€•Ã      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ,/translations/zh_CN/admin-guide/LSM/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/zh_TW/admin-guide/LSM/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/it_IT/admin-guide/LSM/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/ja_JP/admin-guide/LSM/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/ko_KR/admin-guide/LSM/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/sp_SP/admin-guide/LSM/landlock”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒF/var/lib/git/docbuild/linux/Documentation/admin-guide/LSM/landlock.rst”h Kubh¢)”}”(hŒ'Copyright Â© 2025 Microsoft Corporation”h]”hŒ'Copyright Â© 2025 Microsoft Corporation”…””}”hh´sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hhhžhhŸh³h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ Landlock: system-wide management”h]”hŒ Landlock: system-wide management”…””}”(hhÉhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhhÄhžhhŸh³h KubhŒ
field_list”“”)”}”(hhh]”(hŒfield”“”)”}”(hhh]”(hŒ
field_name”“”)”}”(hŒAuthor”h]”hŒAuthor”…””}”(hhãhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhhÞhŸh³h K ubhŒ
field_body”“”)”}”(hŒMickaÃ«l SalaÃ¼n”h]”hŒ	paragraph”“”)”}”(hhõh]”hŒMickaÃ«l SalaÃ¼n”…””}”(hhùhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h Khhóubah}”(h]”h ]”h"]”h$]”h&]”uh1hñhhÞubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÜhŸh³h KhhÙhžhubhÝ)”}”(hhh]”(hâ)”}”(hŒDate”h]”hŒDate”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj  hŸh³h K ubhò)”}”(hŒMarch 2025
”h]”hø)”}”(hŒ
March 2025”h]”hŒ
March 2025”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K	hj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hñhj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÜhŸh³h K	hhÙhžhubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hhÄhžhhŸh³h Kubhø)”}”(hŒ8Landlock can leverage the audit framework to log events.”h]”hŒ8Landlock can leverage the audit framework to log events.”…””}”(hjG  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KhhÄhžhubhø)”}”(hŒUUser space documentation can be found here:
Documentation/userspace-api/landlock.rst.”h]”hŒUUser space documentation can be found here:
Documentation/userspace-api/landlock.rst.”…””}”(hjU  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KhhÄhžhubhÃ)”}”(hhh]”(hÈ)”}”(hŒAudit”h]”hŒAudit”…””}”(hjf  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhjc  hžhhŸh³h Kubhø)”}”(hXC  Denied access requests are logged by default for a sandboxed program if `audit`
is enabled.  This default behavior can be changed with the
sys_landlock_restrict_self() flags (cf.
Documentation/userspace-api/landlock.rst).  Landlock logs can also be masked
thanks to audit rules.  Landlock can generate 2 audit record types.”h]”(hŒHDenied access requests are logged by default for a sandboxed program if ”…””}”(hjt  hžhhŸNh NubhŒtitle_reference”“”)”}”(hŒ`audit`”h]”hŒaudit”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j|  hjt  ubhŒô
is enabled.  This default behavior can be changed with the
sys_landlock_restrict_self() flags (cf.
Documentation/userspace-api/landlock.rst).  Landlock logs can also be masked
thanks to audit rules.  Landlock can generate 2 audit record types.”…””}”(hjt  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h Khjc  hžhubhÃ)”}”(hhh]”(hÈ)”}”(hŒRecord types”h]”hŒRecord types”…””}”(hj™  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj–  hžhhŸh³h KubhŒdefinition_list”“”)”}”(hhh]”(hŒdefinition_list_item”“”)”}”(hX  AUDIT_LANDLOCK_ACCESS
This record type identifies a denied access request to a kernel resource.
The ``domain`` field indicates the ID of the domain that blocked the
request.  The ``blockers`` field indicates the cause(s) of this denial
(separated by a comma), and the following fields identify the kernel object
(similar to SELinux).  There may be more than one of this record type per
audit event.

