landlock_restrict_self(2)    System Calls Manual    landlock_restrict_self(2)

NAME
       landlock_restrict_self - enforce a Landlock ruleset

LIBRARY
       Standard C library (libc, -lc)

SYNOPSIS
       #include <linux/landlock.h>  /* Definition of LANDLOCK_* constants */
       #include <sys/syscall.h>     /* Definition of SYS_* constants */

       int syscall(SYS_landlock_restrict_self, int ruleset_fd,
                   uint32_t flags);

DESCRIPTION
       Once a Landlock ruleset is populated with the desired rules, the
       landlock_restrict_self() system call enforces this ruleset on the
       calling thread.  See landlock(7) for a global overview.

       A thread can be restricted with multiple rulesets that are then
       composed together to form the thread's Landlock domain.  This can be
       seen as a stack of rulesets, but it is implemented in a more
       efficient way.  A domain can only be updated in such a way that the
       constraints of every past and future composed ruleset restrict the
       thread and its future children for their entire life.  It is thus
       possible to gradually enforce tailored access-control policies with
       multiple independent rulesets coming from different sources (e.g.,
       init system configuration, user session policy, built-in application
       policy).  However, most applications should only need one call to
       landlock_restrict_self(), and they should avoid an arbitrary number
       of such calls because of the composed-rulesets limit (see E2BIG
       below).  Instead, developers are encouraged to build one tailored
       ruleset with multiple calls to landlock_add_rule(2).

       In order to enforce a ruleset, either the caller must have the
       CAP_SYS_ADMIN capability in its user namespace, or the thread must
       already have the no_new_privs bit set.  As for seccomp(2), this
       avoids scenarios where unprivileged processes can affect the behavior
       of privileged children (e.g., because of set-user-ID binaries).  If
       that bit was not already set by an ancestor of this thread, the
       thread must make the following call before landlock_restrict_self():

           prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

       ruleset_fd is a Landlock ruleset file descriptor obtained with
       landlock_create_ruleset(2) and fully populated with a set of calls to
       landlock_add_rule(2).

       flags must be 0.
52
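       The enforcement sequence described above, as an added example that
       is not part of this manual page nor of the kernel's own samples: it
       probes the ABI version, builds a ruleset that handles every ABI v1
       filesystem right, allows read-only access beneath a directory, sets
       no_new_privs and enforces the ruleset; it then does all of that in a
       forked child (as a sandboxer does before execve(2)) and reports what
       the child could still open.  The function names
       landlock_abi_version(), try_open(), restrict_to_read_only() and
       sandbox_probe(), the PROBE_* result codes and the fallback syscall
       numbers are this example's own assumptions, not part of the Landlock
       API.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/landlock.h>

#ifndef SYS_landlock_create_ruleset /* old <sys/syscall.h>; same numbers on every arch */
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_add_rule 445
#define SYS_landlock_restrict_self 446
#endif

/* The 13 filesystem rights of ABI v1 (bits 0..12) and their read-style subset.
 * Handling a right the running kernel does not know makes landlock_create_ruleset(2)
 * fail with EINVAL, so a portable program masks rights above the probed ABI off. */
#define FS_ALL_V1 ((1ULL << 13) - 1)
#define FS_READ (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | \
                 LANDLOCK_ACCESS_FS_READ_DIR)

/* Highest supported ABI, or -errno (-ENOSYS: no Landlock; -EOPNOTSUPP: disabled at boot). */
long landlock_abi_version(void)
{
    long v = syscall(SYS_landlock_create_ruleset, NULL, 0,
                     LANDLOCK_CREATE_RULESET_VERSION);
    return v < 0 ? -errno : v;
}

/* open(2) probe returning 0 or -errno, to observe the enforced domain. */
int try_open(const char *path, int flags)
{
    int fd = open(path, flags | O_CLOEXEC, 0600);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Enforce on the calling thread a domain that handles every v1 filesystem right
 * and allows only read-style access beneath ro_root.  Returns 0 or -errno. */
int restrict_to_read_only(const char *ro_root)
{
    struct landlock_ruleset_attr attr = { .handled_access_fs = FS_ALL_V1 };
    struct landlock_path_beneath_attr beneath = { .allowed_access = FS_READ };
    int ruleset_fd, ret = 0;

    ruleset_fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (ruleset_fd < 0)
        return -errno;
    beneath.parent_fd = open(ro_root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (beneath.parent_fd < 0)
        ret = -errno;
    else if (syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                     &beneath, 0) < 0)
        ret = -errno;
    if (beneath.parent_fd >= 0)
        close(beneath.parent_fd); /* the rule keeps its own reference */
    /* Mandatory unless the caller has CAP_SYS_ADMIN in its user namespace;
     * harmless if an ancestor already set it, and it can never be cleared. */
    if (ret == 0 && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        ret = -errno;
    /* flags must be 0.  EPERM: neither no_new_privs nor CAP_SYS_ADMIN;
     * E2BIG: the composed-rulesets limit of this thread is reached. */
    if (ret == 0 && syscall(SYS_landlock_restrict_self, ruleset_fd, 0) < 0)
        ret = -errno;
    close(ruleset_fd); /* the enforced domain no longer needs the descriptor */
    return ret;
}

/* Fork, enforce in the child (as a sandboxer does before execve(2)) and probe
 * from there, so the caller stays unrestricted.  Returns the errno of the
 * child's refused write (EACCES under Landlock), 0 if the write was allowed,
 * PROBE_NO_DOMAIN if enforcement failed, PROBE_READ_DENIED if reading ro_root
 * failed, or -errno if fork(2)/waitpid(2) failed. */
#define PROBE_NO_DOMAIN 255
#define PROBE_READ_DENIED 254
int sandbox_probe(const char *ro_root, const char *write_path)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        if (restrict_to_read_only(ro_root) < 0)
            _exit(PROBE_NO_DOMAIN);
        if (try_open(ro_root, O_RDONLY | O_DIRECTORY) < 0)
            _exit(PROBE_READ_DENIED);
        _exit(-try_open(write_path, O_WRONLY | O_CREAT));
    }
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -ECHILD; /* killed by a signal */
}
```

       Linked with a main() that calls sandbox_probe("/",
       "landlock-demo.tmp") (a throwaway file name in the working
       directory, chosen for this example), the call returns EACCES on a
       kernel with Landlock enabled and PROBE_NO_DOMAIN otherwise, while
       the parent itself is never restricted.  Calling
       restrict_to_read_only() a second time in the same thread with a
       subdirectory of the first root stacks a further ruleset onto its
       domain: an access must be allowed by every composed layer, so reads
       then succeed only beneath that subdirectory, and no later call can
       widen them again.  Closing ruleset_fd right after enforcement, as
       done here, is fine, since the domain keeps its own copy of the rules.
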
RETURN VALUE
       On success, landlock_restrict_self() returns 0.

ERRORS
       landlock_restrict_self() can fail for the following reasons:

       EOPNOTSUPP
              Landlock is supported by the kernel but disabled at boot time.

       EINVAL flags is not 0.

       EBADF  ruleset_fd is not a file descriptor for the current thread.

       EBADFD ruleset_fd is not a ruleset file descriptor.

       EPERM  ruleset_fd has no read access to the underlying ruleset, or
              the calling thread is not running with no_new_privs, or it
              doesn't have the CAP_SYS_ADMIN capability in its user
              namespace.

       E2BIG  The maximum number of composed rulesets is reached for the
              calling thread.  This limit is currently 16
              (LANDLOCK_MAX_NUM_LAYERS in the kernel sources).

STANDARDS
       Linux.

HISTORY
       Linux 5.13.

EXAMPLES
       See landlock(7).

SEE ALSO
       landlock_create_ruleset(2), landlock_add_rule(2), landlock(7)

Linux man-pages 6.05              2023-03-30         landlock_restrict_self(2)