sphinx.addnodesdocument)}( rawsourcechildren]( translations LanguagesNode)}(hhh](h pending_xref)}(hhh]docutils.nodesTextChinese (Simplified)}parenthsba attributes}(ids]classes]names]dupnames]backrefs] refdomainstdreftypedoc reftarget%/translations/zh_CN/security/landlockmodnameN classnameN refexplicitutagnamehhh ubh)}(hhh]hChinese (Traditional)}hh2sbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget%/translations/zh_TW/security/landlockmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hItalian}hhFsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget%/translations/it_IT/security/landlockmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hJapanese}hhZsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget%/translations/ja_JP/security/landlockmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hKorean}hhnsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget%/translations/ko_KR/security/landlockmodnameN classnameN refexplicituh1hhh ubh)}(hhh]hSpanish}hhsbah}(h]h ]h"]h$]h&] refdomainh)reftypeh+ reftarget%/translations/sp_SP/security/landlockmodnameN classnameN refexplicituh1hhh ubeh}(h]h ]h"]h$]h&]current_languageEnglishuh1h hh _documenthsourceNlineNubhcomment)}(h SPDX-License-Identifier: GPL-2.0h]h SPDX-License-Identifier: GPL-2.0}hhsbah}(h]h ]h"]h$]h&] xml:spacepreserveuh1hhhhhh?/var/lib/git/docbuild/linux/Documentation/security/landlock.rsthKubh)}(h9Copyright © 2017-2020 Mickaël Salaün h]h9Copyright © 2017-2020 Mickaël Salaün }hhsbah}(h]h ]h"]h$]h&]hhuh1hhhhhhhhKubh)}(hCopyright © 2019-2020 ANSSIh]hCopyright © 2019-2020 ANSSI}hhsbah}(h]h ]h"]h$]h&]hhuh1hhhhhhhhKubhsection)}(hhh](htitle)}(h"Landlock LSM: kernel documentationh]h"Landlock LSM: kernel documentation}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhhhKubh field_list)}(hhh](hfield)}(hhh](h field_name)}(hAuthorh]hAuthor}(hhhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhhhKubh field_body)}(hMickaël Salaünh]h paragraph)}(hjh]hMickaël Salaün}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hjubah}(h]h ]h"]h$]h&]uh1hhhubeh}(h]h ]h"]h$]h&]uh1hhhhK hhhhubh)}(hhh](h)}(hDateh]hDate}(hj#hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj hhhKubj)}(hSeptember 2025 h]j)}(hSeptember 2025h]hSeptember 2025}(hj5hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hj1ubah}(h]h ]h"]h$]h&]uh1hhj ubeh}(h]h ]h"]h$]h&]uh1hhhhK hhhhubeh}(h]h ]h"]h$]h&]uh1hhhhhhhhK ubj)}(hXLandlock's goal is to create scoped access-control (i.e. sandboxing). To harden a whole system, this feature should be available to any process, including unprivileged ones. Because such a process may be compromised or backdoored (i.e. untrusted), Landlock's features must be safe to use from the kernel and other processes point of view. Landlock's interface must therefore expose a minimal attack surface.h]hXLandlock’s goal is to create scoped access-control (i.e. sandboxing). To harden a whole system, this feature should be available to any process, including unprivileged ones. Because such a process may be compromised or backdoored (i.e. untrusted), Landlock’s features must be safe to use from the kernel and other processes point of view. Landlock’s interface must therefore expose a minimal attack surface.}(hjUhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK hhhhubj)}(hXLandlock is designed to be usable by unprivileged processes while following the system security policy enforced by other access control mechanisms (e.g. DAC, LSM). A Landlock rule shall not interfere with other access-controls enforced on the system, only add more restrictions.h]hXLandlock is designed to be usable by unprivileged processes while following the system security policy enforced by other access control mechanisms (e.g. DAC, LSM). A Landlock rule shall not interfere with other access-controls enforced on the system, only add more restrictions.}(hjchhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhhhhubj)}(hAny user can enforce Landlock rulesets on their processes. They are merged and evaluated against inherited rulesets in a way that ensures that only more constraints can be added.h]hAny user can enforce Landlock rulesets on their processes. They are merged and evaluated against inherited rulesets in a way that ensures that only more constraints can be added.}(hjqhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhhhhubj)}(hUUser space documentation can be found here: Documentation/userspace-api/landlock.rst.h]hUUser space documentation can be found here: Documentation/userspace-api/landlock.rst.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhhhhubh)}(hhh](h)}(h+Guiding principles for safe access controlsh]h+Guiding principles for safe access controls}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhK ubh bullet_list)}(hhh](h list_item)}(hA Landlock rule shall be focused on access control on kernel objects instead of syscall filtering (i.e. syscall arguments), which is the purpose of seccomp-bpf.h]j)}(hA Landlock rule shall be focused on access control on kernel objects instead of syscall filtering (i.e. syscall arguments), which is the purpose of seccomp-bpf.h]hA Landlock rule shall be focused on access control on kernel objects instead of syscall filtering (i.e. syscall arguments), which is the purpose of seccomp-bpf.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK"hjubah}(h]h ]h"]h$]h&]uh1jhjhhhhhNubj)}(hTo avoid multiple kinds of side-channel attacks (e.g. leak of security policies, CPU-based attacks), Landlock rules shall not be able to programmatically communicate with user space.h]j)}(hTo avoid multiple kinds of side-channel attacks (e.g. leak of security policies, CPU-based attacks), Landlock rules shall not be able to programmatically communicate with user space.h]hTo avoid multiple kinds of side-channel attacks (e.g. leak of security policies, CPU-based attacks), Landlock rules shall not be able to programmatically communicate with user space.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK%hjubah}(h]h ]h"]h$]h&]uh1jhjhhhhhNubj)}(hRKernel access check shall not slow down access request from unsandboxed processes.h]j)}(hRKernel access check shall not slow down access request from unsandboxed processes.h]hRKernel access check shall not slow down access request from unsandboxed processes.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK(hjubah}(h]h ]h"]h$]h&]uh1jhjhhhhhNubj)}(hvComputation related to Landlock operations (e.g. enforcing a ruleset) shall only impact the processes requesting them.h]j)}(hvComputation related to Landlock operations (e.g. enforcing a ruleset) shall only impact the processes requesting them.h]hvComputation related to Landlock operations (e.g. enforcing a ruleset) shall only impact the processes requesting them.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK*hjubah}(h]h ]h"]h$]h&]uh1jhjhhhhhNubj)}(hResources (e.g. file descriptors) directly obtained from the kernel by a sandboxed process shall retain their scoped accesses (at the time of resource acquisition) whatever process uses them. Cf. `File descriptor access rights`_.h]j)}(hResources (e.g. file descriptors) directly obtained from the kernel by a sandboxed process shall retain their scoped accesses (at the time of resource acquisition) whatever process uses them. Cf. `File descriptor access rights`_.h](hResources (e.g. file descriptors) directly obtained from the kernel by a sandboxed process shall retain their scoped accesses (at the time of resource acquisition) whatever process uses them. Cf. }(hj hhhNhNubh reference)}(h `File descriptor access rights`_h]hFile descriptor access rights}(hjhhhNhNubah}(h]h ]h"]h$]h&]nameFile descriptor access rightsrefidfile-descriptor-access-rightsuh1jhj resolvedKubh.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhK,hjubah}(h]h ]h"]h$]h&]uh1jhjhhhhhNubj)}(hX*Access denials shall be logged according to system and Landlock domain configurations. Log entries must contain information about the cause of the denial and the owner of the related security policy. Such log generation should have a negligible performance and memory impact on allowed requests. h]j)}(hX)Access denials shall be logged according to system and Landlock domain configurations. Log entries must contain information about the cause of the denial and the owner of the related security policy. Such log generation should have a negligible performance and memory impact on allowed requests.h]hX)Access denials shall be logged according to system and Landlock domain configurations. Log entries must contain information about the cause of the denial and the owner of the related security policy. Such log generation should have a negligible performance and memory impact on allowed requests.}(hj:hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhK0hj6ubah}(h]h ]h"]h$]h&]uh1jhjhhhhhNubeh}(h]h ]h"]h$]h&]bullet*uh1jhhhK"hjhhubeh}(h]+guiding-principles-for-safe-access-controlsah ]h"]+guiding principles for safe access controlsah$]h&]uh1hhhhhhhhK ubh)}(hhh](h)}(hDesign choicesh]hDesign choices}(hjahhhNhNubah}(h]h ]h"]h$]h&]uh1hhj^hhhhhK6ubh)}(hhh](h)}(hInode access rightsh]hInode access rights}(hjrhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjohhhhhK9ubj)}(hX/All access rights are tied to an inode and what can be accessed through it. Reading the content of a directory does not imply to be allowed to read the content of a listed inode. Indeed, a file name is local to its parent directory, and an inode can be referenced by multiple file names thanks to (hard) links. Being able to unlink a file only has a direct impact on the directory, not the unlinked inode. This is the reason why ``LANDLOCK_ACCESS_FS_REMOVE_FILE`` or ``LANDLOCK_ACCESS_FS_REFER`` are not allowed to be tied to files but only to directories.h](hXAll access rights are tied to an inode and what can be accessed through it. Reading the content of a directory does not imply to be allowed to read the content of a listed inode. Indeed, a file name is local to its parent directory, and an inode can be referenced by multiple file names thanks to (hard) links. Being able to unlink a file only has a direct impact on the directory, not the unlinked inode. This is the reason why }(hjhhhNhNubhliteral)}(h"``LANDLOCK_ACCESS_FS_REMOVE_FILE``h]hLANDLOCK_ACCESS_FS_REMOVE_FILE}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh or }(hjhhhNhNubj)}(h``LANDLOCK_ACCESS_FS_REFER``h]hLANDLOCK_ACCESS_FS_REFER}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh= are not allowed to be tied to files but only to directories.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhK;hjohhubeh}(h]inode-access-rightsah ]h"]inode access rightsah$]h&]uh1hhj^hhhhhK9ubh)}(hhh](h)}(hFile descriptor access rightsh]hFile descriptor access rights}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKEubj)}(hAccess rights are checked and tied to file descriptors at open time. The underlying principle is that equivalent sequences of operations should lead to the same results, when they are executed under the same Landlock domain.h]hAccess rights are checked and tied to file descriptors at open time. The underlying principle is that equivalent sequences of operations should lead to the same results, when they are executed under the same Landlock domain.