Example with a file link request generating two records in the same event::

    domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351
    domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365
”h]”(hŒterm”“”)”}”(hŒAUDIT_LANDLOCK_ACCESS”h]”hŒAUDIT_LANDLOCK_ACCESS”…””}”(hj´  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j²  hŸh³h K'hj®  ubhŒ
definition”“”)”}”(hhh]”(hø)”}”(hXx  This record type identifies a denied access request to a kernel resource.
The ``domain`` field indicates the ID of the domain that blocked the
request.  The ``blockers`` field indicates the cause(s) of this denial
(separated by a comma), and the following fields identify the kernel object
(similar to SELinux).  There may be more than one of this record type per
audit event.”h]”(hŒNThis record type identifies a denied access request to a kernel resource.
The ”…””}”(hjÇ  hžhhŸNh NubhŒliteral”“”)”}”(hŒ
``domain``”h]”hŒdomain”…””}”(hjÑ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjÇ  ubhŒE field indicates the ID of the domain that blocked the
request.  The ”…””}”(hjÇ  hžhhŸNh NubjÐ  )”}”(hŒ``blockers``”h]”hŒblockers”…””}”(hjã  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjÇ  ubhŒÏ field indicates the cause(s) of this denial
(separated by a comma), and the following fields identify the kernel object
(similar to SELinux).  There may be more than one of this record type per
audit event.”…””}”(hjÇ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KhjÄ  ubhø)”}”(hŒKExample with a file link request generating two records in the same event::”h]”hŒJExample with a file link request generating two records in the same event:”…””}”(hjû  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K$hjÄ  ubhŒliteral_block”“”)”}”(hŒ™domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351
domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365”h]”hŒ™domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351
domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j	  hŸh³h K&hjÄ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj®  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j¬  hŸh³h K'hj©  ubj­  )”}”(hXï  AUDIT_LANDLOCK_DOMAIN
This record type describes the status of a Landlock domain.  The ``status``
field can be either ``allocated`` or ``deallocated``.

The ``allocated`` status is part of the same audit event and follows
the first logged ``AUDIT_LANDLOCK_ACCESS`` record of a domain.  It identifies
Landlock domain information at the time of the sys_landlock_restrict_self()
call with the following fields:

- the ``domain`` ID
- the enforcement ``mode``
- the domain creator's ``pid``
- the domain creator's ``uid``
- the domain creator's executable path (``exe``)
- the domain creator's command line (``comm``)

Example::

    domain=195ba459b status=allocated mode=enforcing pid=300 uid=0 exe="/root/sandboxer" comm="sandboxer"

The ``deallocated`` status is an event on its own and it identifies a
Landlock domain release.  After such event, it is guarantee that the
related domain ID will never be reused during the lifetime of the system.
The ``domain`` field indicates the ID of the domain which is released, and
the ``denials`` field indicates the total number of denied access request,
which might not have been logged according to the audit rules and
sys_landlock_restrict_self()'s flags.

Example::

    domain=195ba459b status=deallocated denials=3

”h]”(j³  )”}”(hŒAUDIT_LANDLOCK_DOMAIN”h]”hŒAUDIT_LANDLOCK_DOMAIN”…””}”(hj)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j²  hŸh³h KHhj%  ubjÃ  )”}”(hhh]”(hø)”}”(hŒThis record type describes the status of a Landlock domain.  The ``status``
field can be either ``allocated`` or ``deallocated``.”h]”(hŒAThis record type describes the status of a Landlock domain.  The ”…””}”(hj:  hžhhŸNh NubjÐ  )”}”(hŒ
``status``”h]”hŒstatus”…””}”(hjB  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj:  ubhŒ
field can be either ”…””}”(hj:  hžhhŸNh NubjÐ  )”}”(hŒ``allocated``”h]”hŒ	allocated”…””}”(hjT  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj:  ubhŒ or ”…””}”(hj:  hžhhŸNh NubjÐ  )”}”(hŒ``deallocated``”h]”hŒdeallocated”…””}”(hjf  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj:  ubhŒ.”…””}”(hj:  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K*hj7  ubhø)”}”(hŒþThe ``allocated`` status is part of the same audit event and follows
