@@ -149,10 +149,10 @@ static const struct file_operations ruleset_fops = {
149
149
*
150
150
* Possible returned errors are:
151
151
*
152
- * - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
153
- * - EINVAL: unknown @flags, or unknown access, or too small @size;
154
- * - E2BIG or EFAULT: @attr or @size inconsistencies;
155
- * - ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
152
+ * - % EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
153
+ * - % EINVAL: unknown @flags, or unknown access, or too small @size;
154
+ * - % E2BIG or % EFAULT: @attr or @size inconsistencies;
155
+ * - % ENOMSG: empty &landlock_ruleset_attr.handled_access_fs.
156
156
*/
157
157
SYSCALL_DEFINE3 (landlock_create_ruleset ,
158
158
const struct landlock_ruleset_attr __user * const , attr ,
@@ -280,7 +280,7 @@ static int get_path_from_fd(const s32 fd, struct path *const path)
280
280
* @ruleset_fd: File descriptor tied to the ruleset that should be extended
281
281
* with the new rule.
282
282
* @rule_type: Identify the structure type pointed to by @rule_attr (only
283
- * LANDLOCK_RULE_PATH_BENEATH for now).
283
+ * % LANDLOCK_RULE_PATH_BENEATH for now).
284
284
* @rule_attr: Pointer to a rule (only of type &struct
285
285
* landlock_path_beneath_attr for now).
286
286
* @flags: Must be 0.
@@ -290,17 +290,17 @@ static int get_path_from_fd(const s32 fd, struct path *const path)
290
290
*
291
291
* Possible returned errors are:
292
292
*
293
- * - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
294
- * - EINVAL: @flags is not 0, or inconsistent access in the rule (i.e.
293
+ * - % EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
294
+ * - % EINVAL: @flags is not 0, or inconsistent access in the rule (i.e.
295
295
* &landlock_path_beneath_attr.allowed_access is not a subset of the
296
296
* ruleset handled accesses);
297
- * - ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access);
298
- * - EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
297
+ * - % ENOMSG: Empty accesses (e.g. &landlock_path_beneath_attr.allowed_access);
298
+ * - % EBADF: @ruleset_fd is not a file descriptor for the current thread, or a
299
299
* member of @rule_attr is not a file descriptor as expected;
300
- * - EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
300
+ * - % EBADFD: @ruleset_fd is not a ruleset file descriptor, or a member of
301
301
* @rule_attr is not the expected file descriptor type;
302
- * - EPERM: @ruleset_fd has no write access to the underlying ruleset;
303
- * - EFAULT: @rule_attr inconsistency.
302
+ * - % EPERM: @ruleset_fd has no write access to the underlying ruleset;
303
+ * - % EFAULT: @rule_attr inconsistency.
304
304
*/
305
305
SYSCALL_DEFINE4 (landlock_add_rule , const int , ruleset_fd ,
306
306
const enum landlock_rule_type , rule_type ,
@@ -378,20 +378,20 @@ SYSCALL_DEFINE4(landlock_add_rule, const int, ruleset_fd,
378
378
* @flags: Must be 0.
379
379
*
380
380
* This system call enables to enforce a Landlock ruleset on the current
381
- * thread. Enforcing a ruleset requires that the task has CAP_SYS_ADMIN in its
381
+ * thread. Enforcing a ruleset requires that the task has % CAP_SYS_ADMIN in its
382
382
* namespace or is running with no_new_privs. This avoids scenarios where
383
383
* unprivileged tasks can affect the behavior of privileged children.
384
384
*
385
385
* Possible returned errors are:
386
386
*
387
- * - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
388
- * - EINVAL: @flags is not 0.
389
- * - EBADF: @ruleset_fd is not a file descriptor for the current thread;
390
- * - EBADFD: @ruleset_fd is not a ruleset file descriptor;
391
- * - EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
387
+ * - % EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
388
+ * - % EINVAL: @flags is not 0.
389
+ * - % EBADF: @ruleset_fd is not a file descriptor for the current thread;
390
+ * - % EBADFD: @ruleset_fd is not a ruleset file descriptor;
391
+ * - % EPERM: @ruleset_fd has no read access to the underlying ruleset, or the
392
392
* current thread is not running with no_new_privs, or it doesn't have
393
- * CAP_SYS_ADMIN in its namespace.
394
- * - E2BIG: The maximum number of stacked rulesets is reached for the current
393
+ * % CAP_SYS_ADMIN in its namespace.
394
+ * - % E2BIG: The maximum number of stacked rulesets is reached for the current
395
395
* thread.
396
396
*/
397
397
SYSCALL_DEFINE2 (landlock_restrict_self , const int , ruleset_fd , const __u32 ,
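Review bot: In the error list above landlock_restrict_self, two of the rewritten entries still break the list punctuation: the EINVAL entry ends with a period while its siblings end with semicolons, and the EPERM entry ends with `in its namespace.` even though the E2BIG entry follows it. Since these lines are rewritten anyway, ending them with `@flags is not 0;` and `in its namespace;` would match the lists in the other two syscall comments. Separately, the page shows the new marker as `% EINVAL` with a space after the percent sign; this is probably a rendering artifact (the SYSCALL_DEFINE lines are spaced out the same way), but if the space is in the file, kernel-doc will not treat the name as a constant reference, so it is worth checking the generated output. The comment block begins above this hunk, so only its tail is visible here.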