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKGhjhhubj)}(hX[Taking the ``LANDLOCK_ACCESS_FS_TRUNCATE`` right as an example, it may be allowed to open a file for writing without being allowed to :manpage:`ftruncate` the resulting file descriptor if the related file hierarchy doesn't grant that access right. The following sequences of operations have the same semantic and should then have the same result:h](h Taking the }(hjhhhNhNubj)}(h``LANDLOCK_ACCESS_FS_TRUNCATE``h]hLANDLOCK_ACCESS_FS_TRUNCATE}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh\ right as an example, it may be allowed to open a file for writing without being allowed to }(hjhhhNhNubhmanpage)}(h:manpage:`ftruncate`h]h ftruncate}(hjhhhNhNubah}(h]h ]jah"]h$]h&]hhpath ftruncatepagejhhuh1jhjubh the resulting file descriptor if the related file hierarchy doesn’t grant that access right. The following sequences of operations have the same semantic and should then have the same result:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKKhjhhubj)}(hhh](j)}(h``truncate(path);``h]j)}(hjh]j)}(hjh]htruncate(path);}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jhhhKQhjubah}(h]h ]h"]h$]h&]uh1jhjhhhhhNubj)}(h=``int fd = open(path, O_WRONLY); ftruncate(fd); close(fd);`` h]j)}(h<``int fd = open(path, O_WRONLY); ftruncate(fd); close(fd);``h]j)}(hj;h]h8int fd = open(path, O_WRONLY); ftruncate(fd); close(fd);}(hj=hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj9ubah}(h]h ]h"]h$]h&]uh1jhhhKRhj5ubah}(h]h ]h"]h$]h&]uh1jhjhhhhhNubeh}(h]h ]h"]h$]h&]jTjUuh1jhhhKQhjhhubj)}(hXSimilarly to file access modes (e.g. ``O_RDWR``), Landlock access rights attached to file descriptors are retained even if they are passed between processes (e.g. through a Unix domain socket). Such access rights will then be enforced even if the receiving process is not sandboxed by Landlock. Indeed, this is required to keep access controls consistent over the whole system, and this avoids unattended bypasses through file descriptor passing (i.e. confused deputy attack).h](h%Similarly to file access modes (e.g. }(hj\hhhNhNubj)}(h ``O_RDWR``h]hO_RDWR}(hjdhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj\ubhX), Landlock access rights attached to file descriptors are retained even if they are passed between processes (e.g. through a Unix domain socket). Such access rights will then be enforced even if the receiving process is not sandboxed by Landlock. Indeed, this is required to keep access controls consistent over the whole system, and this avoids unattended bypasses through file descriptor passing (i.e. confused deputy attack).}(hj\hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhKThjhhubeh}(h]j$ah ]h"]file descriptor access rightsah$]h&]uh1hhj^hhhhhKE referencedKubeh}(h]design-choicesah ]h"]design choicesah$]h&]uh1hhhhhhhhK6ubh)}(hhh](h)}(hTestsh]hTests}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhK]ubj)}(hUserspace tests for backward compatibility, ptrace restrictions and filesystem support can be found here: `tools/testing/selftests/landlock/`_.h](hjUserspace tests for backward compatibility, ptrace restrictions and filesystem support can be found here: }(hjhhhNhNubj)}(h$`tools/testing/selftests/landlock/`_h]h!tools/testing/selftests/landlock/}(hjhhhNhNubah}(h]h ]h"]h$]h&]name!tools/testing/selftests/landlock/refurighttps://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/testing/selftests/landlock/uh1jhjj%Kubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhhhK_hjhhubeh}(h]testsah ]h"]testsah$]h&]uh1hhhhhhhhK]ubh)}(hhh](h)}(hKernel structuresh]hKernel structures}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKcubh)}(hhh](h)}(hObjecth]hObject}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKfubhindex)}(hhh]h}(h]h ]h"]h$]h&]entries](single#landlock_object_underops (C struct)c.landlock_object_underopshNtauh1jhjhhh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhNubhdesc)}(hhh](hdesc_signature)}(hlandlock_object_underopsh]hdesc_signature_line)}(hstruct landlock_object_underopsh](hdesc_sig_keyword)}(hstructh]hstruct}(hjhhhNhNubah}(h]h ]kah"]h$]h&]uh1jhj hhh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKubhdesc_sig_space)}(h h]h }(hj"hhhNhNubah}(h]h ]wah"]h$]h&]uh1j hj hhhjhKubh desc_name)}(hlandlock_object_underopsh]h desc_sig_name)}(hjh]hlandlock_object_underops}(hj9hhhNhNubah}(h]h ]nah"]h$]h&]uh1j7hj3ubah}(h]h ](sig-namedescnameeh"]h$]h&]hhuh1j1hj hhhjhKubeh}(h]h ]h"]h$]h&]hh add_permalinkuh1jsphinx_line_type declaratorhjhhhjhKubah}(h]jah ](sig sig-objecteh"]h$]h&] is_multiline _toc_parts) _toc_namehuh1jhjhKhjhhubh desc_content)}(hhh]j)}(h"Operations on an underlying objecth]h"Operations on an underlying object}(hjhhhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjehhubah}(h]h ]h"]h$]h&]uh1jchjhhhjhKubeh}(h]h ](cstructeh"]h$]h&]domainjobjtypejdesctypejnoindex noindexentrynocontentsentryuh1jhhhjhjhNubh container)}(h**Definition**:: struct landlock_object_underops { void (*release)(struct landlock_object *const object) __releases(object->lock); }; **Members** ``release`` Releases the underlying object (e.g. iput() for an inode).h](j)}(h**Definition**::h](hstrong)}(h**Definition**h]h Definition}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjubh literal_block)}(hxstruct landlock_object_underops { void (*release)(struct landlock_object *const object) __releases(object->lock); };h]hxstruct landlock_object_underops { void (*release)(struct landlock_object *const object) __releases(object->lock); };}hjsbah}(h]h ]h"]h$]h&]hhuh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjubj)}(h **Members**h]j)}(hjh]hMembers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjubhdefinition_list)}(hhh]hdefinition_list_item)}(hF``release`` Releases the underlying object (e.g. iput() for an inode).h](hterm)}(h ``release``h]j)}(hjh]hrelease}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjubh definition)}(hhh]j)}(h:Releases the underlying object (e.g. iput() for an inode).h]h:Releases the underlying object (e.g. iput() for an inode).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhjhNubj)}(hhh]h}(h]h ]h"]h$]h&]entries](jlandlock_object (C struct)c.landlock_objecthNtauh1jhjhhhjhNubj)}(hhh](j)}(hlandlock_objecth]j )}(hstruct landlock_objecth](j)}(hjh]hstruct}(hjDhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhj@hhh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKubj!)}(h h]h }(hjRhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hj@hhhjQhKubj2)}(hlandlock_objecth]j8)}(hj>h]hlandlock_object}(hjdhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj`ubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hj@hhhjQhKubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhj<hhhjQhKubah}(h]j7ah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjQhKhj9hhubjd)}(hhh]j)}(h%Security blob tied to a kernel objecth]h%Security blob tied to a kernel object}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjhhubah}(h]h ]h"]h$]h&]uh1jchj9hhhjQhKubeh}(h]h ](jstructeh"]h$]h&]jjjjjjjjjuh1jhhhjhjhNubj)}(hX**Definition**:: struct landlock_object { refcount_t usage; spinlock_t lock; void *underobj; union { struct rcu_head rcu_free; const struct landlock_object_underops *underops; }; }; **Members** ``usage`` This counter is used to tie an object to the rules matching it or to keep it alive while adding a new rule. If this counter reaches zero, this struct must not be modified, but this counter can still be read from within an RCU read-side critical section. When adding a new rule to an object with a usage counter of zero, we must wait until the pointer to this object is set to NULL (or recycled). ``lock`` Protects against concurrent modifications. This lock must be held from the time **usage** drops to zero until any weak references from **underobj** to this object have been cleaned up. Lock ordering: inode->i_lock nests inside this. ``underobj`` Used when cleaning up an object and to mark an object as tied to its underlying kernel structure. This pointer is protected by **lock**. Cf. landlock_release_inodes() and release_inode(). ``{unnamed_union}`` anonymous ``rcu_free`` Enables lockless use of **usage**, **lock** and **underobj** from within an RCU read-side critical section. **rcu_free** and **underops** are only used by landlock_put_object(). ``underops`` Enables landlock_put_object() to release the underlying object (e.g. inode).h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK"hjubj)}(hstruct landlock_object { refcount_t usage; spinlock_t lock; void *underobj; union { struct rcu_head rcu_free; const struct landlock_object_underops *underops; }; };h]hstruct landlock_object { refcount_t usage; spinlock_t lock; void *underobj; union { struct rcu_head rcu_free; const struct landlock_object_underops *underops; }; };}hjsbah}(h]h ]h"]h$]h&]hhuh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK$hjubj)}(h **Members**h]j)}(hjh]hMembers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK.hjubj)}(hhh](j)}(hX``usage`` This counter is used to tie an object to the rules matching it or to keep it alive while adding a new rule. If this counter reaches zero, this struct must not be modified, but this counter can still be read from within an RCU read-side critical section. When adding a new rule to an object with a usage counter of zero, we must wait until the pointer to this object is set to NULL (or recycled). h](j)}(h ``usage``h]j)}(hjh]husage}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK/hjubj)}(hhh]j)}(hXThis counter is used to tie an object to the rules matching it or to keep it alive while adding a new rule. If this counter reaches zero, this struct must not be modified, but this counter can still be read from within an RCU read-side critical section. When adding a new rule to an object with a usage counter of zero, we must wait until the pointer to this object is set to NULL (or recycled).h]hXThis counter is used to tie an object to the rules matching it or to keep it alive while adding a new rule. If this counter reaches zero, this struct must not be modified, but this counter can still be read from within an RCU read-side critical section. When adding a new rule to an object with a usage counter of zero, we must wait until the pointer to this object is set to NULL (or recycled).}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK*hj ubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhK/hjubj)}(h``lock`` Protects against concurrent modifications. This lock must be held from the time **usage** drops to zero until any weak references from **underobj** to this object have been cleaned up. Lock ordering: inode->i_lock nests inside this. h](j)}(h``lock``h]j)}(hj-h]hlock}(hj/hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj+ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK7hj'ubj)}(hhh](j)}(hProtects against concurrent modifications. This lock must be held from the time **usage** drops to zero until any weak references from **underobj** to this object have been cleaned up.h](hQProtects against concurrent modifications. This lock must be held from the time }(hjFhhhNhNubj)}(h **usage**h]husage}(hjNhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjFubh. drops to zero until any weak references from }(hjFhhhNhNubj)}(h **underobj**h]hunderobj}(hj`hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjFubh% to this object have been cleaned up.}(hjFhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK3hjCubj)}(h/Lock ordering: inode->i_lock nests inside this.h]h/Lock ordering: inode->i_lock nests inside this.}(hjyhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjBhK7hjCubeh}(h]h ]h"]h$]h&]uh1jhj'ubeh}(h]h ]h"]h$]h&]uh1jhjBhK7hjubj)}(h``underobj`` Used when cleaning up an object and to mark an object as tied to its underlying kernel structure. This pointer is protected by **lock**. Cf. landlock_release_inodes() and release_inode(). h](j)}(h ``underobj``h]j)}(hjh]hunderobj}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK=hjubj)}(hhh]j)}(hUsed when cleaning up an object and to mark an object as tied to its underlying kernel structure. This pointer is protected by **lock**. Cf. landlock_release_inodes() and release_inode().h](hUsed when cleaning up an object and to mark an object as tied to its underlying kernel structure. This pointer is protected by }(hjhhhNhNubj)}(h**lock**h]hlock}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh5. Cf. landlock_release_inodes() and release_inode().}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK;hjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhK=hjubj)}(h``{unnamed_union}`` anonymous h](j)}(h``{unnamed_union}``h]j)}(hjh]h{unnamed_union}}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjubj)}(hhh]j)}(h anonymoush]h anonymous}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubj)}(h``rcu_free`` Enables lockless use of **usage**, **lock** and **underobj** from within an RCU read-side critical section. **rcu_free** and **underops** are only used by landlock_put_object(). h](j)}(h ``rcu_free``h]j)}(hjh]hrcu_free}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKEhjubj)}(hhh]j)}(hEnables lockless use of **usage**, **lock** and **underobj** from within an RCU read-side critical section. **rcu_free** and **underops** are only used by landlock_put_object().h](hEnables lockless use of }(hj7hhhNhNubj)}(h **usage**h]husage}(hj?hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj7ubh, }(hj7hhhNhNubj)}(h**lock**h]hlock}(hjQhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj7ubh and }(hj7hhhNhNubj)}(h **underobj**h]hunderobj}(hjchhhNhNubah}(h]h ]h"]h$]h&]uh1jhj7ubh0 from within an RCU read-side critical section. }(hj7hhhNhNubj)}(h **rcu_free**h]hrcu_free}(hjuhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj7ubh and }(hj7hhhNhNubj)}(h **underops**h]hunderops}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj7ubh( are only used by landlock_put_object().