the first logged ``AUDIT_LANDLOCK_ACCESS`` record of a domain.  It identifies
Landlock domain information at the time of the sys_landlock_restrict_self()
call with the following fields:”h]”(hŒThe ”…””}”(hj~  hžhhŸNh NubjÐ  )”}”(hŒ``allocated``”h]”hŒ	allocated”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj~  ubhŒE status is part of the same audit event and follows
the first logged ”…””}”(hj~  hžhhŸNh NubjÐ  )”}”(hŒ``AUDIT_LANDLOCK_ACCESS``”h]”hŒAUDIT_LANDLOCK_ACCESS”…””}”(hj˜  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj~  ubhŒ record of a domain.  It identifies
Landlock domain information at the time of the sys_landlock_restrict_self()
call with the following fields:”…””}”(hj~  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K-hj7  ubhŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒthe ``domain`` ID”h]”hø)”}”(hj¹  h]”(hŒthe ”…””}”(hj»  hžhhŸNh NubjÐ  )”}”(hŒ
``domain``”h]”hŒdomain”…””}”(hjÂ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj»  ubhŒ ID”…””}”(hj»  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K2hj·  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hj²  ubj¶  )”}”(hŒthe enforcement ``mode``”h]”hø)”}”(hjâ  h]”(hŒthe enforcement ”…””}”(hjä  hžhhŸNh NubjÐ  )”}”(hŒ``mode``”h]”hŒmode”…””}”(hjë  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjä  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K3hjà  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hj²  ubj¶  )”}”(hŒthe domain creator's ``pid``”h]”hø)”}”(hj  h]”(hŒthe domain creatorâ€™s ”…””}”(hj	  hžhhŸNh NubjÐ  )”}”(hŒ``pid``”h]”hŒpid”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj	  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K4hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hj²  ubj¶  )”}”(hŒthe domain creator's ``uid``”h]”hø)”}”(hj,  h]”(hŒthe domain creatorâ€™s ”…””}”(hj.  hžhhŸNh NubjÐ  )”}”(hŒ``uid``”h]”hŒuid”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj.  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K5hj*  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hj²  ubj¶  )”}”(hŒ.the domain creator's executable path (``exe``)”h]”hø)”}”(hjQ  h]”(hŒ(the domain creatorâ€™s executable path (”…””}”(hjS  hžhhŸNh NubjÐ  )”}”(hŒ``exe``”h]”hŒexe”…””}”(hjZ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjS  ubhŒ)”…””}”(hjS  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K6hjO  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hj²  ubj¶  )”}”(hŒ-the domain creator's command line (``comm``)
”h]”hø)”}”(hŒ,the domain creator's command line (``comm``)”h]”(hŒ%the domain creatorâ€™s command line (”…””}”(hj|  hžhhŸNh NubjÐ  )”}”(hŒ``comm``”h]”hŒcomm”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj|  ubhŒ)”…””}”(hj|  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K7hjx  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hj²  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j°  hŸh³h K2hj7  ubhø)”}”(hŒ	Example::”h]”hŒExample:”…””}”(hjª  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K9hj7  ubj
  )”}”(hŒedomain=195ba459b status=allocated mode=enforcing pid=300 uid=0 exe="/root/sandboxer" comm="sandboxer"”h]”hŒedomain=195ba459b status=allocated mode=enforcing pid=300 uid=0 exe="/root/sandboxer" comm="sandboxer"”…””}”hj¸  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j	  hŸh³h K;hj7  ubhø)”}”(hXÒ  The ``deallocated`` status is an event on its own and it identifies a
Landlock domain release.  After such event, it is guarantee that the
related domain ID will never be reused during the lifetime of the system.
The ``domain`` field indicates the ID of the domain which is released, and
the ``denials`` field indicates the total number of denied access request,
which might not have been logged according to the audit rules and
sys_landlock_restrict_self()'s flags.”h]”(hŒThe ”…””}”(hjÆ  hžhhŸNh NubjÐ  )”}”(hŒ``deallocated``”h]”hŒdeallocated”…””}”(hjÎ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjÆ  ubhŒÆ status is an event on its own and it identifies a
Landlock domain release.  After such event, it is guarantee that the
related domain ID will never be reused during the lifetime of the system.
