landlock: Document LANDLOCK_RESTRICT_SELF_TSYNC

Add documentation for LANDLOCK_RESTRICT_SELF_TSYNC. It does not need to go into the main example, but it has a section in the ABI compatibility notes. In the HTML rendering, the main reference is the system call documentation, which is included from the landlock.h header file.

Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Signed-off-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20251127115136.3064948-4-gnoack@google.com
[mic: Update date]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
parent 50c058e3ea
commit 39508405f6
@ -8,7 +8,7 @@ Landlock: unprivileged access control
|
|||
=====================================
|
||||
|
||||
:Author: Mickaël Salaün
|
||||
:Date: March 2025
|
||||
:Date: November 2025
|
||||
|
||||
The goal of Landlock is to enable restriction of ambient rights (e.g. global
|
||||
filesystem or network access) for a set of processes. Because Landlock
|
||||
|
|
@ -604,6 +604,14 @@ Landlock audit events with the ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``,
|
|||
sys_landlock_restrict_self(). See Documentation/admin-guide/LSM/landlock.rst
|
||||
for more details on audit.
|
||||
|
||||
Thread synchronization (ABI < 8)
|
||||
--------------------------------
|
||||
|
||||
Starting with the Landlock ABI version 8, it is now possible to
|
||||
enforce Landlock rulesets across all threads of the calling process
|
||||
using the ``LANDLOCK_RESTRICT_SELF_TSYNC`` flag passed to
|
||||
sys_landlock_restrict_self().
|
||||
|
||||
.. _kernel_support:
|
||||
|
||||
Kernel support
|
||||
|
|
|
|||
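Review bot: The new "Thread synchronization (ABI < 8)" section is titled for kernels older than ABI 8, but its only paragraph describes what ABI 8 adds and never says what a caller on an older ABI gets or should do. Since this sits in the compatibility notes, add a sentence stating how a ruleset is applied to the threads of a process when ``LANDLOCK_RESTRICT_SELF_TSYNC`` is not available, and that a program which checks the ABI version should only pass the flag to sys_landlock_restrict_self() when the version is 8 or higher. A reader who has a multithreaded program needs that to know whether their existing sandboxing covers every thread. As a wording point, "Starting with the Landlock ABI version 8, it is now possible" says the same thing twice; "Starting with the Landlock ABI version 8, it is possible" is enough.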