Improve "file names that don't exist" case explanation

[n0toose]

The documentation mentions a case of "file names that don’t exist". This got me thinking. Is it possible to whitelist a specific "path", despite no file (and therefore, no file descriptor) for a regular path to be created, without giving R/W permissions to the parent folder? (For example, so as to create a log.txt file in the current working directory, without the process being able to inspect anything else in the current working directory apart from the log?)

rust-landlock/src/uapi/landlock.rs

Line 15 in 94721d2

pub const LANDLOCK_ACCESS_FS_MAKE_REG: u32 = 256;

rust-landlock/src/fs.rs

Line 74 in 94721d2

MakeReg = uapi::LANDLOCK_ACCESS_FS_MAKE_REG as u64,

rust-landlock/src/fs.rs

Line 129 in 94721d2

| MakeReg

Derived from the examples:

pub fn initialize_landlock() -> Result<RestrictionStatus, LandlockRestrictError> {
	let abi = ABI::V5;
	let access_all: landlock::BitFlags<AccessFs, u64> = AccessFs::from_all(abi);
	let access_read: landlock::BitFlags<AccessFs, u64> = AccessFs::from_read(abi);

	Ok(Ruleset::default()
		.handle_access(access_all)?
		.create()?
		.add_rules(
			WHITELISTED_PATHS
				.get()
				.unwrap()
				.as_slice()
				.iter()
				.map::<Result<_, LandlockRestrictError>, _>(|p| {
					Ok(PathBeneath::new(PathFd::new(p)?, access_all))
				}),
		)?
		.restrict_self()?)
}