Ensure that
PathAccess(...).accessFS ⊆ cfg.handledAccessFS
for all path options constructed with PathAccess().
This is a conservative choice, but it's easier to enforce that way.
RODirs() and friends are more "magic" - they let you give broad access permissions on entire directories, and that is supposed to work even when the user specifies a smaller AccessFSSet in their config. On the other hand, when users pass a custom AccessFSSet to PathAccess(), they should have a clear understanding of the configuration that they will use it in, and it can be expected that they ensure it is a subset.
Examples
This is a good example. On library upgrade, it should be enough to bump the version number, in most cases. Note that a Go-landlock library that supports V3 at some point still needs to do the exact same thing in the V2 case though:
```go
landlock.V2.BestEffort().RestrictPaths(
    landlock.RODirs("/bin", "/usr", "/etc"),
    landlock.RWDirs("/tmp"),
)
```
This is a good example as well. Making and removing directories is forbidden everywhere except in /tmp.
```go
landlock.MustConfig(landlock.AccessFSSet(ll.AccessFSMakeDir|ll.AccessFSRemoveDir)).BestEffort().RestrictPaths(
    landlock.RWDirs("/tmp"),
)
```
This is a good example as well. Making and removing directories is forbidden, except in /tmp and creating them in /home/x/tmp. It's verbose, but the author knows exactly what is being restricted and what is the scope of each exception:
```go
landlock.MustConfig(landlock.AccessFSSet(ll.AccessFSMakeDir|ll.AccessFSRemoveDir)).BestEffort().RestrictPaths(
    landlock.PathAccess(landlock.AccessFSSet(ll.AccessFSMakeDir|ll.AccessFSRemoveDir), "/tmp"),
    landlock.PathAccess(landlock.AccessFSSet(ll.AccessFSMakeDir), "/home/x/tmp"),
)
```
The following example is on the fence:
- It's a good example as long as the author has checked that "transmogrify" is captured in Landlock ABI V99.
- It's a bad example if the author has not checked that. If "transmogrify" is not part of Landlock ABI V99, it's very likely to be a programmer mistake, and it would be better to give an error in that case.
```go
landlock.V99.BestEffort().RestrictPaths(
    landlock.PathAccess(landlock.AccessFSSet(ll.AccessTransmogrifyFile), "/tmp"),
)
```
This last case is the one that the bug is about.
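To make the proposed rule concrete, here is an added, self-contained model of the check (not go-landlock's own code): a bitmask `AccessFSSet`, a `Config` carrying `handledAccessFS`, and a validation step that rejects any `PathAccess()` rule whose access set is not a subset of the config's handled set, while `RWDirs()`-style helper rules are silently intersected with the handled set instead. The type and function names (`Config.effectiveRules`, `Rule.explicit`, `ErrNotHandled`) and the bit values, including the stand-in `AccessTransmogrifyFile`, are assumptions made for this example and do not match the library's internals.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessFSSet is a simplified stand-in for go-landlock's filesystem access
// bitmask; it is not the library's own type.
type AccessFSSet uint64

// Constructed access-right bits in the shape of the page's ll.AccessFSMakeDir
// and ll.AccessFSRemoveDir; the numeric values are hypothetical.
const (
	AccessFSReadFile  AccessFSSet = 1 << iota // 1
	AccessFSMakeDir                           // 2
	AccessFSRemoveDir                         // 4
	AccessTransmogrifyFile                    // 8, stands in for the page's unsupported "transmogrify" right
)

// isSubsetOf reports whether every bit set in s is also set in other.
func (s AccessFSSet) isSubsetOf(other AccessFSSet) bool {
	return s&^other == 0
}

// Config models the access rights a Landlock ruleset is created to handle
// (the page's cfg.handledAccessFS).
type Config struct {
	handledAccessFS AccessFSSet
}

// Rule is one RestrictPaths() argument: the rights granted on some paths.
type Rule struct {
	accessFS AccessFSSet
	paths    []string
	// explicit marks a PathAccess() rule, where the caller chose the set
	// deliberately; helper rules such as RWDirs() leave it false.
	explicit bool
}

// PathAccess mirrors the page's landlock.PathAccess(): an explicit set.
func PathAccess(access AccessFSSet, paths ...string) Rule {
	return Rule{accessFS: access, paths: paths, explicit: true}
}

// RWDirs mirrors the "magic" helper: a broad set that is downscaled to the
// config rather than rejected.
func RWDirs(paths ...string) Rule {
	return Rule{accessFS: AccessFSReadFile | AccessFSMakeDir | AccessFSRemoveDir, paths: paths}
}

// ErrNotHandled surfaces the programmer mistake the page wants reported:
// a PathAccess() rule asking for rights the config does not handle.
var ErrNotHandled = errors.New("PathAccess rights not handled by config")

// effectiveRules enforces PathAccess(...).accessFS ⊆ handledAccessFS for
// explicit rules and intersects helper rules with handledAccessFS.
func (c Config) effectiveRules(rules ...Rule) ([]Rule, error) {
	out := make([]Rule, 0, len(rules))
	for _, r := range rules {
		if r.explicit {
			if !r.accessFS.isSubsetOf(c.handledAccessFS) {
				return nil, fmt.Errorf("%w: %v requests extra bits %#x",
					ErrNotHandled, r.paths, uint64(r.accessFS&^c.handledAccessFS))
			}
			out = append(out, r)
			continue
		}
		r.accessFS &= c.handledAccessFS // silent downscaling for RWDirs() and friends
		out = append(out, r)
	}
	return out, nil
}

func main() {
	// Config handling only mkdir/rmdir, as in the page's second and third examples.
	cfg := Config{handledAccessFS: AccessFSMakeDir | AccessFSRemoveDir}
	rules, err := cfg.effectiveRules(
		RWDirs("/tmp"),                          // downscaled to MakeDir|RemoveDir
		PathAccess(AccessFSMakeDir, "/home/x/tmp"), // explicit subset, accepted
	)
	fmt.Println(rules, err)

	// The "transmogrify" case: an explicit right the config does not handle.
	_, err = cfg.effectiveRules(PathAccess(AccessTransmogrifyFile, "/tmp"))
	fmt.Println(err)
}
```

The subset test is a single `s &^ other == 0` on the bitmask, so the cost of the conservative rule is negligible; what it buys is that a typo or an ABI-version mismatch in a hand-written `PathAccess()` set fails loudly at configuration time instead of producing a ruleset that silently grants less than the author believed.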