The ”…””}”(hjÆ  hžhhŸNh NubjÐ  )”}”(hŒ
``domain``”h]”hŒdomain”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjÆ  ubhŒA field indicates the ID of the domain which is released, and
the ”…””}”(hjÆ  hžhhŸNh NubjÐ  )”}”(hŒ``denials``”h]”hŒdenials”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjÆ  ubhŒ¥ field indicates the total number of denied access request,
which might not have been logged according to the audit rules and
sys_landlock_restrict_self()â€™s flags.”…””}”(hjÆ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K=hj7  ubhø)”}”(hŒ	Example::”h]”hŒExample:”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KEhj7  ubj
  )”}”(hŒ-domain=195ba459b status=deallocated denials=3”h]”hŒ-domain=195ba459b status=deallocated denials=3”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j	  hŸh³h KGhj7  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÂ  hj%  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j¬  hŸh³h KHhj©  hžhubeh}”(h]”h ]”h"]”h$]”h&]”uh1j§  hj–  hžhhŸh³h Nubeh}”(h]”Œrecord-types”ah ]”h"]”Œrecord types”ah$]”h&]”uh1hÂhjc  hžhhŸh³h KubhÃ)”}”(hhh]”(hÈ)”}”(hŒEvent samples”h]”hŒEvent samples”…””}”(hjC  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj@  hžhhŸh³h KKubhø)”}”(hŒ9Here are two examples of log events (see serial numbers).”h]”hŒ9Here are two examples of log events (see serial numbers).”…””}”(hjQ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KMhj@  hžhubhø)”}”(hŒ¨In this example a sandboxed program (``kill``) tries to send a signal to the
init process, which is denied because of the signal scoping restriction
(``LL_SCOPED=s``)::”h]”(hŒ%In this example a sandboxed program (”…””}”(hj_  hžhhŸNh NubjÐ  )”}”(hŒ``kill``”h]”hŒkill”…””}”(hjg  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj_  ubhŒi) tries to send a signal to the
init process, which is denied because of the signal scoping restriction
(”…””}”(hj_  hžhhŸNh NubjÐ  )”}”(hŒ``LL_SCOPED=s``”h]”hŒLL_SCOPED=s”…””}”(hjy  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj_  ubhŒ):”…””}”(hj_  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KOhj@  hžhubj
  )”}”(hŒE$ LL_FS_RO=/ LL_FS_RW=/ LL_SCOPED=s LL_FORCE_LOG=1 ./sandboxer kill 1”h]”hŒE$ LL_FS_RO=/ LL_FS_RW=/ LL_SCOPED=s LL_FORCE_LOG=1 ./sandboxer kill 1”…””}”hj‘  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j	  hŸh³h KShj@  hžhubhø)”}”(hXÔ  This command generates two events, each identified with a unique serial
number following a timestamp (``msg=audit(1729738800.268:30)``).  The first
event (serial ``30``) contains 4 records.  The first record
(``type=LANDLOCK_ACCESS``) shows an access denied by the domain `1a6fdc66f`.
The cause of this denial is signal scopping restriction
(``blockers=scope.signal``).  The process that would have receive this signal
is the init process (``opid=1 ocomm="systemd"``).”h]”(hŒfThis command generates two events, each identified with a unique serial
number following a timestamp (”…””}”(hjŸ  hžhhŸNh NubjÐ  )”}”(hŒ ``msg=audit(1729738800.268:30)``”h]”hŒmsg=audit(1729738800.268:30)”…””}”(hj§  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjŸ  ubhŒ).  The first
event (serial ”…””}”(hjŸ  hžhhŸNh NubjÐ  )”}”(hŒ``30``”h]”hŒ30”…””}”(hj¹  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjŸ  ubhŒ)) contains 4 records.  The first record
(”…””}”(hjŸ  hžhhŸNh NubjÐ  )”}”(hŒ``type=LANDLOCK_ACCESS``”h]”hŒtype=LANDLOCK_ACCESS”…””}”(hjË  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjŸ  ubhŒ') shows an access denied by the domain ”…””}”(hjŸ  hžhhŸNh Nubj}  )”}”(hŒ`1a6fdc66f`”h]”hŒ	1a6fdc66f”…””}”(hjÝ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j|  hjŸ  ubhŒ;.
