCESS_FS_IOCTL_DEV
-right:
-.RS
-.IP \[bu] 3
-IOCTL commands targeting file descriptors
-.RB ( FIOCLEX ,
-.BR FIONCLEX ),
-.IP \[bu]
-IOCTL commands targeting file descriptions
-.RB ( FIONBIO ,
-.BR FIOASYNC ),
-.IP \[bu]
-IOCTL commands targeting file systems
-.RB ( FIFREEZE ,
-.BR FITHAW ,
-.BR FIGETBSZ ,
-.BR FS_IOC_GETFSUUID ,
-.BR FS_IOC_GETFSSYSFSPATH )
-.IP \[bu]
-Some IOCTL commands which do not make sense when used with devices, but
-whose implementations are safe and return the right error codes
-.RB ( FS_IOC_FIEMAP ,
-.BR FICLONE ,
-.BR FICLONERANGE ,
-.BR FIDEDUPERANGE )
-.RE
-.IP
-This access right is available since the fifth version of the Landlock ABI.
.\"
.SS Network flags
These flags enable to restrict a sandboxed process
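Review bot: The removed lines are character-for-character identical to the block added in the first hunk, so the only content that actually disappears is the introductory paragraph `.P` / `The following access right` / `applies to both files and directories:`, which is exactly the statement the commit message identifies as a remnant (ioctl(2) on directory FDs cannot be restricted with Landlock). Dropping the `.P` together with that paragraph is correct: the preceding text now ends at `.BR EXDEV .` and runs straight into the `.\"` comment and `.SS Network flags`, leaving no dangling paragraph break. Worth a final check before merging is that the Fixes: tag (893db5f60c73) really is the commit that introduced the separate grouping, since that is what backport tooling will key on.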