authorMatthieu Buffet <matthieu@buffet.re>2026-06-11 18:21:01 +0200
committerMickaël Salaün <mic@digikod.net>2026-06-13 23:15:04 +0200
commit9a8ed15ce22472fe0363e33738b4317d06b13c3a (patch)
tree59ac2ed5ec258b69b4a943e07bda1ffd8ed1564f /include/uapi
parent0ce4243509d1580349dd0d50624036d6b097e958 (diff)
landlock: Add UDP bind() access control
Add support for a first fine-grained UDP access right. LANDLOCK_ACCESS_NET_BIND_UDP controls the ability to set the local port of a UDP socket (via bind()). It will be useful for servers (to start receiving datagrams), and for some clients that need to use a specific source port (e.g. mDNS requires the use of port 5353). For obvious performance reasons, access control is only enforced when configuring sockets, not when using them for common send/recv operations. Bump ABI to allow userspace to detect and use this new right. Signed-off-by: Matthieu Buffet <matthieu@buffet.re> Link: https://patch.msgid.link/20260611162107.49278-2-matthieu@buffet.re [mic: Fix comment formatting] Signed-off-by: Mickaël Salaün <mic@digikod.net>
Diffstat (limited to 'include/uapi')
-rw-r--r--include/uapi/linux/landlock.h14
1 files changed, 10 insertions, 4 deletions
diff --git a/include/uapi/linux/landlock.h b/include/uapi/linux/landlock.h
index 10a346e55e95..f2927681e92d 100644
--- a/include/uapi/linux/landlock.h
+++ b/include/uapi/linux/landlock.h
@@ -200,10 +200,10 @@ struct landlock_net_port_attr {
* (also used for IPv6), and within that range, on a per-socket basis
* with ``setsockopt(IP_LOCAL_PORT_RANGE)``.
*
- * A Landlock rule with port 0 and the %LANDLOCK_ACCESS_NET_BIND_TCP
- * right means that requesting to bind on port 0 is allowed and it will
- * automatically translate to binding on a kernel-assigned ephemeral
- * port.
+ * A Landlock rule with port 0 and the %LANDLOCK_ACCESS_NET_BIND_TCP or
+ * %LANDLOCK_ACCESS_NET_BIND_UDP right means that requesting to bind on
+ * port 0 is allowed and it will automatically translate to binding on a
+ * kernel-assigned ephemeral port.
*/
__u64 port;
};
@@ -373,10 +373,16 @@ struct landlock_net_port_attr {
* port. Support added in Landlock ABI version 4.
* - %LANDLOCK_ACCESS_NET_CONNECT_TCP: Connect TCP sockets to the given
* remote port. Support added in Landlock ABI version 4.
+ *
+ * And similarly for UDP port numbers:
+ *
+ * - %LANDLOCK_ACCESS_NET_BIND_UDP: Bind UDP sockets to the given local
+ * port. Support added in Landlock ABI version 10.
*/
/* clang-format off */
#define LANDLOCK_ACCESS_NET_BIND_TCP (1ULL << 0)
#define LANDLOCK_ACCESS_NET_CONNECT_TCP (1ULL << 1)
+#define LANDLOCK_ACCESS_NET_BIND_UDP (1ULL << 2)
/* clang-format on */
/**
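Review bot: The new LANDLOCK_ACCESS_NET_BIND_UDP bullet in the second hunk documents only the explicit bind() case and leaves unstated what happens to a UDP socket that is never bound explicitly, which is the question a sandbox author has to answer before denying this right to a client. The commit message's remark that only socket configuration is checked, and that most clients do not need the right, suggests that automatic port assignment on a socket's first send is not subject to it, but the hunk itself does not say so, so this is an inference to confirm against the LSM hook in the rest of the series. If it holds, state it in the uapi comment, e.g. `* port. A UDP socket that is never explicitly bound is not affected.`, and consider adding the same sentence to the port 0 paragraph updated in the first hunk, since that paragraph is where readers look for the ephemeral-port semantics. The DOC block containing this bullet list begins before the hunk, so the introductory sentence for the TCP rights is out of view here.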