The cause of this denial is signal scopping restriction
(”…””}”(hjŸ  hžhhŸNh NubjÐ  )”}”(hŒ``blockers=scope.signal``”h]”hŒblockers=scope.signal”…””}”(hjï  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjŸ  ubhŒI).  The process that would have receive this signal
is the init process (”…””}”(hjŸ  hžhhŸNh NubjÐ  )”}”(hŒ``opid=1 ocomm="systemd"``”h]”hŒopid=1 ocomm="systemd"”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjŸ  ubhŒ).”…””}”(hjŸ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KUhj@  hžhubhø)”}”(hŒÒThe second record (``type=LANDLOCK_DOMAIN``) describes (``status=allocated``)
domain `1a6fdc66f`.  This domain was created by process ``286`` executing the
``/root/sandboxer`` program launched by the root user.”h]”(hŒThe second record (”…””}”(hj  hžhhŸNh NubjÐ  )”}”(hŒ``type=LANDLOCK_DOMAIN``”h]”hŒtype=LANDLOCK_DOMAIN”…””}”(hj!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj  ubhŒ) describes (”…””}”(hj  hžhhŸNh NubjÐ  )”}”(hŒ``status=allocated``”h]”hŒstatus=allocated”…””}”(hj3  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj  ubhŒ	)
domain ”…””}”(hj  hžhhŸNh Nubj}  )”}”(hŒ`1a6fdc66f`”h]”hŒ	1a6fdc66f”…””}”(hjE  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j|  hj  ubhŒ&.  This domain was created by process ”…””}”(hj  hžhhŸNh NubjÐ  )”}”(hŒ``286``”h]”hŒ286”…””}”(hjW  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj  ubhŒ executing the
”…””}”(hj  hžhhŸNh NubjÐ  )”}”(hŒ``/root/sandboxer``”h]”hŒ/root/sandboxer”…””}”(hji  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj  ubhŒ# program launched by the root user.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K]hj@  hžhubhø)”}”(hŒ—The third record (``type=SYSCALL``) describes the syscall, its provided
arguments, its result (``success=no exit=-1``), and the process that called it.”h]”(hŒThe third record (”…””}”(hj  hžhhŸNh NubjÐ  )”}”(hŒ``type=SYSCALL``”h]”hŒtype=SYSCALL”…””}”(hj‰  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj  ubhŒ=) describes the syscall, its provided
arguments, its result (”…””}”(hj  hžhhŸNh NubjÐ  )”}”(hŒ``success=no exit=-1``”h]”hŒsuccess=no exit=-1”…””}”(hj›  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj  ubhŒ"), and the process that called it.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h Kahj@  hžhubhø)”}”(hŒ«The fourth record (``type=PROCTITLE``) shows the command's name as an
hexadecimal value.  This can be translated with ``python -c
'print(bytes.fromhex("6B696C6C0031"))'``.”h]”(hŒThe fourth record (”…””}”(hj³  hžhhŸNh NubjÐ  )”}”(hŒ``type=PROCTITLE``”h]”hŒtype=PROCTITLE”…””}”(hj»  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj³  ubhŒS) shows the commandâ€™s name as an
hexadecimal value.  This can be translated with ”…””}”(hj³  hžhhŸNh NubjÐ  )”}”(hŒ4``python -c
'print(bytes.fromhex("6B696C6C0031"))'``”h]”hŒ0python -c
