| author | Linus Torvalds <torvalds@linux-foundation.org> | 2025-02-26 11:55:44 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2025-02-26 11:55:44 -0800 |
| commit | c0d35086a21b8d5536da5029fd76b9aeecf3217d (patch) | |
| tree | affdb5d5bc1a3d09950c12d4c69895db036a54d1 /Documentation | |
| parent | d62fdaf51b115f851dd151f7af054535890b5a0d (diff) | |
| parent | 78332fdb956f18accfbca5993b10c5ed69f00a2c (diff) | |
Merge tag 'landlock-6.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux

Pull landlock fixes from Mickaël Salaün:

 "Fixes to TCP socket identification, documentation, and tests"

* tag 'landlock-6.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux:
  selftests/landlock: Add binaries to .gitignore
  selftests/landlock: Test that MPTCP actions are not restricted
  selftests/landlock: Test TCP accesses with protocol=IPPROTO_TCP
  landlock: Fix non-TCP sockets restriction
  landlock: Minor typo and grammar fixes in IPC scoping documentation
  landlock: Fix grammar error
  selftests/landlock: Enable the new CONFIG_AF_UNIX_OOB

Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/userspace-api/landlock.rst | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/Documentation/userspace-api/landlock.rst b/Documentation/userspace-api/landlock.rst index d639c61cb472..ad587f53fe41 100644 --- a/Documentation/userspace-api/landlock.rst +++ b/Documentation/userspace-api/landlock.rst @@ -8,7 +8,7 @@ Landlock: unprivileged access control ===================================== :Author: Mickaël Salaün -:Date: October 2024 +:Date: January 2025 The goal of Landlock is to enable restriction of ambient rights (e.g. global filesystem or network access) for a set of processes. Because Landlock @@ -329,11 +329,11 @@ non-sandboxed process, we can specify this restriction with A sandboxed process can connect to a non-sandboxed process when its domain is not scoped. If a process's domain is scoped, it can only connect to sockets created by processes in the same scope. -Moreover, If a process is scoped to send signal to a non-scoped process, it can +Moreover, if a process is scoped to send signal to a non-scoped process, it can only send signals to processes in the same scope. A connected datagram socket behaves like a stream socket when its domain is -scoped, meaning if the domain is scoped after the socket is connected , it can +scoped, meaning if the domain is scoped after the socket is connected, it can still :manpage:`send(2)` data just like a stream socket. However, in the same scenario, a non-connected datagram socket cannot send data (with :manpage:`sendto(2)`) outside its scope. |
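Review bot: In the second hunk (@@ -329,11 +329,11 @@), the sentence "Moreover, if a process is scoped to send signal to a non-scoped process, it can only send signals to processes in the same scope" is still hard to parse after the capitalization fix. "scoped to send signal" is missing an article or a plural, and the condition reads as if it already describes the thing the consequence then forbids, so a reader cannot tell what state triggers the restriction. Because this paragraph tells users what a sandboxed process can still reach, it is worth rewording while the line is being touched, for example "Moreover, if a process's domain is scoped for signals, it can only send signals to processes in the same scope", which mirrors the structure of the preceding sentence about sockets. The whitespace fix in "connected , it can" looks fine as is.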