}(hj7hhhNhNubeh}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKBhj4ubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhj3hKEhjubj)}(hY``underops`` Enables landlock_put_object() to release the underlying object (e.g. inode).h](j)}(h ``underops``h]j)}(hjh]hunderops}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKIhjubj)}(hhh]j)}(hLEnables landlock_put_object() to release the underlying object (e.g. inode).h]hLEnables landlock_put_object() to release the underlying object (e.g. inode).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKIhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKIhjubeh}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhjhNubj)}(h**Description**h]j)}(hjh]h Description}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKMhjhhubj)}(hThe goal of this structure is to enable to tie a set of ephemeral access rights (pertaining to different domains) to a kernel object (e.g an inode) in a safe way. This implies to handle concurrent use and modification.h]hThe goal of this structure is to enable to tie a set of ephemeral access rights (pertaining to different domains) to a kernel object (e.g an inode) in a safe way. This implies to handle concurrent use and modification.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhKhjhhubj)}(hjThe lifetime of a :c:type:`struct landlock_object ` depends on the rules referring to it.h](hThe lifetime of a }(hjhhhNhNubh)}(h2:c:type:`struct landlock_object `h]j)}(hj#h]hstruct landlock_object}(hj%hhhNhNubah}(h]h ](xrefjc-typeeh"]h$]h&]uh1jhj!ubah}(h]h ]h"]h$]h&]refdocsecurity/landlock refdomainjreftypetype refexplicitrefwarn c:parent_keysphinx.domains.c LookupKey)}data]sb reftargetlandlock_objectuh1hh]/var/lib/git/docbuild/linux/Documentation/security/landlock:104: ./security/landlock/object.hhK#hjubh& depends on the rules referring to it.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhjKhK#hjhhubeh}(h]objectah ]h"]objectah$]h&]uh1hhjhhhhhKfubh)}(hhh](h)}(h Filesystemh]h Filesystem}(hjahhhNhNubah}(h]h ]h"]h$]h&]uh1hhj^hhhhhKlubj)}(hhh]h}(h]h ]h"]h$]h&]entries](j"landlock_inode_security (C struct)c.landlock_inode_securityhNtauh1jhj^hhhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhNubj)}(hhh](j)}(hlandlock_inode_securityh]j )}(hstruct landlock_inode_securityh](j)}(hjh]hstruct}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjhhhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjhhhjhKubj2)}(hlandlock_inode_securityh]j8)}(hjh]hlandlock_inode_security}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjhhhjhKubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhjhhhjhKubah}(h]j{ah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjhKhj~hhubjd)}(hhh]j)}(hInode security blobh]hInode security blob}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKhjhhubah}(h]h ]h"]h$]h&]uh1jchj~hhhjhKubeh}(h]h ](jstructeh"]h$]h&]jjjjjjjjjuh1jhhhj^hj}hNubj)}(hX{**Definition**:: struct landlock_inode_security { struct landlock_object *object; }; **Members** ``object`` Weak pointer to an allocated object. All assignments of a new object are protected by the underlying inode->i_lock. However, atomically disassociating **object** from the inode is only protected by **object->lock**, from the time **object**'s usage refcount drops to zero to the time this pointer is nulled out (cf. release_inode() and hook_sb_delete()). Indeed, such disassociation doesn't require inode->i_lock thanks to the careful rcu_access_pointer() check performed by get_inode_object().h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKhjubj)}(hHstruct landlock_inode_security { struct landlock_object *object; };h]hHstruct landlock_inode_security { struct landlock_object *object; };}hj sbah}(h]h ]h"]h$]h&]hhuh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKhjubj)}(h **Members**h]j)}(hj h]hMembers}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK"hjubj)}(hhh]j)}(hX``object`` Weak pointer to an allocated object. All assignments of a new object are protected by the underlying inode->i_lock. However, atomically disassociating **object** from the inode is only protected by **object->lock**, from the time **object**'s usage refcount drops to zero to the time this pointer is nulled out (cf. release_inode() and hook_sb_delete()). Indeed, such disassociation doesn't require inode->i_lock thanks to the careful rcu_access_pointer() check performed by get_inode_object().h](j)}(h ``object``h]j)}(hj8 h]hobject}(hj: hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj6 ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK&hj2 ubj)}(hhh]j)}(hXWeak pointer to an allocated object. All assignments of a new object are protected by the underlying inode->i_lock. However, atomically disassociating **object** from the inode is only protected by **object->lock**, from the time **object**'s usage refcount drops to zero to the time this pointer is nulled out (cf. release_inode() and hook_sb_delete()). Indeed, such disassociation doesn't require inode->i_lock thanks to the careful rcu_access_pointer() check performed by get_inode_object().h](hWeak pointer to an allocated object. All assignments of a new object are protected by the underlying inode->i_lock. However, atomically disassociating }(hjQ hhhNhNubj)}(h **object**h]hobject}(hjY hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjQ ubh% from the inode is only protected by }(hjQ hhhNhNubj)}(h**object->lock**h]h object->lock}(hjk hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjQ ubh, from the time }(hjQ hhhNhNubj)}(h **object**h]hobject}(hj} hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjQ ubhX’s usage refcount drops to zero to the time this pointer is nulled out (cf. release_inode() and hook_sb_delete()). Indeed, such disassociation doesn’t require inode->i_lock thanks to the careful rcu_access_pointer() check performed by get_inode_object().}(hjQ hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK hjN ubah}(h]h ]h"]h$]h&]uh1jhj2 ubeh}(h]h ]h"]h$]h&]uh1jhjM hK&hj/ ubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ] kernelindentah"]h$]h&]uh1jhj^hhhj}hNubj)}(h**Description**h]j)}(hj h]h Description}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK*hj^hhubj)}(hsEnable to reference a :c:type:`struct landlock_object ` tied to an inode (i.e. underlying object).h](hEnable to reference a }(hj hhhNhNubh)}(h2:c:type:`struct landlock_object `h]j)}(hj h]hstruct landlock_object}(hj hhhNhNubah}(h]h ](j/jc-typeeh"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]refdocj; refdomainjreftypetype refexplicitrefwarnjAjEjIlandlock_objectuh1hhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKhj ubh+ tied to an inode (i.e. underlying object).}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhj hKhj^hhubj)}(hhh]h}(h]h ]h"]h$]h&]entries](j!landlock_file_security (C struct)c.landlock_file_securityhNtauh1jhj^hhhj}hNubj)}(hhh](j)}(hlandlock_file_securityh]j )}(hstruct landlock_file_securityh](j)}(hjh]hstruct}(hj hhhNhNubah}(h]h ]jah"]h$]h&]uh1jhj hhhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKubj!)}(h h]h }(hj hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hj hhhj hKubj2)}(hlandlock_file_securityh]j8)}(hj h]hlandlock_file_security}(hj2 hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj. ubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hj hhhj hKubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhj hhhj hKubah}(h]j ah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhj hKhj hhubjd)}(hhh]j)}(hFile security blobh]hFile security blob}(hjT hhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK,hjQ hhubah}(h]h ]h"]h$]h&]uh1jchj hhhj hKubeh}(h]h ](jstructeh"]h$]h&]jjjjl jjl jjjuh1jhhhj^hj}hNubj)}(hX**Definition**:: struct landlock_file_security { access_mask_t allowed_access; #ifdef CONFIG_AUDIT; deny_masks_t deny_masks; u8 fown_layer; #endif; struct landlock_cred_security fown_subject; }; **Members** ``allowed_access`` Access rights that were available at the time of opening the file. This is not necessarily the full set of access rights available at that time, but it's the necessary subset as needed to authorize later operations on the open file. ``deny_masks`` Domain layer levels that deny an optional access (see _LANDLOCK_ACCESS_FS_OPTIONAL). ``fown_layer`` Layer level of **fown_subject->domain** with LANDLOCK_SCOPE_SIGNAL. ``fown_subject`` Landlock credential of the task that set the PID that may receive a signal e.g., SIGURG when writing MSG_OOB to the related socket. This pointer is protected by the related file->f_owner->lock, as for fown_struct's members: pid, uid, and euid.h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjx hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjt ubh:}(hjt hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK0hjp ubj)}(hstruct landlock_file_security { access_mask_t allowed_access; #ifdef CONFIG_AUDIT; deny_masks_t deny_masks; u8 fown_layer; #endif; struct landlock_cred_security fown_subject; };h]hstruct landlock_file_security { access_mask_t allowed_access; #ifdef CONFIG_AUDIT; deny_masks_t deny_masks; u8 fown_layer; #endif; struct landlock_cred_security fown_subject; };}hj sbah}(h]h ]h"]h$]h&]hhuh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK2hjp ubj)}(h **Members**h]j)}(hj h]hMembers}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK;hjp ubj)}(hhh](j)}(h``allowed_access`` Access rights that were available at the time of opening the file. This is not necessarily the full set of access rights available at that time, but it's the necessary subset as needed to authorize later operations on the open file. h](j)}(h``allowed_access``h]j)}(hj h]hallowed_access}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK9hj ubj)}(hhh]j)}(hAccess rights that were available at the time of opening the file. This is not necessarily the full set of access rights available at that time, but it's the necessary subset as needed to authorize later operations on the open file.h]hAccess rights that were available at the time of opening the file. This is not necessarily the full set of access rights available at that time, but it’s the necessary subset as needed to authorize later operations on the open file.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK6hj ubah}(h]h ]h"]h$]h&]uh1jhj ubeh}(h]h ]h"]h$]h&]uh1jhj hK9hj ubj)}(hd``deny_masks`` Domain layer levels that deny an optional access (see _LANDLOCK_ACCESS_FS_OPTIONAL). h](j)}(h``deny_masks``h]j)}(hj h]h deny_masks}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK@hj ubj)}(hhh]j)}(hTDomain layer levels that deny an optional access (see _LANDLOCK_ACCESS_FS_OPTIONAL).h]hTDomain layer levels that deny an optional access (see _LANDLOCK_ACCESS_FS_OPTIONAL).}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK?hj ubah}(h]h ]h"]h$]h&]uh1jhj ubeh}(h]h ]h"]h$]h&]uh1jhj hK@hj ubj)}(hS``fown_layer`` Layer level of **fown_subject->domain** with LANDLOCK_SCOPE_SIGNAL. h](j)}(h``fown_layer``h]j)}(hj5 h]h fown_layer}(hj7 hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj3 ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKEhj/ ubj)}(hhh]j)}(hCLayer level of **fown_subject->domain** with LANDLOCK_SCOPE_SIGNAL.h](hLayer level of }(hjN hhhNhNubj)}(h**fown_subject->domain**h]hfown_subject->domain}(hjV hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjN ubh with LANDLOCK_SCOPE_SIGNAL.}(hjN hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKDhjK ubah}(h]h ]h"]h$]h&]uh1jhj/ ubeh}(h]h ]h"]h$]h&]uh1jhjJ hKEhj ubj)}(hX``fown_subject`` Landlock credential of the task that set the PID that may receive a signal e.g., SIGURG when writing MSG_OOB to the related socket. This pointer is protected by the related file->f_owner->lock, as for fown_struct's members: pid, uid, and euid.h](j)}(h``fown_subject``h]j)}(hj h]h fown_subject}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKNhj{ ubj)}(hhh]j)}(hLandlock credential of the task that set the PID that may receive a signal e.g., SIGURG when writing MSG_OOB to the related socket. This pointer is protected by the related file->f_owner->lock, as for fown_struct's members: pid, uid, and euid.h]hLandlock credential of the task that set the PID that may receive a signal e.g., SIGURG when writing MSG_OOB to the related socket. This pointer is protected by the related file->f_owner->lock, as for fown_struct’s members: pid, uid, and euid.