On 15/05/2023 18:13, Konstantin Meskhidze wrote:
Describe network access rules for TCP sockets. Add network access
example in the tutorial. Add kernel configuration support for network.
Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@xxxxxxxxxx>
---
Changes since v10:
* Fixes documentaion as Mickaёl suggested:
https://lore.kernel.org/linux-security-module/ec23be77-566e-c8fd-179e-f50e025ac2cf@xxxxxxxxxxx/
Changes since v9:
* Minor refactoring.
Changes since v8:
* Minor refactoring.
Changes since v7:
* Fixes documentaion logic errors and typos as Mickaёl suggested:
https://lore.kernel.org/netdev/9f354862-2bc3-39ea-92fd-53803d9bbc21@xxxxxxxxxxx/
Changes since v6:
* Adds network support documentaion.
---
Documentation/userspace-api/landlock.rst | 83 ++++++++++++++++++------
1 file changed, 62 insertions(+), 21 deletions(-)
[...]
@@ -143,10 +159,23 @@ for the ruleset creation, by filtering access rights according to the Landlock
ABI version. In this example, this is not required because all of the requested
``allowed_access`` rights are already available in ABI 1.
-We now have a ruleset with one rule allowing read access to ``/usr`` while
-denying all other handled accesses for the filesystem. The next step is to
-restrict the current thread from gaining more privileges (e.g. thanks to a SUID
-binary).
+For network access-control, we can add a set of rules that allow to use a port
+number for a specific action: HTTPS connections.
+
+.. code-block:: c
+
+ struct landlock_net_service_attr net_service = {
+ .allowed_access = NET_CONNECT_TCP,
LANDLOCK_ACCESS_NET_CONNECT_TCP
+ .port = 443,
+ };
+
+ err = landlock_add_rule(ruleset_fd, LANDLOCK_RULE_NET_SERVICE,
+ &net_service, 0);
+
