.. SPDX-License-Identifier: GPL-2.0
.. Copyright © 2025 Microsoft Corporation

================================
Landlock: system-wide management
================================

:Author: Mickaël Salaün
:Date: January 2026

Landlock can leverage the audit framework to log events.

User space documentation can be found here:
Documentation/userspace-api/landlock.rst.

Audit
=====

Denied access requests are logged by default for a sandboxed program if `audit`
is enabled.  This default behavior can be changed with the
sys_landlock_restrict_self() flags (cf.
Documentation/userspace-api/landlock.rst).  Landlock logs can also be masked
thanks to audit rules.  Landlock can generate 2 audit record types.

Record types
------------

AUDIT_LANDLOCK_ACCESS
    This record type identifies a denied access request to a kernel resource.
    The ``domain`` field indicates the ID of the domain that blocked the
    request.  The ``blockers`` field indicates the cause(s) of this denial
    (separated by a comma), and the following fields identify the kernel object
    (similar to SELinux).  There may be more than one of this record type per
    audit event.

    Example with a file link request generating two records in the same event::

        domain=195ba459b blockers=fs.refer path="/usr/bin" dev="vda2" ino=351
        domain=195ba459b blockers=fs.make_reg,fs.refer path="/usr/local" dev="vda2" ino=365

    The ``blockers`` field uses dot-separated prefixes to indicate the type of
    restriction that caused the denial:

    **fs.*** - Filesystem access rights (ABI 1+):
        - fs.execute, fs.write_file, fs.read_file, fs.read_dir
        - fs.remove_dir, fs.remove_file
        - fs.make_char, fs.make_dir, fs.make_reg, fs.make_sock
        - fs.make_fifo, fs.make_block, fs.make_sym
        - fs.refer (ABI 2+)
        - fs.truncate (ABI 3+)
        - fs.ioctl_dev (ABI 5+)

    **net.*** - Network access rights (ABI 4+):
        - net.bind_tcp - TCP port binding was denied
        - net.connect_tcp - TCP connection was denied

    **scope.*** - IPC scoping restrictions (ABI 6+):
        - scope.abstract_unix_socket - Abstract UNIX socket connection denied
        - scope.signal - Signal sending denied

    Multiple blockers can appear in a single event (comma-separated) when
    multiple access rights are missing.  For example, creating a regular file
    in a directory that lacks both ``make_reg`` and ``refer`` rights would show
    ``blockers=fs.make_reg,fs.refer``.

    The object identification fields (path, dev, ino for filesystem; opid,
    ocomm for signals) depend on the type of access being blocked and provide
    context about what resource was involved in the denial.

AUDIT_LANDLOCK_DOMAIN
    This record type describes the status of a Landlock domain.  The ``status``
    field can be either ``allocated`` or ``deallocated``.

    The ``allocated`` status is part of the same audit event and follows
    the first logged ``AUDIT_LANDLOCK_ACCESS`` record of a domain.  It identifies
    Landlock domain information at the time of the sys_landlock_restrict_self()
    call with the following fields:

    - the ``domain`` ID
    - the enforcement ``mode``
    - the domain creator's ``pid``
    - the domain creator's ``uid``
    - the domain creator's executable path (``exe``)
    - the domain creator's command line (``comm``)

    Example::

        domain=195ba459b status=allocated mode=enforcing pid=300 uid=0 exe="/root/sandboxer" comm="sandboxer"

    The ``deallocated`` status is an event on its own and it identifies a
    Landlock domain release.  After such an event, it is guaranteed that the
    related domain ID will never be reused during the lifetime of the system.
    The ``domain`` field indicates the ID of the domain which is released, and
    the ``denials`` field indicates the total number of denied access requests,
    which might not have been logged according to the audit rules and
    sys_landlock_restrict_self()'s flags.

    Example::

        domain=195ba459b status=deallocated denials=3

Event samples
-------------

Here are two examples of log events (see serial numbers).

In this example a sandboxed program (``kill``) tries to send a signal to the
init process, which is denied because of the signal scoping restriction
(``LL_SCOPED=s``)::

    $ LL_FS_RO=/ LL_FS_RW=/ LL_SCOPED=s LL_FORCE_LOG=1 ./sandboxer kill 1

This command generates two events, each identified with a unique serial
number following a timestamp (``msg=audit(1729738800.268:30)``).  The first
event (serial ``30``) contains 4 records.  The first record
(``type=LANDLOCK_ACCESS``) shows an access denied by the domain `1a6fdc66f`.
The cause of this denial is the signal scoping restriction
(``blockers=scope.signal``).  The process that would have received this signal
is the init process (``opid=1 ocomm="systemd"``).

The second record (``type=LANDLOCK_DOMAIN``) describes (``status=allocated``)
domain `1a6fdc66f`.  This domain was created by process ``286`` executing the
``/root/sandboxer`` program launched by the root user.

The third record (``type=SYSCALL``) describes the syscall, its provided
arguments, its result (``success=no exit=-1``), and the process that called it.

The fourth record (``type=PROCTITLE``) shows the command's name as a
hexadecimal value.  This can be translated with ``python -c
'print(bytes.fromhex("6B696C6C0031"))'``.

Finally, the last record (``type=LANDLOCK_DOMAIN``) is also the only one from
the second event (serial ``31``).  It is not tied to a direct user space action
but an asynchronous one to free resources tied to a Landlock domain
(``status=deallocated``).  This can be useful to know that the following logs
will not concern the domain ``1a6fdc66f`` anymore.  This record also summarizes
the number of requests this domain denied (``denials=1``), whether they were
logged or not.

.. code-block::

    type=LANDLOCK_ACCESS msg=audit(1729738800.268:30): domain=1a6fdc66f blockers=scope.signal opid=1 ocomm="systemd"
    type=LANDLOCK_DOMAIN msg=audit(1729738800.268:30): domain=1a6fdc66f status=allocated mode=enforcing pid=286 uid=0 exe="/root/sandboxer" comm="sandboxer"
    type=SYSCALL msg=audit(1729738800.268:30): arch=c000003e syscall=62 success=no exit=-1 [..] ppid=272 pid=286 auid=0 uid=0 gid=0 [...] comm="kill" [...]
    type=PROCTITLE msg=audit(1729738800.268:30): proctitle=6B696C6C0031
    type=LANDLOCK_DOMAIN msg=audit(1729738800.324:31): domain=1a6fdc66f status=deallocated denials=1

Here is another example showcasing filesystem access control::

    $ LL_FS_RO=/ LL_FS_RW=/tmp LL_FORCE_LOG=1 ./sandboxer sh -c "echo > /etc/passwd"

The related audit logs contain 8 records from 3 different events (serials 33,
34 and 35) created by the same domain `1a6fdc679`::

    type=LANDLOCK_ACCESS msg=audit(1729738800.221:33): domain=1a6fdc679 blockers=fs.write_file path="/dev/tty" dev="devtmpfs" ino=9
    type=LANDLOCK_DOMAIN msg=audit(1729738800.221:33): domain=1a6fdc679 status=allocated mode=enforcing pid=289 uid=0 exe="/root/sandboxer" comm="sandboxer"
    type=SYSCALL msg=audit(1729738800.221:33): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
    type=PROCTITLE msg=audit(1729738800.221:33): proctitle=7368002D63006563686F203E202F6574632F706173737764
    type=LANDLOCK_ACCESS msg=audit(1729738800.221:34): domain=1a6fdc679 blockers=fs.write_file path="/etc/passwd" dev="vda2" ino=143821
    type=SYSCALL msg=audit(1729738800.221:34): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
    type=PROCTITLE msg=audit(1729738800.221:34): proctitle=7368002D63006563686F203E202F6574632F706173737764
    type=LANDLOCK_DOMAIN msg=audit(1729738800.261:35): domain=1a6fdc679 status=deallocated denials=2

Event filtering
---------------

If you get spammed with audit logs related to Landlock, this is either an
attack attempt or a bug in the security policy.  We can put in place some
filters to limit noise in two complementary ways:

- with sys_landlock_restrict_self()'s flags if we can fix the sandboxed
  programs,
- or with audit rules (see :manpage:`auditctl(8)`).

Additional documentation
========================

* `Linux Audit Documentation`_
* Documentation/userspace-api/landlock.rst
* Documentation/security/landlock.rst
* https://landlock.io

.. Links
.. _Linux Audit Documentation:
   https://github.com/linux-audit/audit-documentation/wiki
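
The records shown in the event samples can be correlated per domain ID, since the ``status=allocated`` record only accompanies a domain's first logged denial and the ``status=deallocated`` record arrives later in its own event. The following is an added example, not part of the kernel documentation or of Landlock's own code; ``parse_record``, ``decode_argv`` and ``summarize_domains`` are hypothetical names, and ``SAMPLE_LOG`` reuses the filesystem sample from this page.

```python
import re
from collections import defaultdict

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The eight records of the filesystem sample on this page. "[...]" marks
# fields the page elided; the field parser skips those tokens.
SAMPLE_LOG = """\
type=LANDLOCK_ACCESS msg=audit(1729738800.221:33): domain=1a6fdc679 blockers=fs.write_file path="/dev/tty" dev="devtmpfs" ino=9
type=LANDLOCK_DOMAIN msg=audit(1729738800.221:33): domain=1a6fdc679 status=allocated mode=enforcing pid=289 uid=0 exe="/root/sandboxer" comm="sandboxer"
type=SYSCALL msg=audit(1729738800.221:33): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
type=PROCTITLE msg=audit(1729738800.221:33): proctitle=7368002D63006563686F203E202F6574632F706173737764
type=LANDLOCK_ACCESS msg=audit(1729738800.221:34): domain=1a6fdc679 blockers=fs.write_file path="/etc/passwd" dev="vda2" ino=143821
type=SYSCALL msg=audit(1729738800.221:34): arch=c000003e syscall=257 success=no exit=-13 [...] ppid=272 pid=289 auid=0 uid=0 gid=0 [...] comm="sh" [...]
type=PROCTITLE msg=audit(1729738800.221:34): proctitle=7368002D63006563686F203E202F6574632F706173737764
type=LANDLOCK_DOMAIN msg=audit(1729738800.261:35): domain=1a6fdc679 status=deallocated denials=2
"""


def parse_record(line):
    """Split one audit line into type, serial and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _stamp, serial, body = m.groups()
    fields, quoted = {}, set()
    for f in FIELD.finditer(body):
        if f.group(2) is not None:  # value was written as "..."
            fields[f.group(1)] = f.group(2)
            quoted.add(f.group(1))
        else:
            fields[f.group(1)] = f.group(3)
    return {"type": rtype, "serial": int(serial), "fields": fields, "quoted": quoted}


def decode_argv(value, was_quoted=False):
    """Decode a PROCTITLE value: hex with NUL-separated arguments, or a
    plain quoted string that audit emitted as-is."""
    if was_quoted:
        return [value]
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]


def summarize_domains(log_text):
    """Correlate Landlock records per domain ID across audit events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    domains = {}

    def entry(domain_id):
        return domains.setdefault(
            domain_id, {"creator": None, "denials": [], "reported_denials": None})

    for serial in sorted(events):
        recs = events[serial]
        # SYSCALL and PROCTITLE in the same event describe the denied caller.
        caller = next((r["fields"] for r in recs if r["type"] == "SYSCALL"), {})
        title = next((r for r in recs if r["type"] == "PROCTITLE"), None)
        argv = None
        if title and "proctitle" in title["fields"]:
            argv = decode_argv(title["fields"]["proctitle"], "proctitle" in title["quoted"])
        for r in recs:
            f = r["fields"]
            if "domain" not in f:
                continue
            if r["type"] == "LANDLOCK_ACCESS":
                entry(f["domain"])["denials"].append({
                    "serial": serial,
                    "blockers": f.get("blockers", "").split(","),
                    # The remaining fields identify the kernel object.
                    "object": {k: v for k, v in f.items() if k not in ("domain", "blockers")},
                    "pid": caller.get("pid"),
                    "argv": argv,
                })
            elif r["type"] == "LANDLOCK_DOMAIN" and f.get("status") == "allocated":
                # Only present in the event of the domain's first logged denial.
                entry(f["domain"])["creator"] = {
                    k: f.get(k) for k in ("mode", "pid", "uid", "exe", "comm")}
            elif r["type"] == "LANDLOCK_DOMAIN" and f.get("status") == "deallocated":
                entry(f["domain"])["reported_denials"] = int(f.get("denials", 0))
    for dom in domains.values():
        # More denials reported at release than access records seen: some
        # denials were not logged, or their records are missing from the input.
        total = dom["reported_denials"]
        dom["possibly_unlogged"] = total is not None and total > len(dom["denials"])
    return domains


if __name__ == "__main__":
    for domain_id, info in summarize_domains(SAMPLE_LOG).items():
        print(domain_id, info["creator"], info["reported_denials"])
        for denial in info["denials"]:
            print("  ", denial["serial"], denial["blockers"], denial["object"], denial["argv"])
```

A domain whose ``possibly_unlogged`` flag is set is worth checking against the audit rules and the sandboxed program's sys_landlock_restrict_self() flags, the two filtering mechanisms named under "Event filtering".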