On 10/09/2022 23:14, Konstantin Meskhidze (A) wrote:
On 9/6/2022 11:12 AM, Mickaël Salaün wrote:
On 29/08/2022 19:04, Konstantin Meskhidze wrote:
[...]
@@ -129,6 +138,24 @@ descriptor.
}
err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
&path_beneath, 0);
+
+It may also be required to create rules following the same logic as explained
+for the ruleset creation, by filtering access rights according to the Landlock
+ABI version. In this example, this is not required because all of the requested
+`allowed_access` rights are already available in ABI 1.
This paragraph should not be moved. Furthermore, this hunk removes error handling…
Ok. Got it.
+
+For network part we can add number of rules containing a port number and actions
+that a process is allowed to do for certian ports.
+
+.. code-block:: c
+
+ struct landlock_net_service_attr net_service = {
+ .allowed_access = LANDLOCK_ACCESS_NET_BIND_TCP,
+ .port = 8080,
+ };
+
+ err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service, 0);
close(path_beneath.parent_fd);
if (err) {
perror("Failed to update ruleset");
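Review bot: the network rule is inserted between the path_beneath landlock_add_rule() call and its `if (err)` check, so the filesystem rule's return value is overwritten by the second landlock_add_rule() before it is ever tested and a failure to add the path rule goes unreported; move the network example after the existing error check, or test `err` right after each call. The moved ABI paragraph also stops being true at this position, since the rule directly below it requests LANDLOCK_ACCESS_NET_BIND_TCP, which this patch is introducing, so it is not "already available in ABI 1". Minor: "certian" should be "certain", and "we can add number of rules" reads better as "we can add a number of rules".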
@@ -136,13 +163,9 @@ descriptor.
return 1;
}
-It may also be required to create rules following the same logic as explained
-for the ruleset creation, by filtering access rights according to the Landlock
-ABI version. In this example, this is not required because all of the requested
-`allowed_access` rights are already available in ABI 1.
-
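Review bot: this deletion is the other half of the move in the previous hunk; the ABI-version paragraph describes the filesystem example's `allowed_access` rights and belongs here, after the `if (err)` block, so keep the paragraph in place and add the network documentation as its own code-block plus explanation section instead.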
Please add similar standalone code + explanation sections for network here.
Is the added section for network not enough?
Take a look at the generated HTML documentation. Add a dedicated code-block section + explanation instead of inserting the network doc between FS doc parts and introducing an issue in the example.