1landlock_add_rule(2)          System Calls Manual         landlock_add_rule(2)
2
3
4

NAME

6       landlock_add_rule - add a new Landlock rule to a ruleset
7

LIBRARY

9       Standard C library (libc, -lc)
10

SYNOPSIS

12       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
13       #include <sys/syscall.h>     /* Definition of SYS_* constants */
14
15       int syscall(SYS_landlock_add_rule, int ruleset_fd,
16                   enum landlock_rule_type rule_type,
17                   const void *rule_attr, uint32_t flags);
18

DESCRIPTION

20       A  Landlock  rule  describes an action on an object.  An object is cur‐
21       rently a file hierarchy, and the related filesystem actions are defined
22       with  a set of access rights.  This landlock_add_rule() system call en‐
23       ables adding a new Landlock rule to an existing  ruleset  created  with
24       landlock_create_ruleset(2).  See landlock(7) for a global overview.
25
26       ruleset_fd  is  a  Landlock ruleset file descriptor obtained with land‐
27       lock_create_ruleset(2).
28
29       rule_type identifies the structure type pointed to by rule_attr.   Cur‐
30       rently, Linux supports the following rule_type value:
31
32       LANDLOCK_RULE_PATH_BENEATH
33              This defines the object type as a file hierarchy.  In this case,
34              rule_attr points to the following structure:
35
36                  struct landlock_path_beneath_attr {
37                      __u64 allowed_access;
38                      __s32 parent_fd;
39                  } __attribute__((packed));
40
41              allowed_access contains a bitmask of allowed filesystem  actions
42              for this file hierarchy (see Filesystem actions in landlock(7)).
43
44              parent_fd  is  an  opened  file  descriptor, preferably with the
45              O_PATH flag, which identifies the parent directory of  the  file
46              hierarchy or just a file.
47
48       flags must be 0.
49

RETURN VALUE

51       On success, landlock_add_rule() returns 0.
52

ERRORS

54       landlock_add_rule() can fail for the following reasons:
55
56       EOPNOTSUPP
57              Landlock is supported by the kernel but disabled at boot time.
58
59       EINVAL flags  is  not  0,  or the rule accesses are inconsistent (i.e.,
60              rule_attr->allowed_access is not a subset of the ruleset handled
61              accesses).
62
63       ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0).
64
65       EBADF  ruleset_fd is not a file descriptor for the current thread, or a
66              member of rule_attr is not a file descriptor as expected.
67
68       EBADFD ruleset_fd is not a ruleset file  descriptor,  or  a  member  of
69              rule_attr is not the expected file descriptor type.
70
71       EPERM  ruleset_fd has no write access to the underlying ruleset.
72
73       EFAULT rule_attr was not a valid address.
74

STANDARDS

76       Linux.
77

HISTORY

79       Linux 5.13.
80

EXAMPLES

82       See landlock(7).
83

SEE ALSO

85       landlock_create_ruleset(2), landlock_restrict_self(2), landlock(7)
86
87
88
89Linux man-pages 6.05              2023-07-08              landlock_add_rule(2)
Impressum