landlock_restrict_self(2)     System Calls Manual    landlock_restrict_self(2)

NAME

       landlock_restrict_self - enforce a Landlock ruleset

LIBRARY

       Standard C library (libc, -lc)

SYNOPSIS

       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_restrict_self, int ruleset_fd,
                   uint32_t flags);

DESCRIPTION

       Once a Landlock ruleset is populated with the desired rules, the
       landlock_restrict_self() system call enables enforcing this ruleset on
       the calling thread.  See landlock(7) for a global overview.

       A thread can be restricted with multiple rulesets that are then
       composed together to form the thread's Landlock domain.  This can be
       seen as a stack of rulesets but it is implemented in a more efficient
       way.  A domain can only be updated in such a way that the constraints
       of each past and future composed rulesets will restrict the thread and
       its future children for their entire life.  It is then possible to
       gradually enforce tailored access control policies with multiple
       independent rulesets coming from different sources (e.g., init system
       configuration, user session policy, built-in application policy).
       However, most applications should only need one call to
       landlock_restrict_self() and they should avoid arbitrary numbers of
       such calls because of the composed rulesets limit.  Instead, developers
       are encouraged to build a tailored ruleset thanks to multiple calls to
       landlock_add_rule(2).

       In order to enforce a ruleset, either the caller must have the
       CAP_SYS_ADMIN capability in its user namespace, or the thread must
       already have the no_new_privs bit set.  As for seccomp(2), this avoids
       scenarios where unprivileged processes can affect the behavior of
       privileged children (e.g., because of set-user-ID binaries).  If that
       bit was not already set by an ancestor of this thread, the thread must
       make the following call:

              prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

       ruleset_fd is a Landlock ruleset file descriptor obtained with
       landlock_create_ruleset(2) and fully populated with a set of calls to
       landlock_add_rule(2).

       flags must be 0.


RETURN VALUE

       On success, landlock_restrict_self() returns 0.  On error, -1 is
       returned, and errno is set to indicate the error.


ERRORS

       landlock_restrict_self() can fail for the following reasons:

       EOPNOTSUPP
              Landlock is supported by the kernel but disabled at boot time.

       EINVAL flags is not 0.

       EBADF  ruleset_fd is not a file descriptor for the current thread.

       EBADFD ruleset_fd is not a ruleset file descriptor.

       EPERM  ruleset_fd has no read access to the underlying ruleset, or the
              calling thread is not running with no_new_privs, or it doesn't
              have the CAP_SYS_ADMIN in its user namespace.

       E2BIG  The maximum number of composed rulesets is reached for the
              calling thread.  This limit is currently 64.


STANDARDS

       Linux.


HISTORY

       Linux 5.13.


EXAMPLES

       See landlock(7).

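       The following program is an added example and is not part of this
       manual page or of the kernel's own code.  It shows the full sequence
       described above: query the Landlock ABI version, build a ruleset that
       handles only the file-system rights that ABI knows, allow read access
       below one directory, set no_new_privs, and finally call
       landlock_restrict_self() with flags set to 0.  The helper names
       (handled_fs_for_abi, landlock_abi_version, landlock_enforce,
       restrict_to_read_only) are this example's own; the fallback macro
       values mirror <linux/landlock.h> and <sys/syscall.h> for older headers
       and are an assumption about those headers, not something this page
       states.

```c
/* Added example, not from the man page.  Assumes a Linux 5.13+ kernel with
 * Landlock enabled; on other kernels restrict_to_read_only() reports why. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/landlock.h>

/* Fallbacks for older headers (assumed to match the uapi definitions). */
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_add_rule       445
#define SYS_landlock_restrict_self  446
#endif
#ifndef LANDLOCK_ACCESS_FS_REFER          /* added in ABI 2 */
#define LANDLOCK_ACCESS_FS_REFER    (1ULL << 13)
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE       /* added in ABI 3 */
#define LANDLOCK_ACCESS_FS_TRUNCATE (1ULL << 14)
#endif

/* Every file-system access right understood by ABI 1. */
#define ACCESS_FS_ABI1 ( \
    LANDLOCK_ACCESS_FS_EXECUTE   | LANDLOCK_ACCESS_FS_WRITE_FILE  | \
    LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR    | \
    LANDLOCK_ACCESS_FS_REMOVE_DIR| LANDLOCK_ACCESS_FS_REMOVE_FILE | \
    LANDLOCK_ACCESS_FS_MAKE_CHAR | LANDLOCK_ACCESS_FS_MAKE_DIR    | \
    LANDLOCK_ACCESS_FS_MAKE_REG  | LANDLOCK_ACCESS_FS_MAKE_SOCK   | \
    LANDLOCK_ACCESS_FS_MAKE_FIFO | LANDLOCK_ACCESS_FS_MAKE_BLOCK  | \
    LANDLOCK_ACCESS_FS_MAKE_SYM)

/* Rights a ruleset may handle on a kernel of the given ABI version: naming a
 * right the kernel does not know makes landlock_create_ruleset() fail. */
uint64_t handled_fs_for_abi(int abi)
{
    uint64_t mask = ACCESS_FS_ABI1;
    if (abi >= 2) mask |= LANDLOCK_ACCESS_FS_REFER;
    if (abi >= 3) mask |= LANDLOCK_ACCESS_FS_TRUNCATE;
    return mask;
}

/* Landlock ABI version, or -1 when the kernel lacks Landlock or has it disabled. */
int landlock_abi_version(void)
{
    long v = syscall(SYS_landlock_create_ruleset, NULL, 0,
                     LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* Enforce ruleset_fd on the calling thread.  no_new_privs is set first, as
 * required for callers without CAP_SYS_ADMIN.  Returns 0 or -errno. */
int landlock_enforce(int ruleset_fd)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0) != 0)  /* flags must be 0 */
        return -errno;
    return 0;
}

/* Handle every right this kernel knows, allow only reads below ro_dir,
 * then enforce.  Returns 0 or -errno. */
int restrict_to_read_only(const char *ro_dir)
{
    int abi = landlock_abi_version();
    if (abi < 0)
        return -EOPNOTSUPP;

    struct landlock_ruleset_attr attr = { .handled_access_fs = handled_fs_for_abi(abi) };
    int ruleset_fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0)
        return -errno;

    struct landlock_path_beneath_attr rule = {
        .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR,
        .parent_fd = open(ro_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC),
    };
    int err;
    if (rule.parent_fd < 0 ||
        syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) != 0)
        err = -errno;
    else
        err = landlock_enforce(ruleset_fd);

    if (rule.parent_fd >= 0) close(rule.parent_fd);
    close(ruleset_fd);  /* the domain holds its own reference; the fd is no longer needed */
    return err;
}

int main(void)
{
    int err = restrict_to_read_only("/usr");
    if (err) {
        fprintf(stderr, "restrict_to_read_only: %s\n", strerror(-err));
        return 1;
    }
    /* From here on, creating or writing files is denied with EACCES. */
    int fd = open("/tmp/landlock-demo", O_WRONLY | O_CREAT, 0600);
    printf("open(/tmp/landlock-demo, write) -> %s\n",
           fd < 0 ? strerror(errno) : "allowed (unexpected)");
    if (fd >= 0) close(fd);
    return 0;
}
```

       Querying the ABI version before building the ruleset is what keeps the
       program working across kernels: on an ABI 1 kernel it silently handles
       fewer rights rather than failing at landlock_create_ruleset(2).  The
       ruleset descriptor can be closed right after enforcement because the
       thread's domain keeps its own reference.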

SEE ALSO

       landlock_create_ruleset(2), landlock_add_rule(2), landlock(7)



Linux man-pages 6.05              2023-03-30         landlock_restrict_self(2)