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKKhj ubah}(h]h ]h"]h$]h&]uh1jhj{ ubeh}(h]h ]h"]h$]h&]uh1jhj hKNhj ubeh}(h]h ]h"]h$]h&]uh1jhjp ubeh}(h]h ] kernelindentah"]h$]h&]uh1jhj^hhhj}hNubj)}(h**Description**h]j)}(hj h]h Description}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKRhj^hhubj)}(hXThis information is populated when opening a file in hook_file_open, and tracks the relevant Landlock access rights that were available at the time of opening the file. Other LSM hooks use these rights in order to authorize operations on already opened files.h]hXThis information is populated when opening a file in hook_file_open, and tracks the relevant Landlock access rights that were available at the time of opening the file. Other LSM hooks use these rights in order to authorize operations on already opened files.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK-hj^hhubj)}(hhh]h}(h]h ]h"]h$]h&]entries](j'landlock_superblock_security (C struct)c.landlock_superblock_securityhNtauh1jhj^hhhj}hNubj)}(hhh](j)}(hlandlock_superblock_securityh]j )}(h#struct landlock_superblock_securityh](j)}(hjh]hstruct}(hj hhhNhNubah}(h]h ]jah"]h$]h&]uh1jhj hhhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK5ubj!)}(h h]h }(hj hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hj hhhj hK5ubj2)}(hlandlock_superblock_securityh]j8)}(hj h]hlandlock_superblock_security}(hj" hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj ubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hj hhhj hK5ubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhj hhhj hK5ubah}(h]j ah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhj hK5hj hhubjd)}(hhh]j)}(hSuperblock security blobh]hSuperblock security blob}(hjD hhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK^hjA hhubah}(h]h ]h"]h$]h&]uh1jchj hhhj hK5ubeh}(h]h ](jstructeh"]h$]h&]jjjj\ jj\ jjjuh1jhhhj^hj}hNubj)}(hX **Definition**:: struct landlock_superblock_security { atomic_long_t inode_refs; }; **Members** ``inode_refs`` Number of pending inodes (from this superblock) that are being released by release_inode(). Cf. struct super_block->s_fsnotify_inode_refs .h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjh hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjd ubh:}(hjd hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKbhj` ubj)}(hFstruct landlock_superblock_security { atomic_long_t inode_refs; };h]hFstruct landlock_superblock_security { atomic_long_t inode_refs; };}hj sbah}(h]h ]h"]h$]h&]hhuh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKdhj` ubj)}(h **Members**h]j)}(hj h]hMembers}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKhhj` ubj)}(hhh]j)}(h``inode_refs`` Number of pending inodes (from this superblock) that are being released by release_inode(). Cf. struct super_block->s_fsnotify_inode_refs .h](j)}(h``inode_refs``h]j)}(hj h]h inode_refs}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKfhj ubj)}(hhh]j)}(hNumber of pending inodes (from this superblock) that are being released by release_inode(). Cf. struct super_block->s_fsnotify_inode_refs .h]hNumber of pending inodes (from this superblock) that are being released by release_inode(). Cf. struct super_block->s_fsnotify_inode_refs .}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKehj ubah}(h]h ]h"]h$]h&]uh1jhj ubeh}(h]h ]h"]h$]h&]uh1jhj hKfhj ubah}(h]h ]h"]h$]h&]uh1jhj` ubeh}(h]h ] kernelindentah"]h$]h&]uh1jhj^hhhj}hNubj)}(h**Description**h]j)}(hj h]h Description}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhKjhj^hhubj)}(hHEnable hook_sb_delete() to wait for concurrent calls to release_inode().h]hHEnable hook_sb_delete() to wait for concurrent calls to release_inode().}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhY/var/lib/git/docbuild/linux/Documentation/security/landlock:110: ./security/landlock/fs.hhK_hj^hhubeh}(h] filesystemah ]h"] filesystemah$]h&]uh1hhjhhhhhKlubh)}(hhh](h)}(hProcess credentialh]hProcess credential}(hj$ hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj! hhhhhKrubj)}(hhh]h}(h]h ]h"]h$]h&]entries](j!landlock_cred_security (C struct)c.landlock_cred_securityhNtauh1jhj! hhhNhNubj)}(hhh](j)}(hlandlock_cred_securityh]j )}(hstruct landlock_cred_securityh](j)}(hjh]hstruct}(hjK hhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjG hhh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKubj!)}(h h]h }(hjY hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjG hhhjX hKubj2)}(hlandlock_cred_securityh]j8)}(hjE h]hlandlock_cred_security}(hjk hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjg ubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjG hhhjX hKubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhjC hhhjX hKubah}(h]j> ah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjX hKhj@ hhubjd)}(hhh]j)}(hCredential security blobh]hCredential security blob}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKhj hhubah}(h]h ]h"]h$]h&]uh1jchj@ hhhjX hKubeh}(h]h ](jstructeh"]h$]h&]jjjj jj jjjuh1jhhhj! hNhNubj)}(hX**Definition**:: struct landlock_cred_security { struct landlock_ruleset *domain; #ifdef CONFIG_AUDIT; u16 domain_exec; u8 log_subdomains_off : 1; #endif; }; **Members** ``domain`` Immutable ruleset enforced on a task. ``domain_exec`` Bitmask identifying the domain layers that were enforced by the current task's executed file (i.e. no new execve(2) since landlock_restrict_self(2)). ``log_subdomains_off`` Set if the domain descendants's log_status should be set to ``LANDLOCK_LOG_DISABLED``. This is not a landlock_hierarchy configuration because it applies to future descendant domains and it does not require a current domain.h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubh:}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKhj ubj)}(hstruct landlock_cred_security { struct landlock_ruleset *domain; #ifdef CONFIG_AUDIT; u16 domain_exec; u8 log_subdomains_off : 1; #endif; };h]hstruct landlock_cred_security { struct landlock_ruleset *domain; #ifdef CONFIG_AUDIT; u16 domain_exec; u8 log_subdomains_off : 1; #endif; };}hj sbah}(h]h ]h"]h$]h&]hhuh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKhj ubj)}(h **Members**h]j)}(hj h]hMembers}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK&hj ubj)}(hhh](j)}(h1``domain`` Immutable ruleset enforced on a task. h](j)}(h ``domain``h]j)}(hj h]hdomain}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK!hj ubj)}(hhh]j)}(h%Immutable ruleset enforced on a task.h]h%Immutable ruleset enforced on a task.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhK!hjubah}(h]h ]h"]h$]h&]uh1jhj ubeh}(h]h ]h"]h$]h&]uh1jhjhK!hj ubj)}(h``domain_exec`` Bitmask identifying the domain layers that were enforced by the current task's executed file (i.e. no new execve(2) since landlock_restrict_self(2)). h](j)}(h``domain_exec``h]j)}(hj3h]h domain_exec}(hj5hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj1ubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK)hj-ubj)}(hhh]j)}(hBitmask identifying the domain layers that were enforced by the current task's executed file (i.e. no new execve(2) since landlock_restrict_self(2)).h]hBitmask identifying the domain layers that were enforced by the current task’s executed file (i.e. no new execve(2) since landlock_restrict_self(2)).}(hjLhhhNhNubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK'hjIubah}(h]h ]h"]h$]h&]uh1jhj-ubeh}(h]h ]h"]h$]h&]uh1jhjHhK)hj ubj)}(h``log_subdomains_off`` Set if the domain descendants's log_status should be set to ``LANDLOCK_LOG_DISABLED``. This is not a landlock_hierarchy configuration because it applies to future descendant domains and it does not require a current domain.h](j)}(h``log_subdomains_off``h]j)}(hjmh]hlog_subdomains_off}(hjohhhNhNubah}(h]h ]h"]h$]h&]uh1jhjkubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK/hjgubj)}(hhh]j)}(hSet if the domain descendants's log_status should be set to ``LANDLOCK_LOG_DISABLED``. This is not a landlock_hierarchy configuration because it applies to future descendant domains and it does not require a current domain.h](h>Set if the domain descendants’s log_status should be set to }(hjhhhNhNubj)}(h``LANDLOCK_LOG_DISABLED``h]hLANDLOCK_LOG_DISABLED}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh. This is not a landlock_hierarchy configuration because it applies to future descendant domains and it does not require a current domain.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK-hjubah}(h]h ]h"]h$]h&]uh1jhjgubeh}(h]h ]h"]h$]h&]uh1jhjhK/hj ubeh}(h]h ]h"]h$]h&]uh1jhj ubeh}(h]h ] kernelindentah"]h$]h&]uh1jhj! hhhNhNubj)}(h**Description**h]j)}(hjh]h Description}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK3hj! hhubj)}(hThis structure is packed to minimize the size of struct landlock_file_security. However, it is always aligned in the LSM cred blob, see lsm_set_blob_size().h]hThis structure is packed to minimize the size of struct landlock_file_security. However, it is always aligned in the LSM cred blob, see lsm_set_blob_size().}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKhj! hhubj)}(hhh]h}(h]h ]h"]h$]h&]entries](j,landlock_get_applicable_subject (C function)!c.landlock_get_applicable_subjecthNtauh1jhj! hhhNhNubj)}(hhh](j)}(hconst struct landlock_cred_security * landlock_get_applicable_subject (const struct cred *const cred, const struct access_masks masks, size_t *const handle_layer)h]j )}(hconst struct landlock_cred_security *landlock_get_applicable_subject(const struct cred *const cred, const struct access_masks masks, size_t *const handle_layer)h](j)}(hconsth]hconst}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjhhh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK`ubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjhhhjhK`ubj)}(hjh]hstruct}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjhhhjhK`ubj!)}(h h]h }(hj*hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjhhhjhK`ubh)}(hhh]j8)}(hlandlock_cred_securityh]hlandlock_cred_security}(hj;hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj8ubah}(h]h ]h"]h$]h&] refdomainjreftype identifier reftargetj=modnameN classnameNjAjD)}jG]jB ASTIdentifier)}jQlandlock_get_applicable_subjectsb!c.landlock_get_applicable_subjectasbuh1hhjhhhjhK`ubj!)}(h h]h }(hj_hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjhhhjhK`ubhdesc_sig_punctuation)}(hjUh]h*}(hjohhhNhNubah}(h]h ]pah"]h$]h&]uh1jmhjhhhjhK`ubj2)}(hlandlock_get_applicable_subjecth]j8)}(hj\h]hlandlock_get_applicable_subject}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj}ubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjhhhjhK`ubhdesc_parameterlist)}(h\(const struct cred *const cred, const struct access_masks masks, size_t *const handle_layer)h](hdesc_parameter)}(hconst struct cred *const credh](j)}(hjh]hconst}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubj)}(hjh]hstruct}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubh)}(hhh]j8)}(hcredh]hcred}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubah}(h]h ]h"]h$]h&] refdomainjreftypejQ reftargetjmodnameN classnameNjAjD)}jG]jZ!c.landlock_get_applicable_subjectasbuh1hhjubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubjn)}(hjUh]h*}(hjhhhNhNubah}(h]h ]jyah"]h$]h&]uh1jmhjubj)}(hjh]hconst}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubj8)}(hcredh]hcred}(hj-hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubeh}(h]h ]h"]h$]h&]noemphhhuh1jhjubj)}(hconst struct access_masks masksh](j)}(hjh]hconst}(hjFhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjBubj!)}(h h]h }(hjShhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjBubj)}(hjh]hstruct}(hjahhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjBubj!)}(h h]h }(hjnhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjBubh)}(hhh]j8)}(h access_masksh]h access_masks}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj|ubah}(h]h ]h"]h$]h&] refdomainjreftypejQ reftargetjmodnameN classnameNjAjD)}jG]jZ!c.landlock_get_applicable_subjectasbuh1hhjBubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjBubj8)}(hmasksh]hmasks}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjBubeh}(h]h ]h"]h$]h&]noemphhhuh1jhjubj)}(hsize_t *const handle_layerh](h)}(hhh]j8)}(hsize_th]hsize_t}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubah}(h]h ]h"]h$]h&] refdomainjreftypejQ reftargetjmodnameN classnameNjAjD)}jG]jZ!c.landlock_get_applicable_subjectasbuh1hhjubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubjn)}(hjUh]h*}(hjhhhNhNubah}(h]h ]jyah"]h$]h&]uh1jmhjubj)}(hjh]hconst}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjubj!)