@@ -529,7 +529,9 @@ Network support (ABI < 4)
Starting with the Landlock ABI version 4, it is now possible to restrict TCP
bind and connect actions to only a set of allowed ports thanks to the new
``LANDLOCK_ACCESS_NET_BIND_TCP`` and ``LANDLOCK_ACCESS_NET_CONNECT_TCP``
-access rights.
+access rights. These restrictions are tied to a socket and are inherited from
+the sandboxed thread that created this socket. Hence, sockets created before
+sandboxing are not restricted.
IOCTL (ABI < 5)
---------------
The Landlock domain used to restrict operations on a socket is the domain from the thread that created this socket. Cc: Günther Noack <gnoack@google.com> Cc: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com> Cc: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> Cc: Paul Moore <paul@paul-moore.com> Cc: Tahera Fahimi <fahimitahera@gmail.com> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20240719150618.197991-4-mic@digikod.net --- Documentation/userspace-api/landlock.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)