'print(bytes.fromhex("6B696C6C0031"))'”…””}”(hjÍ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hj³  ubhŒ.”…””}”(hj³  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h Kdhj@  hžhubhø)”}”(hXÚ  Finally, the last record (``type=LANDLOCK_DOMAIN``) is also the only one from
the second event (serial ``31``).  It is not tied to a direct user space action
but an asynchronous one to free resources tied to a Landlock domain
(``status=deallocated``).  This can be useful to know that the following logs
will not concern the domain ``1a6fdc66f`` anymore.  This record also summarize
the number of requests this domain denied (``denials=1``), whether they were
logged or not.”h]”(hŒFinally, the last record (”…””}”(hjå  hžhhŸNh NubjÐ  )”}”(hŒ``type=LANDLOCK_DOMAIN``”h]”hŒtype=LANDLOCK_DOMAIN”…””}”(hjí  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjå  ubhŒ5) is also the only one from
the second event (serial ”…””}”(hjå  hžhhŸNh NubjÐ  )”}”(hŒ``31``”h]”hŒ31”…””}”(hjÿ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjå  ubhŒv).  It is not tied to a direct user space action
but an asynchronous one to free resources tied to a Landlock domain
(”…””}”(hjå  hžhhŸNh NubjÐ  )”}”(hŒ``status=deallocated``”h]”hŒstatus=deallocated”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjå  ubhŒS).  This can be useful to know that the following logs
will not concern the domain ”…””}”(hjå  hžhhŸNh NubjÐ  )”}”(hŒ``1a6fdc66f``”h]”hŒ	1a6fdc66f”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjå  ubhŒQ anymore.  This record also summarize
the number of requests this domain denied (”…””}”(hjå  hžhhŸNh NubjÐ  )”}”(hŒ``denials=1``”h]”hŒ	denials=1”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÏ  hjå  ubhŒ#), whether they were
logged or not.”…””}”(hjå  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h Khhj@  hžhubj
  )”}”(hXF  type=LANDLOCK_ACCESS msg=audit(1729738800.268:30): domain=1a6fdc66f blockers=scope.signal opid=1 ocomm="systemd"
type=LANDLOCK_DOMAIN msg=audit(1729738800.268:30): domain=1a6fdc66f status=allocated mode=enforcing pid=286 uid=0 exe="/root/sandboxer" comm="sandboxer"
type=SYSCALL msg=audit(1729738800.268:30): arch=c000003e syscall=62 success=no exit=-1 [..] ppid=272 pid=286 auid=0 uid=0 gid=0 [...] comm="kill" [...]
type=PROCTITLE msg=audit(1729738800.268:30): proctitle=6B696C6C0031
type=LANDLOCK_DOMAIN msg=audit(1729738800.324:31): domain=1a6fdc66f status=deallocated denials=1”h]”hXF  type=LANDLOCK_ACCESS msg=audit(1729738800.268:30): domain=1a6fdc66f blockers=scope.signal opid=1 ocomm="systemd"
type=LANDLOCK_DOMAIN msg=audit(1729738800.268:30): domain=1a6fdc66f status=allocated mode=enforcing pid=286 uid=0 exe="/root/sandboxer" comm="sandboxer"
type=SYSCALL msg=audit(1729738800.268:30): arch=c000003e syscall=62 success=no exit=-1 [..] ppid=272 pid=286 auid=0 uid=0 gid=0 [...] comm="kill" [...]