}(h h]h }(hj hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubj8)}(h handle_layerh]h handle_layer}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubeh}(h]h ]h"]h$]h&]noemphhhuh1jhjubeh}(h]h ]h"]h$]h&]hhuh1jhjhhhjhK`ubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhjhhhjhK`ubah}(h]jah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjhK`hjhhubjd)}(hhh]j)}(hReturn the subject's Landlock credential if its enforced domain applies to (i.e. handles) at least one of the access rights specified in **masks**h](hReturn the subject’s Landlock credential if its enforced domain applies to (i.e. handles) at least one of the access rights specified in }(hjEhhhNhNubj)}(h **masks**h]hmasks}(hjMhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjEubeh}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhK`hjBhhubah}(h]h ]h"]h$]h&]uh1jchjhhhjhK`ubeh}(h]h ](jfunctioneh"]h$]h&]jjjjkjjkjjjuh1jhhhj! hNhNubj)}(hXe**Parameters** ``const struct cred *const cred`` credential ``const struct access_masks masks`` access masks ``size_t *const handle_layer`` returned youngest layer handling a subset of **masks**. Not set if the function returns NULL. **Return** landlock_cred(**cred**) if any access rights specified in **masks** is handled, or NULL otherwise.h](j)}(h**Parameters**h]j)}(hjuh]h Parameters}(hjwhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjsubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKdhjoubj)}(hhh](j)}(h-``const struct cred *const cred`` credential h](j)}(h!``const struct cred *const cred``h]j)}(hjh]hconst struct cred *const cred}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKehjubj)}(hhh]j)}(h credentialh]h credential}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKehjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKehjubj)}(h1``const struct access_masks masks`` access masks h](j)}(h#``const struct access_masks masks``h]j)}(hjh]hconst struct access_masks masks}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKfhjubj)}(hhh]j)}(h access masksh]h access masks}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKfhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKfhjubj)}(h~``size_t *const handle_layer`` returned youngest layer handling a subset of **masks**. Not set if the function returns NULL. h](j)}(h``size_t *const handle_layer``h]j)}(hjh]hsize_t *const handle_layer}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKhhjubj)}(hhh]j)}(h^returned youngest layer handling a subset of **masks**. Not set if the function returns NULL.h](h-returned youngest layer handling a subset of }(hjhhhNhNubj)}(h **masks**h]hmasks}(hj'hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh(. Not set if the function returns NULL.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKghjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhhjubeh}(h]h ]h"]h$]h&]uh1jhjoubj)}(h **Return**h]j)}(hjTh]hReturn}(hjVhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjRubah}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKjhjoubj)}(hblandlock_cred(**cred**) if any access rights specified in **masks** is handled, or NULL otherwise.h](hlandlock_cred(}(hjjhhhNhNubj)}(h**cred**h]hcred}(hjrhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjjubh$) if any access rights specified in }(hjjhhhNhNubj)}(h **masks**h]hmasks}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjjubh is handled, or NULL otherwise.}(hjjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh[/var/lib/git/docbuild/linux/Documentation/security/landlock:116: ./security/landlock/cred.hhKjhjoubeh}(h]h ] kernelindentah"]h$]h&]uh1jhj! hhhNhNubeh}(h]process-credentialah ]h"]process credentialah$]h&]uh1hhjhhhhhKrubh)}(hhh](h)}(hRuleset and domainh]hRuleset and domain}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhKxubj)}(hX4A domain is a read-only ruleset tied to a set of subjects (i.e. tasks' credentials). Each time a ruleset is enforced on a task, the current domain is duplicated and the ruleset is imported as a new layer of rules in the new domain. Indeed, once in a domain, each rule is tied to a layer level. To grant access to an object, at least one rule of each layer must allow the requested action on the object. A task can then only transit to a new domain that is the intersection of the constraints from the current domain and those of a ruleset provided by the task.h]hX6A domain is a read-only ruleset tied to a set of subjects (i.e. tasks’ credentials). Each time a ruleset is enforced on a task, the current domain is duplicated and the ruleset is imported as a new layer of rules in the new domain. Indeed, once in a domain, each rule is tied to a layer level. To grant access to an object, at least one rule of each layer must allow the requested action on the object. A task can then only transit to a new domain that is the intersection of the constraints from the current domain and those of a ruleset provided by the task.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKzhjhhubj)}(hThe definition of a subject is implicit for a task sandboxing itself, which makes the reasoning much easier and helps avoid pitfalls.h]hThe definition of a subject is implicit for a task sandboxing itself, which makes the reasoning much easier and helps avoid pitfalls.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjhhubj)}(hhh]h}(h]h ]h"]h$]h&]entries](jlandlock_layer (C struct)c.landlock_layerhNtauh1jhjhhhNhNubj)}(hhh](j)}(hlandlock_layerh]j )}(hstruct landlock_layerh](j)}(hjh]hstruct}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjhhh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjhhhjhKubj2)}(hlandlock_layerh]j8)}(hjh]hlandlock_layer}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjhhhjhKubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhjhhhjhKubah}(h]jah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjhKhjhhubjd)}(hhh]j)}(hAccess rights for a given layerh]hAccess rights for a given layer}(hj4hhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhj1hhubah}(h]h ]h"]h$]h&]uh1jchjhhhjhKubeh}(h]h ](jstructeh"]h$]h&]jjjjLjjLjjjuh1jhhhjhNhNubj)}(hX>**Definition**:: struct landlock_layer { u16 level; access_mask_t access; }; **Members** ``level`` Position of this layer in the layer stack. Starts from 1. ``access`` Bitfield of allowed actions on the kernel object. They are relative to the object type (e.g. ``LANDLOCK_ACTION_FS_READ``).h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjXhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjTubh:}(hjThhhNhNubeh}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjPubj)}(hCstruct landlock_layer { u16 level; access_mask_t access; };h]hCstruct landlock_layer { u16 level; access_mask_t access; };}hjqsbah}(h]h ]h"]h$]h&]hhuh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK hjPubj)}(h **Members**h]j)}(hjh]hMembers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK%hjPubj)}(hhh](j)}(hE``level`` Position of this layer in the layer stack. Starts from 1. h](j)}(h ``level``h]j)}(hjh]hlevel}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(h:Position of this layer in the layer stack. Starts from 1.h]h:Position of this layer in the layer stack. Starts from 1.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubj)}(h``access`` Bitfield of allowed actions on the kernel object. They are relative to the object type (e.g. ``LANDLOCK_ACTION_FS_READ``).h](j)}(h ``access``h]j)}(hjh]haccess}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK#hjubj)}(hhh]j)}(h{Bitfield of allowed actions on the kernel object. They are relative to the object type (e.g. ``LANDLOCK_ACTION_FS_READ``).h](h^Bitfield of allowed actions on the kernel object. They are relative to the object type (e.g. }(hjhhhNhNubj)}(h``LANDLOCK_ACTION_FS_READ``h]hLANDLOCK_ACTION_FS_READ}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh).}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhjhK#hjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhK#hjubeh}(h]h ]h"]h$]h&]uh1jhjPubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhNhNubj)}(hhh]h}(h]h ]h"]h$]h&]entries](jlandlock_key (C union)c.landlock_keyhNtauh1jhjhhhNhNubj)}(hhh](j)}(h landlock_keyh]j )}(hunion landlock_keyh](j)}(hunionh]hunion}(hjEhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjAhhh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK*ubj!)}(h h]h }(hjThhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjAhhhjShK*ubj2)}(h landlock_keyh]j8)}(hj?h]h landlock_key}(hjfhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjbubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjAhhhjShK*ubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhj=hhhjShK*ubah}(h]j8ah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjShK*hj:hhubjd)}(hhh]j)}(h!Key of a ruleset's red-black treeh]h#Key of a ruleset’s red-black tree}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK)hjhhubah}(h]h ]h"]h$]h&]uh1jchj:hhhjShK*ubeh}(h]h ](junioneh"]h$]h&]jjjjjjjjjuh1jhhhjhNhNubj)}(hX **Definition**:: union landlock_key { struct landlock_object *object; uintptr_t data; }; **Members** ``object`` Pointer to identify a kernel object (e.g. an inode). ``data`` Raw data to identify an arbitrary 32-bit value (e.g. a TCP port).h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK-hjubj)}(hOunion landlock_key { struct landlock_object *object; uintptr_t data; };h]hOunion landlock_key { struct landlock_object *object; uintptr_t data; };}hjsbah}(h]h ]h"]h$]h&]hhuh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK/hjubj)}(h **Members**h]j)}(hjh]hMembers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK4hjubj)}(hhh](j)}(h@``object`` Pointer to identify a kernel object (e.g. an inode). h](j)}(h ``object``h]j)}(hjh]hobject}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK.hjubj)}(hhh]j)}(h4Pointer to identify a kernel object (e.g. an inode).h]h4Pointer to identify a kernel object (e.g. an inode).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj hK.hj ubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhj hK.hjubj)}(hJ``data`` Raw data to identify an arbitrary 32-bit value (e.g. a TCP port).h](j)}(h``data``h]j)}(hj.h]hdata}(hj0hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj,ubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK2hj(ubj)}(hhh]j)}(hARaw data to identify an arbitrary 32-bit value (e.g. a TCP port).h]hARaw data to identify an arbitrary 32-bit value (e.g. a TCP port).}(hjGhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjChK2hjDubah}(h]h ]h"]h$]h&]uh1jhj(ubeh}(h]h ]h"]h$]h&]uh1jhjChK2hjubeh}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhNhNubj)}(hhh]h}(h]h ]h"]h$]h&]entries](jlandlock_key_type (C enum)c.landlock_key_typehNtauh1jhjhhhNhNubj)}(hhh](j)}(hlandlock_key_typeh]j )}(henum landlock_key_typeh](j)}(henumh]henum}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjhhh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK9ubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjhhhjhK9ubj2)}(hlandlock_key_typeh]j8)}(hjh]hlandlock_key_type}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjhhhjhK9ubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhjhhhjhK9ubah}(h]jzah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjhK9hj|hhubjd)}(hhh]j)}(h3Type of :c:type:`union landlock_key `h](hType of }(hjhhhNhNubh)}(h+:c:type:`union landlock_key `h]j)}(hjh]hunion landlock_key}(hjhhhNhNubah}(h]h ](j/jc-typeeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj; refdomainjreftypetype refexplicitrefwarnjAjD)}jG]jY)}jQjsbc.landlock_key_typeasbjI landlock_keyuh1hh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubeh}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK8hjhhubah}(h]h ]h"]h$]h&]uh1jchj|hhhjhK9ubeh}(h]h ](jenumeh"]h$]h&]jjjj jj jjjuh1jhhhjhNhNubj)}(h**Constants** ``LANDLOCK_KEY_INODE`` Type of :c:type:`landlock_ruleset.root_inode `'s node keys. ``LANDLOCK_KEY_NET_PORT`` Type of :c:type:`landlock_ruleset.root_net_port `'s node keys.h](j)}(h **Constants**h]j)}(hjh]h Constants}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK`'s node keys. h](j)}(h``LANDLOCK_KEY_INODE``h]j)}(hj2h]hLANDLOCK_KEY_INODE}(hj4hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj0ubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK@hj,ubj)}(hhh]j)}(hMType of :c:type:`landlock_ruleset.root_inode `'s node keys.h](hType of }(hjKhhhNhNubh)}(h8:c:type:`landlock_ruleset.root_inode `h]j)}(hjUh]hlandlock_ruleset.root_inode}(hjWhhhNhNubah}(h]h ](j/jc-typeeh"]h$]h&]uh1jhjSubah}(h]h ]h"]h$]h&]refdocj; refdomainjreftypetype refexplicitrefwarnjAjEjIlandlock_rulesetuh1hh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK?hjKubh’s node keys.