landlock_add_rule(2)          System Calls Manual         landlock_add_rule(2)

NAME
       landlock_add_rule - add a new Landlock rule to a ruleset

LIBRARY
       Standard C library (libc, -lc)

SYNOPSIS
       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_add_rule, int ruleset_fd,
                   enum landlock_rule_type rule_type,
                   const void *rule_attr, uint32_t flags);

DESCRIPTION
       A Landlock rule describes an action on an object.  An object is
       currently a file hierarchy, and the related filesystem actions are
       defined with a set of access rights.  This landlock_add_rule() system
       call enables adding a new Landlock rule to an existing ruleset created
       with landlock_create_ruleset(2).  See landlock(7) for a global
       overview.

       ruleset_fd is a Landlock ruleset file descriptor obtained with
       landlock_create_ruleset(2).

       rule_type identifies the structure type pointed to by rule_attr.
       Currently, Linux supports the following rule_type value:

       LANDLOCK_RULE_PATH_BENEATH
              This defines the object type as a file hierarchy.  In this
              case, rule_attr points to the following structure:

                  struct landlock_path_beneath_attr {
                      __u64 allowed_access;
                      __s32 parent_fd;
                  } __attribute__((packed));

              allowed_access contains a bitmask of allowed filesystem
              actions for this file hierarchy (see Filesystem actions in
              landlock(7)).

              parent_fd is an opened file descriptor, preferably with the
              O_PATH flag, which identifies the parent directory of the file
              hierarchy or just a file.

       flags must be 0.

RETURN VALUE
       On success, landlock_add_rule() returns 0.

ERRORS
       landlock_add_rule() can fail for the following reasons:

       EOPNOTSUPP
              Landlock is supported by the kernel but disabled at boot time.

       EINVAL flags is not 0, or the rule accesses are inconsistent (i.e.,
              rule_attr->allowed_access is not a subset of the ruleset's
              handled accesses).

       ENOMSG Empty accesses (i.e., rule_attr->allowed_access is 0).

       EBADF  ruleset_fd is not a file descriptor for the current thread, or
              a member of rule_attr is not a file descriptor as expected.

       EBADFD ruleset_fd is not a ruleset file descriptor, or a member of
              rule_attr is not the expected file descriptor type.

       EPERM  ruleset_fd has no write access to the underlying ruleset.

       EFAULT rule_attr was not a valid address.

STANDARDS
       Linux.

HISTORY
       Linux 5.13.

EXAMPLES
       See landlock(7).
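       The following program is an added example and is not part of this
       manual page or of the Linux sources.  It builds a ruleset that
       handles every filesystem access of Landlock ABI version 1, adds one
       LANDLOCK_RULE_PATH_BENEATH rule granting read-only access beneath a
       directory (argv[1], defaulting to "/usr"), enforces it with
       landlock_restrict_self(2), and then shows the effect with two open(2)
       calls.  Before calling landlock_add_rule() it runs a local check that
       mirrors the EINVAL and ENOMSG conditions from ERRORS.  The ll_*
       wrappers, die(), HANDLED_FS_ABI_V1, RULE_READ_ONLY and the header
       fallback for pre-5.13 kernel headers are this example's own
       assumptions, not libc or kernel APIs.

```c
/* Added example; not from the man page or the Linux sources.  It makes the
 * filesystem read-only beneath one directory (argv[1], default "/usr") and
 * inaccessible elsewhere, after checking the rule the way ERRORS describes. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#if defined __has_include
#  if __has_include(<linux/landlock.h>)
#    include <linux/landlock.h>
#    define HAVE_LANDLOCK_UAPI 1
#  endif
#endif
#ifndef HAVE_LANDLOCK_UAPI
/* Fallback for kernel headers older than 5.13, assumed to match the ABI v1
 * UAPI; only the constants this example uses are defined. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));
enum landlock_rule_type { LANDLOCK_RULE_PATH_BENEATH = 1 };
#define LANDLOCK_ACCESS_FS_EXECUTE    (1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE  (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR   (1ULL << 3)
#endif
#ifndef SYS_landlock_add_rule   /* same numbers on every architecture */
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_add_rule       445
#define SYS_landlock_restrict_self  446
#endif
#ifndef O_PATH
#define O_PATH 0  /* headers without O_PATH: fall back to a plain O_RDONLY open */
#endif

/* All 13 filesystem access bits of ABI v1 (EXECUTE through MAKE_SYM); handling
 * every one means any access no rule explicitly allows is denied. */
#define HANDLED_FS_ABI_V1 ((1ULL << 13) - 1)
#define RULE_READ_ONLY (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | \
                        LANDLOCK_ACCESS_FS_READ_DIR)

/* Mirrors ERRORS: ENOMSG for an empty rule, EINVAL when the rule grants an
 * access the ruleset does not handle.  Returns 0 when the rule is consistent. */
static int check_rule_against_ruleset(uint64_t handled_access_fs,
                                      uint64_t allowed_access)
{
    if (allowed_access == 0)
        return ENOMSG;
    if (allowed_access & ~handled_access_fs)
        return EINVAL;
    return 0;
}

/* Thin syscall wrappers; the ll_ names are this example's own, not libc's. */
static int ll_create_ruleset(const struct landlock_ruleset_attr *a, size_t n,
                             uint32_t flags)
{ return (int)syscall(SYS_landlock_create_ruleset, a, n, flags); }
static int ll_add_rule(int fd, enum landlock_rule_type t, const void *a,
                       uint32_t flags)
{ return (int)syscall(SYS_landlock_add_rule, fd, t, a, flags); }
static int ll_restrict_self(int fd, uint32_t flags)
{ return (int)syscall(SYS_landlock_restrict_self, fd, flags); }
static void die(const char *what) { perror(what); exit(1); }

int main(int argc, char **argv)
{
#ifndef __linux__
    (void)argc; (void)argv; fputs("Landlock is Linux-only\n", stderr); return 1;
#else
    const char *dir = argc > 1 ? argv[1] : "/usr";
    struct landlock_ruleset_attr rs = { .handled_access_fs = HANDLED_FS_ABI_V1 };
    struct landlock_path_beneath_attr rule = { .allowed_access = RULE_READ_ONLY };
    int err = check_rule_against_ruleset(rs.handled_access_fs, rule.allowed_access);
    if (err) { fprintf(stderr, "rule rejected locally: %s\n", strerror(err)); return 1; }
    /* ENOSYS or EOPNOTSUPP here means the running kernel offers no Landlock. */
    int ruleset_fd = ll_create_ruleset(&rs, sizeof rs, 0);
    if (ruleset_fd < 0) die("landlock_create_ruleset");
    /* O_PATH: the rule needs a handle on the directory, not read access to it. */
    rule.parent_fd = open(dir, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0) die(dir);
    if (ll_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0)) die("landlock_add_rule");
    close(rule.parent_fd);  /* the ruleset keeps its own reference to the path */
    /* landlock_restrict_self(2) needs no_new_privs unless the caller has CAP_SYS_ADMIN. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) die("prctl");
    if (ll_restrict_self(ruleset_fd, 0)) die("landlock_restrict_self");
    close(ruleset_fd);
    /* Policy now in effect: listing dir succeeds, creating a file under /tmp does not. */
    int r = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    printf("open(\"%s\"): %s\n", dir, r >= 0 ? "allowed" : strerror(errno));
    int w = open("/tmp/landlock-demo", O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    printf("create /tmp/landlock-demo: %s\n", w >= 0 ? "allowed" : strerror(errno));
    return 0;
#endif
}
```

       Build with "cc -o landlock_demo landlock_demo.c" and run
       "./landlock_demo /usr"; on a kernel of 5.13 or later with Landlock
       enabled the first open succeeds and the second fails with EACCES,
       while an older kernel reports ENOSYS (or EOPNOTSUPP if Landlock is
       disabled at boot).  The local check only catches mistakes early; the
       kernel still performs the same subset test and returns EINVAL or
       ENOMSG itself.  HANDLED_FS_ABI_V1 deliberately stops at the bits known
       to Linux 5.13, because asking landlock_create_ruleset(2) to handle an
       access the running kernel does not know fails with EINVAL; a
       production sandbox probes the ABI version with
       LANDLOCK_CREATE_RULESET_VERSION and masks its handled set accordingly.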

SEE ALSO
       landlock_create_ruleset(2), landlock_restrict_self(2), landlock(7)

Linux man-pages 6.05              2023-07-08              landlock_add_rule(2)