Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

landlock: Minor reword of docs for TCP access rights

- Move ABI requirement next to each access right to prepare adding more
access rights;
- Mention the possibility to remove the random component of a socket's
ephemeral port choice within the netns-wide ephemeral port range,
since it allows choosing the "random" ephemeral port.

Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://lore.kernel.org/r/20251212163704.142301-2-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>

authored by Matthieu Buffet and committed by Mickaël Salaün

bbb6f53e 39508405

+9 -8
include/uapi/linux/landlock.h
··· 195 195 * It should be noted that port 0 passed to :manpage:`bind(2)` will bind 196 196 * to an available port from the ephemeral port range. This can be 197 197 * configured with the ``/proc/sys/net/ipv4/ip_local_port_range`` sysctl 198 - * (also used for IPv6). 198 + * (also used for IPv6), and within that range, on a per-socket basis 199 + * with ``setsockopt(IP_LOCAL_PORT_RANGE)``. 199 200 * 200 - * A Landlock rule with port 0 and the ``LANDLOCK_ACCESS_NET_BIND_TCP`` 201 + * A Landlock rule with port 0 and the %LANDLOCK_ACCESS_NET_BIND_TCP 201 202 * right means that requesting to bind on port 0 is allowed and it will 202 - * automatically translate to binding on the related port range. 203 + * automatically translate to binding on a kernel-assigned ephemeral 204 + * port. 203 205 */ 204 206 __u64 port; 205 207 }; ··· 344 342 * These flags enable to restrict a sandboxed process to a set of network 345 343 * actions. 346 344 * 347 - * This is supported since Landlock ABI version 4. 348 - * 349 345 * The following access rights apply to TCP port numbers: 350 346 * 351 - * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind a TCP socket to a local port. 352 - * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect an active TCP socket to 353 - * a remote port. 347 + * - %LANDLOCK_ACCESS_NET_BIND_TCP: Bind TCP sockets to the given local 348 + * port. Support added in Landlock ABI version 4. 349 + * - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect TCP sockets to the given 350 + * remote port. Support added in Landlock ABI version 4. 354 351 */ 355 352 /* clang-format off */ 356 353 #define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
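Review bot: in the first hunk, the new sentence names the per-socket `setsockopt(IP_LOCAL_PORT_RANGE)` override but stops short of stating its consequence for the port-0 rule described a few lines below, which the commit message itself spells out: a sandboxed process allowed to bind port 0 can first narrow its socket's range to a single port and so pick the "random" ephemeral port deliberately. Suggest adding to the port-0 paragraph something like ` * Because that range can be narrowed per socket, allowing port 0 effectively allows binding to any port within the ephemeral port range.` so readers writing rulesets do not mistake port 0 for a single unpredictable port. Also, for consistency with the `:manpage:`bind(2)`` reference two lines earlier, `setsockopt(2)` would be better written with the same role, keeping `IP_LOCAL_PORT_RANGE` in literal markup.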
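Review bot: in the second hunk, the two replacement bullets each carry their own "Support added in Landlock ABI version 4." sentence, which is the per-right layout the commit message asks for, but dropping the standalone "This is supported since Landlock ABI version 4." line means the intro "The following access rights apply to TCP port numbers:" now carries no version information at all; that is fine only if every future right lists its ABI version the same way, so a short note of that convention near the list would keep later additions consistent. While this comment block is being reworded, the unchanged line above it, "These flags enable to restrict a sandboxed process", is not idiomatic; "These flags make it possible to restrict a sandboxed process" reads better.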