}(hjKhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhjrhK?hjHubah}(h]h ]h"]h$]h&]uh1jhj,ubeh}(h]h ]h"]h$]h&]uh1jhjGhK@hj)ubj)}(hj``LANDLOCK_KEY_NET_PORT`` Type of :c:type:`landlock_ruleset.root_net_port `'s node keys.h](j)}(h``LANDLOCK_KEY_NET_PORT``h]j)}(hjh]hLANDLOCK_KEY_NET_PORT}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKChjubj)}(hhh]j)}(hPType of :c:type:`landlock_ruleset.root_net_port `'s node keys.h](hType of }(hjhhhNhNubh)}(h;:c:type:`landlock_ruleset.root_net_port `h]j)}(hjh]hlandlock_ruleset.root_net_port}(hjhhhNhNubah}(h]h ](j/jc-typeeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj; refdomainjreftypetype refexplicitrefwarnjAjEjIlandlock_rulesetuh1hhjhKChjubh’s node keys.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhjhKChjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKChj)ubeh}(h]h ]h"]h$]h&]uh1jhj ubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhNhNubj)}(hhh]h}(h]h ]h"]h$]h&]entries](jlandlock_id (C struct) c.landlock_idhNtauh1jhjhhhNhNubj)}(hhh](j)}(h landlock_idh]j )}(hstruct landlock_idh](j)}(hjh]hstruct}(hj hhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjhhh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKIubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjhhhjhKIubj2)}(h landlock_idh]j8)}(hjh]h landlock_id}(hj+hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj'ubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjhhhjhKIubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhjhhhjhKIubah}(h]jah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjhKIhjhhubjd)}(hhh]j)}(h$Unique rule identifier for a ruleseth]h$Unique rule identifier for a ruleset}(hjMhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKHhjJhhubah}(h]h ]h"]h$]h&]uh1jchjhhhjhKIubeh}(h]h ](jstructeh"]h$]h&]jjjjejjejjjuh1jhhhjhNhNubj)}(hX**Definition**:: struct landlock_id { union landlock_key key; const enum landlock_key_type type; }; **Members** ``key`` Identifies either a kernel object (e.g. an inode) or a raw value (e.g. a TCP port). ``type`` Type of a landlock_ruleset's root tree.h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjqhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjmubh:}(hjmhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKLhjiubj)}(hZstruct landlock_id { union landlock_key key; const enum landlock_key_type type; };h]hZstruct landlock_id { union landlock_key key; const enum landlock_key_type type; };}hjsbah}(h]h ]h"]h$]h&]hhuh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKNhjiubj)}(h **Members**h]j)}(hjh]hMembers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKShjiubj)}(hhh](j)}(h\``key`` Identifies either a kernel object (e.g. an inode) or a raw value (e.g. a TCP port). h](j)}(h``key``h]j)}(hjh]hkey}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKNhjubj)}(hhh]j)}(hSIdentifies either a kernel object (e.g. an inode) or a raw value (e.g. a TCP port).h]hSIdentifies either a kernel object (e.g. an inode) or a raw value (e.g. a TCP port).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKMhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKNhjubj)}(h0``type`` Type of a landlock_ruleset's root tree.h](j)}(h``type``h]j)}(hjh]htype}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKQhjubj)}(hhh]j)}(h'Type of a landlock_ruleset's root tree.h]h)Type of a landlock_ruleset’s root tree.}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKRhj ubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhj hKQhjubeh}(h]h ]h"]h$]h&]uh1jhjiubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhNhNubj)}(hhh]h}(h]h ]h"]h$]h&]entries](jlandlock_rule (C struct)c.landlock_rulehNtauh1jhjhhhNhNubj)}(hhh](j)}(h landlock_ruleh]j )}(hstruct landlock_ruleh](j)}(hjh]hstruct}(hjNhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjJhhh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKXubj!)}(h h]h }(hj\hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjJhhhj[hKXubj2)}(h landlock_ruleh]j8)}(hjHh]h landlock_rule}(hjnhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjjubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjJhhhj[hKXubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhjFhhhj[hKXubah}(h]jAah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhj[hKXhjChhubjd)}(hhh]j)}(hAccess rights tied to an objecth]hAccess rights tied to an object}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKWhjhhubah}(h]h ]h"]h$]h&]uh1jchjChhhj[hKXubeh}(h]h ](jstructeh"]h$]h&]jjjjjjjjjuh1jhhhjhNhNubj)}(hX**Definition**:: struct landlock_rule { struct rb_node node; union landlock_key key; u32 num_layers; struct landlock_layer layers[] ; }; **Members** ``node`` Node in the ruleset's red-black tree. ``key`` A union to identify either a kernel object (e.g. an inode) or a raw data value (e.g. a network socket port). This is used as a key for this ruleset element. The pointer is set once and never modified. It always points to an allocated object because each rule increments the refcount of its object. ``num_layers`` Number of entries in **layers**. ``layers`` Stack of layers, from the latest to the newest, implemented as a flexible array member (FAM).h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh:}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK[hjubj)}(hstruct landlock_rule { struct rb_node node; union landlock_key key; u32 num_layers; struct landlock_layer layers[] ; };h]hstruct landlock_rule { struct rb_node node; union landlock_key key; u32 num_layers; struct landlock_layer layers[] ; };}hjsbah}(h]h ]h"]h$]h&]hhuh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK]hjubj)}(h **Members**h]j)}(hjh]hMembers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKdhjubj)}(hhh](j)}(h/``node`` Node in the ruleset's red-black tree. h](j)}(h``node``h]j)}(hjh]hnode}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK\hjubj)}(hhh]j)}(h%Node in the ruleset's red-black tree.h]h'Node in the ruleset’s red-black tree.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhK\hjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhK\hjubj)}(hX4``key`` A union to identify either a kernel object (e.g. an inode) or a raw data value (e.g. a network socket port). This is used as a key for this ruleset element. The pointer is set once and never modified. It always points to an allocated object because each rule increments the refcount of its object. h](j)}(h``key``h]j)}(hj6h]hkey}(hj8hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj4ubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKdhj0ubj)}(hhh]j)}(hX+A union to identify either a kernel object (e.g. an inode) or a raw data value (e.g. a network socket port). This is used as a key for this ruleset element. The pointer is set once and never modified. It always points to an allocated object because each rule increments the refcount of its object.h]hX+A union to identify either a kernel object (e.g. an inode) or a raw data value (e.g. a network socket port). This is used as a key for this ruleset element. The pointer is set once and never modified. It always points to an allocated object because each rule increments the refcount of its object.}(hjOhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK`hjLubah}(h]h ]h"]h$]h&]uh1jhj0ubeh}(h]h ]h"]h$]h&]uh1jhjKhKdhjubj)}(h0``num_layers`` Number of entries in **layers**. h](j)}(h``num_layers``h]j)}(hjph]h num_layers}(hjrhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjnubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhhjjubj)}(hhh]j)}(h Number of entries in **layers**.h](hNumber of entries in }(hjhhhNhNubj)}(h **layers**h]hlayers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhjhKhhjubah}(h]h ]h"]h$]h&]uh1jhjjubeh}(h]h ]h"]h$]h&]uh1jhjhKhhjubj)}(hh``layers`` Stack of layers, from the latest to the newest, implemented as a flexible array member (FAM).h](j)}(h ``layers``h]j)}(hjh]hlayers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKlhjubj)}(hhh]j)}(h]Stack of layers, from the latest to the newest, implemented as a flexible array member (FAM).h]h]Stack of layers, from the latest to the newest, implemented as a flexible array member (FAM).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKlhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKlhjubeh}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhNhNubj)}(hhh]h}(h]h ]h"]h$]h&]entries](jlandlock_ruleset (C struct)c.landlock_rulesethNtauh1jhjhhhNhNubj)}(hhh](j)}(hlandlock_ruleseth]j )}(hstruct landlock_ruleseth](j)}(hjh]hstruct}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjhhh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKsubj!)}(h h]h }(hj"hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjhhhj!hKsubj2)}(hlandlock_ruleseth]j8)}(hjh]hlandlock_ruleset}(hj4hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj0ubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hjhhhj!hKsubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhj hhhj!hKsubah}(h]jah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhj!hKshj hhubjd)}(hhh]j)}(hLandlock ruleseth]hLandlock ruleset}(hjVhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKrhjShhubah}(h]h ]h"]h$]h&]uh1jchj hhhj!hKsubeh}(h]h ](jstructeh"]h$]h&]jjjjnjjnjjjuh1jhhhjhNhNubj)}(hX~ **Definition**:: struct landlock_ruleset { struct rb_root root_inode; #if IS_ENABLED(CONFIG_INET); struct rb_root root_net_port; #endif; struct landlock_hierarchy *hierarchy; union { struct work_struct work_free; struct { struct mutex lock; refcount_t usage; u32 num_rules; u32 num_layers; struct access_masks access_masks[]; }; }; }; **Members** ``root_inode`` Root of a red-black tree containing :c:type:`struct landlock_rule ` nodes with inode object. Once a ruleset is tied to a process (i.e. as a domain), this tree is immutable until **usage** reaches zero. ``root_net_port`` Root of a red-black tree containing :c:type:`struct landlock_rule ` nodes with network port. Once a ruleset is tied to a process (i.e. as a domain), this tree is immutable until **usage** reaches zero. ``hierarchy`` Enables hierarchy identification even when a parent domain vanishes. This is needed for the ptrace protection. ``{unnamed_union}`` anonymous ``work_free`` Enables to free a ruleset within a lockless section. This is only used by landlock_put_ruleset_deferred() when **usage** reaches zero. The fields **lock**, **usage**, **num_rules**, **num_layers** and **access_masks** are then unused. ``{unnamed_struct}`` anonymous ``lock`` Protects against concurrent modifications of **root**, if **usage** is greater than zero. ``usage`` Number of processes (i.e. domains) or file descriptors referencing this ruleset. ``num_rules`` Number of non-overlapping (i.e. not for the same object) rules in this ruleset. ``num_layers`` Number of layers that are used in this ruleset. This enables to check that all the layers allow an access request. A value of 0 identifies a non-merged ruleset (i.e. not a domain). ``access_masks`` Contains the subset of filesystem and network actions that are restricted by a ruleset. A domain saves all layers of merged rulesets in a stack (FAM), starting from the first layer to the last one. These layers are used when merging rulesets, for user space backward compatibility (i.e. future-proof), and to properly handle merged rulesets without overlapping access rights. These layers are set once and never changed for the lifetime of the ruleset.h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hjzhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjvubh:}(hjvhhhNhNubeh}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKvhjrubj)}(hXstruct landlock_ruleset { struct rb_root root_inode; #if IS_ENABLED(CONFIG_INET); struct rb_root root_net_port; #endif; struct landlock_hierarchy *hierarchy; union { struct work_struct work_free; struct { struct mutex lock; refcount_t usage; u32 num_rules; u32 num_layers; struct access_masks access_masks[]; }; }; };h]hXstruct landlock_ruleset { struct rb_root root_inode; #if IS_ENABLED(CONFIG_INET); struct rb_root root_net_port; #endif; struct landlock_hierarchy *hierarchy; union { struct work_struct work_free; struct { struct mutex lock; refcount_t usage; u32 num_rules; u32 num_layers; struct access_masks access_masks[]; }; }; };}hjsbah}(h]h ]h"]h$]h&]hhuh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKxhjrubj)}(h **Members**h]j)}(hjh]hMembers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjrubj)}(hhh](j)}(h``root_inode`` Root of a red-black tree containing :c:type:`struct landlock_rule ` nodes with inode object. Once a ruleset is tied to a process (i.e. as a domain), this tree is immutable until **usage** reaches zero. h](j)}(h``root_inode``h]j)}(hjh]h root_inode}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhK}hjubj)}(hhh]j)}(hRoot of a red-black tree containing :c:type:`struct landlock_rule ` nodes with inode object. Once a ruleset is tied to a process (i.e. as a domain), this tree is immutable until **usage** reaches zero.h](h$Root of a red-black tree containing }(hjhhhNhNubh)}(h.:c:type:`struct landlock_rule `h]j)}(hjh]hstruct landlock_rule}(hjhhhNhNubah}(h]h ](j/jc-typeeh"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]refdocj; refdomainjreftypetype refexplicitrefwarnjAjEjI landlock_ruleuh1hh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKzhjubhp nodes with inode object. Once a ruleset is tied to a process (i.e. as a domain), this tree is immutable until }(hjhhhNhNubj)}(h **usage**h]husage}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh reaches zero.