type=PROCTITLE msg=audit(1729738800.268:30): proctitle=6B696C6C0031
type=LANDLOCK_DOMAIN msg=audit(1729738800.324:31): domain=1a6fdc66f status=deallocated denials=1”…””}”hjM  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²Œforce”‰Œlanguage”Œnone”Œhighlight_args”}”uh1j	  hŸh³h Kphj@  hžhubhø)”}”(hŒ>Here is another example showcasing filesystem access control::”h]”hŒ=Here is another example showcasing filesystem access control:”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h Kxhj@  hžhubj
  )”}”(hŒP$ LL_FS_RO=/ LL_FS_RW=/tmp LL_FORCE_LOG=1 ./sandboxer sh -c "echo > /etc/passwd"”h]”hŒP$ LL_FS_RO=/ LL_FS_RW=/tmp LL_FORCE_LOG=1 ./sandboxer sh -c "echo > /etc/passwd"”…””}”hjn  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j	  hŸh³h Kzhj@  hžhubhø)”}”(hŒ‚The related audit logs contains 8 records from 3 different events (serials 33,
34 and 35) created by the same domain `1a6fdc679`::”h]”(hŒuThe related audit logs contains 8 records from 3 different events (serials 33,
34 and 35) created by the same domain ”…””}”(hj|  hžhhŸNh Nubj}  )”}”(hŒ`1a6fdc679`”h]”hŒ	1a6fdc679”…””}”(hj„  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j|  hj|  ubhŒ:”…””}”(hj|  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K|hj@  hžhubj
  )”}”(hXÿ  type=LANDLOCK_ACCESS msg=audit(1729738800.221:33): domain=1a6fdc679 blockers=fs.write_file path="/dev/tty" dev="devtmpfs" ino=9
type=LANDLOCK_DOMAIN msg=audit(1729738800.221:33): domain=1a6fdc679 status=allocated mode=enforcing pid=289 uid=0 exe="/root/sandboxer" comm="sandboxer"
type=SYSCALL msg=audit(1729738800.221:33): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
type=PROCTITLE msg=audit(1729738800.221:33): proctitle=7368002D63006563686F203E202F6574632F706173737764
type=LANDLOCK_ACCESS msg=audit(1729738800.221:34): domain=1a6fdc679 blockers=fs.write_file path="/etc/passwd" dev="vda2" ino=143821
type=SYSCALL msg=audit(1729738800.221:34): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
type=PROCTITLE msg=audit(1729738800.221:34): proctitle=7368002D63006563686F203E202F6574632F706173737764
type=LANDLOCK_DOMAIN msg=audit(1729738800.261:35): domain=1a6fdc679 status=deallocated denials=2”h]”hXÿ  type=LANDLOCK_ACCESS msg=audit(1729738800.221:33): domain=1a6fdc679 blockers=fs.write_file path="/dev/tty" dev="devtmpfs" ino=9
type=LANDLOCK_DOMAIN msg=audit(1729738800.221:33): domain=1a6fdc679 status=allocated mode=enforcing pid=289 uid=0 exe="/root/sandboxer" comm="sandboxer"
type=SYSCALL msg=audit(1729738800.221:33): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
type=PROCTITLE msg=audit(1729738800.221:33): proctitle=7368002D63006563686F203E202F6574632F706173737764
type=LANDLOCK_ACCESS msg=audit(1729738800.221:34): domain=1a6fdc679 blockers=fs.write_file path="/etc/passwd" dev="vda2" ino=143821
type=SYSCALL msg=audit(1729738800.221:34): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
type=PROCTITLE msg=audit(1729738800.221:34): proctitle=7368002D63006563686F203E202F6574632F706173737764
type=LANDLOCK_DOMAIN msg=audit(1729738800.261:35): domain=1a6fdc679 status=deallocated denials=2”…””}”hjœ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j	  hŸh³h Khj@  hžhubeh}”(h]”Œevent-samples”ah ]”h"]”Œevent samples”ah$]”h&]”uh1hÂhjc  hžhhŸh³h KKubhÃ)”}”(hhh]”(hÈ)”}”(hŒEvent filtering”h]”hŒEvent filtering”…””}”(hjµ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj²  hžhhŸh³h KŠubhø)”}”(hŒÇIf you get spammed with audit logs related to Landlock, this is either an
attack attempt or a bug in the security policy.  We can put in place some
filters to limit noise with two complementary ways:”h]”hŒÇIf you get spammed with audit logs related to Landlock, this is either an
attack attempt or a bug in the security policy.  We can put in place some
filters to limit noise with two complementary ways:”…””}”(hjÃ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KŒhj²  hžhubj±  )”}”(hhh]”(j¶  )”}”(hŒOwith sys_landlock_restrict_self()'s flags if we can fix the sandboxed
programs,”h]”hø)”}”(hŒOwith sys_landlock_restrict_self()'s flags if we can fix the sandboxed
programs,”h]”hŒQwith sys_landlock_restrict_self()â€™s flags if we can fix the sandboxed
programs,”…””}”(hjØ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h KhjÔ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hjÑ  hžhhŸh³h Nubj¶  )”}”(hŒ2or with audit rules (see :manpage:`auditctl(8)`).