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhjhKzhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhK}hjubj)}(h``root_net_port`` Root of a red-black tree containing :c:type:`struct landlock_rule ` nodes with network port. Once a ruleset is tied to a process (i.e. as a domain), this tree is immutable until **usage** reaches zero. h](j)}(h``root_net_port``h]j)}(hj2h]h root_net_port}(hj4hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj0ubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhj,ubj)}(hhh]j)}(hRoot of a red-black tree containing :c:type:`struct landlock_rule ` nodes with network port. Once a ruleset is tied to a process (i.e. as a domain), this tree is immutable until **usage** reaches zero.h](h$Root of a red-black tree containing }(hjKhhhNhNubh)}(h.:c:type:`struct landlock_rule `h]j)}(hjUh]hstruct landlock_rule}(hjWhhhNhNubah}(h]h ](j/jc-typeeh"]h$]h&]uh1jhjSubah}(h]h ]h"]h$]h&]refdocj; refdomainjreftypetype refexplicitrefwarnjAjEjI landlock_ruleuh1hh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjKubho nodes with network port. Once a ruleset is tied to a process (i.e. as a domain), this tree is immutable until }(hjKhhhNhNubj)}(h **usage**h]husage}(hjwhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjKubh reaches zero.}(hjKhhhNhNubeh}(h]h ]h"]h$]h&]uh1jhjrhKhjHubah}(h]h ]h"]h$]h&]uh1jhj,ubeh}(h]h ]h"]h$]h&]uh1jhjGhKhjubj)}(h~``hierarchy`` Enables hierarchy identification even when a parent domain vanishes. This is needed for the ptrace protection. h](j)}(h ``hierarchy``h]j)}(hjh]h hierarchy}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(hoEnables hierarchy identification even when a parent domain vanishes. This is needed for the ptrace protection.h]hoEnables hierarchy identification even when a parent domain vanishes. This is needed for the ptrace protection.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubj)}(h``{unnamed_union}`` anonymous h](j)}(h``{unnamed_union}``h]j)}(hjh]h{unnamed_union}}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(h anonymoush]h anonymous}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubj)}(h``work_free`` Enables to free a ruleset within a lockless section. This is only used by landlock_put_ruleset_deferred() when **usage** reaches zero. The fields **lock**, **usage**, **num_rules**, **num_layers** and **access_masks** are then unused. h](j)}(h ``work_free``h]j)}(hjh]h work_free}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(hEnables to free a ruleset within a lockless section. This is only used by landlock_put_ruleset_deferred() when **usage** reaches zero. The fields **lock**, **usage**, **num_rules**, **num_layers** and **access_masks** are then unused.h](hpEnables to free a ruleset within a lockless section. This is only used by landlock_put_ruleset_deferred() when }(hj-hhhNhNubj)}(h **usage**h]husage}(hj5hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj-ubh reaches zero. The fields }(hj-hhhNhNubj)}(h**lock**h]hlock}(hjGhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj-ubh, }(hj-hhhNhNubj)}(h **usage**h]husage}(hjYhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj-ubh, }hj-sbj)}(h **num_rules**h]h num_rules}(hjkhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj-ubh, }hj-sbj)}(h**num_layers**h]h num_layers}(hj}hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj-ubh and }(hj-hhhNhNubj)}(h**access_masks**h]h access_masks}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj-ubh are then unused.}(hj-hhhNhNubeh}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhj*ubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhj)hKhjubj)}(h``{unnamed_struct}`` anonymous h](j)}(h``{unnamed_struct}``h]j)}(hjh]h{unnamed_struct}}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(h anonymoush]h anonymous}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubj)}(hc``lock`` Protects against concurrent modifications of **root**, if **usage** is greater than zero. h](j)}(h``lock``h]j)}(hjh]hlock}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(hYProtects against concurrent modifications of **root**, if **usage** is greater than zero.h](h-Protects against concurrent modifications of }(hj hhhNhNubj)}(h**root**h]hroot}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubh, if }(hj hhhNhNubj)}(h **usage**h]husage}(hj&hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubh is greater than zero.}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhj ubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubj)}(h[``usage`` Number of processes (i.e. domains) or file descriptors referencing this ruleset. h](j)}(h ``usage``h]j)}(hjQh]husage}(hjShhhNhNubah}(h]h ]h"]h$]h&]uh1jhjOubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjKubj)}(hhh]j)}(hPNumber of processes (i.e. domains) or file descriptors referencing this ruleset.h]hPNumber of processes (i.e. domains) or file descriptors referencing this ruleset.}(hjjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjgubah}(h]h ]h"]h$]h&]uh1jhjKubeh}(h]h ]h"]h$]h&]uh1jhjfhKhjubj)}(h^``num_rules`` Number of non-overlapping (i.e. not for the same object) rules in this ruleset. h](j)}(h ``num_rules``h]j)}(hjh]h num_rules}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(hONumber of non-overlapping (i.e. not for the same object) rules in this ruleset.h]hONumber of non-overlapping (i.e. not for the same object) rules in this ruleset.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubj)}(h``num_layers`` Number of layers that are used in this ruleset. This enables to check that all the layers allow an access request. A value of 0 identifies a non-merged ruleset (i.e. not a domain). h](j)}(h``num_layers``h]j)}(hjh]h num_layers}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(hNumber of layers that are used in this ruleset. This enables to check that all the layers allow an access request. A value of 0 identifies a non-merged ruleset (i.e. not a domain).h]hNumber of layers that are used in this ruleset. This enables to check that all the layers allow an access request. A value of 0 identifies a non-merged ruleset (i.e. not a domain).}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubj)}(hX``access_masks`` Contains the subset of filesystem and network actions that are restricted by a ruleset. A domain saves all layers of merged rulesets in a stack (FAM), starting from the first layer to the last one. These layers are used when merging rulesets, for user space backward compatibility (i.e. future-proof), and to properly handle merged rulesets without overlapping access rights. These layers are set once and never changed for the lifetime of the ruleset.h](j)}(h``access_masks``h]j)}(hjh]h access_masks}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(hXContains the subset of filesystem and network actions that are restricted by a ruleset. A domain saves all layers of merged rulesets in a stack (FAM), starting from the first layer to the last one. These layers are used when merging rulesets, for user space backward compatibility (i.e. future-proof), and to properly handle merged rulesets without overlapping access rights. These layers are set once and never changed for the lifetime of the ruleset.h]hXContains the subset of filesystem and network actions that are restricted by a ruleset. A domain saves all layers of merged rulesets in a stack (FAM), starting from the first layer to the last one. These layers are used when merging rulesets, for user space backward compatibility (i.e. future-proof), and to properly handle merged rulesets without overlapping access rights. These layers are set once and never changed for the lifetime of the ruleset.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubeh}(h]h ]h"]h$]h&]uh1jhjrubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhNhNubj)}(h**Description**h]j)}(hjBh]h Description}(hjDhhhNhNubah}(h]h ]h"]h$]h&]uh1jhj@ubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjhhubj)}(h\This data structure must contain unique entries, be updatable, and quick to match an object.h]h\This data structure must contain unique entries, be updatable, and quick to match an object.}(hjXhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKshjhhubj)}(hhh]h}(h]h ]h"]h$]h&]entries](j(landlock_union_access_masks (C function)c.landlock_union_access_maskshNtauh1jhjhhhNhNubj)}(hhh](j)}(h]struct access_masks landlock_union_access_masks (const struct landlock_ruleset *const domain)h]j )}(h\struct access_masks landlock_union_access_masks(const struct landlock_ruleset *const domain)h](j)}(hjh]hstruct}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhj|hhh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hj|hhhjhKubh)}(hhh]j8)}(h access_masksh]h access_masks}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubah}(h]h ]h"]h$]h&] refdomainjreftypejQ reftargetjmodnameN classnameNjAjD)}jG]jY)}jQlandlock_union_access_maskssbc.landlock_union_access_masksasbuh1hhj|hhhjhKubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hj|hhhjhKubj2)}(hlandlock_union_access_masksh]j8)}(hjh]hlandlock_union_access_masks}(hjhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hj|hhhjhKubj)}(h-(const struct landlock_ruleset *const domain)h]j)}(h+const struct landlock_ruleset *const domainh](j)}(hjh]hconst}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubj)}(hjh]hstruct}(hjhhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjubj!)}(h h]h }(hjhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubh)}(hhh]j8)}(hlandlock_ruleseth]hlandlock_ruleset}(hj&hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj#ubah}(h]h ]h"]h$]h&] refdomainjreftypejQ reftargetj(modnameN classnameNjAjD)}jG]jc.landlock_union_access_masksasbuh1hhjubj!)}(h h]h }(hjDhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubjn)}(hjUh]h*}(hjRhhhNhNubah}(h]h ]jyah"]h$]h&]uh1jmhjubj)}(hjh]hconst}(hj_hhhNhNubah}(h]h ]jah"]h$]h&]uh1jhjubj!)}(h h]h }(hjlhhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hjubj8)}(hdomainh]hdomain}(hjzhhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hjubeh}(h]h ]h"]h$]h&]noemphhhuh1jhjubah}(h]h ]h"]h$]h&]hhuh1jhj|hhhjhKubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhjxhhhjhKubah}(h]jsah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjhKhjuhhubjd)}(hhh]j)}(h.Return all access rights handled in the domainh]h.Return all access rights handled in the domain}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjhhubah}(h]h ]h"]h$]h&]uh1jchjuhhhjhKubeh}(h]h ](jfunctioneh"]h$]h&]jjjjjjjjjuh1jhhhjhNhNubj)}(h**Parameters** ``const struct landlock_ruleset *const domain`` Landlock ruleset (used as a domain) **Return** an access_masks result of the OR of all the domain's access masks.h](j)}(h**Parameters**h]j)}(hjh]h Parameters}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(hT``const struct landlock_ruleset *const domain`` Landlock ruleset (used as a domain) h](j)}(h/``const struct landlock_ruleset *const domain``h]j)}(hjh]h+const struct landlock_ruleset *const domain}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hhh]j)}(h#Landlock ruleset (used as a domain)h]h#Landlock ruleset (used as a domain)}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjhKhjubah}(h]h ]h"]h$]h&]uh1jhjubeh}(h]h ]h"]h$]h&]uh1jhjhKhjubah}(h]h ]h"]h$]h&]uh1jhjubj)}(h **Return**h]j)}(hj h]hReturn}(hj" hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubj)}(hBan access_masks result of the OR of all the domain's access masks.h]hDan access_masks result of the OR of all the domain’s access masks.}(hj6 hhhNhNubah}(h]h ]h"]h$]h&]uh1jh^/var/lib/git/docbuild/linux/Documentation/security/landlock:134: ./security/landlock/ruleset.hhKhjubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhNhNubj)}(hhh]h}(h]h ]h"]h$]h&]entries](jlandlock_details (C struct)c.landlock_detailshNtauh1jhjhhhNhNubj)}(hhh](j)}(hlandlock_detailsh]j )}(hstruct landlock_detailsh](j)}(hjh]hstruct}(hje hhhNhNubah}(h]h ]jah"]h$]h&]uh1jhja hhh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKubj!)}(h h]h }(hjs hhhNhNubah}(h]h ]j-ah"]h$]h&]uh1j hja hhhjr hKubj2)}(hlandlock_detailsh]j8)}(hj_ h]hlandlock_details}(hj hhhNhNubah}(h]h ]jCah"]h$]h&]uh1j7hj ubah}(h]h ](jJjKeh"]h$]h&]hhuh1j1hja hhhjr hKubeh}(h]h ]h"]h$]h&]hhjUuh1jjVjWhj] hhhjr hKubah}(h]jX ah ](j[j\eh"]h$]h&]j`ja)jbhuh1jhjr hKhjZ hhubjd)}(hhh]j)}(hDomain's creation informationh]hDomain’s creation information}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKhj hhubah}(h]h ]h"]h$]h&]uh1jchjZ hhhjr hKubeh}(h]h ](jstructeh"]h$]h&]jjjj jj jjjuh1jhhhjhNhNubj)}(hX**Definition**:: struct landlock_details { struct pid *pid; uid_t uid; char comm[TASK_COMM_LEN]; char exe_path[]; }; **Members** ``pid`` PID of the task that initially restricted itself. It still identifies the same task. Keeping a reference to this PID ensures that it will not be recycled. ``uid`` UID of the task that initially restricted itself, at creation time. ``comm`` Command line of the task that initially restricted itself, at creation time. Always NULL terminated. ``exe_path`` Executable path of the task that initially restricted itself, at creation time. Always NULL terminated, and never greater than LANDLOCK_PATH_MAX_SIZE.h](j)}(h**Definition**::h](j)}(h**Definition**h]h Definition}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubh:}(hj hhhNhNubeh}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK#hj ubj)}(hsstruct landlock_details { struct pid *pid; uid_t uid; char comm[TASK_COMM_LEN]; char exe_path[]; };h]hsstruct landlock_details { struct pid *pid; uid_t uid; char comm[TASK_COMM_LEN]; char exe_path[]; };}hj sbah}(h]h ]h"]h$]h&]hhuh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK%hj ubj)}(h **Members**h]j)}(hj h]hMembers}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj ubah}([Th]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK,hj ubj)}(hhh](j)}(h``pid`` PID of the task that initially restricted itself. It still identifies the same task. Keeping a reference to this PID ensures that it will not be recycled. h](j)}(h``pid``h]j)}(hj!h]hpid}(hj!hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj!ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK.hj!ubj)}(hhh]j)}(hPID of the task that initially restricted itself. It still identifies the same task. Keeping a reference to this PID ensures that it will not be recycled.h]hPID of the task that initially restricted itself. It still identifies the same task. Keeping a reference to this PID ensures that it will not be recycled.}(hj-!hhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK,hj*!ubah}(h]h ]h"]h$]h&]uh1jhj!ubeh}(h]h ]h"]h$]h&]uh1jhj)!hK.hj !ubj)}(hL``uid`` UID of the task that initially restricted itself, at creation time. h](j)}(h``uid``h]j)}(hjN!h]huid}(hjP!hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjL!ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK2hjH!ubj)}(hhh]j)}(hCUID of the task that initially restricted itself, at creation time.h]hCUID of the task that initially restricted itself, at creation time.}(hjg!hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjc!hK2hjd!ubah}(h]h ]h"]h$]h&]uh1jhjH!ubeh}(h]h ]h"]h$]h&]uh1jhjc!hK2hj !ubj)}(ho``comm`` Command line of the task that initially restricted itself, at creation time. Always NULL terminated. h](j)}(h``comm``h]j)}(hj!h]hcomm}(hj!hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj!ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK7hj!ubj)}(hhh]j)}(heCommand line of the task that initially restricted itself, at creation time. Always NULL terminated.h]heCommand line of the task that initially restricted itself, at creation time. Always NULL terminated.}(hj!hhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK6hj!ubah}(h]h ]h"]h$]h&]uh1jhj!ubeh}(h]h ]h"]h$]h&]uh1jhj!hK7hj !ubj)}(h``exe_path`` Executable path of the task that initially restricted itself, at creation time. Always NULL terminated, and never greater than LANDLOCK_PATH_MAX_SIZE.h](j)}(h ``exe_path``h]j)}(hj!h]hexe_path}(hj!hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj!ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKNumber of potential children domains plus their parent domain.h]h>Number of potential children domains plus their parent domain.}(hjS#hhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKShjP#ubah}(h]h ]h"]h$]h&]uh1jhj4#ubeh}(h]h ]h"]h$]h&]uh1jhjO#hKThj"ubj)}(h``log_status`` Whether this domain should be logged or not. Because concurrent log entries may be created at the same time, it is still possible to have several domain records of the same domain. h](j)}(h``log_status``h]j)}(hjt#h]h log_status}(hjv#hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjr#ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK\hjn#ubj)}(hhh]j)}(hWhether this domain should be logged or not. Because concurrent log entries may be created at the same time, it is still possible to have several domain records of the same domain.h]hWhether this domain should be logged or not. Because concurrent log entries may be created at the same time, it is still possible to have several domain records of the same domain.}(hj#hhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKZhj#ubah}(h]h ]h"]h$]h&]uh1jhjn#ubeh}(h]h ]h"]h$]h&]uh1jhj#hK\hj"ubj)}(hw``num_denials`` Number of access requests denied by this domain. Masked (i.e. never logged) denials are still counted. h](j)}(h``num_denials``h]j)}(hj#h]h num_denials}(hj#hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj#ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKahj#ubj)}(hhh]j)}(hfNumber of access requests denied by this domain. Masked (i.e. never logged) denials are still counted.h]hfNumber of access requests denied by this domain. Masked (i.e. never logged) denials are still counted.}(hj#hhhNhNubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhK`hj#ubah}(h]h ]h"]h$]h&]uh1jhj#ubeh}(h]h ]h"]h$]h&]uh1jhj#hKahj"ubj)}(h>``id`` Landlock domain ID, sets once at domain creation time. h](j)}(h``id``h]j)}(hj#h]hid}(hj#hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj#ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKehj#ubj)}(hhh]j)}(h6Landlock domain ID, sets once at domain creation time.h]h6Landlock domain ID, sets once at domain creation time.}(hj$hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj#hKehj#ubah}(h]h ]h"]h$]h&]uh1jhj#ubeh}(h]h ]h"]h$]h&]uh1jhj#hKehj"ubj)}(h2``details`` Information about the related domain. h](j)}(h ``details``h]j)}(hj!$h]hdetails}(hj#$hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj$ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKihj$ubj)}(hhh]j)}(h%Information about the related domain.h]h%Information about the related domain.}(hj:$hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj6$hKihj7$ubah}(h]h ]h"]h$]h&]uh1jhj$ubeh}(h]h ]h"]h$]h&]uh1jhj6$hKihj"ubj)}(h``log_same_exec`` Set if the domain is *not* configured with ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``. Set to true by default. h](j)}(h``log_same_exec``h]j)}(hjZ$h]h log_same_exec}(hj\$hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjX$ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKnhjT$ubj)}(hhh]j)}(hqSet if the domain is *not* configured with ``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``. Set to true by default.h](hSet if the domain is }(hjs$hhhNhNubhemphasis)}(h*not*h]hnot}(hj}$hhhNhNubah}(h]h ]h"]h$]h&]uh1j{$hjs$ubh configured with }(hjs$hhhNhNubj)}(h,``LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF``h]h(LANDLOCK_RESTRICT_SELF_LOG_SAME_EXEC_OFF}(hj$hhhNhNubah}(h]h ]h"]h$]h&]uh1jhjs$ubh. Set to true by default.}(hjs$hhhNhNubeh}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKmhjp$ubah}(h]h ]h"]h$]h&]uh1jhjT$ubeh}(h]h ]h"]h$]h&]uh1jhjo$hKnhj"ubj)}(h{``log_new_exec`` Set if the domain is configured with ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``. Set to false by default.h](j)}(h``log_new_exec``h]j)}(hj$h]h log_new_exec}(hj$hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj$ubah}(h]h ]h"]h$]h&]uh1jh]/var/lib/git/docbuild/linux/Documentation/security/landlock:137: ./security/landlock/domain.hhKrhj$ubj)}(hhh]j)}(hjSet if the domain is configured with ``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``. Set to false by default.h](h%Set if the domain is configured with }(hj$hhhNhNubj)}(h*``LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON``h]h&LANDLOCK_RESTRICT_SELF_LOG_NEW_EXEC_ON}(hj$hhhNhNubah}(h]h ]h"]h$]h&]uh1jhj$ubh. Set to false by default.}(hj$hhhNhNubeh}(h]h ]h"]h$]h&]uh1jhj$hKrhj$ubah}(h]h ]h"]h$]h&]uh1jhj$ubeh}(h]h ]h"]h$]h&]uh1jhj$hKrhj"ubeh}(h]h ]h"]h$]h&]uh1jhj"ubeh}(h]h ] kernelindentah"]h$]h&]uh1jhjhhhNhNubeh}(h]ruleset-and-domainah ]h"]ruleset and domainah$]h&]uh1hhjhhhhhKxubeh}(h]kernel-structuresah ]h"]kernel structuresah$]h&]uh1hhhhhhhhKcubh)}(hhh](h)}(hAdditional documentationh]hAdditional documentation}(hj%hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj%hhhhhKubj)}(hhh](j)}(h(Documentation/userspace-api/landlock.rsth]j)}(hj2%h]h(Documentation/userspace-api/landlock.rst}(hj4%hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhj0%ubah}(h]h ]h"]h$]h&]uh1jhj-%hhhhhNubj)}(h*Documentation/admin-guide/LSM/landlock.rsth]j)}(hjI%h]h*Documentation/admin-guide/LSM/landlock.rst}(hjK%hhhNhNubah}(h]h ]h"]h$]h&]uh1jhhhKhjG%ubah}(h]h ]h"]h$]h&]uh1jhj-%hhhhhNubj)}(hhttps://landlock.io h]j)}(hhttps://landlock.ioh]j)}(hjd%h]hhttps://landlock.io}(hjf%hhhNhNubah}(h]h ]h"]h$]h&]refurijd%uh1jhjb%ubah}(h]h ]h"]h$]h&]uh1jhhhKhj^%ubah}(h]h ]h"]h$]h&]uh1jhj-%hhhhhNubeh}(h]h ]h"]h$]h&]jTjUuh1jhhhKhj%hhubh)}(hLinksh]hLinks}hj%sbah}(h]h ]h"]h$]h&]hhuh1hhj%hhhhhKubhtarget)}(h.. _tools/testing/selftests/landlock/: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/tools/testing/selftests/landlock/h]h}(h] tools-testing-selftests-landlockah ]h"]!tools/testing/selftests/landlock/ah$]h&]jjuh1j%hKhj%hhhhjKubeh}(h]additional-documentationah ]h"]additional documentationah$]h&]uh1hhhhhhhhKubeh}(h]!landlock-lsm-kernel-documentationah ]h"]"landlock lsm: kernel documentationah$]h&]uh1hhhhhhhhKubeh}(h]h ]h"]h$]h&]sourcehuh1hcurrent_sourceN current_lineNsettingsdocutils.frontendValues)}(hN generatorN datestampN source_linkN source_urlN toc_backlinksentryfootnote_backlinksK sectnum_xformKstrip_commentsNstrip_elements_with_classesN strip_classesN report_levelK halt_levelKexit_status_levelKdebugNwarning_streamN tracebackinput_encoding utf-8-siginput_encoding_error_handlerstrictoutput_encodingutf-8output_encoding_error_handlerj%error_encodingutf-8error_encoding_error_handlerbackslashreplace language_codeenrecord_dependenciesNconfigN id_prefixhauto_id_prefixid dump_settingsNdump_internalsNdump_transformsNdump_pseudo_xmlNexpose_internalsNstrict_visitorN_disable_configN_sourceh _destinationN _config_files]7/var/lib/git/docbuild/linux/Documentation/docutils.confafile_insertion_enabled raw_enabledKline_length_limitM'pep_referencesN pep_base_urlhttps://peps.python.org/pep_file_url_templatepep-%04drfc_referencesN rfc_base_url&https://datatracker.ietf.org/doc/html/ tab_widthKtrim_footnote_reference_spacesyntax_highlightlong smart_quotessmartquotes_locales]character_level_inline_markupdoctitle_xform docinfo_xformKsectsubtitle_xform image_loadinglinkembed_stylesheetcloak_email_addressessection_self_linkenvNubreporterNindirect_targets]substitution_defs}substitution_names}refnames}(file descriptor access rights]ja!tools/testing/selftests/landlock/]jaurefids}nameids}(j%j%j[jXjjjjjj$jjj%j%j[jXj j jjj%j%j%j%j%j%u nametypes}(j%j[jjjjj%j[j jj%j%j%uh}(j%hjXjjj^jjoj$jjjj%jjXjjjj7j<j j^j{jj j j j jj! j> jC jjj%jjjj8j=jzjjjjAjFjj jsjxjX j] jD"jI"j%j%j%j%u footnote_refs} citation_refs} autofootnotes]autofootnote_refs]symbol_footnotes]symbol_footnote_refs] footnotes] citations]autofootnote_startKsymbol_footnote_startK id_counter collectionsCounter}Rparse_messages]transform_messages] transformerN include_log] decorationNhhub.