”h]”hø)”}”(hŒ1or with audit rules (see :manpage:`auditctl(8)`).”h]”(hŒor with audit rules (see ”…””}”(hjð  hžhhŸNh Nubh Œmanpage”“”)”}”(hŒ:manpage:`auditctl(8)`”h]”hŒauditctl(8)”…””}”(hjú  hžhhŸNh Nubah}”(h]”h ]”jø  ah"]”h$]”h&]”h±h²Œpath”Œauditctl(8)”Œpage”Œauditctl”Œsection”Œ8”uh1jø  hjð  ubhŒ).”…””}”(hjð  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K’hjì  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hjÑ  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”j¨  j©  uh1j°  hŸh³h Khj²  hžhubeh}”(h]”Œevent-filtering”ah ]”h"]”Œevent filtering”ah$]”h&]”uh1hÂhjc  hžhhŸh³h KŠubeh}”(h]”Œaudit”ah ]”h"]”Œaudit”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KubhÃ)”}”(hhh]”(hÈ)”}”(hŒAdditional documentation”h]”hŒAdditional documentation”…””}”(hj7  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj4  hžhhŸh³h K•ubj±  )”}”(hhh]”(j¶  )”}”(hŒ`Linux Audit Documentation`_”h]”hø)”}”(hjJ  h]”hŒ	reference”“”)”}”(hjJ  h]”hŒLinux Audit Documentation”…””}”(hjQ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒLinux Audit Documentation”Œrefuri”Œ7https://github.com/linux-audit/audit-documentation/wiki”uh1jO  hjL  Œresolved”Kubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K—hjH  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hjE  hžhhŸh³h Nubj¶  )”}”(hŒ(Documentation/userspace-api/landlock.rst”h]”hø)”}”(hjq  h]”hŒ(Documentation/userspace-api/landlock.rst”…””}”(hjs  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K˜hjo  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hjE  hžhhŸh³h Nubj¶  )”}”(hŒ#Documentation/security/landlock.rst”h]”hø)”}”(hjˆ  h]”hŒ#Documentation/security/landlock.rst”…””}”(hjŠ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h K™hj†  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hjE  hžhhŸh³h Nubj¶  )”}”(hŒhttps://landlock.io
”h]”hø)”}”(hŒhttps://landlock.io”h]”jP  )”}”(hj£  h]”hŒhttps://landlock.io”…””}”(hj¥  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”j£  uh1jO  hj¡  ubah}”(h]”h ]”h"]”h$]”h&]”uh1h÷hŸh³h Kšhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jµ  hjE  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”j¨  Œ*”uh1j°  hŸh³h K—hj4  hžhubh¢)”}”(hŒLinks”h]”hŒLinks”…””}”hjÆ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hj4  hžhhŸh³h KœubhŒtarget”“”)”}”(hŒY.. _Linux Audit Documentation:
   https://github.com/linux-audit/audit-documentation/wiki”h]”h}”(h]”Œlinux-audit-documentation”ah ]”h"]”Œlinux audit documentation”ah$]”h&]”j`  ja  uh1jÔ  h Khj4  hžhhŸh³Œ
referenced”Kubeh}”(h]”Œadditional-documentation”ah ]”h"]”Œadditional documentation”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K•ubeh}”(h]”Œlandlock-system-wide-management”ah ]”h"]”Œ landlock: system-wide management”ah$]”h&]”uh1hÂhhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÇNŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œlinux audit documentation”]”jQ  asŒrefids”}”Œnameids”}”(jð  jí  j1  j.  j=  j:  j¯  j¬  j)  j&  jè  jå  jß  jÜ  uŒ	nametypes”}”(jð  ‰j1  ‰j=  ‰j¯  ‰j)  ‰jè  ‰jß  ˆuh}”(jí  hÄj.  jc  j:  j–  j¬  j@  j&  j²  jå  j4  jÜ  jÖ  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.